Thursday, February 18, 2016

Setting Up An Amazon Web Services Hardware VPN Connection to an Untangle Firewall

I have configured an Amazon Web Services hardware VPN connection to the IPSec module of an Untangle firewall.  

Although I am very comfortable with the Untangle firewall in general and have used the OpenVPN module for point to site connections, I’m new to IPsec and Amazon Web Services.  

I was unable to find any place where someone had documented the steps they took to establish this particular connection so I will fill that void now.

Amazon provides a lot of documentation, with varying degrees of granularity, for a number of tasks.  Usually, all of the necessary steps are provided with very clear guidance.  In this case I got tripped up by relying on less than complete, higher level summaries.

I followed the procedures to manually set up the VPN connection contained here in the Amazon Virtual Private Cloud User Guide. To set up a VPN connection, you need to complete the following steps:
  1. Create a Customer Gateway
  2. Create a Virtual Private Gateway
  3. Enable Route Propagation in Your Route Table
  4. Update Your Security Group to Enable Inbound SSH, RDP and ICMP Access
  5. Create a VPN Connection and Configure the Customer Gateway
  6. Launch an Instance Into Your Subnet
These procedures assume that you have a VPC with one or more subnets, and that you have the required network information (see What You Need for a VPN Connection).

As noted in the Amazon documents, you can use the VPC wizard to complete many of these steps.  I opted to do things manually to remove the mystery and to put me in a better position to be able to refine and troubleshoot things rather than needing to routinely resort to a wizard to start from scratch.

As you work through the process you will see that there are two broad kinds of Amazon hardware VPN connections, those that make use of Border Gateway Protocol (BGP) and those that don't.  The Untangle firewall does not include Border Gateway Protocol, so when a particular instruction varies based on whether or not you have BGP, choose the alternative that does not rely on BGP.

It's easy to overlook the third step above, enabling route propagation.  I made that mistake which caused no end of headaches.  Take your time and follow the steps, especially that one.

The fifth step is where you will get the information you need to configure the Untangle IPsec module.  After you have created your VPN Connection you will need to navigate to that VPN connection and download configuration details. The Untangle firewall is not one of the devices for which specific configuration information is prepared.  You should choose the Generic / Vendor Agnostic alternative as shown below.

Now we shift to the Untangle side of the house.

Go to the IPsec module.

Select the IPsec Options tab and decide if you want the Untangle firewall to process or bypass all IPsec traffic.  

When this checkbox is enabled, traffic from IPsec tunnels will bypass all applications and services on the Untangle server. If you disable the checkbox, traffic from IPsec tunnels will be filtered through all active applications and services.

Select the IPsec Tunnels tab and add a pair of tunnels.  You will add a pair of tunnels because the Amazon hardware VPN provides a pair of tunnels.  The configuration file you downloaded earlier in this step contains all of the configuration information you will need.  

Here is what a tunnel configuration page looks like initially:

Here is what my first tunnel configuration page looked like when I completed the configuration:

The second tunnel page is identical except that it references a different public address for the remote IPsec gateway and it has a different shared secret.

Again, the information you need to configure the IPsec Tunnels on Untangle will come from the configuration instructions you downloaded.

If you haven't already done so, enable the IPsec VPN module.  The button should be green and not grey.

If everything is working, one of your tunnels will be active.  Amazon provides a pair of tunnels but you should not expect to see both active in Untangle at any given time.  Your IPsec status tab should look like this:

Now that you have the Untangle configured, you should be able to work with instances launched into your private subnet.  The Tunnel Details tab of your Amazon VPN Connection should look something like this:

And the Static Routes tab should include the remote networks you are connecting to your Amazon VPC network.  In the example below I've got a pair of those networks.

You should have at least one tunnel that's up and with any luck you've now got a working IPsec tunnel.

If you spot any obvious mistakes in this summary please let me know and I will revise accordingly.

No comments:

Post a Comment