This article is in draft/beta; if you have any questions, please email us at help@firewalla.com
This is a brief introduction to setting up a Site-to-Site IPsec VPN connection between a Firewalla Gold box and an AWS VPC using Firewalla MSP.
To follow this guide, ensure that you have:
- An AWS VPC with a site-to-site VPN connection already set up
- Firewalla MSP version 2.8.0 or later
- A Firewalla Gold series box on your Firewalla MSP instance
In this guide, the two sites of the IPsec VPN connection are a Firewalla Gold on one side and an AWS VPC on the peer side. Both sites have public (WAN) IP addresses. Subnets on both sites can reach each other, and devices behind the Firewalla Gold can also access the internet via the AWS site.
The following settings are assumed by this example:
| | Firewalla Gold | AWS VPC |
|---|---|---|
| WAN IP | 203.0.113.123 | 3.16.1.123 |
| LAN Subnets | 192.168.213.0/24, 10.180.217.0/24 | 192.168.80.0/24 |
STEP 1: AWS Server Configuration
In this guide, we assume you already have an existing AWS VPC with a site-to-site VPN server set up.
If you need help setting up VPN connections on AWS, please consult their user guide: https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html
After the VPN is set up successfully, in the AWS VPC navigation pane, choose Site-to-Site VPN connections, select your VPN connection, and choose Download configuration.
Select the options as follows:
- Vendor: Strongswan
- Platform: Ubuntu 16.04
- Software: Strongswan 5.5.1+
- IKE version
Then download the configuration file. It will be a "vpn_xxxx.txt" file starting like this:

```
Amazon Web Services
Virtual Private Cloud
AWS utilizes unique identifiers to manipulate the configuration of
a VPN Connection. Each VPN Connection is assigned an identifier and is
associated with two other identifiers, namely the
Customer Gateway Identifier and Virtual Private Gateway Identifier.
xxx
```
STEP 2: MSP VPN Client Configuration
You can create the IPsec VPN configuration in the single-box view by clicking "Create VPN Connection" -> IPsec.
In the file downloaded in Step 1, search for "conn Tunnel1", copy the entire section, and paste it into the configuration text area in the MSP UI:

```
conn Tunnel1
type=tunnel
auto=add/start
keyexchange=ikev2
authby=psk
leftid=<WAN IP of Firewalla>
leftsubnet=<LAN Subnet CIDR of Firewalla>  # separate multiple subnets with commas
right=<WAN IP of Server>
rightsubnet=<LAN Subnet CIDR of AWS>  # separate multiple subnets with commas
aggressive=no
ikelifetime=28800s
lifetime=3600s
margintime=270s
rekey=yes
rekeyfuzz=100%
fragmentation=yes
replay_window=1024
dpddelay=30s
dpdtimeout=120s
dpdaction=restart
ike=aes128-sha1-modp1024
esp=aes128-sha1-modp1024
keyingtries=%forever
```
Notes on the MSP UI configuration:
- Use 0.0.0.0/0 as the rightsubnet so that any device on the VPN connection can reach the internet through the AWS site. In this example, we change the following lines to:

```
leftid=203.0.113.123
leftsubnet=192.168.213.0/24,10.180.217.0/24
right=3.16.1.123
rightsubnet=0.0.0.0/0
```

- In this example, two subnets on the Firewalla Gold (client) should be able to reach AWS (server). If only one subnet (192.168.213.0/24) should reach the server, use:

```
leftsubnet=192.168.213.0/24
```

- Set dpdaction to restart. The box will then automatically attempt to re-establish the connection when the remote site is detected as down.
- The ike and esp lines are the proposals AWS writes into its strongSwan template; SHA-1 and modp1024 (DH group 2) are legacy choices, so if the tunnel options of your AWS VPN connection allow a SHA-2 integrity algorithm and a larger DH group, prefer those and keep both lines consistent with the AWS side.
For Secrets, search for "psk" in the txt file, then copy and paste that line into the Secrets text field in the MSP UI. Example:

```
: PSK "<Pre-Shared Key value>"
```
After entering your Configuration and Secrets (no Additional files are needed), click Save in the top right corner to finish creating your 3rd-party VPN Connection.
On your new VPN connection, click Apply To, select the devices you'd like to apply the VPN to, and toggle on the VPN switch to establish the new connection. Once established, devices under your Firewalla Gold box can reach devices behind the AWS server and access the internet through the tunnel.
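As an added example (not part of this article or of Firewalla's or AWS's tooling), the Python script below does the Step 2 edits programmatically: it pulls the `conn Tunnel1` section and the PSK out of the downloaded AWS file, applies this guide's leftid/leftsubnet/right/rightsubnet values, rejects a malformed or unaligned subnet list before anything is pasted into MSP, and reports whether the ike/esp proposals still rely on SHA-1 or modp1024. The file text, the PSK and the function names are constructed for the example.

```python
import ipaddress
import re
# Constructed excerpt in the shape of the AWS "vpn_xxxx.txt" download (not a real file);
# the PSK is a placeholder and only the settings this guide touches are included.
SAMPLE_AWS_CONFIG = """\
conn Tunnel1
    leftid=203.0.113.123
    right=3.16.1.123
    keyexchange=ikev2
    ike=aes128-sha1-modp1024
    esp=aes128-sha1-modp1024
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    dpdaction=restart

203.0.113.123 3.16.1.123 : PSK "EXAMPLE-PSK-PLACEHOLDER"
"""
# The edits this guide makes before pasting into MSP (values from the table above).
GUIDE_OVERRIDES = {"leftid": "203.0.113.123", "right": "3.16.1.123",
                   "leftsubnet": "192.168.213.0/24,10.180.217.0/24", "rightsubnet": "0.0.0.0/0"}

def extract_conn(text, name):
    """Return the key=value settings of the 'conn <name>' section, in file order."""
    settings, inside = {}, False
    for line in text.splitlines():
        if line.startswith("conn "):
            inside = line.split(maxsplit=1)[1].strip() == name
        elif inside and not line.strip():
            inside = False                      # a blank line ends the section
        elif inside and "=" in line:
            key, value = line.strip().split("=", 1)
            settings[key] = value
    return settings

def extract_psk(text):
    """Return the pre-shared key from the ': PSK "..."' secrets line, or None."""
    match = re.search(r':\s*PSK\s+"([^"]+)"', text)
    return match.group(1) if match else None

def render_for_msp(name, settings, overrides):
    """Merge the overrides and return the text to paste into the MSP configuration box."""
    merged = {**settings, **overrides}
    for key in ("leftsubnet", "rightsubnet"):
        for cidr in merged[key].split(","):
            ipaddress.ip_network(cidr, strict=True)  # ValueError on a malformed or unaligned CIDR
    return f"conn {name}\n" + "".join(f"    {k}={v}\n" for k, v in merged.items())

def legacy_proposals(settings):
    """ike/esp proposals that still use SHA-1 or the 1024-bit MODP group (DH group 2)."""
    return [k for k in ("ike", "esp") if re.search(r"sha1|modp1024", settings.get(k, ""))]
```

Run it against the real downloaded file by replacing `SAMPLE_AWS_CONFIG` with its contents; the rendered text is what goes into the Configuration box and the extracted PSK into Secrets.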
STEP 3: Verify Connection
When the connection is successfully established, the VPN client list on MSP shows its status as connected.
Once it is connected and applied to a specific device, test whether that device can reach the AWS subnet (192.168.80.0/24 in this example).
Additionally, try accessing the internet from a VPN-connected device, then go to the Flows page in the Firewalla MSP UI, locate the corresponding flows, and check the outbound interface. If the flow is going through the VPN, the outbound interface will be your AWS IPsec VPN.