
I want to connect a VPC to an on-premises server via one VPN connection. This needs to be a one-way (outgoing, from AWS to on-premises) connection, NOT site-to-site.

I have set up an AWS VPN Connection, Virtual Private Gateway and Customer Gateway (Cisco ASA). But as I found, it is a two-way connection, and it requires the customer to open a connection toward us and keep it open so that we can have a VPN connection to them.

This is what I have implemented on AWS side:

https://aws.amazon.com/answers/networking/aws-multiple-vpc-vpn-connection-sharing/

As we found, for an outgoing connection the only way is Cisco AnyConnect; it means that in the VPC we need a server which has Cisco AnyConnect installed, and then we will be able to make this connection.

I'm wondering if there is any better way to have a one-way (outgoing) VPN connection for this case (only from the VPC to on-premises)?

Any help would be appreciated.

Second question:

If I use the AWS VPN connection for connecting to our data center, how can I connect multiple VPCs to one VPN connection? I have one main VPC that the VPN has been established on, and I made another VPC with a server in it and peered the two VPCs. I don't have any connection from my second VPC towards the data center. The route tables look like below:

VPN-VPC1 route table:

```
Destination           Target
privateIP(VPC1)       local
0.0.0.0/0             igw
datacenter-network1   vgw
datacenter-network2   vgw
privateIP(VPC2)       pcx
```

VPC2 route table (subnet association: 10.0.1.0/24):

```
Destination           Target
privateIP(VPC2)       local
0.0.0.0/0             igw
privateIP(VPC1)       pcx
```

There is no connection between the data center and 10.0.1.10/24.

Am I missing something here?

Matrix
    TCP requires packets to flow in both directions. I think you'll need to implement this at the application level. Please edit your question to provide more context of what you're trying to achieve, rather than just how you're trying to achieve it? – Tim Jul 11 '17 at 19:06
  • @Tim, you're correct, the actual bytes would flow both directions. Here, it means something else... "outgoing" and "one-way" are referring to which side of the tunnel initiates the connection and keeps it alive. Also, in this case, it seems the third party insists on having assignment control for the secret, and presumably the authentication mechanism, cipher, pfs, key lifetimes, and all the other joyous configurable parameters that make IPSec so unwieldy. – Michael - sqlbot Jul 11 '17 at 20:32

1 Answer


There is no native support in VPC for what you need.

The root of the problem is that VPC's Hardware VPN isn't really designed for connections to third party networks. It's designed for interconnecting your VPC to your physical data center network -- a trusted connection. A VPC VPN connection is effectively wide open, subject only to the limitations of your security groups and Network ACLs -- it doesn't have a route table or any filtering of its own, and has some other limitations, so it's really not the best choice for external connections. For connections to your data center, of course... it's excellent.

> As we found for outgoing connection, the only way is Cisco AnyConnect

That isn't the only way... but it does have to be done with an EC2 instance running IPSec VPN software. There are three packages I'm familiar with, all of which are similar: openswan, libreswan, and strongswan. You can build your own tunnel server.

If you go this route, it's a little bit tricky to get the IP addresses configured correctly, but it's a viable solution. This is how I establish IPSec with external companies.

The circumstances aren't the same, but the idea of your address being split between the instance's private IP and the instance's Elastic IP (EIP) would be similar to what I suggested for the "left" side ("our" side, by my convention) in Strongswan VPN tunnel between two AWS instances won't connect:

```
left=10.10.10.10         # instance private IP of local system
leftsourceip=10.10.10.10 # instance private IP of local system
leftid=203.x.x.x         # elastic IP of local system
leftsubnet=10.x.x.x/xx
```

Alternately, there are probably other offerings in the AWS Marketplace that will provide you with an EC2 instance that terminates IPSec tunnels... but there isn't another alternative, unless you have an offsite hardware gateway, outside of AWS, and you want to spoke both a VPC Hardware VPN connection and your third-party connections out of that device.

Michael - sqlbot
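As an added example (not the answer author's configuration), here is how the left/right split described above looks in a complete strongSwan `ipsec.conf` for an EC2 initiator behind AWS's 1:1 Elastic IP NAT. All addresses are constructed placeholders from the RFC 5737 documentation ranges, and the connection name, peer ASA address and subnets are assumptions. `auto=start` together with dead-peer detection is what makes the VPC side the party that brings the tunnel up and keeps it alive, which is the sense of "outgoing" in the question.

```ini
# /etc/ipsec.conf on the EC2 tunnel instance (constructed example)
config setup
    uniqueids=yes

conn thirdparty
    keyexchange=ikev2
    authby=secret
    # This side initiates and re-dials; the peer never has to call us.
    auto=start
    dpddelay=30s
    dpdaction=restart
    closeaction=restart

    # "left" = our side. The instance only sees its private ENI address,
    # but the peer sees the Elastic IP, so the IKE identity must be the EIP.
    left=10.10.10.10           # instance private IP (assumed)
    leftsourceip=10.10.10.10   # source address for traffic entering the tunnel
    leftid=203.0.113.10        # Elastic IP of the instance (placeholder)
    leftsubnet=10.10.0.0/16    # VPC CIDR the third party should reach (assumed)

    # "right" = the third party's Cisco ASA (placeholder values)
    right=198.51.100.1
    rightid=198.51.100.1
    rightsubnet=192.168.50.0/24

    # Proposals must match what the third party configures on the ASA
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    ikelifetime=8h
    lifetime=1h
```

The matching `/etc/ipsec.secrets` entry (mode 0600) is keyed by the two IKE identities, `203.0.113.10 198.51.100.1 : PSK "REPLACE-WITH-SHARED-SECRET"`. For other VPC hosts to reach 192.168.50.0/24 through the instance, disable the instance's source/destination check, enable IP forwarding, add a VPC route for 192.168.50.0/24 pointing at the instance, and allow UDP 500/4500 from the peer in its security group.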
  • Thanks for your informative comment. So it means that I should create an EC2 server (Linux) and install and configure openswan on it? Like the following link: https://aws.amazon.com/articles/5472675506466066 or this one seems good? http://www.getfareye.com/in/blog/establishing-ipsec-tunnel-using-openswan-tool-on-amazon-ec2 In this case I create a tunnel on the EC2 server, and the tunnel would be always open toward the external network? – Matrix Jul 12 '17 at 13:45
  • Yes. That's exactly the idea. – Michael - sqlbot Jul 12 '17 at 17:48
  • Thanks. Can you also please check my second question and let me know if you have any idea about it? – Matrix Jul 13 '17 at 12:07
  • @Sarah, that's a separate question that should be asked separately. The answer is... VPC peering was not designed to work that way. [Peering relationships are not transitive and don't route edge-to-edge through gateways](http://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/invalid-peering-configurations.html#edge-to-edge-vgw). – Michael - sqlbot Jul 13 '17 at 20:21