VPC by example: IPSEC VPN with Cisco ASA


In this article we demonstrate the basic steps necessary to connect your Virtual Private Cloud to your office network. Our VPC network topology will look like this:

Our private server will be accessible from all devices on the office network (192.168.1.0/24) by connecting the office Cisco ASA to Mammoth Cloud over an IPsec site-to-site tunnel.


Server Provisioning

In this example we are extending an existing VPC by adding site-to-site VPN connectivity to it. The existing VPC consists of a single private database server.

Create a new Ubuntu 14.04 server, which will be the VPN endpoint, as a member of the existing VPC. The "ns.micro" plan (25% CPU, 256MB memory, 5GB disk) is sufficient for a dedicated VPN endpoint.

 Here is what my configuration looks like in mPanel:

Note that db.example does not have a public IP address.


Configuring remote (Mammoth) VPN endpoint

To provide site-to-site connectivity between the Mammoth VPC and the office network, we need to make three changes on the Mammoth end:

  1. Use mPanel to allow the VPN server to route traffic
  2. Configure our VPC route table to send traffic through our VPN server
  3. Configure our Linux server to provide the desired VPN functionality

Enable routing in mPanel

Click into the mPanel dashboard for the VPN server (not the database server). Down the left hand side there is a section labelled Network:

To let the VPN server forward and NAT traffic on behalf of other VPC members, Source/Dest Check must be disabled; with the check enabled, the platform drops any packet whose source or destination is not the server's own address. Click the "Enabled" link and disable the check.

Configure the VPC route table

From the "Services" page in mPanel, click the "Configure Routes" button. This displays the following screen, which I have already filled out:

Enter a new route with destination set to 0.0.0.0/0 and the target set to the internal IP of the VPN server. Click "Save and Apply" to update the VPC configuration. This makes the VPN server the default gateway for every server in the VPC, so both office-bound traffic and outgoing internet traffic now pass through it.


Configure Linux server as VPN endpoint

To configure IPsec on the Linux server, use mPanel to deploy our IPSEC VPN deployment script:

This deployment script installs and configures Openswan, a Linux implementation of IPsec. The script requires two arguments:

  • Local network: The network range of the corporate office that is connecting, e.g. 192.168.1.0/24
  • Pre-Shared Key: A passphrase that you will configure on both the remote (Mammoth) and local (Cisco ASA) ends. Treat it like a password: use a long random value, and do not reuse it for other tunnels.

The deployment script will also set up your VPN server to provide outgoing NAT, allowing your private servers to fetch software updates from the internet.
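To show concretely what the Mammoth end needs, here is an added example (not the Mammoth deployment script itself, and not taken from this page) that renders an Openswan configuration for a site-to-site tunnel matching the ASA wizard settings used below (AES-192, SHA-1, DH group 2, PFS), writes the pre-shared key with restrictive permissions, and prints the forwarding and NAT rules the VPN server needs. The connection name `office-vpn`, the interface name `eth0`, the `DESTDIR` and `VPC_NET` parameters, and the peer addresses in the usage line are assumptions for illustration. One point the page does not spell out: the MASQUERADE rule must exempt traffic bound for the office network, otherwise packets from the VPC are rewritten to the VPN server's address before encapsulation and no longer match the subnets the ASA expects.

```shell
#!/bin/sh
# Added example: a minimal stand-in for an IPsec deployment script.
# Writes Openswan config for a site-to-site tunnel to the office ASA.
# Assumptions: connection name "office-vpn", WAN interface eth0, VPC
# range 10.240.0.0/16 unless VPC_NET is set, DESTDIR defaults to /etc.

# Usage: render_ipsec_config <office-net> <psk> <vpn-public-ip> <asa-public-ip> [destdir]
render_ipsec_config() {
    office_net="$1"        # the ASA's inside network, e.g. 192.168.1.0/24
    psk="$2"               # pre-shared key, identical on the ASA
    vpn_pub_ip="$3"        # public IP of the Mammoth VPN server (assumed peer identity)
    asa_pub_ip="$4"        # public IP of the office ASA
    destdir="${5:-/etc}"
    vpc_net="${VPC_NET:-10.240.0.0/16}"

    mkdir -p "$destdir"
    cat > "$destdir/ipsec.conf" <<EOF
config setup
    protostack=netkey
    nat_traversal=yes

conn office-vpn
    type=tunnel
    authby=secret
    # Mammoth side ("left"): interface with the default route, identified by its public IP
    left=%defaultroute
    leftid=$vpn_pub_ip
    leftsubnet=$vpc_net
    # Office side ("right"): the Cisco ASA and its inside network
    right=$asa_pub_ip
    rightsubnet=$office_net
    # Phase 1 and phase 2 proposals must match the ASA wizard exactly:
    # AES-192, SHA-1, DH group 2 (1024-bit MODP), PFS enabled
    ike=aes192-sha1;modp1024
    phase2alg=aes192-sha1;modp1024
    pfs=yes
    auto=start
EOF

    # The secrets file must not be world-readable; use a subshell so the
    # umask change does not leak into the caller's shell.
    ( umask 077
      printf '%s %s : PSK "%s"\n' "$vpn_pub_ip" "$asa_pub_ip" "$psk" > "$destdir/ipsec.secrets" )
}

# Print (do not apply) the forwarding and NAT rules; run the output as root.
# Rule order matters: the ACCEPT for office-bound traffic must precede the
# MASQUERADE so tunnel traffic keeps its real VPC source address.
nat_rules() {
    office_net="$1"
    vpc_net="${VPC_NET:-10.240.0.0/16}"
    wan_if="${WAN_IF:-eth0}"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $vpc_net -d $office_net -j ACCEPT
iptables -t nat -A POSTROUTING -s $vpc_net -o $wan_if -j MASQUERADE
EOF
}

# Example invocation with documentation-range addresses (assumed values):
#   render_ipsec_config 192.168.1.0/24 'change-me' 203.0.113.10 198.51.100.20
#   nat_rules 192.168.1.0/24 | sh
```

After rendering, `ipsec verify` and `ipsec restart` on the VPN server will load the configuration; the `nat_rules` output is printed rather than executed so it can be reviewed before being applied as root.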


Configuring local (Cisco ASA) VPN endpoint

Connect to your Cisco ASA using the ASDM-IDM launcher or Java Web Start. For a default ASA installation, you will find this at https://192.168.1.1/

After connecting, click the "Wizards" menu and select "IPsec VPN Wizard...". This will begin a six-step wizard process to configure the VPN:

 Select site-to-site VPN on the "outside" tunnel interface, and click Next.

For Peer IP Address enter the VPN server's external IP, select pre-shared key and enter the same passphrase you configured earlier. Click Next.

The Encryption method should be set to AES-192, Authentication to SHA and Diffie-Hellman Group to 2. Click Next. These must be identical to the phase 1 proposal the deployment script configured on the Mammoth end, or phase 1 negotiation will fail; only change them if you also change the Openswan configuration. Note that group 2 is 1024-bit MODP, which is weak by current standards.

Similar to step 3, set Encryption to AES-192, Authentication to SHA, enable Perfect Forward Secrecy and set Diffie-Hellman Group to 2. Click Next.

The Local Networks should be set to your office IP range, e.g. 192.168.1.0/24, while Remote Networks should be the VPC IP range, which defaults to 10.240.0.0/16. "Exempt ASA side host/network from address translation" should be enabled, as we do not want the ASA to NAT traffic entering the tunnel: the Openswan end only accepts packets from the office range it was configured with. Click Next.

On the last step, review the configuration and make sure it is correct; then click Finish.

At this point the VPN will be ready for use. You can test the VPN by using one of the office computers (on the 192.168.1.0/24 range) to ping the private VPC server (10.240.0.143 in this example; it will be different for your own setup).

If everything is working correctly, you will get a ping reply and can now use bidirectional connectivity between your office and the Mammoth VPC. If the ping fails, check the tunnel state on the VPN server with `ipsec auto --status` before looking at routing or firewall rules: a missing ISAKMP SA points at the peer address, pre-shared key or blocked UDP 500/4500 and ESP, while an ISAKMP SA without an IPsec SA points at mismatched phase 2 algorithms or local/remote network definitions.
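As an added troubleshooting aid (not part of the original article), the following shell function classifies the tunnel state from the output of Openswan's `ipsec auto --status`, so a failed ping can be traced to the right negotiation phase. The connection name `office-vpn` is an assumption, and the sample status lines in `sample_status` are constructed for this example rather than captured from a real system; their format follows Openswan's status output.

```shell
#!/bin/sh
# Added example: classify Openswan tunnel state from `ipsec auto --status`.
# Assumed connection name "office-vpn"; on the VPN server run:
#   ipsec auto --status | tunnel_state office-vpn

# Prints one of: up, phase1-only, down
tunnel_state() {
    conn="$1"
    status=$(cat)
    # Count state lines for this connection only; the quotes are part of the
    # status format (e.g. #2: "office-vpn":500 ...), so they scope the match.
    p1=$(printf '%s\n' "$status" | grep -c "\"$conn\".*ISAKMP SA established" || true)
    p2=$(printf '%s\n' "$status" | grep -c "\"$conn\".*IPsec SA established" || true)
    if [ "$p2" -gt 0 ]; then
        # Both phases done. If ping still fails: VPC route table, Source/Dest
        # Check, NAT exemption for tunnel traffic, or the ASA's crypto ACL.
        echo up
    elif [ "$p1" -gt 0 ]; then
        # Peer address and PSK are fine; phase 2 proposal (AES-192/SHA/PFS
        # group 2) or local/remote network definitions do not match.
        echo phase1-only
    else
        # No ISAKMP SA: wrong peer IP or PSK, or UDP 500/4500 and ESP blocked.
        echo down
    fi
}

# Constructed sample outputs (not captured from a real system).
sample_status() {
    case "$1" in
    up) cat <<'EOF'
000 #1: "office-vpn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2165s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #2: "office-vpn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2735s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
EOF
    ;;
    phase1-only) cat <<'EOF'
000 #1: "office-vpn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2165s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #2: "office-vpn":500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 10s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
EOF
    ;;
    *) cat <<'EOF'
000 #1: "office-vpn":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 20s; nodpd; idle; import:admin initiate
EOF
    ;;
    esac
}
```

Running `sample_status up | tunnel_state office-vpn` prints `up`; the same status piped with a different connection name prints `down`, since only that connection's state lines are counted.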
