VPN to the Amazon Cloud behind a NAT Device

A customer asked me to help him set up an IPsec tunnel to the Amazon cloud. The setup is described on the Amazon VPN page. That document clearly states that Customer Gateways must have a static IP address but may be located behind a NAT device; only NAT-T is not supported. Since my customer's test network was located behind a NAT device that we did not control, we simply tried to set up the tunnel with a strongSwan gateway on our side.

Configuration

The configuration was quite simple and is described well in Amazon's documentation. The gateways identify each other by their IP addresses and share a pre-shared key for authentication. After configuring the connection in the Amazon web interface you can download the configuration details for every connection. Since our Customer Gateway was located behind a NAT device, we looked up our outside IP address on an external web page.

The strongSwan configuration also seemed to be very simple. One caveat for a gateway behind NAT: strongSwan's `left` must be an address the host actually owns (the private one, or `left=%defaultroute`), so the public address obtained above belongs in `leftid` if the IKE identity is to match what Amazon expects:

conn %default
  # load the connection on startup, bring it up manually with "ipsec up"
  auto=add
  # authentication with the pre-shared key from the Amazon configuration file
  authby=secret
  right=<IP address of the Amazon gateway>
  rightsubnet=<Network of our VPC at Amazon>

conn amazon
  left=<Our external IP address>
  leftsubnet=<Our internal network>
  # let strongSwan insert the iptables rules for the tunnelled traffic
  leftfirewall=yes

The Connection

After starting ipsec and bringing the connection up, everything seemed to be OK. The logs showed a nice IPsec SA being established:

charon: 12[IKE] initiating IKE_SA amazon[1] to <Amazon IP>
charon: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
charon: 12[NET] sending packet: from <my IP>[500] to <Amazon IP>[500] (1084 bytes)
charon: 13[NET] received packet: from <Amazon IP>[500] to <my IP>[500] (248 bytes)
charon: 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No ]
charon: 13[CFG] no IDi configured, fall back on IP address
charon: 13[IKE] authentication of '<my IP>' (myself) with pre-shared key
charon: 13[IKE] establishing CHILD_SA amazon
charon: 13[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
charon: 13[NET] sending packet: from <my IP>[500] to <Amazon IP>[500] (364 bytes)
charon: 14[NET] received packet: from <Amazon IP>[500] to <my IP>[500] (204 bytes)
charon: 14[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
charon: 14[IKE] authentication of '<Amazon IP>' with pre-shared key successful
charon: 14[IKE] IKE_SA amazon[1] established between <my IP>[<my IP>]...<Amazon IP>[<Amazon IP>]
charon: 14[IKE] scheduling reauthentication in 9771s
charon: 14[IKE] maximum IKE_SA lifetime 10311s
charon: 14[IKE] CHILD_SA amazon{1} established with SPIs cec2fc9e_i 67a2c2fc_o and TS <my net> === <Amazon net>

The Problem

The IPsec connection was established, but a ping from one of our internal clients to one of our servers at Amazon did not work. tcpdump showed that the ICMP requests were properly encrypted as ESP, but not encapsulated in UDP/4500. The firewall and the NAT device on the path to the Internet could not handle these packets; in fact, they simply dropped them.

The Reason

I thought the problem with NAT devices in the VPN path had been solved by IKEv2, which supports NAT detection. But if you look closely at the logs from the tunnel setup you will notice that my VPN gateway asks for NAT detection:

charon: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]

but Amazon's gateway does not reply with the corresponding notifies:

charon: 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No ]

The N(NATD_S_IP) and N(NATD_D_IP) notifications are missing from Amazon's answer. With IKEv2 a NAT is only detected when both sides include these notifies in IKE_SA_INIT: each side sends a hash over the address and port it believes it is using, and the peer compares that hash with one computed over the address it actually saw on the packet. Without the responder's notifies my gateway cannot detect the NAT in the path, so the CHILD_SA is installed with encryption but without UDP encapsulation, and tcpdump shows only plain ESP packets.
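To make the mechanism concrete, here is an added example (not code from this post, strongSwan or Amazon) of the NAT detection described above. It computes the NAT_DETECTION_*_IP payload data as RFC 7296 defines it, shows how a responder compares the peer's hash against the address it actually saw, and runs the check from this post over charon log lines: are both NAT detection notifies present in the IKE_SA_INIT request *and* response? The SPIs, addresses and log lines are constructed for the example.

```python
"""Added illustration of IKEv2 NAT detection (RFC 7296 section 2.23) and of
the charon log check discussed on this page.  Example code, not strongSwan's
or Amazon's; all SPIs, addresses and log lines are constructed."""
import hashlib
import ipaddress
import re
import struct


def natd_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP payload data: SHA-1(SPIi | SPIr | IP | port).
    In the IKE_SA_INIT request SPIr is still all zeros."""
    assert len(spi_i) == 8 and len(spi_r) == 8
    addr = ipaddress.ip_address(ip).packed          # 4 or 16 bytes
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def nat_between(spi_i: bytes, spi_r: bytes,
                claimed_ip: str, claimed_port: int,
                seen_ip: str, seen_port: int) -> bool:
    """What a peer does with a received NAT_DETECTION_SOURCE_IP notify: hash
    the address/port it actually saw on the wire and compare with the hash the
    sender computed over the address it believes it has.  A mismatch means a
    NAT rewrote the packet on the way, and UDP encapsulation is needed."""
    claimed = natd_hash(spi_i, spi_r, claimed_ip, claimed_port)
    observed = natd_hash(spi_i, spi_r, seen_ip, seen_port)
    return claimed != observed


# constructed charon log lines, modelled on the ones shown on this page
LOG = """\
charon: 12[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
charon: 13[ENC] parsed IKE_SA_INIT response 0 [ SA KE No ]
"""

PAYLOADS_RE = re.compile(
    r"(generating|parsed) IKE_SA_INIT (request|response) \d+ \[(.*)\]")
NATD_NOTIFIES = {"N(NATD_S_IP)", "N(NATD_D_IP)"}


def natd_in_log(log: str) -> dict:
    """For each IKE_SA_INIT message in the log, record whether it carried
    both NAT detection notifies."""
    result = {}
    for line in log.splitlines():
        m = PAYLOADS_RE.search(line)
        if not m:
            continue
        payloads = set(m.group(3).split())
        result[m.group(2)] = NATD_NOTIFIES <= payloads
    return result


def nat_t_negotiated(log: str) -> bool:
    """NAT-T is only possible when request and response both carry the notifies."""
    r = natd_in_log(log)
    return r.get("request", False) and r.get("response", False)


if __name__ == "__main__":
    spi_i = bytes.fromhex("0123456789abcdef")
    spi_r = bytes(8)  # responder SPI is unknown in the request
    # initiator behind NAT: believes it is 192.168.1.10, peer sees 203.0.113.5
    print("NAT detected:",
          nat_between(spi_i, spi_r, "192.168.1.10", 500, "203.0.113.5", 500))
    # initiator with a routable address: both hashes agree
    print("NAT detected:",
          nat_between(spi_i, spi_r, "198.51.100.7", 500, "198.51.100.7", 500))
    print("NAT-T negotiated:", nat_t_negotiated(LOG))
```

Run against the exchange on this page, `nat_t_negotiated` returns False: the request carries the notifies, the response does not, so the initiator never gets to make the comparison that `nat_between` shows, and the CHILD_SA is set up without UDP encapsulation.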

So the tunnel is set up, but no traffic between our internal network and the cloud is possible. As a result of these tests, we are looking for a connection with a routable IP address for the external interface of our Customer VPN Gateway.
