Amazon Web Services provides a service whereby you can extend your corporate network into the Amazon Cloud using an IPsec VPN. They call this Virtual Private Cloud (VPC), and it's a nifty solution when you need to connect something that you can't put in the Cloud with something that you can.
The premise is quite simple.
Amazon allows you to create an IP subnet with a CIDR of your own choosing, and then creates a sort of virtual router for you (the Virtual Private Gateway) that both terminates a VPN to your corporate network and provides the routing table needed to route packets between that CIDR and your corporate network.
Once the setup is complete, the Amazon console generates configuration for various types of devices (Cisco, Juniper), which you then apply on your end to bring the VPN between the two networks up.
Fine, except here’s the problem.
The generated configuration relies on VTI (virtual tunnel interfaces) and BGP, and those features are not available on all Cisco devices, in particular not on the mid-range Cisco ASA firewalls that are still in common use around the Internet (newer ASA software has since added both, but the approach below works on any version). Where these devices are used to create VPNs, they use the traditional "crypto map" method, which is a little less intuitive than using VTI and BGP.
So, what can you do?
Well, the good news is that it is still possible to create an IPsec connection between your corporate network and your instances while using a CIDR of your own choosing (as opposed to the randomly allocated private address that Amazon gives you when you create a server instance outside a VPC).
The process is as follows:
Create a VPC in the normal way, and choose your CIDR. It doesn't matter what kind of VPC you create. When asked for the peer address on your side (the customer gateway), give the public address of your router (although we won't actually use this).
Create a server instance in that VPC
Create an Internet Gateway for that VPC
Allocate an Elastic IP address for the VPC and associate it with your server instance
Make sure you can connect to your instance and open a shell
Install the open-source IPsec package OpenSwan, and configure your Cisco router, as described in this post.
Make sure that this establishes a VPN between the server instance and your Cisco ASA (be careful with ACLs: the instance's security group must allow UDP 500 and 4500 from the ASA's public address, since the instance sits behind the Elastic IP's 1:1 NAT and the tunnel will run NAT-T on UDP 4500, and the ASA's crypto ACL must mirror the subnets configured in OpenSwan).
Now, go back to your VPC configuration in Amazon, and look at the route table that has been created for you. The target for your local CIDR should be "local", and the target for everything else (0.0.0.0/0) should be your Internet Gateway (igw-something). Delete any other entries, in particular the routes pointing at the Amazon VPN gateway.
If you want other server instances in the VPC to use the VPN, you will have to add routes (for your corporate LAN CIDR) on them pointing at the server instance hosting the VPN. That instance must also have IP forwarding enabled and its EC2 source/destination check disabled, or it will not forward packets it did not originate.
And that should be it.
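The complete procedure above, as an added example that is not part of the original post and not the OpenSwan or Cisco projects' own code: a shell script that renders the OpenSwan /etc/ipsec.conf and /etc/ipsec.secrets for the instance and the matching crypto-map configuration for the ASA from a single set of parameters, then applies the instance-side steps (IP forwarding, source/destination check, routes on the other instances) that the steps above require. All addresses, the PSK, the instance-id placeholder, the connection name asa and the ASA object names (AWS-TS, AWS-VPN, NONAT, OUTSIDE-MAP) are assumptions; the ASA syntax is the 8.2-era crypto-map form.

```shell
#!/bin/sh
# Added example, not code from the original post: render both halves of the
# OpenSwan <-> Cisco ASA crypto-map VPN from ONE set of parameters, so subnets,
# peer addresses, algorithms and lifetimes cannot drift apart between the ends
# (mismatches there are the usual reason such tunnels never come up).
# Every address below is an assumed placeholder; replace with your own values.
set -eu

EIP=203.0.113.10             # Elastic IP on the VPN instance: what the ASA sees
ASA_IP=198.51.100.1          # ASA "outside" interface address
VPC_CIDR=10.20.0.0/16        # the CIDR you chose when creating the VPC
VPC_NET=10.20.0.0;   VPC_MASK=255.255.0.0       # same network, ASA wants masks
CORP_CIDR=192.168.1.0/24     # corporate LAN behind the ASA
CORP_NET=192.168.1.0; CORP_MASK=255.255.255.0
PSK=${PSK:-replace-with-a-long-random-secret}   # take from the environment

# /etc/ipsec.conf for OpenSwan on the instance. left=%defaultroute is the
# instance's private address; leftid is the Elastic IP because that is the
# peer identity the ASA matches its tunnel-group against. The 1:1 NAT in
# front of the instance means the tunnel runs NAT-T on UDP 4500.
render_ipsec_conf() {
cat <<EOF
config setup
    protostack=netkey
    nat_traversal=yes
    oe=off

conn asa
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=$EIP
    leftsubnet=$VPC_CIDR
    right=$ASA_IP
    rightsubnet=$CORP_CIDR
    ike=aes128-sha1;modp1024
    esp=aes128-sha1
    pfs=no
    ikelifetime=28800s
    keylife=3600s
    auto=start
EOF
}

# /etc/ipsec.secrets, indexed by the same two identities.
render_ipsec_secrets() {
    printf '%s %s : PSK "%s"\n' "$EIP" "$ASA_IP" "$PSK"
}

# Matching ASA configuration (crypto-map style, ASA 8.2 syntax; 8.3+ changes
# the nat command, 8.4+ inserts "ikev1" after "crypto isakmp"/"crypto ipsec").
# The crypto ACL mirrors leftsubnet/rightsubnet; NONAT stops the ASA
# translating corporate traffic bound for the VPC before it is encrypted.
render_asa_config() {
cat <<EOF
crypto isakmp enable outside
crypto isakmp nat-traversal 20
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
crypto ipsec transform-set AWS-TS esp-aes esp-sha-hmac
access-list AWS-VPN extended permit ip $CORP_NET $CORP_MASK $VPC_NET $VPC_MASK
access-list NONAT extended permit ip $CORP_NET $CORP_MASK $VPC_NET $VPC_MASK
nat (inside) 0 access-list NONAT
crypto map OUTSIDE-MAP 10 match address AWS-VPN
crypto map OUTSIDE-MAP 10 set peer $EIP
crypto map OUTSIDE-MAP 10 set transform-set AWS-TS
crypto map OUTSIDE-MAP 10 set security-association lifetime seconds 3600
crypto map OUTSIDE-MAP interface outside
tunnel-group $EIP type ipsec-l2l
tunnel-group $EIP ipsec-attributes
 pre-shared-key $PSK
EOF
}

# On the VPN instance (as root): write the files, forward for the other
# instances, start the tunnel; then check "ipsec auto --status" for
# "IPsec SA established". The EC2 source/destination check must be off too
# (assumed aws cli call) or forwarded packets are dropped by the hypervisor.
install_on_instance() {
    render_ipsec_conf    > /etc/ipsec.conf
    render_ipsec_secrets > /etc/ipsec.secrets
    chmod 600 /etc/ipsec.secrets
    sysctl -w net.ipv4.ip_forward=1
    service ipsec restart
    # aws ec2 modify-instance-attribute --instance-id <id> --no-source-dest-check
}

# On every OTHER instance in the VPC: $1 = private IP of the VPN instance.
route_via_vpn_instance() {
    ip route add "$CORP_CIDR" via "$1"
}

case "${1:-render}" in
    install) install_on_instance ;;
    asa)     render_asa_config ;;
    *)       render_ipsec_conf; echo; render_ipsec_secrets ;;
esac
```

Run it with no arguments to see the OpenSwan side, with asa to get the ASA side to paste in, and with install (as root on the VPN instance) to write the files and start the tunnel. The two renderers share their variables deliberately: a crypto-map tunnel whose ACL on one end does not mirror leftsubnet/rightsubnet on the other negotiates phase 1 and then silently fails phase 2, so verify with ipsec auto --status on the instance and show crypto ipsec sa on the ASA.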
So what is actually happening here?
Basically, you're setting up a VPC so that you can use a CIDR of your own choosing, but then replacing the VTI-dependent VPN that Amazon creates for you with an OpenSwan-to-Cisco ASA VPN. As such, the Amazon VPN is redundant, although you will have to keep the VPC running (and pay for it) in order to use the CIDR of your own choosing.
The reason that many people need to choose their own CIDRs is that they are setting up permanent services, which need fixed IP addresses that they can create permanent routes to.
If this isn't required for your project, and you're happy for Amazon to change the private IP address of your server instance when it is stopped and started, you don't need to worry about creating (or paying for) a VPC.
You can just deploy OpenSwan on your server instance and away you go.