Need to get cert-based authentication working

[ckamps]

The current CloudFormation template doesn't support certificate authentication.

A person who attempted to modify a working non-cert auth configuration based on this template was unable to get the connection to work towards the end of phase 2 (no meaningful error messages from charon.log).

This issue will collect notes on how to get this working so that we can eventually enhance the CloudFormation template to support it.

[ckamps]

On the strongSwan side:

https://wiki.strongswan.org/projects/strongswan/wiki/IntroductionTostrongSwan#PKI

And more specifically, and example set of configuration files:

https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#Site-To-Site-Scenario

On the AWS side

https://aws.amazon.com/premiumsupport/knowledge-center/vpn-certificate-based-site-to-site/

CloudFormation Templates Changes:

• Add optional parameters for the client certificate and CA cents to be available in an S3 bucket.
• if cert based with parameters are present:
  • download files from S3: https://aws.amazon.com/blogs/infrastructure-and-automation/amazon-s3-authenticated-bootstrapping-in-aws-cloudformation/
  • adjust ipsec.conf per above
  • address whether or not ipsec.secrets file is needed. Normally contains private shared keys

[ckamps]

Here's an example config that has been shown to work.

Key differences as compared to not using cert auth include:

• 'leftauth=psk -> leftauth=pubkey
• 'rightauth=psk -> rightauth=pubkey

Addition of the following fields in each tunnel:

• rightid
• leftcert

    config setup
      charondebug=2

    conn %default
      leftauth=pubkey
      rightauth=pubkey
      ike=aes256-sha256-modp2048s256,aes128-sha1-modp1024!
      ikelifetime=28800s
      aggressive=no
      esp=aes128-sha256-modp2048s256,aes128-sha1-modp1024!
      lifetime=3600s
      type=tunnel
      dpddelay=10s
      dpdtimeout=30s
      keyexchange=ikev1
      rekey=yes
      reauth=no
      dpdaction=restart
      closeaction=restart
      left=%defaultroute
      leftsubnet=0.0.0.0/0,::/0
      rightsubnet=0.0.0.0/0,::/0
      leftupdown=/etc/strongswan/ipsec-vti.sh
      installpolicy=yes
      compress=no
      mobike=no

    conn AWS-VPC-TUNNEL-1
      left=%any
      right=nn.nn.nn.nn
      rightid="CN=vpn-0...db.endpoint-1"
      auto=start
      mark=100
      leftcert=vpn.acme.cloud.pem

    conn AWS-VPC-TUNNEL-2
      left=%any
      right=nn.nn.nn.nn
      rightid="CN=vpn-0...db.endpoint-0"
      auto=start
      mark=200
      leftcert=vpn.acme.cloud.pem

[ckamps]

Support for certificate-based authentication has been added to the template.