Closed ckamps closed 4 years ago
On the strongSwan side:
https://wiki.strongswan.org/projects/strongswan/wiki/IntroductionTostrongSwan#PKI
And more specifically, an example set of configuration files:
https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples#Site-To-Site-Scenario
On the AWS side
https://aws.amazon.com/premiumsupport/knowledge-center/vpn-certificate-based-site-to-site/
CloudFormation Templates Changes:
Here's an example config that has been shown to work.
Key differences as compared to not using cert auth include:
leftauth=psk -> leftauth=pubkey
rightauth=psk -> rightauth=pubkey
Addition of the following fields in each tunnel:
rightid
leftcert
config setup
    charondebug=2

conn %default
    # certificate (public-key signature) authentication on both sides instead of psk
    leftauth=pubkey
    rightauth=pubkey
    ike=aes256-sha256-modp2048s256,aes128-sha1-modp1024!
    ikelifetime=28800s
    aggressive=no
    esp=aes128-sha256-modp2048s256,aes128-sha1-modp1024!
    lifetime=3600s
    type=tunnel
    dpddelay=10s
    dpdtimeout=30s
    keyexchange=ikev1
    rekey=yes
    reauth=no
    dpdaction=restart
    closeaction=restart
    left=%defaultroute
    leftsubnet=0.0.0.0/0,::/0
    rightsubnet=0.0.0.0/0,::/0
    # VTI setup/teardown script, keyed on the per-tunnel mark set in each conn
    leftupdown=/etc/strongswan/ipsec-vti.sh
    installpolicy=yes
    compress=no
    mobike=no

conn AWS-VPC-TUNNEL-1
    left=%any
    # outside IP address of AWS tunnel endpoint 1
    right=nn.nn.nn.nn
    # identity (CN) presented in the AWS endpoint certificate; must match exactly
    rightid="CN=vpn-0...db.endpoint-1"
    auto=start
    mark=100
    # customer gateway certificate, relative to /etc/strongswan/ipsec.d/certs/
    leftcert=vpn.acme.cloud.pem

conn AWS-VPC-TUNNEL-2
    left=%any
    # outside IP address of AWS tunnel endpoint 2
    right=nn.nn.nn.nn
    rightid="CN=vpn-0...db.endpoint-0"
    auto=start
    mark=200
    leftcert=vpn.acme.cloud.pem
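The list of differences above is easy to get only half right by hand (one side left on psk, or a conn missing its rightid), and charon gives little feedback when that happens. The following script is an added example and not code from the issue, the CloudFormation template, or strongSwan: it parses an ipsec.conf, applies the psk-to-pubkey conversion described above to every tunnel conn, and checks that each conn's effective settings (after %default inheritance) carry leftauth/rightauth=pubkey, a leftcert and a CN= rightid. The sample config, the 198.51.100.x addresses and the CN values are constructed for the example; the real endpoint CNs come from the AWS endpoint certificates.

```python
"""Convert a psk-based strongSwan ipsec.conf to certificate auth and verify it.
Added example; not part of the issue, the template, or strongSwan itself."""

# Constructed sample: the kind of psk-based config the template currently produces.
PSK_CONF = """config setup
    charondebug=2

conn %default
    leftauth=psk
    rightauth=psk
    keyexchange=ikev1
    type=tunnel
    leftupdown=/etc/strongswan/ipsec-vti.sh

conn AWS-VPC-TUNNEL-1
    left=%any
    right=198.51.100.10   # constructed address
    auto=start
    mark=100

conn AWS-VPC-TUNNEL-2
    left=%any
    right=198.51.100.11   # constructed address
    auto=start
    mark=200
"""


def parse_ipsec_conf(text):
    """Return {section: {key: value}}. Section headers ('conn X', 'config setup')
    start in column 0; parameters are indented; '#' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
            continue
        if current is None:
            raise ValueError(f"parameter outside of a section: {line!r}")
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip().strip('"')
    return sections


def effective(sections, conn):
    """Settings a conn actually uses: its own values over 'conn %default'."""
    merged = dict(sections.get("conn %default", {}))
    merged.update(sections[conn])
    return merged


def tunnel_conns(sections):
    return [n for n in sections if n.startswith("conn ") and n != "conn %default"]


def convert_to_cert_auth(sections, leftcert, rightids):
    """Apply the issue's differences: psk -> pubkey in %default, plus a
    per-tunnel rightid (AWS endpoint cert CN) and the shared leftcert."""
    out = {name: dict(params) for name, params in sections.items()}
    default = out.setdefault("conn %default", {})
    default["leftauth"] = "pubkey"
    default["rightauth"] = "pubkey"
    for conn, rightid in rightids.items():
        out[conn]["rightid"] = rightid
        out[conn]["leftcert"] = leftcert
    return out


def check_cert_auth(sections):
    """Return a list of problems; an empty list means every tunnel conn is set
    up for certificate authentication."""
    problems = []
    for conn in tunnel_conns(sections):
        eff = effective(sections, conn)
        for side in ("leftauth", "rightauth"):
            if eff.get(side) != "pubkey":
                problems.append(f"{conn}: {side}={eff.get(side, '<unset>')}, expected pubkey")
        if not eff.get("leftcert"):
            problems.append(f"{conn}: leftcert missing")
        if not eff.get("rightid", "").startswith("CN="):
            problems.append(f"{conn}: rightid missing or not a CN= identity")
    return problems


def render(sections):
    """Write the sections back out; values containing '=' or spaces are quoted,
    as the rightid value must be."""
    lines = []
    for name, params in sections.items():
        lines.append(name)
        for key, value in params.items():
            quoted = f'"{value}"' if ("=" in value or " " in value) else value
            lines.append(f"    {key}={quoted}")
        lines.append("")
    return "\n".join(lines)


def secrets_entry(private_key_file):
    """ipsec.secrets line telling charon to load the private key for leftcert
    (path relative to /etc/strongswan/ipsec.d/private/)."""
    return f": RSA {private_key_file}"


if __name__ == "__main__":
    before = parse_ipsec_conf(PSK_CONF)
    print("before:", *check_cert_auth(before), sep="\n  ")
    after = convert_to_cert_auth(before, "vpn.acme.cloud.pem", {
        "conn AWS-VPC-TUNNEL-1": "CN=tunnel-1.endpoint.invalid",  # hypothetical CN
        "conn AWS-VPC-TUNNEL-2": "CN=tunnel-0.endpoint.invalid",  # hypothetical CN
    })
    print("after:", check_cert_auth(after))
    print(render(after))
    print(secrets_entry("vpn.acme.cloud.key"))
```

The rightid check only confirms a CN= form is present; the value itself must be copied from the certificate AWS presents for that endpoint, and the leftcert file must be readable by charon with its private key listed in ipsec.secrets, otherwise the tunnel fails at authentication rather than at configuration time.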
Support for certificate-based authentication has been added to the template.
The current CloudFormation template doesn't support certificate authentication.
A person who attempted to modify a working non-cert auth configuration based on this template was unable to get the connection to work towards the end of phase 2 (no meaningful error messages from charon.log).
This issue will collect notes on how to get this working so that we can eventually enhance the CloudFormation template to support it.