Configuring VPN between AWS and ASA 5506, part 1

Configuring VPN between AWS and ASA 5506, part 1
  • Mikaël Dautrey

An overview of technology

Full benefit of cloud services requires to establish a secure connexion between the local IT infrastructure and the cloud provider. VPN tunnels are precisely designed for this purpose.

This post and the next ones offer a tour of VPN technology and a concrete configuration to set up a site-to-site VPN between a Cisco ASA-X and AWS.

GRE, site-to-site and client VPN

There are three main flavors of VPN, that correspond to different levels of integration between the two interconnected networks:

  • GRE, Generic Routing Encapsulation, is a generic protocol to encapsulate any traffic over an IP network. GRE is intuitively what one will expect a VPN to offer, a dedicated, private, secret transport tunnel over a potentially hostile, public IP network. In fact, GRE is not as common as its cousins, site-to-site and client VPN.
  • Lan-to-Lan or site-to-site VPN: it's the usual VPN, IPSec, that you will setup between two sites. The tunnel is not generic like a GRE tunnel. It carries only identified traffic between two LANs. A list of subnets is attached to each endpoint. The traffic across the VPN is restricted to these subnets.
  • Client VPN : client VPN is a remote access solution. In a client VPN, the remote station is integrated in the local network. A local address is attributed to the remote station. The remote station instantiates a virtual network interface. Rules are pushed to the remote station to split the network traffic between VPN and non-VPN. Use cases include remote work, mobile work and access to secured networks like admin networks.

The level of integration between the two endpoints increases from GRE, where the two interconnected routers may send WAN traffic, to LAN-to-LAN where the interconnected networks are distinct but tightly defined, and client VPN where the client is fully integrated in the LAN.

IPSec is the defacto standard of site-to-site VPN. SD-WAN editors offer new, proprietary solutions but there is no VPN standard for SD-WAN as of today. A standard for SDWAN will certainly emerge when the market matures.

Many VPN client technologies are available, SSL VPN (anyconnect, openvpn), L2TP, PTPT, and so on. Standardization is less a concern because VPN clients is often confined within the same organization. You'll find many resources that inventory VPN client technologies on the web.

The inherent difficulties of VPN setup

Setting up a VPN is often painful:

  • Technologies are rather obscure. They are based on advanced mathematical concepts. They rely on recent advances in the field of arithmetic and cryptography theory, that were published in the 80s or later.
  • Traffic is ciphered. Traffic monitoring offers a limite visibility on how the connexion works and why it fails. An access to debugging tools and messages is required to troubleshoot a failing connexion.
  • Exactness is a security requirement, not an option. A password is either right or wrong. One letter wrong is not different to a whole wrong password. Likewise, a VPN will fail if IP packets are modified in an unexpected, improper way, for instance in a NAT traversal, or if clocks between peers are not synchronized. Any unexpected parameter or behavior may be classified as an attempted hacker attack and may result in a connexion error, as such.
  • VPN interacts with every network layer, from address attribution to routing and encapsulation.
  • Configuration options are numerous. Understanding their outcome is no easy. Moreover, both peer ends must have a compatible configuration.

Troubleshooting a connection failure is very difficult unless you have access to debugging tools, to monitor the process at the traffic level and at the VPN software level.

Vendor flavours of VPN

Cisco

Some key facts:

  • VPN configuration differs between traditional ASA, new ASA with FTD and routers
  • Old hardware supports only SHA1 with no path to upgrade.
  • On ASA, encryption capabilities differs between K8 and K9 version. Only K9 supports strong encryption.
  • Using anyconnect (Cisco solution for VPN client) requires a specific license.

Cisco FTD VPN functionalities were added recently. Some parameters are not configurable. We'll get back to this point later.

For more information about version and license, you may read this good resource.

Microsoft : PPTP and L2TP

Microsoft VPN client is a very common solution, because, on Windows client, no software installation is necessary.

It is strongly recommended not to use PPTP because it doesn't offer strong enough encryption schema.

L2TP suffers from PPTP bad reputation, but it's a good protocol as long as you configure it with a proper encryption layer. When configuring it, you may face (or not) the following challenges:

  • Debug messages are confusing.
  • NAT traversal is sometimes difficult, or even impossible, when the client lies behind a Cisco FTD firewall - this problem is due to Cisco FTD no to Microsoft.
  • A configuration that works on Win 7 may not work on Win 10.
  • OS upgrades sometimes break the configuration. In the past, we had to reset network interfaces following a service pack upgrade.

OpenVPN

OpenVPN is a raising VPN client solution. OpenVPN offers SSL VPN, that passes through the vast majority of network equipments, firewalls, ADSL boxes. Client configuration is embedded in a text file that you copy on the client.

We tested it in many configurations:

  • On NAS (Qnap, Synology), server-side configuration is sometimes tricky, because of the linux custom distribution running on it. Some parameters are not accessible. Some options are not available.
  • Configuring a Windows client is a simple task, but, some custom configurations - for instance, if you need to bring the VPN connexion up before the user logs into his session - are not that easy to define.

As a conclusion

IPSec is a de facto free standard for site-to-site VPN.

When there are too many LANs on either side of the site-to-site tunnels, or when tracing individual LANs doesn't make sense, GRE is a good alternative.

Free VPN client applications include Windows/L2TP and OpenVPN. OpenVPN is a good solution as long as you don't rely on a custom (poor) implementation of the server side. L2TP is natively supported by Windows OS. Proprietary VPN client applications are often simpler to configure with richer functionalities, but you have to pay for the licenses.