  1. #1
    Untangler
    Join Date
    Oct 2015
    Posts
    54

    Default Site to Site with Amazon VPC

    It seems like it has been a while since anyone addressed the feasibility of establishing a site-to-site IPsec VPN to an Amazon Web Services Virtual Private Cloud. Has anyone had any success, or do I need to either give up on Untangle or perhaps run my Untangle device behind another device that can readily establish the connection?

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,542

    Default

    IPSec is IPSec

    Getting two different vendors to play isn't always easy, but usually possible.

    And before you ask, no I don't know how. No I'm not going to test it. It'll be a cold day in Satan's realm before I trust AWS. I know some of the people who wrote it, and exactly how dysfunctional that dev environment is.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Untangler
    Join Date
    Oct 2015
    Posts
    54

    Default

    Thanks for your reply. Let's set aside the AWS VPC IPSec bundled tools then and focus on what you think might be the path of least resistance.

    It sounds like if you were to attack this problem you'd deploy an instance in the VPC that provides IPSec and avoid the AWS tooling for this. Would you recommend installing Untangle on an AWS instance and then creating a site-to-site connection between the AWS/Untangle instance and my Untangle appliance in my home lab? That would address the two-vendor comment you made. Or would you deploy some other IPSec solution in an AWS instance and then attempt to create an IPSec connection to my Untangle appliance?

    And no, I'm not asking you, or anyone else, to test anything for me. I'm just trying to get my bearings before I dig in.

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,542

    Default

    If you've got a full VPS running a Linux or Windows OS you could use OpenVPN, or the built-in L2TP client, to connect to the IPSec module as a soft client. There's no need for a virtual Untangle.

    Now, if you're managing an entire virtual cluster of VMs, then sure... it might make sense to have your own virtual firewall at the "edge" of it. If you did, I'd stick with the same software you use at home (Untangle), to make your life easier. That's one of the wonderful advantages of using a software-based solution for network security that isn't hardware locked: you can VM it when it makes sense to do so.

    But, all of that aside, AWS does have IPSec tools, and they should be able to hook to Untangle's IPSec module. Just be aware that Untangle's IPSec module is designed for site-to-site tunnels, not endpoint termination. So you have to figure out which type of VPN AWS is using.

    This is more about ensuring the method is sane than the actual mechanics.

  5. #5
    Untangler
    Join Date
    Oct 2015
    Posts
    54

    Default

    I am extending a private network into an AWS VPC. I really only need an IPSec site-to-site tunnel and not a full-blown UTM solution.

    I've never needed to build a site-to-site connection before. I have had great success with the OpenVPN tools built into Untangle for point-to-site connections. I wanted to learn more about the OpenVPN Access Server, so I disabled the OpenVPN application from the Untangle rack and deployed an OpenVPN VMware appliance with the requisite port forwarding from my Untangle gateway. That has also been working very well. The only reason I'd keep the OpenVPN appliance in place is if it allowed me an easier path to deploy the site-to-site IPSec I want. I do not have a sense of the relative merits of running IPSec from an OpenVPN Access Server AWS instance to the Untangle IPSec module on the one hand, or from an OpenVPN Access Server AWS instance to an OpenVPN Access Server that resides on the network with the Untangle device at the edge on the other. I've read descriptions of people who have managed to get the Untangle IPSec module working with the AWS tools, but it seems that the Untangle GUI doesn't offer all of the flexibility needed to get the settings working correctly for an AWS VPN connection without Border Gateway Protocol. Their solutions end up requiring some fiddling with the ipsec.conf file and then locking down that file so the Untangle GUI doesn't overwrite it.

    For those reasons, AWS to Untangle IPSec module seems a bit less than ideal to me.

    I need to consider whether AWS IPSec tooling to an OpenVPN Access Server appliance is a better approach, or OpenVPN Access Server on AWS to either the Untangle IPSec module (which at least puts the IPSec connection on my side of things on the gateway device rather than behind a firewall with port forwarding) or to an OpenVPN Access Server virtual machine sitting behind the Untangle device.

    So many possibilities. It's making my head spin.
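    As an added example (not code from this thread, from Untangle or from AWS), this is the shape of the ipsec.conf tunnel definition that the "fiddling" above refers to, written in strongSwan syntax for one of the two tunnels a statically routed (no-BGP) AWS VPN connection provides. Every address, subnet and the cipher proposals here are placeholders or assumptions; the real values come from the configuration file AWS generates for the connection.

```conf
# Constructed example: one AWS VPN tunnel on the Untangle (strongSwan-style) side.
# All addresses and subnets below are placeholders, not real endpoints.
config setup
    uniqueids = yes

conn aws-vpc-tunnel1
    keyexchange=ikev1
    authby=secret                # PSK from the AWS-generated config (kept in ipsec.secrets)
    # Local side: Untangle holds the public WAN address itself (no NAT in front),
    # which is what keeps the tunnel at the edge as the thread recommends.
    left=203.0.113.10            # placeholder: your public WAN address
    leftid=203.0.113.10          # must match the customer gateway IP registered in AWS
    leftsubnet=192.168.10.0/24   # placeholder: home-lab LAN
    # Remote side: the "Tunnel 1" outside IP from the AWS config; AWS provides a
    # second endpoint for redundancy that would be a second conn block.
    right=198.51.100.20          # placeholder: AWS virtual private gateway
    rightid=198.51.100.20
    rightsubnet=10.0.0.0/16      # placeholder: VPC CIDR
    # Pin the proposals explicitly (assumed values; copy the ones AWS lists) so
    # the daemon cannot negotiate anything weaker than intended.
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1-modp1024!
    ikelifetime=8h
    lifetime=1h
    # Dead-peer detection so the tunnel re-establishes after an AWS rekey or failover.
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart
    type=tunnel
    auto=start
```

    The matching pre-shared key from the same AWS file belongs in ipsec.secrets on a line of the form `203.0.113.10 198.51.100.20 : PSK "<key>"`, readable by root only. If the Untangle GUI regenerates ipsec.conf, any hand edits like these are lost, which is the "locking down" problem the post describes.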

  6. #6
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,542

    Default

    Yeah, which is yet another reason why I like Untangle. You have OpenVPN and you have IPSec / L2TP. You've got three different protocols, with different implementations. Which one will work? One of them surely will. But the options are all there.

    Now you have AWS running behind Untangle, and that's fine. But you should be aware that you really don't want to be using IPSec unless the devices doing it are at the edges of the respective networks. NAT and IPSec can get very annoying, very quickly.

  7. #7
    Untangler
    Join Date
    Oct 2015
    Posts
    54

    Default

    Quote Originally Posted by sky-knight
    Yeah, which is yet another reason why I like Untangle. You have OpenVPN and you have IPSec / L2TP. You've got three different protocols, with different implementations. Which one will work? One of them surely will. But the options are all there.

    Now you have AWS running behind Untangle, and that's fine. But you should be aware that you really don't want to be using IPSec unless the devices doing it are at the edges of the respective networks. NAT and IPSec can get very annoying, very quickly.
    OK, so I will focus my initial efforts on using an OpenVPN Access Server instance to forge an IPSec connection to the IPSec module of the Untangle device. That will keep activity on the edge of the network.

    I've got a hunch that VyOS might be easier to use for the site-to-site connection, especially because AWS is set up with their tooling to support Vyatta and successor devices. Would it be ridiculous to run Untangle in transparent mode behind a VyOS appliance? I hope it doesn't come to that. I suppose I could always just build an Untangle instance in AWS to connect to my Untangle device, even though I don't need all that functionality in my VPC.

    As an aside, I really appreciate your input.

  8. #8
    Untangle Junkie dmorris's Avatar
    Join Date
    Nov 2006
    Location
    San Carlos, CA
    Posts
    17,486

    Default

    I would just connect your Untangle to whatever your (virtual) firewall device in AWS is.

    You have a near-infinite number of protocols to choose from. IPsec, Xauth, L2TP, OpenVPN, GRE. Take your pick.
    It's hard to theorycraft about what hypothetical problems you may have.
    Attention: Support and help on the Untangle Forums is provided by volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  9. #9
    Untangler
    Join Date
    Oct 2015
    Posts
    54

    Default

    I've got things working now and will post the steps I took shortly. I have a working site-to-site connection from my AWS VPC to my lab network using the Amazon hardware VPN to the IPSec module on my Untangle. Thanks to those who helped me.
