Alternative VPN Configurations

Alternative VPN Software and Enhanced Configurations

This section covers modern alternatives to OpenSwan and enhanced security configurations for production environments.

StrongSwan Alternative Configuration

Why StrongSwan?

🔧 Modern IPsec Implementation

  • Active development and regular security updates
  • Better performance and stability
  • Enhanced IKEv2 support
  • Improved debugging and logging capabilities

StrongSwan Installation and Configuration

  1. Install StrongSwan on Amazon Linux 2:
# Update system
sudo yum update -y

# Install StrongSwan
sudo amazon-linux-extras install epel -y
sudo yum install strongswan -y

# Verify installation
strongswan version
  2. Configure StrongSwan IPsec settings (/etc/strongswan/ipsec.conf):
# /etc/strongswan/ipsec.conf
config setup
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn %default
    ikelifetime=28800s
    keylife=3600s
    rekeymargin=3m
    keyingtries=3
    keyexchange=ikev2
    mobike=no
    # DH groups 24, 14 and 5 as fallbacks; strongSwan has no "modp1536s256" or "modp1024s256" group
    ike=aes256-sha256-modp2048s256,aes256-sha256-modp2048,aes256-sha256-modp1536!
    esp=aes256-sha256-modp2048s256,aes256-sha256-modp2048,aes256-sha256-modp1536!

conn aws-tunnel-1
    auto=start
    left=%defaultroute
    leftid=<CUSTOMER_GATEWAY_PUBLIC_IP>
    right=<AWS_VPN_TUNNEL_1_IP>
    rightid=<AWS_VPN_TUNNEL_1_IP>
    leftsubnet=10.11.0.0/16
    rightsubnet=10.10.0.0/16
    authby=secret
    leftauth=psk
    rightauth=psk
    type=tunnel
    dpddelay=10s
    dpdtimeout=30s
    dpdaction=restart
    closeaction=restart
    mark_in=100
    mark_out=100

conn aws-tunnel-2
    auto=start
    left=%defaultroute
    leftid=<CUSTOMER_GATEWAY_PUBLIC_IP>
    right=<AWS_VPN_TUNNEL_2_IP>
    rightid=<AWS_VPN_TUNNEL_2_IP>
    leftsubnet=10.11.0.0/16
    rightsubnet=10.10.0.0/16
    authby=secret
    leftauth=psk
    rightauth=psk
    type=tunnel
    dpddelay=10s
    dpdtimeout=30s
    dpdaction=restart
    closeaction=restart
    mark_in=200
    mark_out=200
  3. Configure Pre-shared Keys (/etc/strongswan/ipsec.secrets):
# /etc/strongswan/ipsec.secrets
<CUSTOMER_GATEWAY_PUBLIC_IP> <AWS_VPN_TUNNEL_1_IP> : PSK "<TUNNEL_1_PSK>"
<CUSTOMER_GATEWAY_PUBLIC_IP> <AWS_VPN_TUNNEL_2_IP> : PSK "<TUNNEL_2_PSK>"
  4. Start and Enable StrongSwan:
# Enable IP forwarding and disable ICMP redirects (written to sysctl.conf so they persist)
echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv4.conf.all.accept_redirects = 0' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv4.conf.all.send_redirects = 0' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

# Start StrongSwan
sudo systemctl enable strongswan
sudo systemctl start strongswan

# Check status
sudo systemctl status strongswan
sudo strongswan status

Enhanced Security Configurations

1. Strong Encryption Algorithms

IKEv2 with Enhanced Security:

# Enhanced IKE algorithms: AES-256-GCM is an AEAD cipher, so the IKE proposal
# names a PRF (prfsha384) instead of a separate integrity algorithm and the ESP
# proposal names none (AWS terms: AES256-GCM-16, SHA2-384, DH group 20)
ike=aes256gcm16-prfsha384-ecp384,aes256-sha256-modp2048s256!
esp=aes256gcm16-ecp384,aes256-sha256-modp2048s256!

# Perfect Forward Secrecy: strongSwan 5 enables it through the DH group named in
# the esp= proposal (ecp384 / modp2048s256 above); the old pfs=yes keyword is gone
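Weak proposals tend to survive in the %default block or in a forgotten conn long after the headline tunnels were hardened. The following shell script is an added example, not code from the original guide or the strongSwan project: it scans an ipsec.conf for proposal tokens on a constructed deny-list (WEAK_TOKENS, adjust to local policy) and also flags esp= lines without a DH group, since that is what controls PFS in strongSwan 5. The function name and the sample config are hypothetical.

```shell
#!/bin/bash
# Added example, not part of the original guide: audit the ike=/esp= lines of
# an ipsec.conf for algorithms outside policy. strongSwan 5 turns on PFS only
# when the esp= proposal names a DH group, so esp= lines without one are flagged.
WEAK_TOKENS='modp768|modp1024|modp1024s160|modp1536|sha1|md5|3des|des|null'
DH_TOKENS='^(modp|ecp|curve|x25519)'

# audit_proposals FILE: prints "WEAK <conn> <ike|esp> <token>", "NOPFS <conn> esp"
# or "OK <conn> <ike|esp>" per proposal line; returns 1 if anything was flagged.
audit_proposals() {
  local file="$1" conn="%default" rc=0 line key val prop tok hit has_dh
  local -a props toks
  while IFS= read -r line; do
    line="${line%%#*}"                          # drop comments
    line="${line#"${line%%[![:space:]]*}"}"     # trim leading whitespace
    line="${line%"${line##*[![:space:]]}"}"     # trim trailing whitespace
    [ -z "$line" ] && continue
    [[ "$line" == conn\ * ]] && { conn="${line#conn }"; continue; }   # track conn block
    key="${line%%=*}"; val="${line#*=}"
    [[ "$key" == ike || "$key" == esp ]] || continue
    val="${val%!}"                              # strip the strict-proposal flag
    hit=0; has_dh=0
    IFS=',' read -ra props <<< "$val"           # proposals are comma separated
    for prop in "${props[@]}"; do
      IFS='-' read -ra toks <<< "$prop"         # algorithms are dash separated
      for tok in "${toks[@]}"; do
        [[ "$tok" =~ $DH_TOKENS ]] && has_dh=1
        [[ "$tok" =~ ^(${WEAK_TOKENS})$ ]] && { echo "WEAK $conn $key $tok"; hit=1; rc=1; }
      done
    done
    [ "$key" = esp ] && [ "$has_dh" -eq 0 ] && { echo "NOPFS $conn esp"; hit=1; rc=1; }
    [ "$hit" -eq 0 ] && echo "OK $conn $key"
  done < "$file"
  return "$rc"
}

# Constructed sample: a hardened %default plus a leftover conn with weak settings.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" << 'EOF'
conn %default
    ike=aes256gcm16-prfsha384-ecp384,aes256-sha256-modp2048s256!
    esp=aes256gcm16-ecp384,aes256-sha256-modp2048s256!

conn legacy-tunnel
    ike=aes128-sha1-modp1024!   # DH group 2 and SHA-1
    esp=aes128-sha1!            # no DH group, so no PFS
EOF
audit_proposals "$SAMPLE_CONF" || echo "audit exit status $?"
```

Run it against the real file with `audit_proposals /etc/strongswan/ipsec.conf`; a non-zero exit makes it usable as a pre-deployment gate.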

2. Certificate-based Authentication (Advanced)

# Generate a private CA (keep the CA key offline and restricted to the owner)
sudo strongswan pki --gen --type rsa --size 4096 --outform pem > ca-key.pem
sudo strongswan pki --self --ca --lifetime 3652 --in ca-key.pem --type rsa --dn "CN=VPN CA" --outform pem > ca-cert.pem
chmod 600 ca-key.pem

# Customer gateway certificate, issued by the CA above
sudo strongswan pki --gen --type rsa --size 2048 --outform pem > client-key.pem
sudo strongswan pki --issue --lifetime 1826 --cacert ca-cert.pem --cakey ca-key.pem --in client-key.pem --type rsa --dn "CN=customer-gateway" --san customer-gateway --outform pem > client-cert.pem
chmod 600 client-key.pem

# Note: AWS Site-to-Site VPN accepts certificate authentication only with a
# certificate issued through AWS Private CA; a self-signed CA like this one
# suits lab setups or non-AWS IPsec peers

3. Advanced DPD Configuration

# Aggressive Dead Peer Detection
dpddelay=10s
dpdtimeout=30s
dpdaction=restart
closeaction=restart

# Connection monitoring
auto=route
keyingtries=%forever

BGP Dynamic Routing Configuration

Prerequisites for BGP

  1. Create VPN Connection with BGP:
    • In AWS Console, select Dynamic routing instead of Static
    • Configure BGP ASN (Autonomous System Number)
    • Customer Gateway ASN: 65000 (example)
    • AWS ASN: 64512 (default)

2. Configure BGP alongside StrongSwan (FRRouting)

Install and Configure FRRouting:

# Install FRRouting for BGP
sudo yum install -y frr

# Enable the BGP daemon (FRR ships with bgpd=no in /etc/frr/daemons)
sudo sed -i 's/^bgpd=no/bgpd=yes/' /etc/frr/daemons

# Start FRRouting
sudo systemctl enable frr
sudo systemctl start frr

BGP Configuration (/etc/frr/frr.conf):

# /etc/frr/frr.conf
frr version 7.5
frr defaults traditional
hostname customer-gateway
log syslog informational
no ipv6 forwarding
service integrated-vtysh-config

router bgp 65000
 bgp router-id 169.254.12.1
 neighbor 169.254.12.2 remote-as 64512
 neighbor 169.254.12.2 timers 10 30
 neighbor 169.254.12.2 timers connect 10
 neighbor 169.254.13.2 remote-as 64512
 neighbor 169.254.13.2 timers 10 30
 neighbor 169.254.13.2 timers connect 10
 
 address-family ipv4 unicast
  network 10.11.0.0/16
  neighbor 169.254.12.2 soft-reconfiguration inbound
  neighbor 169.254.13.2 soft-reconfiguration inbound
 exit-address-family

line vty

3. BGP Monitoring Commands

# Check BGP status
sudo vtysh -c "show bgp summary"
sudo vtysh -c "show ip route bgp"
sudo vtysh -c "show bgp neighbors"

# Debug BGP
sudo vtysh -c "debug bgp events"
sudo vtysh -c "debug bgp updates"

Advanced Monitoring and Troubleshooting

1. CloudWatch Integration

Enable VPN Logs in AWS Console:

  • Navigate to VPN Connection
  • Actions → Modify VPN tunnel options
  • Enable Tunnel activity log
  • Select CloudWatch Log Group
  • Set output format to json for structured logging

2. Custom CloudWatch Metrics

# Install CloudWatch agent
sudo yum install -y amazon-cloudwatch-agent

# Create custom metrics script (the instance IAM role needs cloudwatch:PutMetricData)
sudo tee /opt/vpn-metrics.sh > /dev/null << 'EOF'
#!/bin/bash
# Custom VPN monitoring script; runs from root's crontab, so no sudo is needed

REGION=ap-southeast-1

# Check tunnel status: 1 when the conn's IKE_SA is ESTABLISHED, 0 otherwise
TUNNEL1_STATUS=$(strongswan status | grep "aws-tunnel-1" | grep -c "ESTABLISHED")
TUNNEL2_STATUS=$(strongswan status | grep "aws-tunnel-2" | grep -c "ESTABLISHED")

# Send metrics to CloudWatch
aws cloudwatch put-metric-data \
    --namespace "Custom/VPN" \
    --metric-data MetricName=Tunnel1Status,Value=$TUNNEL1_STATUS,Unit=Count \
    --region "$REGION"

aws cloudwatch put-metric-data \
    --namespace "Custom/VPN" \
    --metric-data MetricName=Tunnel2Status,Value=$TUNNEL2_STATUS,Unit=Count \
    --region "$REGION"

# Check BGP sessions if using dynamic routing. FRR's "show bgp summary" prints a
# prefix count rather than the word Established for a session that is up, so
# count established sessions from the detailed neighbor output instead
if command -v vtysh &> /dev/null; then
    BGP_SESSIONS=$(vtysh -c "show bgp neighbors" | grep -c "BGP state = Established")
    aws cloudwatch put-metric-data \
        --namespace "Custom/VPN" \
        --metric-data MetricName=BGPSessions,Value=$BGP_SESSIONS,Unit=Count \
        --region "$REGION"
fi
EOF

sudo chmod +x /opt/vpn-metrics.sh

# Append to root's crontab (a bare "crontab -" would replace any existing entries)
( sudo crontab -l 2>/dev/null; echo "*/5 * * * * /opt/vpn-metrics.sh" ) | sudo crontab -
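A count of ESTABLISHED lines cannot tell an IKE_SA with no CHILD_SA from a working tunnel, nor a tunnel that is up while its BGP session is not. As an added example (not part of the original guide), the shell functions below pair each tunnel with its BGP neighbor from the frr.conf above and report those conditions; the status and summary texts are constructed samples using documentation addresses, not live output, and the function names are hypothetical.

```shell
#!/bin/bash
# Added example, not part of the original guide: pair each IPsec tunnel with
# its BGP neighbor and report the states a bare "ESTABLISHED" count hides.
# All status text below is constructed sample output, not a live capture.

# tunnel_state "<strongswan status output>" <conn> -> up | ike-only | down
# "up" needs both an ESTABLISHED IKE_SA and an INSTALLED CHILD_SA for the conn.
tunnel_state() {
  local status="$1" conn="$2"
  grep -qE "^${conn}\[[0-9]+\]: ESTABLISHED" <<< "$status" || { echo down; return; }
  grep -qE "^${conn}\{[0-9]+\}: +INSTALLED" <<< "$status" && echo up || echo ike-only
}

# bgp_state "<show bgp summary output>" <neighbor> -> established | <fsm state> | missing
# FRR prints the received-prefix count in State/PfxRcd once a session is
# Established, and the FSM state (Active, Connect, Idle, ...) otherwise.
bgp_state() {
  local summary="$1" neighbor="$2" field
  field=$(awk -v n="$neighbor" '$1 == n { print $10 }' <<< "$summary")
  case "$field" in
    "")       echo missing ;;
    *[!0-9]*) echo "${field,,}" ;;
    *)        echo established ;;
  esac
}

# vpn_health "<strongswan status>" "<bgp summary>": one line per tunnel plus a
# HEALTHY/DEGRADED verdict; returns 1 unless both tunnels and sessions are up.
vpn_health() {
  local status="$1" summary="$2" rc=0 pair conn nbr t b
  for pair in aws-tunnel-1:169.254.12.2 aws-tunnel-2:169.254.13.2; do
    conn="${pair%%:*}"; nbr="${pair#*:}"
    t=$(tunnel_state "$status" "$conn"); b=$(bgp_state "$summary" "$nbr")
    echo "$conn ipsec=$t bgp=$b"
    [ "$t" = up ] && [ "$b" = established ] || rc=1
  done
  [ "$rc" -eq 0 ] && echo HEALTHY || echo DEGRADED
  return "$rc"
}

# Constructed sample: tunnel 1 fully up, tunnel 2 still negotiating IKE.
SAMPLE_STATUS='Security Associations (1 up, 1 connecting):
aws-tunnel-1[3]: ESTABLISHED 41 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.1[198.51.100.1]
aws-tunnel-1{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3c4_i d4e5f6a7_o
aws-tunnel-2[4]: CONNECTING, 203.0.113.10[%any]...198.51.100.2[%any]'
SAMPLE_BGP='Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt
169.254.12.2    4      64512       251       249        0    0    0 00:41:12            1        1
169.254.13.2    4      64512         0         0        0    0    0    never       Active        0'
vpn_health "$SAMPLE_STATUS" "$SAMPLE_BGP" || echo "health check exit status $?"
```

On a live gateway, feed it `vpn_health "$(strongswan status)" "$(vtysh -c 'show bgp summary')"` and alert on a non-zero exit or on any `ike-only` line.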

3. Comprehensive Troubleshooting Guide

Common Issues and Solutions:

# 1. Check tunnel status
sudo strongswan status
sudo strongswan statusall

# 2. Check logs
sudo journalctl -u strongswan -f
sudo tail -f /var/log/messages | grep charon

# 3. Test connectivity
ping -c 4 169.254.12.2  # AWS tunnel endpoint
ping -c 4 10.10.1.10    # AWS instance

# 4. Check routing (resolve the path to a concrete remote host behind the tunnel)
ip route show
ip route get 10.10.1.10

# 5. Verify IPsec SAs
sudo strongswan listall
sudo ip xfrm state
sudo ip xfrm policy

# 6. Network troubleshooting
sudo tcpdump -i any esp
sudo tcpdump -i any host <AWS_TUNNEL_IP>

# 7. BGP troubleshooting (if using dynamic routing)
sudo vtysh -c "show bgp neighbors"
sudo vtysh -c "show ip route"
sudo vtysh -c "show bgp"

4. Performance Optimization

# Optimize network buffer sizes (written to sysctl.conf so they persist)
echo 'net.core.rmem_default = 262144' | sudo tee -a /etc/sysctl.conf
echo 'net.core.rmem_max = 16777216' | sudo tee -a /etc/sysctl.conf
echo 'net.core.wmem_default = 262144' | sudo tee -a /etc/sysctl.conf
echo 'net.core.wmem_max = 16777216' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv4.tcp_rmem = 4096 65536 16777216' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv4.tcp_wmem = 4096 65536 16777216' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

# Optimize StrongSwan performance. strongswan.conf uses nested sections rather
# than dotted keys, so put the settings in a drop-in file (the default
# strongswan.conf includes strongswan.d/*.conf) and restart the daemon
sudo tee /etc/strongswan/strongswan.d/performance.conf > /dev/null << 'EOF'
charon {
    threads = 16
    processor {
        priority_threads {
            high = 4
        }
    }
}
EOF
sudo systemctl restart strongswan

Production Deployment Checklist

Security Hardening

  • Use strong encryption algorithms (AES-256-GCM, SHA-384)
  • Enable Perfect Forward Secrecy
  • Implement certificate-based authentication for high-security environments
  • Regular PSK rotation schedule
  • Network segmentation and firewall rules

Monitoring and Alerting

  • CloudWatch VPN tunnel metrics
  • Custom application metrics
  • BGP session monitoring (if using dynamic routing)
  • Automated alerting for tunnel failures
  • Log aggregation and analysis

High Availability

  • Both tunnels configured and active
  • BGP for automatic failover (recommended)
  • Health checks and automated recovery
  • Disaster recovery procedures
  • Regular failover testing

Documentation and Procedures

  • Network diagrams and IP addressing
  • Troubleshooting runbooks
  • Change management procedures
  • Security incident response plan
  • Regular security assessments

💡 Pro Tip: For production environments, always use BGP dynamic routing for automatic failover and load balancing across both VPN tunnels. This ensures maximum availability and optimal traffic distribution.