In this article we will demonstrate the basic steps necessary to connect your Virtual Private Cloud (VPC) to your office network. Our VPC network topology will look like this:


https://www.binarylane.com.au/res/images/binarylane/vpc/private-vpn.png 


Our private server will be accessible from all devices on the office network (192.168.1.0/24) once the office Cisco ASA is connected to the Binary Lane VPC.


 

Server Provisioning

In this example we are extending an existing VPC by adding site-to-site VPN connectivity to it. The existing VPC consists of a private database server.


Create a new Ubuntu 14.04 server, the VPN endpoint, as a member of the existing VPC.


Here is what my configuration looks like in mPanel:


mpanel.png


Note that db.example does not have a public IP address.


 

Configuring remote (Binary Lane) VPN endpoint

To provide site-to-site connectivity between the VPC and the office network, we need to make three changes on Binary Lane:

  1. Use mPanel to enable routing on the VPN server
  2. Configure our VPC route table to send requests through our VPN server
  3. Configure our Linux server to provide the desired VPN functionality



Enable routing in mPanel

Click into the mPanel dashboard for the VPN server. Down the left-hand side there is a section labelled Network:


network.png


To let our VPN server forward traffic and provide NAT, Source/Dest Check must be disabled. Click the "Enabled" link to disable the check.



Configure the VPC route table

From the "Services" page in mPanel, click the "Configure Routes" button. This displays the following screen, which I have already filled out:


route.png


Enter a new route with the destination set to 0.0.0.0/0 and the target set to the internal IP of the VPN server. Click "Save and Apply" to update the VPC configuration.



Configure the Linux server as the VPN endpoint

To configure the VPN on the Linux server, use mPanel to deploy our IPsec VPN deployment script.


This deployment script installs and configures Openswan, a Linux implementation of IPsec. The script requires two arguments:

  • Local network: the network range of the corporate office that is connecting, e.g. 192.168.1.0/24

  • Pre-Shared Key: a passphrase that you will configure on both the remote (Binary Lane) and local (Cisco ASA) ends.


The deployment script will also set up your VPN server to provide outgoing NAT, allowing your private servers to fetch software updates from the internet.
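As an added example (this is not Binary Lane's deployment script, which the page does not show), the shell functions below generate the Openswan configuration that the two script arguments imply, with IKE and ESP proposals matching the ASA wizard settings described later in this article, plus an outgoing NAT rule that leaves office-bound traffic alone. The ASA's public address, the VPN server's address and the WAN interface name are constructed assumptions.

```shell
#!/bin/bash
# Added example, not the Binary Lane deployment script: render the Openswan
# config implied by the script's two arguments (office network, pre-shared key).
# IKE/ESP proposals match the ASDM wizard choices: AES-192, SHA, DH group 2, PFS.
set -e

VPC_NET="10.240.0.0/16"   # default VPC range from the article

# gen_ipsec_conf OFFICE_NET ASA_PUBLIC_IP  -> prints /etc/ipsec.conf
gen_ipsec_conf() {
    local office_net="$1" asa_ip="$2"
    cat <<EOF
config setup
    protostack=netkey
    nat_traversal=yes
    # private ranges a peer may sit behind; never our own VPC range
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!${VPC_NET}

conn office
    type=tunnel
    authby=secret
    left=%defaultroute
    leftsubnet=${VPC_NET}
    right=${asa_ip}
    rightsubnet=${office_net}
    ike=aes192-sha1;modp1024
    phase2alg=aes192-sha1;modp1024
    pfs=yes
    auto=start
EOF
}

# gen_ipsec_secrets VPN_SERVER_IP ASA_PUBLIC_IP PSK  -> prints /etc/ipsec.secrets
gen_ipsec_secrets() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# nat_rule OFFICE_NET WAN_IFACE -> the outgoing-NAT rule; office-bound traffic is
# excluded so packets entering the tunnel keep their 10.240.x.x source addresses
nat_rule() {
    printf 'iptables -t nat -A POSTROUTING -s %s ! -d %s -o %s -j MASQUERADE\n' \
        "$VPC_NET" "$1" "$2"
}

# Usage (addresses and interface are constructed examples):
#   gen_ipsec_conf 192.168.1.0/24 203.0.113.10 > /etc/ipsec.conf
#   gen_ipsec_secrets 203.0.113.20 203.0.113.10 'passphrase' > /etc/ipsec.secrets
#   eval "$(nat_rule 192.168.1.0/24 eth0)"
```

If the MASQUERADE rule is not restricted with `! -d <office network>`, office-bound packets are rewritten to the VPN server's address before encapsulation and the ASA's Remote Networks selector no longer matches them.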


 

Configuring local (Cisco ASA) VPN endpoint

Connect to your Cisco ASA using the ASDM-IDM launcher or Java Web Start. For a default ASA installation, you will find this at https://192.168.1.1/


After connecting, click the "Wizards" menu and select "IPsec VPN Wizard...". This will begin a six-step wizard process to configure the VPN:


wizard1.png


Select site-to-site VPN on the "outside" tunnel interface, and click Next.


wizard2.png


For Peer IP Address, enter the VPN server's external IP, select pre-shared key, and enter the same passphrase you configured earlier. Click Next.


wizard3.png


Set the Encryption method to AES-192, Authentication to SHA and Diffie-Hellman Group to 2. Click Next.


wizard4.png


Similar to step 3, set Encryption to AES-192, Authentication to SHA, enable Perfect Forward Secrecy and set Diffie-Hellman Group to 2. Click Next.


wizard5.png


Local Networks should be set to your office IP range, e.g. 192.168.1.0/24, while Remote Networks should be the VPC IP range, which defaults to 10.240.0.0/16. The "Exempt ASA side host/network from address translation" option should be enabled, as we do not require NAT between the two sites. Click Next.


wizard6.png


On the last step, review the configuration and make sure it is correct; then click Finish.


At this point the VPN is ready for use. You can test it from one of the office computers (on the 192.168.0.0/24 range) by pinging the private VPC server (10.240.0.29 in this example; this will differ for your own setup).


If everything is working correctly, you will get a ping reply and can now make use of bidirectional connectivity between your office and the Binary Lane VPC.