In this article we will demonstrate the basic steps necessary to connect your Virtual Private Cloud to your office network. Our VPC network topology will look like this:
Our private server will be accessible from all devices on the office network (192.168.1.0/24) by connecting the office Cisco ASA to Binary Lane VPC.
In this example we are extending an existing VPC by adding site-to-site VPN connectivity to it. The existing VPC consists of a private database server.
Create a new Ubuntu 14.04 server, the VPN end point, as a member of the existing VPC.
Here is what my configuration looks like in mPanel:
Note that db.example does not have a public IP address.
Configuring remote (Binary Lane) VPN endpoint
To provide site-to-site connectivity between the VPC and the office network, we need to make three changes on Binary Lane:
- Use mPanel to enable the VPN server to route
- Configure our VPC route table to send requests through our VPN server
- Configure our Linux server to provide the desired VPN functionality
Enable routing in mPanel
Click into the mPanel dashboard for the VPN server. Down the left hand side there is a section labelled Network:
To let our VPN server route and provide NAT for the other VPC members, Source/Dest Check must be disabled. Click the "Enabled" link and disable the check.
Configure the VPC route table
From the "Services" page in mPanel, click the "Configure Routes" button. This displays the following screen, which I have already filled out:
Enter a new route with destination set to 0.0.0.0/0, and the target as the internal IP of the VPN server. Click "Save and Apply" to update the VPC configuration.
Configure Linux server to enable VPN endpoint
To configure VPN on the Linux server, use mPanel to deploy our IPsec VPN deployment script:
This deployment script installs and configures Openswan, a Linux implementation of IPsec. The script requires two arguments:
Local network: The network range of the corporate office that is connecting, e.g. 192.168.1.0/24
Pre-Shared Key: A passphrase that you will configure on both the remote (Binary Lane) and local (Cisco ASA) ends.
The deployment script will also set up your VPN server to provide outgoing NAT, allowing your private servers to fetch software updates from the internet.
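The article does not show the contents of the Binary Lane deployment script. As an added example (not the script itself, and not Binary Lane code), the shell script below renders the three pieces such an endpoint needs from the same two inputs: an Openswan connection stanza whose IKE and ESP proposals match the ASA wizard settings used later in the article (AES-192, SHA-1, Diffie-Hellman group 2, PFS on), the pre-shared key file, and the forwarding and NAT rules. It also validates the inputs before emitting anything. The VPC range 10.240.0.0/16 is the article's default; the ASA outside address 203.0.113.10 (a documentation address), the WAN interface name eth0 and the 20-character minimum for the passphrase are assumptions made here.

```shell
#!/bin/sh
# Added example, not the Binary Lane deployment script. Renders the Openswan
# connection, the PSK file and the NAT rules for a site-to-site endpoint in
# the article's topology. Assumed: VPC range 10.240.0.0/16 (article default),
# ASA outside address 203.0.113.10 (constructed), WAN interface eth0.

# Accept only a dotted-quad IPv4 prefix with a /0 to /32 mask; return 1 otherwise.
validate_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    for octet in $(printf '%s\n' "${1%/*}" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# The passphrase ends up quoted in ipsec.secrets, so reject quotes and
# backslashes; the 20-character floor is an assumed policy, not Openswan's.
validate_psk() {
    [ "${#1}" -ge 20 ] || return 1
    case "$1" in *\"*|*\\*) return 1 ;; esac
}

# Openswan /etc/ipsec.conf stanza. Proposals mirror the ASA wizard choices in
# the article: AES-192 / SHA-1 / DH group 2 (modp1024) for IKE and ESP, PFS on.
render_ipsec_conf() {
    office_net="$1"; vpc_net="$2"; asa_public_ip="$3"
    cat <<EOF
conn office-to-vpc
    type=tunnel
    authby=secret
    keyexchange=ike
    ikev2=no
    ike=aes192-sha1;modp1024
    phase2alg=aes192-sha1;modp1024
    pfs=yes
    left=%defaultroute
    leftsubnet=$vpc_net
    right=$asa_public_ip
    rightsubnet=$office_net
    auto=start
EOF
}

# /etc/ipsec.secrets line; install the file root-only (mode 0600).
render_ipsec_secrets() {
    asa_public_ip="$1"; psk="$2"
    printf '%%any %s : PSK "%s"\n' "$asa_public_ip" "$psk"
}

# Forwarding and NAT. VPC-to-office traffic must NOT be masqueraded: it would
# leave with the VPN server's address as source and fall outside the tunnel
# selectors. Only internet-bound traffic is NATed. Redirects are disabled
# because Openswan's "ipsec verify" flags them on a routing host.
render_nat_rules() {
    office_net="$1"; vpc_net="$2"; wan_if="$3"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.all.accept_redirects=0
iptables -t nat -A POSTROUTING -s $vpc_net -d $office_net -j ACCEPT
iptables -t nat -A POSTROUTING -s $vpc_net -o $wan_if -j MASQUERADE
EOF
}

# main OFFICE_NET PSK [VPC_NET] [ASA_PUBLIC_IP] [WAN_IF]
main() {
    office_net="$1"; psk="$2"
    vpc_net="${3:-10.240.0.0/16}"        # article default for a Binary Lane VPC
    asa_public_ip="${4:-203.0.113.10}"   # constructed documentation address
    wan_if="${5:-eth0}"                  # assumed WAN interface of the VPN server
    validate_cidr "$office_net" || { echo "bad office network: $office_net" >&2; return 1; }
    validate_cidr "$vpc_net" || { echo "bad VPC network: $vpc_net" >&2; return 1; }
    validate_psk "$psk" || { echo "PSK must be >= 20 chars with no quotes or backslashes" >&2; return 1; }
    echo "# --- append to /etc/ipsec.conf ---"
    render_ipsec_conf "$office_net" "$vpc_net" "$asa_public_ip"
    echo "# --- /etc/ipsec.secrets (mode 0600) ---"
    render_ipsec_secrets "$asa_public_ip" "$psk"
    echo "# --- forwarding and NAT ---"
    render_nat_rules "$office_net" "$vpc_net" "$wan_if"
}

# Act only when invoked with arguments, so the file can also be sourced.
if [ $# -ge 2 ]; then main "$@"; fi
```

Invoked as `sh vpn-endpoint.sh 192.168.1.0/24 'your-passphrase'` it prints the three fragments for review rather than writing them; the first POSTROUTING rule is the one most often missed when NAT is added to a VPN endpoint, since masquerading VPC-to-office packets silently breaks return traffic through the tunnel.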
Configuring local (Cisco ASA) VPN endpoint
Connect to your Cisco ASA using the ASDM-IDM launcher or Java WebStart. For a default ASA installation, you will find this at https://192.168.1.1/
After connecting, click the "Wizards" menu and select "IPsec VPN Wizard...". This will begin a six-step wizard process to configure the VPN:
Select site-to-site VPN on the "outside" tunnel interface, and click Next.
For Peer IP Address enter the VPN server's external IP, select pre-shared key and enter the same passphrase you configured earlier. Click Next.
The Encryption method should be set to AES-192, Authentication to SHA and Diffie-Hellman Group to 2. Click Next.
Similar to step 3, set Encryption to AES-192, Authentication to SHA, enable Perfect Forward Secrecy and set Diffie-Hellman Group to 2. Click Next.
The Local Networks should be set to your office IP range, e.g. 192.168.1.0/24, while Remote Networks should be the VPC IP range, which defaults to 10.240.0.0/16. "Exempt ASA side host/network from address translation" should be enabled, as we do not require NAT between the two networks. Click Next.
On the last step, review the configuration and make sure it is correct; then click Finish.
At this point the VPN will be ready for use. You can test the VPN by using one of the office computers (on the 192.168.1.0/24 range) to ping the private VPC server (10.240.0.29 in this example; the address will differ in your own setup).
If everything is working correctly, you will get a ping reply and can now utilise bidirectional connectivity between your office and Binary Lane VPC.