So you went through the trouble to dual-stack your AWS VPC and get everything talking over native IPv6, only to find out that the AWS managed VPC VPN service doesn’t support IPv6 as either the tunneled or the underlay protocol. Bummer.
Fortunately there may be hope for you yet. While AWS may not natively support IPv6 for its VPN service, Linux certainly does. Here we will review a workaround solution for this limitation by using an EC2 Ubuntu instance enabled with the strongSwan IPSEC packages to terminate an IPv6 VPN tunnel between an AWS VPC and a remote VPN concentrator. The Cisco ASA platform is used in the examples as the remote or ‘right’ side VPN concentrator.
This blog post covers a section of my GitHub repo on this procedure located here.
Approx Setup Time: 30 Minutes
- Example Settings
- Launch a VPN Gateway EC2 instance
- Configure your VPC for new VPN
- Configure the remote VPN concentrator
- Install and configure strongSwan
- OPTIONAL: IPv4 and IPv6 over the New Tunnel
Below are the details used in the examples in this post.

| Setting | Value |
|---|---|
| AWS EC2 AMI | Ubuntu Linux 18.04 LTS Bionic |
| EC2 Instance Size | t3a.nano |
| AWS-Side Peer IP | 2001:DB8:0:A::10 |
| Customer Peer IP | 2001:DB8:0:C::10 |
| AWS-Side Tunneled Network | 2001:DB8:A::/48 |
| Customer Tunneled Network | 2001:DB8:C::/48 |
| IPSEC Pre-Shared Key | somesupersecretkey |
Launch a VPN Gateway EC2 instance
The particular Linux distribution/version and the instance type you use for this can vary. The Ubuntu t3a.nano instance used in this example has a cost of $0.0047 per hour.
Since this instance will need to be accessible from the internet for the underlay (with either IPv4 or IPv6), make sure you are using an Internet Gateway for the default route for the instance’s subnet (you should see something similar to ::/0 igw-1a2b3c4d or 0.0.0.0/0 igw-1a2b3c4d in the route table).
The purpose of all this is to make sure a host on the internet can properly reach the EC2 instance on the IPSEC ports using its public IPv6 or IPv4 address.
Make sure to set up and attach a security group to your instance’s interface so you can reach it via SSH using its public IPv4 or IPv6 address. You will also need to allow the appropriate IPSEC ports through the security group, although I just allow all protocols from the specific public peer IP of the remote side.
For the example, make sure to assign the IPv6 address 2001:DB8:0:A::10 to the Ubuntu instance.
Configure your VPC for new VPN
- Adjust the network settings on the instance by disabling source/destination address checking
  - This needs to be done to allow the instance to de-encapsulate VPN packets and let them emerge onto the VPC from the instance’s interface; with the check enabled, the VPC drops packets whose source or destination is not the instance’s own address
  - This can be found by selecting the EC2 instance and going to Actions > Networking > Change Source/Dest. Check
- Adjust the route tables for your subnets to route the customer tunneled /48 network toward the instance, but route the customer VPN concentrator peer IP toward the Internet Gateway for the subnet holding the Ubuntu instance
  - This would look something like:
  - If you are already routing ::/0 toward an Internet Gateway and the Customer Tunneled Network does not overlap with the Customer Peer IP, then the /128 route is not necessary
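As an added example (not code from the original post), the following Python applies the same longest-prefix-match logic a VPC route table uses to decide whether the /128 peer route is needed: it is required whenever the customer peer address would otherwise resolve to something other than the Internet Gateway, which would send the IKE/ESP underlay packets back into the tunnel. The prefixes are the post's example settings; the ENI and IGW ids are placeholders.

```python
import ipaddress

# Values from the post's example settings; ENI/IGW ids are placeholders.
CUSTOMER_PEER = "2001:DB8:0:C::10"
CUSTOMER_TUNNELED_NET = "2001:DB8:C::/48"
VPN_INSTANCE_ENI = "eni-EXAMPLE"
INTERNET_GATEWAY = "igw-EXAMPLE"


def lookup(routes, address):
    """Longest-prefix match over {prefix: target}, as a VPC route table does."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, target in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return None if best is None else best[1]


def plan_routes(existing, tunneled_net, peer, eni, igw):
    """Return the subnet route table needed for the tunnel.

    existing: {destination prefix: target} rows already in the table.
    The customer tunneled prefix is pointed at the VPN instance. A /128 for
    the customer peer is then added toward the IGW only if the peer would
    otherwise not resolve to the IGW (no ::/0 igw route, or the peer lies
    inside a prefix that now points at the instance).
    """
    routes = dict(existing)
    routes[str(ipaddress.ip_network(tunneled_net))] = eni
    if lookup(routes, peer) != igw:
        routes[str(ipaddress.ip_network(f"{peer}/128"))] = igw
    return routes


if __name__ == "__main__":
    table = {"2001:DB8:A::/48": "local", "::/0": INTERNET_GATEWAY}
    for dest, target in plan_routes(table, CUSTOMER_TUNNELED_NET, CUSTOMER_PEER,
                                    VPN_INSTANCE_ENI, INTERNET_GATEWAY).items():
        print(f"{dest:24} -> {target}")
```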
Configure the remote VPN concentrator
Use the below configuration as a template for your ASA configuration.

```
! Phase 2 (IPsec) proposal and Phase 1 (IKEv1) policy
crypto ipsec ikev1 transform-set AES_SHA_HMAC esp-aes esp-sha-hmac
crypto ikev1 policy 10
! (the policy's authentication/encryption/hash/group/lifetime lines are not shown here)
! Interesting traffic: customer /48 to AWS /48
access-list ACL_AWS_IPV6_VPN extended permit ip 2001:DB8:C::/48 2001:DB8:A::/48
! Peer keyed on the AWS-side instance address, authenticated with the PSK
tunnel-group 2001:DB8:0:A::10 type ipsec-l2l
tunnel-group 2001:DB8:0:A::10 ipsec-attributes
 ikev1 pre-shared-key somesupersecretkey
! Crypto map entry tying the ACL, peer, transform set and lifetimes together
crypto map VPN_MAP 10 match address ACL_AWS_IPV6_VPN
crypto map VPN_MAP 10 set pfs group2
crypto map VPN_MAP 10 set peer 2001:DB8:0:A::10
crypto map VPN_MAP 10 set ikev1 transform-set AES_SHA_HMAC
crypto map VPN_MAP 10 set security-association lifetime seconds 3600
! Enable IKEv1 on the outside interface and apply the map; the map name here
! must match the crypto map entries above
crypto ikev1 enable OUTSIDE
crypto map VPN_MAP interface OUTSIDE
```
Install and configure strongSwan
Once the Linux instance is up and running and accessible via SSH, we need to install and configure strongSwan.
- Install the strongSwan package with the command `sudo apt install strongswan -y`
- Enable IPv6 forwarding on the server in the /etc/sysctl.conf file with `sudo vi /etc/sysctl.conf`
  - Uncomment the below line
  - Reboot the server after this change to have it take effect
- Set the IPSEC PSK in /etc/ipsec.secrets with `sudo vi /etc/ipsec.secrets`
  - Add the below line to the file (the customer peer IP on the left, the PSK in quotes)

    ```
    2001:DB8:0:C::10 : PSK "somesupersecretkey"
    ```

- Set the VPN connection settings in /etc/ipsec.conf with `sudo vi /etc/ipsec.conf`
  - Add the below config to the bottom of the file
- Restart the IPSEC service with `sudo ipsec restart`
- Check the VPN status with `sudo ipsec status`
- Once the VPN comes up, you should be able to test end-to-end IPv6 reachability between the two tunneled networks
You now have private IPv6 reachability into your AWS VPC from your on-prem network!