Wednesday, October 28, 2015

EC2 VPC VPN Update – NAT Traversal, Additional Encryption Options, and More

You can use Amazon Virtual Private Cloud to create a logically isolated section of the AWS Cloud. Within the VPC, you can define your desired IP address range, create subnets, configure route tables, and so forth. You can also use a network gateway to connect the VPC to your existing on-premises network using a hardware Virtual Private Network (VPN) connection. The VPN running in the AWS Cloud (also known as a VPN gateway or VGW) communicates with a customer gateway (CGW) on your network or in your data center (read about Your Customer Gateway to learn more).

Today we are adding several new features to the VPN. Here’s a summary:

  • NAT Traversal
  • Additional Encryption Options
  • Reusable IP addresses for the CGW

In order to take advantage of any of these new features, you will need to create a new VGW and then create new VPN tunnels with the desired attributes.

NAT Traversal
Network Address Translation (NAT) maps one range of IP addresses to another. Let’s say that you have created a VPC and assigned it to a desired IP address range, and then split that range into a couple of subnets. Then you launch some EC2 instances within the VPC, each bound to one of those subnets. You can now use Network Address Translation to map the VPC’s IP address range to a different range when seen from your existing network. This mapping process takes places across the VPN connection and is known at NAT-T, or NAT Traversal. NAT-T allows you to create IP connections that originate on-premises and connect to an EC2 instance (or vice versa) using addresses that have been translated.

You can set this up when you create a new VPN connection in the AWS Management Console. You will need to open up UDP port 4500 in your firewall in order to make use of NAT-T.

Additional Encryption Options
You can now make use of several new encryption options.

When the VPC’s hardware VPN is in the process of establishing a connection with your on-premises VPN, it proposes several different encryption options, each with a different strength. You can now configure the VPN on the VPC to propose AES256 as an alternative to the older and weaker AES128. If you decide to make use of this new option, you should configure your device so that it no longer accepts a proposal to use AES128 encryption.

The two endpoints participate in a Diffie-Hellman key exchange in order to establish a shared secret. The Diffie-Hellman groups used in the exchange will determine the strength of the hash on the keys. You can now configure the use of a wider range of groups:

  • Phase 1 can now use DH groups 2, 14-18, 22, 23, and 24.
  • Phase 2 can now use DH groups 1, 2, 5, 14-18, 22, 23, and 24.

Packets that flow across the VPN connection are verified using a hash algorithm. A matching hash gives a very high-quality indicator that the packet has not been maliciously modified along the way. You can now configure the VPN on the VPC to use the SHA-2 hashing algorithm with a 256 bit digest (also known as SHA-256). Again, you should configure your device to disallow the use of the weaker hash algorithms.

Reusable CGW IP Addresses
You no longer need to specify a unique IP address for each customer gateway connection that you create. Instead, you can now reuse an existing IP address. Many VPC users have been asking for this feature and I expect it to be well-used.

To learn more, read our FAQ and the VPC Network Adminstrator Guide.

Jeff;

No comments:

Post a Comment