laocius

Reputation: 842

AWS site-to-site VPN high availability

I have two FreeBSD servers working as firewalls, configured with a CARP IP address that can float between the two servers to achieve high availability.

Now I have set up IPsec tunnels to my VPC on AWS with racoon and ipsec-tools. I had to configure the two 169.254.x.x IP addresses on my public network interface to make the tunnel work.

The problem with this is that if my firewall fails over, I will have to add the two 169.254.x.x IP addresses on the other firewall.

I tried adding the 169.254.x.x IP addresses on the loopback interface, but it didn't work.

My current solution is to add one of the IP addresses (169.254.33.120) on my first server and the other IP address (169.254.35.140) on the second server. But with this solution, I lose redundancy because only one tunnel is up.

Has anyone got a better solution?

Upvotes: 1

Views: 1228

Answers (1)

nbari

Reputation: 26905

You can use your own private ranges (10.x.x.x/16); you don't necessarily have to use the link-local range 169.254.0.0/16.

For setting up the VPN, AWS provides 2 endpoints per VPN, which you will have to configure and ensure are both working. Both tunnels should show UP (green) in the AWS GUI, but only one will be active routing the traffic: https://docs.aws.amazon.com/vpc/latest/adminguide/Introduction.html

Now the tricky part (HA/failover, IPSEC_NAT_T) is how to route the traffic between tunnels when they go down. If using racoon, from https://docs.netgate.com/pfsense/en/latest/solutions/aws-vpn-appliance/vpc-wizard-faq.html:

Amazon provides two tunnel endpoints that will allow traffic to be sent between your networks and the remote VPC you are connected to. The racoon daemon in pfSense is only capable of establishing an active phase 2 association for a particular source/destination pair on a single tunnel. Phase 2 associations between the local subnets and the remote VPC subnet are configured in the pfSense GUI for both tunnels, but racoon will only actually establish an association for the first tunnel. This means that racoon will only ever try to send traffic destined for the remote VPC subnet over the first tunnel. If that tunnel goes down, the second tunnel may be up and inbound traffic from the remote VPC may be sent to your local networks over that tunnel automatically. But outbound traffic to your remote VPC would not automatically fail over to the second tunnel. In order for you to send your outbound traffic over the second tunnel, you would need to disable the phase 2 associations for the first tunnel and apply the changes.

You will be able to have both tunnels up, but you need to find a way to choose which one to use (route traffic through).

strongSwan is another option, which I think simplifies the handling when a tunnel is down.

Just as a reference, and to get a better idea of the concepts, here is how it is done with a Palo Alto appliance: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFiCAK

So pretty much you will need a VR (virtual router), promote your routes, etc. If possible, post back your solution.

Upvotes: 2
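The "find a way to choose which tunnel to route through" step, as an added example that is not part of the question or the answer: a small watchdog that probes the AWS inside address of each tunnel, prefers tunnel 1, and, with ipsec-tools/racoon, moves the outbound SPD entry to the other tunnel via setkey(8) when the preferred one stops answering. All addresses and subnets are placeholders, and it assumes each tunnel's 169.254.x.x host pair already has its own SPD entries so the probe of an inside address travels over that tunnel regardless of the subnet policy.

```python
"""Added example: tunnel health check + setkey-based failover (not from the page)."""
import subprocess
import time

LOCAL_NET = "10.1.0.0/16"      # placeholder: on-premises subnet behind the firewall
VPC_NET = "172.31.0.0/16"      # placeholder: AWS VPC CIDR
FW_PUBLIC = "198.51.100.10"    # placeholder: the CARP public IP of the firewall pair
TUNNELS = {                    # placeholder AWS outside peers and inside (169.254) peers
    1: {"aws_public": "203.0.113.1", "aws_inside": "169.254.33.121"},
    2: {"aws_public": "203.0.113.2", "aws_inside": "169.254.35.141"},
}
DOWN_AFTER = 3   # consecutive failed probes before failing over
UP_AFTER = 10    # consecutive good probes before failing back to tunnel 1

def choose_tunnel(active, fail_count, ok_count):
    """Pick the tunnel outbound traffic should use (1 is preferred).
    fail_count / ok_count hold consecutive probe results per tunnel id.
    Fail over when tunnel 1 has failed DOWN_AFTER times and tunnel 2 answers;
    fail back only after UP_AFTER good probes so a flapping tunnel 1 does
    not bounce the policy back and forth."""
    if active == 1:
        return 2 if fail_count[1] >= DOWN_AFTER and ok_count[2] >= 1 else 1
    if ok_count[1] >= UP_AFTER:
        return 1
    if fail_count[2] >= DOWN_AFTER and ok_count[1] >= 1:
        return 1   # tunnel 2 died too; tunnel 1 is at least answering now
    return 2

def setkey_commands(tunnel):
    """Rewrite the outbound LOCAL_NET->VPC_NET SPD entry to the chosen AWS peer."""
    peer = TUNNELS[tunnel]["aws_public"]
    return (f"spddelete {LOCAL_NET} {VPC_NET} any -P out;\n"
            f"spdadd {LOCAL_NET} {VPC_NET} any -P out ipsec "
            f"esp/tunnel/{FW_PUBLIC}-{peer}/require;\n")

def probe(tunnel):
    """One ICMP probe of the AWS inside address (FreeBSD ping(8): -W is ms)."""
    r = subprocess.run(["ping", "-c", "1", "-W", "2000", TUNNELS[tunnel]["aws_inside"]],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0

def main_loop(interval=5):
    active, fails, oks = 1, {1: 0, 2: 0}, {1: 0, 2: 0}
    while True:
        for t in TUNNELS:
            ok = probe(t)
            oks[t], fails[t] = (oks[t] + 1, 0) if ok else (0, fails[t] + 1)
        want = choose_tunnel(active, fails, oks)
        if want != active:   # feed the new policy to setkey -c on stdin
            subprocess.run(["setkey", "-c"], input=setkey_commands(want), text=True, check=True)
            active = want
        time.sleep(interval)

if __name__ == "__main__":
    main_loop()
```

Run it on the firewall that currently holds the CARP address; the SPD is per host, so the same policy switch has to be applied on the standby after a CARP failover as well.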
