AWS VPC to VPC connections over IPSEC VPN

Learn how to build a secure VPN with failover between multiple VPCs, using Openswan as a software-based VPN solution. Today we will go through how to set up a full-mesh topology (where every region has its own unique connection to every other region). Openswan is a great choice: it is free to use, and it is versatile enough for many different use cases.
Also, if you haven't had a chance to familiarize yourself with Amazon Web Services (AWS) and VPC, I would highly recommend reading up on them. You may be surprised what they can offer your company!

Below the video, we have provided the configs and instructions.

# Install openswan

$ sudo su
$ yum update -y && yum install openswan -y

# Make sure the service starts at reboot

$ chkconfig ipsec on

# Turn on ip forwarding and other needed directives

$ vi /etc/sysctl.conf 

(make sure these directives are set as shown below)

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0 
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0 
net.ipv4.conf.eth0.accept_redirects = 0

# save the file and apply the changes

$ sysctl -p /etc/sysctl.conf

# Modify the /etc/ipsec.conf file

$ vim /etc/ipsec.conf

# Below is the template for your connection config. Fill in the brackets with your own values

virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8   (you can replace these subnets with your own)


conn <CONNECTION NAME>
   authby=secret
   auto=start
   type=tunnel
   left=<LOCAL PRIVATE IP>
   leftid=<Local PUBLIC IP>
   leftsubnet=<LOCAL PRIVATE SUBNET>
   right=<REMOTE PUBLIC IP>
   rightsubnet=<REMOTE PRIVATE SUBNET>
   ike=aes256-sha1;modp2048
   phase2=esp
   phase2alg=aes256-sha1;modp2048

# Modify the /etc/ipsec.secrets file with the preshared key you want to use between your peers

<Local (LEFT) Public IP> <Remote (RIGHT) Public IP>: PSK "mypassword"

example:
54.45.58.87 45.65.128.69: PSK "mypassword"
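As an added example (not from the original post), here is a small Python generator for the full-mesh configuration described above: for one node it emits a conn stanza per remote region plus the matching ipsec.secrets line, and it performs two checks a practitioner wants before deploying, namely that no two VPC CIDRs overlap (traffic could not be routed across the tunnels) and that every pair has its own PSK of reasonable length rather than the "mypassword" placeholder. Region names, IPs and CIDRs are constructed sample values.

```python
import ipaddress
import secrets
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Vpc:
    name: str        # region label, used to build the conn name
    public_ip: str   # Elastic IP of the Openswan instance (leftid / right)
    private_ip: str  # instance private IP (left)
    cidr: str        # VPC CIDR (leftsubnet / rightsubnet)

def check_mesh(vpcs):
    """Overlapping VPC CIDRs cannot be routed across the tunnels; reject them early."""
    for a, b in combinations(vpcs, 2):
        if ipaddress.ip_network(a.cidr).overlaps(ipaddress.ip_network(b.cidr)):
            raise ValueError(f"{a.name} {a.cidr} overlaps {b.name} {b.cidr}")

def conn_block(local, remote):  # one conn stanza, mirroring the template in the post
    return "\n".join([
        f"conn {local.name}-to-{remote.name}",
        "   authby=secret", "   auto=start", "   type=tunnel",
        f"   left={local.private_ip}", f"   leftid={local.public_ip}",
        f"   leftsubnet={local.cidr}", f"   right={remote.public_ip}",
        f"   rightsubnet={remote.cidr}",
        "   ike=aes256-sha1;modp2048", "   phase2=esp", "   phase2alg=aes256-sha1;modp2048",
    ])

def render_node(local, vpcs, psks, min_psk_len=32):
    """Return (ipsec.conf conn stanzas, ipsec.secrets lines) for one node of the mesh.
    psks maps frozenset({name_a, name_b}) -> PSK, so every pair has its own secret."""
    check_mesh(vpcs)
    conf, sec = [], []
    for remote in vpcs:
        if remote.name == local.name:
            continue
        psk = psks[frozenset({local.name, remote.name})]
        if len(psk) < min_psk_len or psk == "mypassword":
            raise ValueError(f"weak PSK for {local.name}<->{remote.name}")
        conf.append(conn_block(local, remote))
        sec.append(f'{local.public_ip} {remote.public_ip}: PSK "{psk}"')
    return "\n\n".join(conf), "\n".join(sec)

VPCS = [  # constructed sample: three regions, non-overlapping CIDRs, documentation-range public IPs
    Vpc("us-east-1", "203.0.113.10", "10.0.1.10", "10.0.0.0/16"),
    Vpc("eu-west-1", "198.51.100.20", "10.1.1.20", "10.1.0.0/16"),
    Vpc("ap-southeast-1", "192.0.2.30", "10.2.1.30", "10.2.0.0/16"),
]
# One random 256-bit PSK per pair; in practice keep these outside version control.
PSKS = {frozenset({a.name, b.name}): secrets.token_urlsafe(32) for a, b in combinations(VPCS, 2)}
```

Call `render_node(node, VPCS, PSKS)` for each entry in `VPCS` to get the two files that node needs; the same PSK appears on both ends of a pair because the lookup key is an unordered set of the two names.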


You can enable PAT/NAT for private servers that need internet access by using the following command:

iptables --table nat --append POSTROUTING --source <LOCAL PRIVATE VPC CIDR> -j MASQUERADE
