This guide assumes you have already configured your VPN/NAT gateways in both VPCs. We will proceed to install and configure ipsec on each of them.
*Tested on Amazon Linux
1. Install openswan on the local VPN GW machine:
yum install openswan
2. Create a conf file for the source-destination connection on the source machine:
For the purposes of this mini tutorial, let's consider that one of the VPCs is deployed in the default region, Virginia (us-east-1); this is the local one from now on. The other is deployed in Sydney (ap-southeast-2); this is the remote one.
In ipsec.d we need to add a {sourceregion-destregion}.conf file, as below:
cd /etc/ipsec.d/
vim virginia-sydney.conf
Use the following as a template for the connection details:
conn virginia-sydney
    authby=secret
    auto=start
    forceencaps=yes
    left=%defaultroute
    leftid={public IP of the virginia VPN GW}
    leftsubnets={CIDR block of the virginia VPC}
    right={public IP of the sydney VPN GW}
    rightsubnet={CIDR block of the sydney VPC}
3. Create a secrets file that includes the public address of the remote VPN GW:
- generate a PSK and place it in the secrets file, like so:
vim virginia-sydney.secrets
{public_ip_of_the_sydney_gw} %any: PSK "764t0781b76tjgher6wth89773412bdsq974gh45"
4. Configure the remote GW:
On the remote VPN GW perform steps 1, 2 & 3, with a mirrored config in {destregion-sourceregion}.conf, e.g.:
conn sydney-virginia
    authby=secret
    auto=start
    forceencaps=yes
    left=%defaultroute
    leftid={public IP of the sydney VPN GW}
    leftsubnets={CIDR block of the sydney VPC}
    right={public IP of the virginia VPN GW}
    rightsubnets={CIDR block of the virginia VPC}
5. Create secrets for the remote GW:
Perform step 4 above, specifying the public address of the local VPN GW; e.g.:
{public_ip_of_the_virginia_gw} %any: PSK "764t0781b76tjgher6wth89773412bdsq974gh45"
Of course, use the same PSK as in step 3 above.
6. Allow traffic between the two GWs:
In the security groups of the 2 VPN GW machines, open up UDP 500 & 4500 on each, restricted to the other's public IP.
*also, ensure that all the required CIDR blocks are NAT-ed properly
7. Start ipsec service in local + remote GW
Notes:
– before starting ipsec, make sure that on each machine the "include /etc/ipsec.d/*.conf" line in /etc/ipsec.conf is uncommented.
service ipsec start
Add and start the {destregion-sourceregion} connection on the remote VPN GW, as in the example below:
ipsec auto --add sydney-virginia
ipsec auto --up sydney-virginia
Now let’s check that the site2site is working using ping :
- from local gw ping to remote gw private IP
- from remote gw ping to local gw private IP
If all has been configured properly, the tests should succeed. That's it, your ipsec tunnel is working!
8. Don’t forget to add ipsec to boot on both machines:
chkconfig --add ipsec
chkconfig ipsec on
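Steps 2 through 5 hand-edit the same connection twice with left and right swapped, which is where mismatched subnets and PSKs usually creep in. The helper below is an added example, not part of the original tutorial or of Openswan: it renders both gateways' conn stanzas and secrets lines from one set of variables and draws the PSK from /dev/urandom instead of a hand-typed string. The IPs and CIDRs are constructed documentation-range values; the `render_*` and `gen_psk` function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original tutorial): render the mirrored
# Openswan conn stanzas and secrets lines for both gateways from one
# set of variables, so the two sides cannot drift apart.

# render_conn NAME LEFT_ID LEFT_SUBNET RIGHT_IP RIGHT_SUBNET
# Prints the stanza for /etc/ipsec.d/NAME.conf on the gateway that is "left".
render_conn() {
    printf 'conn %s\n' "$1"
    printf '\tauthby=secret\n\tauto=start\n\tforceencaps=yes\n'
    printf '\tleft=%%defaultroute\n\tleftid=%s\n\tleftsubnet=%s\n' "$2" "$3"
    printf '\tright=%s\n\trightsubnet=%s\n' "$4" "$5"
}

# gen_psk: 32 bytes from /dev/urandom, printed as 64 hex characters.
# Generate it once and copy the same value to both gateways.
gen_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# render_secret REMOTE_PUBLIC_IP PSK
# Prints the line for NAME.secrets; keep that file mode 600, root-owned.
render_secret() {
    printf '%s %%any: PSK "%s"\n' "$1" "$2"
}

# render_pair LOCAL_NAME LOCAL_IP LOCAL_CIDR REMOTE_NAME REMOTE_IP REMOTE_CIDR PSK
# Prints what goes on each gateway; the second stanza swaps left and right.
render_pair() {
    echo "# --- on the $1 gateway: /etc/ipsec.d/$1-$4.conf and $1-$4.secrets"
    render_conn "$1-$4" "$2" "$3" "$5" "$6"
    render_secret "$5" "$7"
    echo "# --- on the $4 gateway: /etc/ipsec.d/$4-$1.conf and $4-$1.secrets"
    render_conn "$4-$1" "$5" "$6" "$2" "$3"
    render_secret "$2" "$7"
}

# Demo with constructed addresses from the documentation ranges (not real gateways).
PSK=$(gen_psk)
render_pair virginia 203.0.113.10 10.0.0.0/16 sydney 198.51.100.20 10.1.0.0/16 "$PSK"
```

Redirect each printed section into the matching file on its gateway; the stanza uses the singular `leftsubnet`/`rightsubnet` form, which is what a single CIDR per side needs.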