How to configure site-to-site VPN between Amazon VPCs


AllCloud Blog:
Cloud Insights and Innovation

This guide assumes you have already configured your VPN/NAT gateway instances in both VPCs. We will proceed to install and configure IPsec (openswan) on each of them.

*Tested on Amazon Linux

1. Install openswan on the local VPN GW machine:

yum install openswan

2. Create a conf file for the source-destination connection on the source machine:

For the purposes of this mini tutorial, consider one VPC deployed in the default region, Virginia (us-east-1), which we will call the local one from now on, and the other deployed in Sydney (ap-southeast-2), the remote one.

In /etc/ipsec.d we add a file named {sourceregion-destregion}.conf, as below:

cd /etc/ipsec.d/
vim virginia-sydney.conf

Use the template below for the connection details. leftid is the gateway's public (Elastic) IP, an address the instance itself does not hold, which is why left=%defaultroute; forceencaps=yes forces NAT traversal (ESP inside UDP 4500), needed because both gateways sit behind AWS's one-to-one NAT. The template relies on openswan's default IKE and ESP proposals; pin them with ike= and phase2alg= if your policy requires specific algorithms:

conn virginia-sydney
        authby=secret
        auto=start
        forceencaps=yes
        left=%defaultroute
        leftid={public IP of the virginia VPN GW}
        leftsubnet={CIDR block of the virginia VPC}
        right={public IP of the sydney VPN GW}
        rightsubnet={CIDR block of the sydney VPC}

3. Create a secrets file that names the public address of the remote VPN GW:

- generate a PSK and place it in the secrets file, like so. The value shown is only a placeholder: use a long random key (for example the output of openssl rand -base64 48), install the identical key on both gateways, and keep the file readable by root only (mode 0600).

vim virginia-sydney.secrets
{public_ip_of_the_sydney_gw} %any: PSK "764t0781b76tjgher6wth89773412bdsq974gh45"

4. Configure the remote GW:

On the remote VPN GW perform steps 1, 2 and 3, with a mirrored config named {destregion-sourceregion}.conf, e.g.:

conn sydney-virginia
        authby=secret
        auto=start
        forceencaps=yes
        left=%defaultroute
        leftid={public IP of the sydney VPN GW}
        leftsubnet={CIDR block of the sydney VPC}
        right={public IP of the virginia VPN GW}
        rightsubnet={CIDR block of the virginia VPC}

5. Create secrets for the remote GW:

Repeat step 3 on the remote GW, this time specifying the public address of the local VPN GW, e.g.:

{public_ip_of_the_virginia_gw} %any: PSK "764t0781b76tjgher6wth89773412bdsq974gh45"

Of course, use the same PSK as in step 3 above; the two sides must hold the identical key.

6. Allow traffic between the two GWs:

In the security groups of the two VPN GW instances, open UDP 500 (IKE) and UDP 4500 (NAT-T) to each from the other's public IP. With forceencaps=yes all ESP traffic is carried inside UDP 4500, so no separate rule for protocol 50 is needed.

*also, make sure VPC routing and NAT actually deliver the two CIDR blocks into the tunnel: each VPC's route table needs a route for the remote VPC's CIDR pointing at the local GW instance (which must have its source/destination check disabled); if the GW also masquerades the VPC's outbound internet traffic, exempt traffic to the remote CIDR from the MASQUERADE rule (an ACCEPT rule placed ahead of it in the nat POSTROUTING chain), otherwise the source address is rewritten before the packet can match the IPsec policy; and other instances in each VPC need their own security groups to permit traffic arriving from the remote VPC's CIDR.

7. Start the ipsec service on the local and remote GW:

Notes:
– before starting ipsec, make sure that on each machine the "include /etc/ipsec.d/*.conf" line in /etc/ipsec.conf is uncommented, and likewise that /etc/ipsec.secrets includes /etc/ipsec.d/*.secrets.

service ipsec start

Because both connections use auto=start, each side tries to bring the tunnel up as soon as the service starts. If ipsec was already running when you added the conf on the remote GW, add and start the {destregion-sourceregion} connection by hand, e.g.:

ipsec auto --add sydney-virginia
ipsec auto --up sydney-virginia

Now let's check that the site-to-site tunnel is working, first with ipsec auto --status on either GW (the connection should show an established ISAKMP SA and IPsec SA) and then using ping:

  1. from the local GW, ping the remote GW's private IP
  2. from the remote GW, ping the local GW's private IP

If everything has been configured properly, both pings succeed. That's it, your IPsec tunnel is working!

8. Don't forget to enable ipsec at boot on both machines:

chkconfig --add ipsec
chkconfig ipsec on
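Steps 2 to 5 produce two pairs of files that must mirror each other exactly and share one PSK; the easiest way to avoid a typo on one side is to render both pairs from a single set of parameters. The bash script below is an added example, not code from the original post: the public IPs and CIDRs it uses are placeholders from the documentation address ranges, and by default it writes into a temporary directory so the output can be reviewed before being copied into /etc/ipsec.d on each gateway.

```bash
#!/bin/bash
# Added example, not code from the original post. Renders the mirrored
# openswan files for both gateways from one set of parameters so the two
# sides cannot drift apart, and generates the shared PSK once. All
# addresses below are placeholders chosen for illustration.
set -eu

# render_conn NAME LOCAL_PUBLIC_IP LOCAL_CIDR REMOTE_PUBLIC_IP REMOTE_CIDR
# Prints the body of /etc/ipsec.d/NAME.conf for one side of the tunnel.
render_conn() {
  local name=$1 lpub=$2 lcidr=$3 rpub=$4 rcidr=$5
  cat <<EOF
conn $name
        authby=secret
        auto=start
        forceencaps=yes
        left=%defaultroute
        leftid=$lpub
        leftsubnet=$lcidr
        right=$rpub
        rightsubnet=$rcidr
EOF
}

# render_secret REMOTE_PUBLIC_IP PSK
# Prints the single line of /etc/ipsec.d/NAME.secrets for one side.
render_secret() {
  printf '%s %%any: PSK "%s"\n' "$1" "$2"
}

# gen_psk: 48 random bytes from the kernel CSPRNG, base64-encoded (64 chars,
# no padding). Generate it once and install the same value on both gateways.
gen_psk() {
  head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# write_side OUTDIR NAME LOCAL_PUBLIC_IP LOCAL_CIDR REMOTE_PUBLIC_IP REMOTE_CIDR PSK
# Writes NAME.conf and NAME.secrets into OUTDIR (use /etc/ipsec.d on the
# gateway itself). The secrets file is created with mode 0600 because it
# holds the PSK.
write_side() {
  local outdir=$1 name=$2 lpub=$3 lcidr=$4 rpub=$5 rcidr=$6 psk=$7
  mkdir -p "$outdir"
  render_conn "$name" "$lpub" "$lcidr" "$rpub" "$rcidr" > "$outdir/$name.conf"
  ( umask 077; render_secret "$rpub" "$psk" > "$outdir/$name.secrets" )
}

# Demo parameters: placeholder (documentation-range) addresses, not real ones.
VIRGINIA_PUB=203.0.113.10   VIRGINIA_CIDR=10.0.0.0/16
SYDNEY_PUB=198.51.100.20    SYDNEY_CIDR=10.1.0.0/16

# demo [OUTDIR]: writes virginia/virginia-sydney.* and sydney/sydney-virginia.*
# under OUTDIR (a fresh temp dir if omitted) and prints OUTDIR.
demo() {
  local out=${1:-$(mktemp -d)} psk
  psk=$(gen_psk)
  # Local (Virginia) side, as in steps 2 and 3
  write_side "$out/virginia" virginia-sydney \
    "$VIRGINIA_PUB" "$VIRGINIA_CIDR" "$SYDNEY_PUB" "$SYDNEY_CIDR" "$psk"
  # Remote (Sydney) side, the mirror image with the same PSK, as in steps 4 and 5
  write_side "$out/sydney" sydney-virginia \
    "$SYDNEY_PUB" "$SYDNEY_CIDR" "$VIRGINIA_PUB" "$VIRGINIA_CIDR" "$psk"
  echo "$out"
}

demo
```

Run it once, review the rendered files, copy the virginia/ pair into /etc/ipsec.d on the Virginia gateway and the sydney/ pair onto the Sydney gateway, then continue with steps 6 and 7. Because leftid is the gateway's public IP while left is %defaultroute, each secrets line keys on the remote public IP with %any for the local side, exactly as in step 3.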

Lahav Savir

Founder and CTO, Cloud Platforms
