aws · ipsec · network · vpc · vpn

AWS VPC to VPC connections over IPSEC VPN


Learn how to build a secure VPN with failover between multiple VPCs using Openswan as a software-based VPN solution. Today we will go through how to set up a full-mesh topology, where every region has its own unique connection to every other region. Openswan is a great choice because it is free to use and versatile enough for many different use cases.
Also, if you haven't had a chance to familiarize yourself with Amazon Web Services (AWS) and VPC, I would highly recommend reading up on them. You may be surprised by what they can offer your company!

Below this video we have provided the configs and instructions:
http://ift.tt/1DPJt7K

# Install openswan

$ sudo su
$ yum update -y && yum install openswan -y

# Make sure the service starts at reboot

$ chkconfig ipsec on

# Turn on IP forwarding and set the other needed directives

$ vi /etc/sysctl.conf

(make sure these directives are set as shown below)

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0

# save the file and apply the changes

$ sysctl -p /etc/sysctl.conf

# Modify the /etc/ipsec.conf file

$ vim /etc/ipsec.conf

# Below is the template for what you would set in your connection config. Fill in the brackets with your own info. The virtual_private line belongs in the "config setup" section, and the lines inside each section must be indented, otherwise Openswan will not parse the file.

config setup
    virtual_private=%v4:192.168.0.0/16,%v4:10.0.0.0/8

(you can replace these subnets with your own)

conn <CONNECTION NAME>
    authby=secret
    auto=start
    type=tunnel
    left=<LOCAL PRIVATE IP>
    leftid=<LOCAL PUBLIC IP>
    leftsubnet=<LOCAL PRIVATE SUBNET>
    right=<REMOTE PUBLIC IP>
    rightsubnet=<REMOTE PRIVATE SUBNET>
    ike=aes256-sha1;modp2048
    phase2=esp
    phase2alg=aes256-sha1;modp2048

# Modify the /etc/ipsec.secrets file with the preshared key you want to use between your peers

<Local (LEFT) Public IP> <Remote (RIGHT) Public IP>: PSK "mypassword"

example:
54.45.58.87 45.65.128.69: PSK "mypassword"


You can enable PAT/NAT for your private servers that need internet access by using the following command:

iptables --table nat --append POSTROUTING --source <LOCAL PRIVATE VPC CIDR> -j MASQUERADE
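The conn template, the ipsec.secrets line and the NAT rule above are the pieces every node of the full mesh needs, once per peer. The script below is an added example, not the post author's tooling: it renders all three for one node from a small peer table, so that each region's instance gets a conn stanza and a PSK line for every other region. The node names, addresses (RFC 5737 documentation ranges) and PSK placeholders are constructed; protostack=netkey and nat_traversal=yes are standard Openswan config-setup options assumed here because an EC2 instance sits behind AWS 1:1 NAT and only knows its private address; and the per-peer ACCEPT rules placed before MASQUERADE are an addition, because with the NETKEY stack the nat table runs before IPsec encapsulation and tunnel-bound packets would otherwise be rewritten to the instance address and stop matching leftsubnet/rightsubnet.

```shell
#!/bin/sh
# Added example, not from the original post: render the full-mesh Openswan
# configuration (ipsec.conf stanzas, ipsec.secrets lines, NAT rules) for one
# VPC from a peer table. All addresses and PSKs are constructed placeholders
# (RFC 5737 documentation ranges); replace them with your own.

# Peer table, one node per line: name public_ip private_ip private_cidr
MESH='us-east 203.0.113.10 10.0.0.10 10.0.0.0/16
eu-west 198.51.100.20 10.1.0.20 10.1.0.0/16
ap-south 192.0.2.30 10.2.0.30 10.2.0.0/16'

# Pre-shared key per pair (either order); constructed placeholders here.
# Generate real ones with new_psk and install the same value on both ends.
PSKS='us-east eu-west example-psk-east-west
us-east ap-south example-psk-east-south
eu-west ap-south example-psk-west-south'

new_psk() { openssl rand -base64 48; }   # 384 bits of entropy; needs openssl

# node_field NAME N: column N (2=public, 3=private, 4=cidr) of node NAME
node_field() {
    printf '%s\n' "$MESH" | awk -v n="$1" -v f="$2" '$1 == n { print $f }'
}

# pair_psk A B: the PSK shared by A and B, whichever order the table lists them
pair_psk() {
    printf '%s\n' "$PSKS" | awk -v a="$1" -v b="$2" \
        '($1 == a && $2 == b) || ($1 == b && $2 == a) { print $3 }'
}

# gen_ipsec_conf LOCAL: ipsec.conf for LOCAL with one conn per remote node.
# left* values are LOCAL's own; leftid is the Elastic IP because the peer
# sees that address, while the instance itself only has the private one.
gen_ipsec_conf() {
    local_name=$1
    lpub=$(node_field "$local_name" 2)
    lpriv=$(node_field "$local_name" 3)
    lnet=$(node_field "$local_name" 4)
    printf 'config setup\n    protostack=netkey\n    nat_traversal=yes\n'
    printf '    virtual_private=%%v4:192.168.0.0/16,%%v4:10.0.0.0/8\n\n'
    printf '%s\n' "$MESH" | while read -r name pub priv net; do
        [ "$name" = "$local_name" ] && continue
        cat <<EOF
conn $local_name-to-$name
    authby=secret
    auto=start
    type=tunnel
    left=$lpriv
    leftid=$lpub
    leftsubnet=$lnet
    right=$pub
    rightsubnet=$net
    ike=aes256-sha1;modp2048
    phase2=esp
    phase2alg=aes256-sha1;modp2048

EOF
    done
}

# gen_ipsec_secrets LOCAL: ipsec.secrets lines keyed by the two public IPs,
# in the same form as the post's example line.
gen_ipsec_secrets() {
    local_name=$1
    lpub=$(node_field "$local_name" 2)
    printf '%s\n' "$MESH" | while read -r name pub priv net; do
        [ "$name" = "$local_name" ] && continue
        printf '%s %s: PSK "%s"\n' "$lpub" "$pub" "$(pair_psk "$local_name" "$name")"
    done
}

# gen_nat_rules LOCAL: iptables commands for internet egress via this instance.
# Traffic to each remote VPC is exempted before MASQUERADE so that packets
# bound for the tunnel keep their original source address.
gen_nat_rules() {
    local_name=$1
    lnet=$(node_field "$local_name" 4)
    printf '%s\n' "$MESH" | while read -r name pub priv net; do
        [ "$name" = "$local_name" ] && continue
        printf 'iptables -t nat -A POSTROUTING -s %s -d %s -j ACCEPT\n' "$lnet" "$net"
    done
    printf 'iptables -t nat -A POSTROUTING -s %s -j MASQUERADE\n' "$lnet"
}

# Usage: render everything for one node (default us-east). Write the first
# part to /etc/ipsec.conf, the PSK lines to /etc/ipsec.secrets (mode 0600),
# and run the printed iptables commands on that node's instance.
node=${1:-us-east}
gen_ipsec_conf "$node"
gen_ipsec_secrets "$node"
gen_nat_rules "$node"
```

Run the script once per region with that region's name and apply the output on that region's VPN instance. The AWS side still needs the usual instance-based-VPN settings, which the script does not touch: source/destination checking disabled on each VPN instance, a route for every remote VPC CIDR pointing at the local VPN instance in each VPC route table, and security groups that allow UDP 500 and UDP 4500 between the peers' Elastic IPs.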

from Blogger http://ift.tt/1Fvfe6J
via IFTTT
