What is Open Swan?
Openswan has been the de-facto Virtual Private Network software for the Linux community since 2005. If you are running Fedora, Red Hat, Ubuntu, Debian (Wheezy), Gentoo, or many others, it is already included in your distribution! Just start using it right away.
In the field of computer security, Openswan provides a complete IPsec implementation for Linux 2.0, 2.2, 2.4 and 2.6 kernels. Openswan, begun as a fork of the now-defunct FreeS/WAN project, continues to use the GNU General Public License. Unlike the FreeS/WAN project, it does not exclusively target the GNU/Linux operating system.
Setting up Site to Site VPN between Open Swan and AWS VPN
If you you use AWS Cloud services and want to connect Amazon Virtual Private Cloud (Amazon VPC) from your on-premises network, you can use Openswan for this purpose.
In this article, we will be showing you how you can configure site to site VPN between Openswan and AWS VPN. We will be launching Openswan Instance in AWS itself (as on-premise environment) and create VPN connection using the Elastic IP address of Openswan in AWS VPN console. We will then download the VPN configuration from the AWS VPN console and configure it in Openswan instance. Check the detailed steps given below to accomplish this:
Be sure to create and configure your Amazon VPC before you begin.
1. Launch an instance using an Amazon Machine Image (AMI) in your Openswan VPC.
2. Attach an Elastic IP address in the network interface (Eth0) of the instance you just launched. If you choose to auto-assign the IP address when launching the instance, the IP address changes after the instance is restarted. Be sure to note the instance's public IP address.
3. Now we will be configuring the prerequisite for VPN in AWS. We will need to create CGW(Customer gateway, in our case Openswan), VGW(Virtual Private gateway which is AWS VPN) and then create a VPN connection between CGW and VGW. The steps are given below:
In your preferred AWS region, create a customer gateway for your Amazon VPC. Be sure to choose the Amazon VPC that you want to connect to over a virtual connection using Openswan. Be sure to use the IP address you noted in the previous step.
5. Create an AWS VPN connection using the customer gateway and virtual private gateway you created in the previous steps.
Important: Be sure to choose Download configuration to download your VPN configuration file. When you download your VPN configuration file, be sure to specify Openswan for the vendor name, Openswan for the platform, and 2.6.38+ for the software version.
6. Enable route propagation for the VPC route table used by your instances.
7. Install Openswan packages on your AWS VPN instance. For example, on Amazon Linux, use:
sudo yum install openswan
Be sure to confirm the package installation.
8. Connect to your Openswan instance.
9. Open the file /etc/sysctl.conf in your preferred editor.
10. Change the value of net.ipv4.ip_forward = 0 and net.ipv4.conf.default.rp_filter = 0 to 1.
11. Save your changes.
12. Apply your changes:
sysctl -p
13. Open the IPSec configuration file in your preferred editor. The location varies by distribution. On Amazon Linux, the location is :
/etc/ipsec.conf
14. Add a line to the configuration file to include /etc/ipsec.d/*.conf. For example:
include /etc/ipsec.d/*.conf
15. Save your changes.
16. Create a VPN configuration file (for example, openswan-to-aws.conf) in /etc/ipsec.d/ and open it in your preferred editor.
17. Edit the VPN configuration file to include the VPN configuration that you downloaded in a previous step. For example:
conn vpc1-to-vpc2
type=tunnel
authby=secret
left=%defaultroute
leftid=52.52.227.115
leftnexthop=%defaultroute
leftsubnet=172.1.10.0/24
right=13.55.247.246
rightsubnet=172.18.0.0/16
phase2=esp
phase2alg=aes128-sha1
ike=aes-sha1
ikelifetime=28800s
salifetime=3600s
pfs=yes
auto=start
rekey=yes
keyingtries=%forever
dpddelay=10
dpdtimeout=60
dpdaction=restart_by_peer
18. Save your changes.
19. Configure your pre-shared key in /etc/ipsec.d/aws.secrets. The pre-shared key is located in the VPN configuration you downloaded in a previous step.
20. Restart IPSec. For example:
sudo service ipsec start
21. Configure the IPSec service to run when the system boots. For example:
sudo chkconfig ipsec on
22. Check the status of your VPN connection:
ipsec auto –status
23. Review the output and verify that the IPSec Security Associations (SAs) have been established.
24. Configure a route in your route tables for instances using Openswan to reach subnets in your Amazon VPC. Be sure the route for the remote network (Amazon VPC) points to the elastic network interface (ENI) of your Openswan instance.
25. Verify that your VPN configuration works. Send ping packets from site-to-site using the VPN tunnel you just established.
References:
Openswan Official Web site: https://www.openswan.org/
Wikipedia: https://en.wikipedia.org/wiki/Openswan
Ravi has a decade of experience in Networking and has worked in ISP and Datacenter. Ravi used to be Certified CCNA instructor in Softwarice college and has a passion to teach. He is responsible to help the enterprise customers to troubleshoot their VPN connections, Direct connect, Transit gateway, VPC in their Network infrastructure in AWS.
Get connected with Ravi :
0 Comments