How do I configure a site-to-site VPN to between AWS VPN and Openswan Instance
j

Ravi Nakarmi

October 4, 2021

What is Open Swan?

Openswan has been the de-facto Virtual Private Network software for the Linux community since 2005. If you are running Fedora, Red Hat, Ubuntu, Debian (Wheezy), Gentoo, or many others, it is already included in your distribution! Just start using it right away.

In the field of computer security, Openswan provides a complete IPsec implementation for Linux 2.0, 2.2, 2.4 and 2.6 kernels. Openswan, begun as a fork of the now-defunct FreeS/WAN project, continues to use the GNU General Public License. Unlike the FreeS/WAN project, it does not exclusively target the GNU/Linux operating system.

Setting up Site to Site VPN between Open Swan and AWS VPN

If you you use AWS Cloud services and want to connect Amazon Virtual Private Cloud (Amazon VPC) from your on-premises network,  you can use Openswan for this purpose.

In this article, we will be showing you how you can configure site to site VPN between Openswan and AWS VPN. We will be launching Openswan Instance in AWS itself (as on-premise environment) and create VPN connection using the Elastic IP address of Openswan in AWS VPN console. We will then download the VPN configuration from the AWS VPN console and configure it in Openswan instance. Check the detailed steps  given below to accomplish this:

Be sure to create and configure your Amazon VPC before you begin.

1. Launch an instance using an Amazon Machine Image (AMI) in your Openswan VPC.

2. Attach an Elastic IP address in the network interface (Eth0) of the instance you just launched. If you choose to auto-assign the IP address when launching the instance, the IP address changes after the instance is restarted. Be sure to note the instance's public IP address.

3. Now we will be configuring the prerequisite for VPN in AWS. We will need to create CGW(Customer gateway, in our case Openswan), VGW(Virtual Private gateway which is AWS VPN) and then create a VPN connection between CGW and VGW. The steps are given below:
In your preferred AWS region, create a customer gateway for your Amazon VPC. Be sure to choose the Amazon VPC that you want to connect to over a virtual connection using Openswan. Be sure to use the IP address you noted in the previous step.

5. Create an AWS VPN connection using the customer gateway and virtual private gateway you created in the previous steps.
Important: Be sure to choose Download configuration to download your VPN configuration file. When you download your VPN configuration file, be sure to specify Openswan for the vendor name, Openswan for the platform, and 2.6.38+ for the software version.

6. Enable route propagation for the VPC route table used by your instances.

7. Install Openswan packages on your AWS VPN instance. For example, on Amazon Linux, use:

sudo yum install openswan

Be sure to confirm the package installation.

8. Connect to your Openswan instance.

9. Open the file /etc/sysctl.conf in your preferred editor.

10. Change the value of net.ipv4.ip_forward = 0 and net.ipv4.conf.default.rp_filter = 0 to 1.

11. Save your changes.

12. Apply your changes:

sysctl -p

13. Open the IPSec configuration file in your preferred editor. The location varies by distribution. On Amazon Linux, the location is :

/etc/ipsec.conf

14. Add a line to the configuration file to include /etc/ipsec.d/*.conf. For example:

include /etc/ipsec.d/*.conf

15. Save your changes.

16. Create a VPN configuration file (for example, openswan-to-aws.conf) in /etc/ipsec.d/ and open it in your preferred editor.

17. Edit the VPN configuration file to include the VPN configuration that you downloaded in a previous step. For example:

conn vpc1-to-vpc2
        type=tunnel
        authby=secret
        left=%defaultroute
        leftid=52.52.227.115
        leftnexthop=%defaultroute
        leftsubnet=172.1.10.0/24
        right=13.55.247.246
        rightsubnet=172.18.0.0/16
        phase2=esp
        phase2alg=aes128-sha1
        ike=aes-sha1
        ikelifetime=28800s
        salifetime=3600s
        pfs=yes
        auto=start
        rekey=yes
        keyingtries=%forever
        dpddelay=10
        dpdtimeout=60
        dpdaction=restart_by_peer

18. Save your changes.

19. Configure your pre-shared key in /etc/ipsec.d/aws.secrets. The pre-shared key is located in the VPN configuration you downloaded in a previous step.

20. Restart IPSec. For example:

sudo service ipsec start

21. Configure the IPSec service to run when the system boots. For example:

sudo chkconfig ipsec on

22. Check the status of your VPN connection:

ipsec auto –status

23. Review the output and verify that the IPSec Security Associations (SAs) have been established.

24. Configure a route in your route tables for instances using Openswan to reach subnets in your Amazon VPC. Be sure the route for the remote network (Amazon VPC) points to the elastic network interface (ENI) of your Openswan instance.

25. Verify that your VPN configuration works. Send ping packets from site-to-site using the VPN tunnel you just established.

References:
Openswan Official Web site: https://www.openswan.org/ 
Wikipedia: https://en.wikipedia.org/wiki/Openswan

 

Ravi has a decade of experience in Networking and has worked in ISP and Datacenter. Ravi used to be Certified CCNA instructor in Softwarice college and has a passion to teach. He is responsible to help the enterprise customers to troubleshoot their VPN connections, Direct connect, Transit gateway, VPC in their Network infrastructure in AWS.

Ravi Nakarmi

Cloud Network Engineer L5 , Amazon Web Services (AWS)

Get connected with Ravi :

0 Comments

Related Articles