AWS Setup Site To Site VPN Connection
Basic Architecture
Typically a Site-to-Site VPN setup looks like the diagram above: at one end is the
AWS VPC and at the other end is the corporate network with its edge router.
However, as we don't have access to a corporate network, for this exercise we will
simulate the corporate network with another AWS VPC in another AWS region.
We will configure an EC2 instance in this VPC to act as the router at the customer
end. For this router we will use Openswan.
The AWS network diagram looks like the following. VPC A acts as the AWS side of the
network and VPC B acts as the customer network.
Our Goal:
Once the VPN connection is up, we should be able to reach the EC2-A instance from
our simulated corporate network (EC2-B) using EC2-A's private IP address.
VPCs
Steps to set up an IPsec VPN between an AWS VPC and a Customer Network with Static Routing
$ sudo su

# /etc/ipsec.conf: pull the per-connection definitions in from /etc/ipsec.d/
include /etc/ipsec.d/*.conf

# /etc/sysctl.conf (load with "sysctl -p"): the EC2 router must forward packets
# and must neither accept nor send ICMP redirects. The instance also needs its
# source/destination check disabled in the AWS console, or it cannot forward
# traffic on behalf of the other hosts in VPC B.
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

# Connection definition for the first AWS tunnel, in a file under /etc/ipsec.d/.
# Replace the <...> placeholders with the values from the VPN configuration that
# AWS generates for the connection; the parameters must be indented under "conn".
# authby=secret: the tunnel's pre-shared key from that same download goes in the
# ipsec.secrets file.
conn Tunnel1
    authby=secret
    auto=start
    left=%defaultroute
    leftid=<Customer end VPN Public IP>
    right=<AWS VPN Tunnel 1 Public IP>
    type=tunnel
    ikelifetime=8h
    keylife=1h
    # aes128-sha1 with modp1024 (DH group 2) is the legacy profile; AWS tunnels also
    # negotiate stronger proposals (AES-256, SHA-2, modp2048) if both ends offer them.
    phase2alg=aes128-sha1;modp1024
    ike=aes128-sha1;modp1024
    keyingtries=%forever
    keyexchange=ike
    leftsubnet=<Customer end VPN CIDR>
    rightsubnet=<AWS end VPN CIDR>
    # Dead Peer Detection: probe every 10 s, declare the peer dead after 30 s, then re-initiate
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart_by_peer
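AWS provisions two tunnels per VPN connection, and the stanza above has to be written once per tunnel with the right endpoint and subnets. The following is an added example, not code from the original page: it renders the stanza for both tunnels from one set of parameters and refuses two mistakes that leave IKE negotiating happily while no traffic flows (overlapping left/right subnets, and a private VPC address used as leftid). The IPs, CIDRs and tunnel count are constructed placeholders.

```python
import ipaddress

# Added example, not code from the original page; the sample values are constructed
# placeholders. Real values come from the configuration file AWS generates per tunnel.
CUSTOMER_PUBLIC_IP = "203.0.113.10"                   # leftid: public IP of the VPC B router
CUSTOMER_CIDR = "10.200.0.0/16"                       # leftsubnet: VPC B
AWS_CIDR = "10.100.0.0/16"                            # rightsubnet: VPC A
AWS_TUNNELS = {1: "198.51.100.1", 2: "198.51.100.2"}  # outside IPs of Tunnel1 and Tunnel2
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The page's conn stanza, with parameters indented as Openswan's ipsec.conf parser requires.
CONN_TEMPLATE = """\
conn Tunnel{n}
    authby=secret
    auto=start
    left=%defaultroute
    leftid={leftid}
    right={right}
    type=tunnel
    ikelifetime=8h
    keylife=1h
    phase2alg=aes128-sha1;modp1024
    ike=aes128-sha1;modp1024
    keyingtries=%forever
    keyexchange=ike
    leftsubnet={leftsubnet}
    rightsubnet={rightsubnet}
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart_by_peer"""

def config_errors(customer_ip, customer_cidr, aws_cidr):
    # Two mistakes that leave IKE up but traffic unroutable: overlapping subnets,
    # and using the router's private VPC address instead of its public IP as leftid.
    errors = []
    left, right = ipaddress.ip_network(customer_cidr), ipaddress.ip_network(aws_cidr)
    if left.overlaps(right):
        errors.append(f"leftsubnet {left} overlaps rightsubnet {right}")
    if any(ipaddress.ip_address(customer_ip) in net for net in RFC1918):
        errors.append(f"leftid {customer_ip} is a private address, not the public IP AWS sees")
    return errors

def render_conns(customer_ip, customer_cidr, aws_cidr, tunnels):
    # One conn stanza per AWS tunnel, for a file under /etc/ipsec.d/ matched by the include line.
    errors = config_errors(customer_ip, customer_cidr, aws_cidr)
    if errors:
        raise ValueError("; ".join(errors))
    return "\n\n".join(CONN_TEMPLATE.format(n=n, leftid=customer_ip, right=ip, leftsubnet=customer_cidr,
                                            rightsubnet=aws_cidr) for n, ip in sorted(tunnels.items()))
```

Write the returned text to a file under /etc/ipsec.d/ and add one ipsec.secrets line per tunnel with that tunnel's pre-shared key.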
If you have completed all the steps properly, your VPN connection should be set up
at this point.
2. From the VPC-B EC2 instance, you should be able to reach the instance in VPC-A
on its private IP:
[root@ip-10-200-0-166 ipsec.d]# ping 10.100.0.42
PING 10.100.0.42 (10.100.0.42) 56(84) bytes of data.
64 bytes from 10.100.0.42: icmp_seq=1 ttl=254 time=1.43 ms
64 bytes from 10.100.0.42: icmp_seq=2 ttl=254 time=1.52 ms