First let's look at the picture of what we want to do:
We have two VPCs, Staging and Live, and we will connect them with a site-to-site IPsec tunnel using IKEv2 and a pre-shared key (PSK).
Inside each VPC, create a new EC2 instance for VPN purposes. I installed Ubuntu; if you use Red Hat or Amazon Linux the steps should be fairly similar.
Once the instance is up and running, right-click on it, choose Change source / destination check and disable it on all VPN servers. With that check enabled, EC2 only lets the instance handle traffic for which it is the source or the destination; a VPN node forwards packets on behalf of the whole subnet, so for IPsec it definitely needs to be off.
Now log into the VPN servers. Update the package list and install strongSwan:
- $ sudo apt-get update
- $ sudo apt-get install strongswan
On the Staging VPN server, this will be the content of /etc/ipsec.conf (note that parameters must be indented under their section; a line starting in column 0 begins a new section):
#------ Begin ipsec.conf -------
config setup
    plutodebug=none   # change to "control" if you want to log what happens
    charonstart=yes
    plutostart=yes    # plutostart/plutodebug only concern the legacy pluto daemon of strongSwan 4.x; 5.x runs charon alone and warns that they are deprecated
conn %default
    ikelifetime=60m   # IKE_SA lifetime
    keylife=20m       # CHILD_SA (ESP) lifetime
    rekeymargin=3m    # start rekeying this long before expiry
    keyingtries=1
    keyexchange=ikev2
    authby=secret     # authenticate with the PSK from ipsec.secrets
conn live
    left=%defaultroute            # this node: the private IP on the default-route interface
    leftsubnet=10.1.0.0/16        # Staging VPC CIDR
    leftid=@staging.mydomain      # IKE identity; must match the peer's rightid and the ipsec.secrets entry
    leftfirewall=yes              # let the updown script add the iptables FORWARD rules for the subnets
    right=54.54.54.2              # public (elastic) IP of the Live VPN node
    rightsubnet=10.2.0.0/16       # Live VPC CIDR
    rightid=@live.mydomain
    dpdaction=restart             # restart the tunnel when dead peer detection fails
    auto=start                    # bring the tunnel up as soon as the daemon starts
#------ End ipsec.conf -------
Content of /etc/ipsec.secrets:
#-----Begin ipsec.secrets-----
@staging.mydomain @live.mydomain : PSK "101010101010101010101010555^^^^^^^^^"
#-----End ipsec.secrets-----
On the Live VPN server, this will be the content of /etc/ipsec.conf (the mirror image of the Staging one: left and right, subnets and ids swap sides):
#------ Begin ipsec.conf -------
config setup
    plutodebug=none   # change to "control" if you want to log what happens
    charonstart=yes
    plutostart=yes    # plutostart/plutodebug only concern the legacy pluto daemon of strongSwan 4.x; 5.x runs charon alone and warns that they are deprecated
conn %default
    ikelifetime=60m   # IKE_SA lifetime
    keylife=20m       # CHILD_SA (ESP) lifetime
    rekeymargin=3m    # start rekeying this long before expiry
    keyingtries=1
    keyexchange=ikev2
    authby=secret     # authenticate with the PSK from ipsec.secrets
conn staging
    left=%defaultroute            # this node: the private IP on the default-route interface
    leftsubnet=10.2.0.0/16        # Live VPC CIDR
    leftid=@live.mydomain         # IKE identity; must match the peer's rightid and the ipsec.secrets entry
    leftfirewall=yes              # let the updown script add the iptables FORWARD rules for the subnets
    right=54.54.54.1              # public (elastic) IP of the Staging VPN node
    rightsubnet=10.1.0.0/16       # Staging VPC CIDR
    rightid=@staging.mydomain
    dpdaction=restart             # restart the tunnel when dead peer detection fails
    auto=start                    # bring the tunnel up as soon as the daemon starts
#------ End ipsec.conf -------
Content of /etc/ipsec.secrets:
#-----Begin ipsec.secrets-----
@live.mydomain @staging.mydomain : PSK "101010101010101010101010555^^^^^^^^^"
#-----End ipsec.secrets-----
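Before restarting anything it is worth catching the two classic pairing mistakes: a subnet or id that is not mirrored on the peer, and a PSK entry that exists on only one side. The following Python check is an added example, not part of the original post: it parses ipsec.conf the way strongSwan does (indented key=value lines under a column-0 section header) and compares the two sides. The embedded sample files are constructed, with a deliberate subnet typo on the Live side; "mydomain" and "example-psk" are placeholders.

```python
import re

def parse_ipsec_conf(text):
    """Parse ipsec.conf the way strongSwan does: a line starting in column 0 opens
    a section ('conn live'), indented key=value lines belong to it, '#' comments."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip(): continue
        if line[0] not in " \t":
            cur = sections.setdefault(line.strip(), {})
        elif cur is not None and "=" in line:
            k, _, v = line.strip().partition("=")
            cur[k.strip()] = v.strip()
    return sections

def psk_for(secrets_text, ids):  # PSK line whose two IDs match `ids` in either order
    for m in re.finditer(r'^\s*(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"', secrets_text, re.M):
        if {m.group(1), m.group(2)} == set(ids):
            return m.group(3)

def mirror_errors(a, b, a_secrets, b_secrets):
    """Side A's conn must be the mirror image of peer B's, with one shared PSK."""
    errs = []
    for ka, kb in [("leftsubnet", "rightsubnet"), ("rightsubnet", "leftsubnet"),
                   ("leftid", "rightid"), ("rightid", "leftid")]:
        if a.get(ka) != b.get(kb):
            errs.append(f"{ka}={a.get(ka)} vs peer {kb}={b.get(kb)}")
    ids = (a.get("leftid"), a.get("rightid"))
    pa, pb = psk_for(a_secrets, ids), psk_for(b_secrets, ids)
    if pa is None or pa != pb:
        errs.append("PSK for %s/%s missing or different on the two sides" % ids)
    return errs

# Constructed sample, not the post's files: the live side's rightsubnet has a typo.
SIDE = """conn {peer}
    leftsubnet={mysub}
    leftid=@{me}.mydomain
    rightsubnet={peersub}
    rightid=@{peer}.mydomain
"""
STAGING = SIDE.format(me="staging", peer="live", mysub="10.1.0.0/16", peersub="10.2.0.0/16")
LIVE = SIDE.format(me="live", peer="staging", mysub="10.2.0.0/16", peersub="10.1.0.0/24")
STAGING_SECRETS = '@staging.mydomain @live.mydomain : PSK "example-psk"\n'
LIVE_SECRETS = '@live.mydomain @staging.mydomain : PSK "example-psk"\n'

def check_pair():
    return mirror_errors(parse_ipsec_conf(STAGING)["conn live"],
                         parse_ipsec_conf(LIVE)["conn staging"], STAGING_SECRETS, LIVE_SECRETS)
```

Run it against the real files from both nodes (read them in place of the constructed strings) and an empty list means the two sides agree.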
On both EC2 instances we need to enable IP forwarding. Add this line:
net.ipv4.conf.all.forwarding = 1
to the file /etc/sysctl.conf and apply the change by executing:
- $ sudo sysctl -p
Depending on your intentions, some of the following steps might be optional. On both EC2 instances' security groups I added the following so that traceroutes, pings and TCP services in general work; this can be restricted later at the VPC ACL level. The minimum would be to allow UDP port 500 (IKE) for the configuration above; note that the ipsec up output further down shows the peers talking on UDP 4500, the NAT traversal port that EC2 instances end up using because their public address is NATed, so that port has to be reachable as well.
- All ICMP incoming traffic from 10.1.0.0/16, 10.2.0.0/16, 54.54.54.1 and 54.54.54.2
- All UDP incoming traffic from 10.1.0.0/16, 10.2.0.0/16, 54.54.54.1 and 54.54.54.2
- All TCP incoming traffic from 10.1.0.0/16, 10.2.0.0/16, 54.54.54.1 and 54.54.54.2
On both EC2 nodes you may execute sudo ipsec restart to apply all the previous configuration. Now ping an internal IP belonging to the other VPC; if everything went well, and the traffic is allowed in the security groups of both VPN nodes and of the EC2 instance you are pinging, you will get a reply. This configuration is meant to start the tunnel automatically, but if you want to trigger it manually change the parameter auto to add and bring up the tunnel by executing (on the Live side the connection is called staging, so use that name there):
$ sudo ipsec up live
establishing CHILD_SA live
generating CREATE_CHILD_SA request 6 [ SA No TSi TSr ]
sending packet: from 10.1.0.X[4500] to 54.54.54.2[4500]
received packet: from 54.54.54.2[4500] to 10.1.0.X[4500]
parsed CREATE_CHILD_SA response 6 [ SA No TSi TSr ]
To add more VPCs, just add more connection definitions to ipsec.conf and the matching keys to ipsec.secrets. For additional reading, see the strongSwan documentation and its guide for remote VPN clients.