IPSEC VPN Between Amazon VPCs
This is the world’s only existing simple example of an Openswan / Libreswan VPN between two Amazon EC2 VPCs. At least it seems that way after many fruitless searches today.
We recently needed to link a client’s two VPCs together using a VPN and decided to use Libreswan instead of OpenVPN.
Since there’s a dearth of specific examples online, I’ve decided to document a very simple configuration for a working Libreswan VPN bridge between two VPCs. This simple configuration certainly applies to other non-Amazon non-VPC configurations. Note that this also turns on dead peer detection, which is handy on unreliable networks.
This VPN was configured on two Amazon NAT instance AMIs. There’s nothing special about Amazon’s NAT instance AMIs, but if you’re using them, they are likely a logical place for your VPN between VPCs.
For the sake of the example, the following addresses have been used:
East NAT external IP: 1.1.1.1
East NAT internal IP: 192.168.1.10
East NAT subnet: 192.168.1.0/24
West NAT external IP: 2.2.2.2
West NAT internal IP: 192.168.2.10
West NAT subnet: 192.168.2.0/24
“East” configuration (left is the instance’s private address; leftid is set to the Elastic IP because that is the identity the West end sees after NAT and dials as right):
conn east-west
    authby=secret
    auto=start
    type=tunnel
    left=192.168.1.10
    leftid=1.1.1.1
    leftsubnet=192.168.1.0/24
    right=2.2.2.2
    rightsubnet=192.168.2.0/24
    ike=aes256-sha1;modp2048
    phase2=esp
    phase2alg=aes256-sha1;modp2048
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
“West” configuration:
conn east-west
    authby=secret
    auto=start
    type=tunnel
    left=192.168.2.10
    leftid=2.2.2.2
    leftsubnet=192.168.2.0/24
    right=1.1.1.1
    rightsubnet=192.168.1.0/24
    ike=aes256-sha1;modp2048
    phase2=esp
    phase2alg=aes256-sha1;modp2048
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
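The two conn blocks have to be exact mirror images of each other (east’s leftid is west’s right, east’s leftsubnet is west’s rightsubnet, and the IKE and ESP settings are identical), and a single transposed digit is the usual reason a tunnel silently fails to come up. The following script, an added example and not part of the original post, parses both fragments and reports every mismatch; it also checks that each end’s private address lies inside the subnet it advertises and that the two subnets do not overlap. The config text is a constructed copy of the two blocks above, and the key names are the ones the post uses.

```python
import ipaddress
import re

# Constructed copies of the two conn blocks from the post, one per end.
EAST_CONF = """\
conn east-west
    authby=secret
    auto=start
    type=tunnel
    left=192.168.1.10
    leftid=1.1.1.1
    leftsubnet=192.168.1.0/24
    right=2.2.2.2
    rightsubnet=192.168.2.0/24
    ike=aes256-sha1;modp2048
    phase2=esp
    phase2alg=aes256-sha1;modp2048
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
"""

WEST_CONF = """\
conn east-west
    authby=secret
    auto=start
    type=tunnel
    left=192.168.2.10
    leftid=2.2.2.2
    leftsubnet=192.168.2.0/24
    right=1.1.1.1
    rightsubnet=192.168.1.0/24
    ike=aes256-sha1;modp2048
    phase2=esp
    phase2alg=aes256-sha1;modp2048
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
"""

# (east key, west key) pairs that must carry the same value: what east calls
# itself (leftid) is what west dials (right), and so on.
MIRROR_PAIRS = [("leftid", "right"), ("leftsubnet", "rightsubnet"),
                ("right", "leftid"), ("rightsubnet", "leftsubnet")]
# Settings that must simply be identical on both ends.
SAME_KEYS = ["authby", "type", "ike", "phase2", "phase2alg",
             "dpddelay", "dpdtimeout", "dpdaction"]


def parse_conn(text):
    """Parse an ipsec.conf fragment into {conn_name: {key: value}}.

    Handles the indented key=value layout and '#' comments; anything else
    outside a conn section is reported rather than silently skipped.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a conn section: {raw!r}")
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return conns


def check_mirror(east, west):
    """Return a list of problems; an empty list means the two ends agree."""
    problems = []
    for ekey, wkey in MIRROR_PAIRS:
        if east.get(ekey) != west.get(wkey):
            problems.append(f"east {ekey}={east.get(ekey)} != west {wkey}={west.get(wkey)}")
    for key in SAME_KEYS:
        if east.get(key) != west.get(key):
            problems.append(f"{key} differs: east {east.get(key)}, west {west.get(key)}")
    try:
        # Each end's private address must sit inside the subnet it advertises ...
        for name, side in (("east", east), ("west", west)):
            net = ipaddress.ip_network(side["leftsubnet"], strict=False)
            if ipaddress.ip_address(side["left"]) not in net:
                problems.append(f"{name} left={side['left']} is outside leftsubnet={side['leftsubnet']}")
        # ... and the two subnets must not overlap, or traffic cannot be routed across the tunnel.
        if ipaddress.ip_network(east["leftsubnet"], strict=False).overlaps(
                ipaddress.ip_network(east["rightsubnet"], strict=False)):
            problems.append("leftsubnet and rightsubnet overlap")
    except (KeyError, ValueError) as exc:
        problems.append(f"cannot validate addresses: {exc}")
    return problems


def check_pair(east_text, west_text, conn="east-west"):
    """Parse both fragments and compare the named conn on each side."""
    return check_mirror(parse_conn(east_text)[conn], parse_conn(west_text)[conn])


if __name__ == "__main__":
    for p in check_pair(EAST_CONF, WEST_CONF) or ["east and west mirror each other"]:
        print(p)
```

Run it against the two real files before starting the tunnel; with the blocks from the post it reports that the ends mirror each other, and any edit to one side that is not reflected on the other shows up as a named key.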
Then you’ll need to create the secrets files on each end. The format is [LOCALIP] [REMOTEIP]: PSK "[SECRET]". Obviously, use a better PSK than the one below or use certificates.
East:
1.1.1.1 2.2.2.2: PSK "mysecretpsk"
West:
2.2.2.2 1.1.1.1: PSK "mysecretpsk"
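A PSK is only as good as its randomness and the file permissions around it. The script below, an added example rather than anything from the post, generates a random key, refuses to write anything short or on a small constructed deny-list (the post’s sample value included), and creates the secrets file with mode 0600 so that nothing but root can read it. The addresses are the post’s placeholders, the 32-character floor and the file name are assumptions for this example, and where the file has to live is up to your Libreswan layout (the stock ipsec.secrets or a file included from it); the script only shows how to produce it.

```python
import os
import secrets
import stat
import tempfile

# Placeholder IDs from the post; the PSK is generated, never hard-coded.
LOCAL_ID = "1.1.1.1"
REMOTE_ID = "2.2.2.2"
MIN_PSK_CHARS = 32  # assumption: a floor for this example, not a Libreswan limit
KNOWN_WEAK = {"mysecretpsk", "secret", "password"}  # constructed deny-list


def generate_psk(nbytes=48):
    """Return a random URL-safe PSK (48 random bytes -> 64 characters)."""
    return secrets.token_urlsafe(nbytes)


def check_psk(psk):
    """Return the reasons a PSK is unacceptable; an empty list means it passes."""
    problems = []
    if len(psk) < MIN_PSK_CHARS:
        problems.append(f"shorter than {MIN_PSK_CHARS} characters")
    if psk.lower() in KNOWN_WEAK:
        problems.append("matches a known sample/weak value")
    if '"' in psk or "\n" in psk:
        problems.append('contains a quote or newline, which breaks the PSK "..." syntax')
    return problems


def secrets_line(local_id, remote_id, psk):
    """Format one entry the way the post does: LOCAL REMOTE: PSK "secret"."""
    return f'{local_id} {remote_id}: PSK "{psk}"\n'


def write_secrets(path, local_id, remote_id, psk):
    """Write the entry readable by the owner only (mode 0600), refusing weak keys."""
    problems = check_psk(psk)
    if problems:
        raise ValueError("refusing to write weak PSK: " + "; ".join(problems))
    line = secrets_line(local_id, remote_id, psk)
    # O_CREAT with 0o600 applies the mode at creation; the chmod afterwards
    # covers a pre-existing file that was created with a looser mode.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(line)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return line


def demo(local_id=LOCAL_ID, remote_id=REMOTE_ID):
    """Write a fresh secrets file into a temporary directory and report on it."""
    directory = tempfile.mkdtemp(prefix="vpc-secrets-")
    path = os.path.join(directory, "east-west.secrets")  # hypothetical file name
    psk = generate_psk()
    line = write_secrets(path, local_id, remote_id, psk)
    with open(path) as fh:
        on_disk = fh.read()
    return {
        "path": path,
        "mode": stat.S_IMODE(os.stat(path).st_mode),
        "line": line,
        "matches_disk": on_disk == line,
        "psk_problems": check_psk(psk),
    }


if __name__ == "__main__":
    info = demo()
    print(f"wrote {info['path']} with mode {info['mode']:o}")
```

Generate the key once, on one end, and copy the same value into the West file with the IDs swapped; both files get the same 0600 treatment.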
You’ll also need to make sure you have the correct Network ACLs on the VPC subnets and Security Groups on the instances you’re using for the VPN termination points. You are using Network ACLs and Security Groups, right?
You’ll need UDP ports 500 (ISAKMP) and 4500 (IPsec NAT-T) open on both ends.
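Opening those two ports to the world is the easy way out; the least-privilege version is to admit UDP 500 and 4500 only from the other end’s Elastic IP (East’s group allows 2.2.2.2/32, West’s allows 1.1.1.1/32), and Network ACLs are stateless, so the same ports have to be permitted in both directions there. The checker below is an added example and not part of the post: it takes a list of security-group rules in the shape of the IpPermissions that EC2 DescribeSecurityGroups returns (the sample rules are constructed; fetching real ones through the AWS API is not shown) and reports, per port, whether the peer is admitted, admitted only from its /32, or admitted by a rule that is broader than it needs to be.

```python
import ipaddress

# Constructed sample in the shape of EC2 DescribeSecurityGroups IpPermissions
# for one group; the rules are made up for this example.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500,
     "IpRanges": [{"CidrIp": "2.2.2.2/32"}]},
    {"IpProtocol": "udp", "FromPort": 4500, "ToPort": 4500,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "192.168.1.0/24"}]},
]

IKE_PORTS = (500, 4500)  # ISAKMP and IPsec NAT-T, both UDP


def classify_ike_rules(permissions, peer_ip, ports=IKE_PORTS):
    """Return {port: status}: 'missing', 'ok' (peer /32 only) or 'too-broad'."""
    peer = ipaddress.ip_address(peer_ip)
    result = {}
    for port in ports:
        status = "missing"
        for perm in permissions:
            proto = perm.get("IpProtocol")
            if proto == "-1":            # "all traffic" rule carries no port keys
                lo, hi = 0, 65535
            elif proto == "udp":
                lo, hi = perm["FromPort"], perm["ToPort"]
            else:
                continue                 # TCP/ICMP rules are irrelevant to IKE
            if not lo <= port <= hi:
                continue
            for rng in perm.get("IpRanges", []):
                net = ipaddress.ip_network(rng["CidrIp"], strict=False)
                if peer not in net:
                    continue             # does not admit the peer at all
                if net.num_addresses > 1:
                    status = "too-broad"  # admits more than the one peer; sticks
                elif status == "missing":
                    status = "ok"
        result[port] = status
    return result


def required_rules(peer_ip, ports=IKE_PORTS):
    """Least-privilege rule set: each IKE port from the peer's /32 only."""
    return [{"IpProtocol": "udp", "FromPort": p, "ToPort": p,
             "IpRanges": [{"CidrIp": f"{peer_ip}/32"}]} for p in ports]


if __name__ == "__main__":
    for port, status in classify_ike_rules(SAMPLE_PERMISSIONS, "2.2.2.2").items():
        print(f"udp/{port}: {status}")
```

On the constructed sample the check reports udp/500 as ok and udp/4500 as too-broad, which is exactly the kind of leftover 0.0.0.0/0 rule worth tightening to the peer’s address before the VPN goes into service.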
Don’t hesitate to contact us if you need assistance.
John Dyer
February 13, 2014 @ 8:11 pm
Thank you, very clear and concise instructions… best I was able to find on the web
Paul Wouters
May 24, 2016 @ 1:56 pm
you describe openswan but use the libreswan logo? You might want to clarify that?
Internet Staff
May 24, 2016 @ 3:05 pm
Hi Paul,
We were originally using Openswan, then later moved to Libreswan as EPEL and Amazon Linux dropped it. I was remiss in fully updating the post to reflect that. Done!
P.S. Thanks for your work both!