
VIDEO: VPC to VPC with OpenSWAN

The information provided in this video is meant as a tutorial. It is not the final word on security or setup for your particular case. In simpler terms: use at your own risk. That said, I hope it helps.

Notes for VPC-to-VPC-with-OpenSWAN:
yum install openswan
chkconfig ipsec on

***********************************************************

Singapore Setup

Singapore OpenSWAN config:

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0    # conforms to second version of ipsec.conf specification

config setup
    nat_traversal=yes
    # we should exclude ourselves, but that's dynamic.
    # The other end should not be behind NAT anyway. If it is via port forward, avoid 10/8 that Amazon uses
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/16
    # amazon kernels have no KLIPS support
    protostack=netkey

# Parameter lines must be indented: an unindented line starts a new section.
# "left" is this instance: its private address on the wire (AWS maps the EIP
# to it 1:1), its EIP as the IKE identity the peer expects.
conn singapore-tokyo
    authby=secret
    auto=start
    type=tunnel
    left=172.16.0.100
    leftid=x.x.x.x            # EIP Singapore
    leftsubnet=172.16.0.0/16
    right=y.y.y.y             # EIP Tokyo
    rightsubnet=10.0.0.0/16
    ike=aes256-sha1;modp2048
    phase2=esp
    phase2alg=aes256-sha1;modp2048

---- /etc/ipsec.secrets

#include /etc/ipsec.d/*.secrets
x.x.x.x y.y.y.y: PSK "mysecret488"

*********************************************

Tokyo Setup

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0    # conforms to second version of ipsec.conf specification

config setup
    nat_traversal=yes
    # we should exclude ourselves, but that's dynamic.
    # The other end should not be behind NAT anyway. If it is via port forward, avoid 10/8 that Amazon uses
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/16
    # amazon kernels have no KLIPS support
    protostack=netkey

# Mirror image of the Singapore conn: left/right and the subnets swap sides,
# the algorithms and the conn name stay identical.
conn singapore-tokyo
    authby=secret
    auto=start
    type=tunnel
    left=10.0.0.100
    leftid=y.y.y.y            # EIP Tokyo
    leftsubnet=10.0.0.0/16
    right=x.x.x.x             # EIP Singapore
    rightsubnet=172.16.0.0/16
    ike=aes256-sha1;modp2048
    phase2=esp
    phase2alg=aes256-sha1;modp2048

---- /etc/ipsec.secrets

#include /etc/ipsec.d/*.secrets
y.y.y.y x.x.x.x: PSK "mysecret488"

****************************************************

service ipsec start

echo 1 > /proc/sys/net/ipv4/ip_forward (add to /etc/rc.local)
iptables --table nat --append POSTROUTING -s 172.16.0.0/16 --out-interface eth0 -j MASQUERADE (add to /etc/rc.local)
(On the Singapore OpenSWAN instance, 172.16.0.100, if you also want it to be the NAT instance for Internet access.)

iptables --table nat --append POSTROUTING -s 10.0.0.0/16 --out-interface eth0 -j MASQUERADE
(On the Tokyo OpenSWAN instance, 10.0.0.100, if you also want it to be the NAT instance for Internet access.)

route add -net 10.0.0.0 netmask 255.255.0.0 gw 172.16.0.100 (on a Singapore instance in the same subnet as the Singapore OpenSWAN instance, so that it reaches the Tokyo subnet through the tunnel; Tokyo instances need the mirror-image route for 172.16.0.0/16 via 10.0.0.100)

Be sure to disable the Source/Dest check on the OpenSWAN instance; otherwise it will not forward traffic to the backend instances. To do this, right-click the instance and select “Change Source/Dest Check”.

https://smattie-download.s3.amazonaws.com/OpenSWAN-Notes.txt
https://smattie-download.s3.amazonaws.com/VPC-to-VPC-via-OpenSWAN.png
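As an added example (not part of the original post or video), the POSIX shell script below renders both ends of the tunnel above from one set of parameters, so left/right, leftsubnet/rightsubnet and the two ipsec.secrets index lines are mirrors by construction. It also replaces the guessable PSK with 32 random bytes, writes ipsec.secrets with mode 0600, and emits the rc.local lines with one change: packets destined for the other VPC are excluded from MASQUERADE. With the netkey stack the nat POSTROUTING chain sees the plaintext packet before ESP encapsulation, so the rule exactly as in the notes also rewrites the source of tunnelled packets to 172.16.0.100 / 10.0.0.100 and the far side never sees the real instance address. The EIPs x.x.x.x and y.y.y.y are the post's placeholders; OUT_DIR is an assumed scratch directory (not /etc), and the rendered files are meant to be reviewed and then copied onto each instance.

```shell
#!/bin/sh
# Added example, not from the original post: render both ends of the
# singapore-tokyo tunnel from one parameter set so the two ipsec.conf conn
# sections and ipsec.secrets lines are exact mirrors, generate a random PSK,
# and emit rc.local lines whose MASQUERADE rule leaves tunnelled traffic alone.
# x.x.x.x / y.y.y.y are the post's EIP placeholders; OUT_DIR is an assumed
# scratch directory, not /etc.

SG_PRIV=172.16.0.100; SG_EIP=x.x.x.x; SG_NET=172.16.0.0/16
TK_PRIV=10.0.0.100;   TK_EIP=y.y.y.y; TK_NET=10.0.0.0/16
CONN=singapore-tokyo
OUT_DIR=${OUT_DIR:-./out}

# side_params SIDE: set L_* (this instance) and R_* (the peer) for SIDE
side_params() {
    case $1 in
        singapore) L_PRIV=$SG_PRIV; L_EIP=$SG_EIP; L_NET=$SG_NET; R_EIP=$TK_EIP; R_NET=$TK_NET ;;
        tokyo)     L_PRIV=$TK_PRIV; L_EIP=$TK_EIP; L_NET=$TK_NET; R_EIP=$SG_EIP; R_NET=$SG_NET ;;
        *) echo "unknown side: $1" >&2; return 1 ;;
    esac
}

# render_conn SIDE: the conn section for /etc/ipsec.d/$CONN.conf on SIDE.
# "left" is always the local instance: private address on the wire (AWS maps
# the EIP to it 1:1), EIP as the IKE identity the peer expects.
render_conn() {
    side_params "$1" || return 1
    cat <<EOF
conn $CONN
    authby=secret
    auto=start
    type=tunnel
    left=$L_PRIV
    leftid=$L_EIP
    leftsubnet=$L_NET
    right=$R_EIP
    rightsubnet=$R_NET
    ike=aes256-sha1;modp2048
    phase2=esp
    phase2alg=aes256-sha1;modp2048
EOF
}

# gen_psk: 32 bytes from /dev/urandom as 64 hex characters (no openssl needed)
gen_psk() { head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'; }

# render_secrets SIDE PSK: the ipsec.secrets line for SIDE. The index is
# "<my id> <peer id>", so it is mirrored; the PSK itself is identical.
render_secrets() {
    side_params "$1" || return 1
    printf '%s %s: PSK "%s"\n' "$L_EIP" "$R_EIP" "$2"
}

# render_nat SIDE: rc.local lines for the NAT-instance role. With netkey the
# nat POSTROUTING chain runs on the plaintext packet before ESP is applied,
# so an unconditional MASQUERADE also rewrites the source of packets bound
# for the other VPC. ACCEPT them in the nat table first so they keep their
# real source address through the tunnel.
render_nat() {
    side_params "$1" || return 1
    cat <<EOF
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -s $L_NET -d $R_NET -j ACCEPT
iptables -t nat -A POSTROUTING -s $L_NET -o eth0 -j MASQUERADE
EOF
}

# write_side SIDE PSK: write conf, secrets and nat.sh under $OUT_DIR/SIDE;
# the secrets file is created 0600 because it holds the shared key.
write_side() {
    d=$OUT_DIR/$1
    mkdir -p "$d"
    render_conn "$1" > "$d/$CONN.conf"
    render_nat "$1" > "$d/nat.sh"
    old_umask=$(umask)
    umask 077
    rm -f "$d/ipsec.secrets"
    render_secrets "$1" "$2" > "$d/ipsec.secrets"
    umask "$old_umask"
}

# file_mode PATH: the ls-style permission string, e.g. -rw-------
file_mode() { ls -l "$1" | cut -c1-10; }

main() {
    psk=$(gen_psk)
    for side in singapore tokyo; do
        write_side "$side" "$psk" || return 1
    done
    echo "wrote $OUT_DIR/singapore and $OUT_DIR/tokyo (same PSK on both ends)"
}

main "$@"
```

Copy out/singapore/singapore-tokyo.conf to /etc/ipsec.d/ on the Singapore instance and the tokyo one to Tokyo, replace the PSK line in each /etc/ipsec.secrets with the rendered one, and put the nat.sh lines in /etc/rc.local in that order (the ACCEPT must come before the MASQUERADE). The hex PSK only ever needs to be pasted once per side; it is not meant to be memorable.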


11 Responses to “VIDEO: VPC to VPC with OpenSWAN”

  1. Crash

    Just want to say THANK YOU. I spent about 14 hours troubleshooting what appeared to be an ip forwarding issue. Turns out it was because of the SRC/DST check on my openswan instance. Finally, I can sleep.

    October 12, 2012 at 8:04 PM
  2. Dear Scott,

    Awesome video tutorial … hats off!
    I would like to request that you share a downloadable video link.

    Thanks & regards,

    S. Venkata Ramana.

    April 11, 2013 at 3:07 AM
  3. Justin

    Awesomesauce.

    June 13, 2013 at 6:09 PM
  4. Mohan

    Hi Scott,

    The video was very good, and I am trying to follow it to set up the same as per my requirement.

    Could you please let me know if I can have the OpenSWAN configuration file, so that I can edit it with my values and configure it?

    Thanks in advance

    June 29, 2013 at 8:23 AM
    • Scott Mattie

      I will reach out to Lance and see if he can assist here.

      June 29, 2013 at 4:56 PM
      • Mohan

        Thanks, awaiting your response.

        June 30, 2013 at 11:06 PM
          • Mohan

            Hi Scott,

            Thanks for your response. I didn't notice the download link, which was already there. I have now modified the conf file and could successfully set up a VPN between two VPCs that are in different AWS accounts.

            Now, my next wish is to add one more VPC to this environment (VPN connectivity for multiple VPCs). Can you please guide me if there is any way that we can have multiple VPCs connected together using OpenSWAN/IPsec?

            thanks very much.

            Regards,
            Mohan

            July 3, 2013 at 10:46 PM
  5. Mohan

    Hi Scott,

    As per your step-by-step video, I could set up the VPC-to-VPC VPN connection. I am able to ping both private IPs of the OpenSWAN instances, and also instances in the private subnets.

    But the issue is that if I launch any instance in the public subnet (where the OpenSWAN subnet is), e.g. 172.16.0.0/24 or 10.0.0.0/24, from that instance I am not able to ping instances in the other VPC.

    OpenSWAN to OpenSWAN is able to ping, private subnet to private subnet is able to ping, but if we ping from any instance in the public subnet it does not ping, and it is not visible to the other VPC's instances either.

    Can you please suggest whether I missed anything in the route tables or anything else?

    thanks in advance.

    Regards,
    Mohan

    July 10, 2013 at 9:15 AM
  6. Matthias

    Awesome Guide! Thanks a lot for it. And have fun with the College football, which starts soon 🙂

    July 17, 2013 at 7:47 AM
  7. I've studied quite a few fantastic products in this article. Definitely worth bookmarking for revisiting. I am actually amazed at how much effort you put into generating this kind of magnificent, informative internet site.

    July 21, 2013 at 2:51 AM