You will need 2 VPCs. The Internet VPC will have the Internet Gateway and the OpenSwan EC2 instance. The Project VPC will have your application or Kubernetes cluster.
Internet VPC:
- VPC CIDR: 10.230.30.0/24
- Private Subnet: 10.230.30.128/25 - Route Table with 0.0.0.0/0 to NAT
- Public Subnet: 10.230.30.0/25 - Route Table with 0.0.0.0/0 to IGW, 10.224.36.0/23 to OpenSwan Instance
- NAT Gateway in the public subnet with an IP of 52.15.61.171
- IGW attached to the VPC
Project VPC:
- VPC CIDR: 10.224.36.0/23
- Private Subnets: Any - Route Table with 0.0.0.0/0 to NAT
- Public Subnets: Any - Route Table with 0.0.0.0/0 to VGW
- Customer Gateway pointing at the NAT Gateway IP in the Internet VPC: 52.15.61.171
- VPN Connection with a static route of: 0.0.0.0/0
Once the VPN Connection is active, download the configuration for OpenSwan.
Launch an Amazon Linux 1 AMI in the public subnet of the Internet VPC (this will be the jumpbox) and make sure it gets a public IP; you'll need to enable Auto-Assign Public IP for the subnet. Make sure you can SSH into the instance.
- Security Group - Inbound: SSH in from your IP
- Security Group - Outbound: All
Launch an Amazon Linux 1 AMI in the public subnet of the Project VPC (this will be the Project Server).
- Security Group - Inbound: SSH in from your Internet VPC: 10.230.30.0/24
- Security Group - Outbound: All
Launch an Amazon Linux 1 AMI in the private subnet of the Internet VPC (this will be the OpenSwan Server; it reaches AWS through the NAT Gateway, which is why the Customer Gateway uses the NAT IP).
- Security Group - Inbound: SSH in from your Internet VPC: 10.230.30.0/24
- Security Group - Outbound: All
- Disable Source/Destination Check in AWS
```bash
# SSH into the Jumpbox. Then SSH into the OpenSwan Server.
# Install OpenSwan.
sudo yum install openswan
# Follow the instructions from the downloaded config.
# Open the sysctl config file.
sudo nano /etc/sysctl.conf
# Ensure these values match:
# net.ipv4.ip_forward = 1
# net.ipv4.conf.default.rp_filter = 0
# net.ipv4.conf.default.accept_source_route = 0
# Apply the changes.
sudo sysctl -p
# Restart the network services.
sudo service network restart
# Open the ipsec config file.
sudo nano /etc/ipsec.conf
# Uncomment the line at the bottom:
# include /etc/ipsec.d/*.conf
# Create a new config file.
sudo nano /etc/ipsec.d/aws.conf
# Paste in the contents from the downloaded config.
# Replace leftsubnet=<LOCAL NETWORK> with leftsubnet=0.0.0.0/0
# Replace rightsubnet=<REMOTE NETWORK> with rightsubnet=10.224.36.0/23 (Project VPC CIDR)
# Create a new secrets file.
sudo nano /etc/ipsec.d/aws.secrets
# Paste in the contents from the downloaded config.
# Start the ipsec service.
sudo service ipsec start
# Check the status and logs.
sudo service ipsec status
sudo ipsec auto --status
# The tunnel in the VPN connection in AWS should now be "up".
```
You can now access the Project Server from any server in the Internet VPC. The Project Server can also reach the internet, because its 0.0.0.0/0 route goes over the VPN to the OpenSwan Server, which forwards it out through the Internet VPC's NAT Gateway.
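The two hand edits above (filling the subnet placeholders in the downloaded config, and checking the three sysctl values) are easy to get wrong across several attempts, so here is an added example that scripts them. This is not code from the original post or from AWS/OpenSwan; the function names, file names and the sample config are this example's own constructions.

```bash
#!/bin/sh
# Added example, not part of the original post or of the AWS/OpenSwan tooling.
# It scripts the two edits the walkthrough makes to the downloaded config and
# checks the three sysctl settings it requires. Function and file names are
# this example's own choices.

# Copy the downloaded AWS config, filling the two subnet placeholders.
# $1 = downloaded config, $2 = output file, $3 = leftsubnet, $4 = rightsubnet
patch_aws_conf() {
    # '#' delimits the sed expressions because the subnets contain '/'
    sed -e "s#leftsubnet=<LOCAL NETWORK>#leftsubnet=$3#" \
        -e "s#rightsubnet=<REMOTE NETWORK>#rightsubnet=$4#" "$1" > "$2"
}

# Print each required forwarding sysctl that is absent or has another value
# in a sysctl.conf-style file ($1); prints nothing when all three are right.
missing_sysctls() {
    for kv in net.ipv4.ip_forward=1 \
              net.ipv4.conf.default.rp_filter=0 \
              net.ipv4.conf.default.accept_source_route=0; do
        key=${kv%%=*}
        val=${kv#*=}
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')   # literal dots in the regex
        grep -Eq "^[[:space:]]*${esc}[[:space:]]*=[[:space:]]*${val}[[:space:]]*$" "$1" \
            || echo "$key"
    done
}

# Demo on a constructed stand-in for the downloaded config (not the real file).
demo_dir=$(mktemp -d)
cat > "$demo_dir/downloaded.conf" <<'EOF'
conn Tunnel1
    leftsubnet=<LOCAL NETWORK>
    rightsubnet=<REMOTE NETWORK>
EOF
patch_aws_conf "$demo_dir/downloaded.conf" "$demo_dir/aws.conf" 0.0.0.0/0 10.224.36.0/23
cat "$demo_dir/aws.conf"
# Constructed sysctl.conf with one correct and one wrong value, one missing.
printf 'net.ipv4.ip_forward = 1\nnet.ipv4.conf.default.rp_filter = 1\n' > "$demo_dir/sysctl.conf"
echo "sysctls still to fix:"
missing_sysctls "$demo_dir/sysctl.conf"
rm -rf "$demo_dir"
```

Run `missing_sysctls /etc/sysctl.conf` on the OpenSwan Server before `sysctl -p`; an empty result means all three values are in place.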
First of all - appreciate the detailed notes.
I have made a total of 8 attempts at this lab. However, I just couldn't get the tunnel up with openswan on linux. On the other hand, I was following the cloud guru Adv Network course, and I was able to get the tunnel up with windows server. I am using AWS Linux 2 and openswan 3.25.
One observation:
Failed to add connection "Tunnel1", esp="aes128-sha1;modp1024" is invalid: ESP encryption algorithm 'aes' is not supported
If anyone has any clue, please share with me.