Saturday, July 16, 2022

AWS-VPN Connection

By default, a VPC launched in AWS can't communicate with your own (on-premises) network. A site-to-site VPN connection enables communication between the AWS VPC and your on-premises network.

Below are the important terms to know for a site-to-site VPN.

VPN Connection:- A secure connection between your on-premises equipment and your AWS VPC.

VPN Tunnel:- An encrypted link over which data passes between your network and the AWS VPC. Each VPN connection includes 2 VPN tunnels that can be used for high availability.

Customer Gateway:- An AWS resource that provides information to AWS about your customer gateway device.

Customer Gateway Device:- A physical device or a software application on the customer side.

Steps 

I am creating VPCs in the North Virginia Region and the Singapore Region.

1. Create a VPC in North Virginia Region with the following configurations

    VPC CIDR : - 10.1.0.0/16

    Public Subnet:- 10.1.0.0/24

2.  Create a VPC in Singapore Region with the following configurations

    VPC CIDR : - 10.2.0.0/16

    Public Subnet:- 10.2.0.0/24

3. Create a public EC2 instance in the Singapore region within the same VPC and subnet.

4. Configure the following in the North Virginia Region.

    VPN --> VPN Gateway --> Create VPN Gateway (AWS VPN Gateway)

    Attach to AWS VPC

5. Create a Customer Gateway (CGW-1) and, in the IP address field, enter the public IP of the Singapore region's EC2 instance.

6. Select Site-to-Site VPN Connection in the N Virginia Region and click on Create VPN Connection

     Select the VPN Gateway and CGW-1

     Routing Options--> Static and provide the CIDR range of Singapore VPC (10.2.0.0/16)

    Create the VPN Connection

7. Select the Route Table of the N Virginia Region and, in the Route Propagation tab, select the VPN Gateway and enable it.

8. Select the site-to-site VPN connection and download the configuration with Generic as the vendor.

9. Select the EC2 instance of the Singapore region and connect to it.

Run the commands below on this instance.

1. Commands for installation of Openswan

    i. Change to the root user:

        $ sudo su

    ii. Install Openswan:

        $ yum install openswan -y

    iii. In /etc/ipsec.conf, uncomment the following line if it is not already uncommented:

        include /etc/ipsec.d/*.conf

    iv. Update /etc/sysctl.conf to contain the following:

        net.ipv4.ip_forward = 1
        net.ipv4.conf.all.accept_redirects = 0
        net.ipv4.conf.all.send_redirects = 0

    v. Restart the network service:

        $ service network restart

2. Contents for /etc/ipsec.d/aws-vpn.conf

    conn Tunnel1
        authby=secret
        auto=start
        left=%defaultroute
        leftid=<Customer end Gateway VPN public IP>
        right=<AWS Virtual private gateway ID- public IP>
        type=tunnel
        ikelifetime=8h
        keylife=1h
        phase2alg=aes128-sha1;modp1024
        ike=aes128-sha1;modp1024
        keyingtries=%forever
        keyexchange=ike
        leftsubnet=10.2.0.0/16
        rightsubnet=10.1.0.0/16
        dpddelay=10
        dpdtimeout=30
        dpdaction=restart_by_peer

3. Contents for /etc/ipsec.d/aws-vpn.secrets

    customer_public_ip aws_vgw_public_ip: PSK "shared secret"

4. Commands to enable/start the ipsec service

    $ chkconfig ipsec on
    $ service ipsec start
    $ service ipsec status
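As an added example (not part of the original post), the shell function below audits the two files created in steps 2 and 3 above: it flags the modp1024 (1024-bit DH group 2) and SHA-1 proposals, which the AWS tunnel options let you replace with stronger ones, and checks that the secrets file is owner-only and no longer holds the placeholder PSK. The function names and the documentation-range IP addresses in the sample are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Sample files are constructed.

# audit_vpn CONF SECRETS: print one finding per line; print nothing if clean.
audit_vpn() (
    conf=$1; secrets=$2
    # Drop comments, trim indentation and spaces around '=', split key=value.
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' "$conf" |
    while IFS='=' read -r key val; do
        case $key in ike|phase2alg|esp) ;; *) continue ;; esac
        case $val in *modp1024*) echo "$key: modp1024 is 1024-bit DH group 2" ;; esac
        case $val in *sha1*) echo "$key: sha1 integrity, prefer a SHA-2 variant" ;; esac
    done
    # Characters 5-10 of the ls mode string are the group/other permission bits.
    [ "$(ls -ld "$secrets" | cut -c5-10)" = "------" ] ||
        echo "secrets: accessible to group or other, use mode 600"
    # The page's literal placeholder must not survive into a live file.
    if grep -q 'PSK "shared secret"' "$secrets"; then
        echo "secrets: placeholder PSK still present"
    fi
)

# make_sample DIR: write the page's tunnel settings with constructed
# documentation-range IPs, plus a deliberately loose secrets file.
make_sample() {
    cat > "$1/aws-vpn.conf" <<'EOF'
conn Tunnel1
    authby=secret
    left=%defaultroute
    leftid=203.0.113.10
    right=198.51.100.20
    phase2alg=aes128-sha1;modp1024
    ike=aes128-sha1;modp1024
    leftsubnet=10.2.0.0/16
    rightsubnet=10.1.0.0/16
EOF
    echo '203.0.113.10 198.51.100.20: PSK "shared secret"' > "$1/aws-vpn.secrets"
    chmod 644 "$1/aws-vpn.secrets"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit_vpn "$demo_dir/aws-vpn.conf" "$demo_dir/aws-vpn.secrets"
rm -rf "$demo_dir"
```

On the real instance, call audit_vpn with /etc/ipsec.d/aws-vpn.conf and /etc/ipsec.d/aws-vpn.secrets; no output means none of the checks fired.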
