AWS VPC VPN Strongswan configuration
Create the VPN Connection in the VPC Management console on AWS, using static routing, then download the Generic configuration. The downloaded text file contains some values that you'll need. It describes two VPN tunnels; I only hook up one of them on the server. If you have two VPN servers you could set up one tunnel on each.
These are the values of interest in the downloaded text file:
- Pre-Shared Key
- Outside IP Addresses
  - Customer Gateway
  - Virtual Private Gateway
- Inside IP Addresses
  - Customer Gateway
  - Virtual Private Gateway
My server has an internal IP address and sits behind a router, which has the public IP address. AWS VPC supports NAT-T, so this is no problem: you just set "left" (below) to your internal IP and "leftid" (also below) to your public IP.
Here is the example /etc/ipsec.conf:
conn vpc
    mobike=no
    type=tunnel
    compress=no
    keyexchange=ikev1
    ike=aes128-sha1-modp1024!
    ikelifetime=28800s
    esp=aes128-sha1-modp1024!
    lifetime=3600s
    rekeymargin=3m
    keyingtries=3
    installpolicy=yes
    dpdaction=restart
    authby=psk
    left=<ip address of your server>
    leftid=<public ip address of your server>

conn vpc1
    also=vpc
    auto=add
    right=<Outside IP Addresses: Virtual Private Gateway>
    leftsubnet=<your subnet>
    rightsubnet=<VPC subnet>

conn vpc1a
    also=vpc
    auto=add
    right=<Outside IP Addresses: Virtual Private Gateway>
    leftsubnet=<Inside IP Addresses: Customer Gateway>
    rightsubnet=<Inside IP Addresses: Virtual Private Gateway>
Here is the example /etc/ipsec.secrets:
<Outside IP Addresses: Virtual Private Gateway> : PSK "<Pre-Shared Key>"
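Filling the placeholders above by hand is where most typos happen (a subnet with host bits set, a curly quote around the PSK, the wrong gateway address in ipsec.secrets). The following Python script is an added example, not part of the original post or of strongSwan: it takes the AWS values in the same slots the post names, validates them with the standard ipaddress module, and renders both files. All addresses and the PSK in SAMPLE_VALUES are constructed placeholders, not real endpoints.

```python
"""Render strongSwan /etc/ipsec.conf and /etc/ipsec.secrets for an AWS VPC
static-routing VPN from the values in the downloaded generic configuration.

Added example; the sample values are constructed placeholders (RFC 5737 and
link-local ranges), not real AWS endpoints.
"""
import ipaddress
from typing import Dict

# Constructed sample values, one per slot the post's templates use.
SAMPLE_VALUES: Dict[str, str] = {
    "psk": "ExamplePreSharedKeyFromAwsFile",  # Pre-Shared Key
    "left": "192.168.1.20",                  # internal IP of the server
    "leftid": "203.0.113.10",                # public IP of the router (NAT-T)
    "right": "198.51.100.5",                 # Outside IP Addresses: Virtual Private Gateway
    "leftsubnet": "192.168.1.0/24",          # your subnet
    "rightsubnet": "10.0.0.0/16",            # VPC subnet
    "inside_cgw": "169.254.253.42/30",       # Inside IP Addresses: Customer Gateway
    "inside_vgw": "169.254.253.41/30",       # Inside IP Addresses: Virtual Private Gateway
}

# Proposals exactly as the post uses them. SHA-1 and modp1024 (DH group 2) are
# weak by current standards and AWS also negotiates stronger proposals such as
# aes256-sha256-modp2048, so treat these as the post's starting point only.
IKE_PROPOSAL = "aes128-sha1-modp1024!"
ESP_PROPOSAL = "aes128-sha1-modp1024!"


def validate(values: Dict[str, str]) -> Dict[str, str]:
    """Reject values strongSwan would fail on at load time or negotiate
    incorrectly. Returns a normalised copy of the values."""
    out = dict(values)
    for key in ("left", "leftid", "right"):
        out[key] = str(ipaddress.ip_address(values[key]))      # bare host address
    for key in ("leftsubnet", "rightsubnet"):
        # strict=True rejects e.g. 10.0.0.1/16 (host bits set in a subnet)
        out[key] = str(ipaddress.ip_network(values[key], strict=True))
    for key in ("inside_cgw", "inside_vgw"):
        # AWS hands out the inside addresses as a host inside a 169.254.x.x/30
        iface = ipaddress.ip_interface(values[key])
        if not iface.ip.is_link_local:
            raise ValueError(f"{key}: expected a 169.254.0.0/16 address, got {values[key]}")
        out[key] = str(iface)
    psk = values["psk"]
    if not psk or any(c in psk for c in '"\n'):
        raise ValueError("psk must be non-empty with no double quote or newline")
    return out


def rejects(values: Dict[str, str]) -> bool:
    """True if validate() refuses these values (used for quick checks)."""
    try:
        validate(values)
    except ValueError:
        return True
    return False


def render_ipsec_conf(values: Dict[str, str], auto: str = "add") -> str:
    """Render the three conn stanzas from the post. auto='add' means you bring
    the tunnels up with 'ipsec up'; auto='start' brings them up on restart."""
    if auto not in ("add", "start"):
        raise ValueError("auto must be 'add' or 'start'")
    v = validate(values)
    common = (
        "conn vpc\n"
        "    mobike=no\n    type=tunnel\n    compress=no\n    keyexchange=ikev1\n"
        f"    ike={IKE_PROPOSAL}\n    ikelifetime=28800s\n"
        f"    esp={ESP_PROPOSAL}\n    lifetime=3600s\n    rekeymargin=3m\n"
        "    keyingtries=3\n    installpolicy=yes\n    dpdaction=restart\n    authby=psk\n"
        f"    left={v['left']}\n    leftid={v['leftid']}\n"
    )
    def child(name: str, leftsubnet: str, rightsubnet: str) -> str:
        return (
            f"\nconn {name}\n    also=vpc\n    auto={auto}\n    right={v['right']}\n"
            f"    leftsubnet={leftsubnet}\n    rightsubnet={rightsubnet}\n"
        )
    # vpc1 carries real traffic; vpc1a carries the inside /30 so AWS reports UP
    return common + child("vpc1", v["leftsubnet"], v["rightsubnet"]) \
                  + child("vpc1a", v["inside_cgw"], v["inside_vgw"])


def render_ipsec_secrets(values: Dict[str, str]) -> str:
    """One PSK line keyed on the VGW outside address, with straight quotes."""
    v = validate(values)
    return f'{v["right"]} : PSK "{v["psk"]}"\n'


if __name__ == "__main__":
    print(render_ipsec_conf(SAMPLE_VALUES))
    print(render_ipsec_secrets(SAMPLE_VALUES))
```

Running the script prints both files for the sample values; redirect the output into /etc/ipsec.conf and /etc/ipsec.secrets once you have substituted your own values (remember that ipsec.secrets must not be world-readable). The validation deliberately refuses a subnet with host bits set and a PSK containing a double quote, both of which strongSwan would otherwise report only as a confusing parse or authentication error.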
Then, in your AWS VPC configuration, edit the route table and add a static route for your internal subnet pointing at the Virtual Private Gateway.
Check your security groups on your instances to make sure they allow connectivity from your internal subnet IPs. It can be useful to allow ICMP so you can test using ping.
Restart Strongswan:
service strongswan restart
Then try to bring up the VPN interface:
ipsec up vpc1
If all goes well you should see a successful connection result in a second or two. If not, something is wrong :-(
Try to connect to one of the servers in your VPC. If you can't, check the security groups on them, or any firewall rules on your own machine.
Then bring up the vpc1a connection. This should result in the VPN showing as UP on the AWS VPC VPN Connection configuration page.
Once you're happy, change "auto=add" to "auto=start" in /etc/ipsec.conf and restart Strongswan; the VPN will then come up automatically.