Connecting Amazon VPCs in different regions using OpenSwan VPN

I’ve recently been working with Chef automation, and have needed to create two VPCs in different regions (for risk purposes). AWS doesn’t support VPC peering across regions yet, so we’ve had to find a workaround.

The simplest solution has been to create two Linux instances (Ubuntu 14.04), one in each region, and configure a VPN tunnel between them. Here are the steps we took, and some configuration gotchas to help anyone who runs into this issue along the way.

Create VPCs with non-overlapping subnets

I’ve created two, one with the range and the other with
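A pre-flight check for the non-overlapping requirement, added here as an example and not part of the original post. It is plain POSIX sh with no external tools; the CIDR blocks in the usage line are constructed placeholders, not the ranges used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): verify that two VPC CIDR
# blocks are disjoint before building the tunnel. Uses only shell arithmetic.

# ip_to_int A.B.C.D: convert a dotted quad to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1          # split the address into its four octets
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlap A/P B/Q: return 0 (true) if the two blocks share any address.
# Two blocks overlap exactly when their network addresses agree under the
# shorter of the two prefix lengths.
cidr_overlap() {
    p1=${1#*/}; p2=${2#*/}
    shorter=$(( p1 < p2 ? p1 : p2 ))
    mask=$(( (4294967295 << (32 - shorter)) & 4294967295 ))
    n1=$(( $(ip_to_int "${1%/*}") & mask ))
    n2=$(( $(ip_to_int "${2%/*}") & mask ))
    [ "$n1" -eq "$n2" ]
}

# Usage: sh check_cidrs.sh 10.0.0.0/16 172.32.0.0/16   (constructed ranges)
if [ "$#" -eq 2 ]; then
    if cidr_overlap "$1" "$2"; then
        echo "ERROR: $1 and $2 overlap; choose disjoint ranges" >&2
        exit 1
    fi
    echo "OK: $1 and $2 do not overlap"
fi
```

Run it with the two CIDR blocks you intend to give the VPCs; a non-zero exit means the route tables later in this post could never distinguish the two networks.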


Create Linux instances in each VPC to serve as our VPN tunnel.

I’ve called mine OpenSwanA and OpenSwanB for the purpose of this tutorial.

Give them BOTH an elastic public IP.

OpenSwanA (

OpenSwanB (


Set up AWS instances (disable source/destination check)

Very important! Go to each OpenSwan instance, choose Actions -> Change Source/Dest. Check and set it to DISABLE on both instances. EC2 otherwise drops packets whose source or destination address is not the instance itself, so the two instances would only be able to see each other and nothing behind them.


Configure route tables to send traffic for “VPC2” to the Linux VPN instance

VPC1 -> local -> Internet Gateway (igw_xxxx) -> remote (select your OpenSwanB AWS Linux, start typing its Id)


VPC2 -> local -> Internet Gateway (igw_xxxx) -> remote (select your OpenSwanA AWS Linux, start typing its Id)


Now, any traffic destined for 172.32.x from any instance in VPC1 will go out to the Linux instance, and vice versa. All that remains is to configure the VPN tunnel on the Linux boxes, and they will forward the traffic for us.


Configuring the OpenSwan VPN tunnel.

Start off with a base Linux instance (Ubuntu 14.04 is the latest supported version at the time of writing).

Run the following command to install OpenSwan:

apt-get install openswan


Edit /etc/ipsec.conf (sudo nano /etc/ipsec.conf) and add the following line:

include /etc/ipsec.d/*.conf

Replace the following line





This will cause logging to end up in /tmp/pluto.log, which is exceptionally handy for debugging issues.



Edit /etc/ipsec.secrets

Comment out any previous includes (/var/lib/openswan/


Add the following line:

include /etc/ipsec.d/*.secrets

The above redirects all IPsec settings to the /etc/ipsec.d folder, in which we will put our customisations below.

A private key already exists in /etc/ipsec.d/private/ip-x-x-x-xKey.pem, but we won’t use it here because we authenticate with authby=secret (a pre-shared key) rather than RSA keys.


Create /etc/ipsec.d/vpc1-to-vpc2.conf

conn vpc1-to-vpc2

Create /etc/ipsec.d/vpc1-to-vpc2.secrets PSK "myprivatetopsecretcode"

(Same baseline configuration as above, up to the VPC1 line)

Create /etc/ipsec.d/vpc2-to-vpc1.conf

conn vpc2-to-vpc1

Create /etc/ipsec.d/vpc2-to-vpc1.secrets PSK "myprivatetopsecretcode"


Configure routing

The following settings turn the Linux instance into a router: it accepts packets that are not addressed to it and forwards them through the OpenSwan VPN.

Edit /etc/sysctl.conf and add the following settings:

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Load the settings from the file now (they persist across reboots because they live in /etc/sysctl.conf):

sysctl -p /etc/sysctl.conf

You can check that a value has persisted after a reboot with this command:

cat /proc/sys/net/ipv4/ip_forward
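An idempotent way to manage these three settings, added here as an example and not part of the original post. It takes the config file path as a parameter so it can be exercised against a scratch file before touching /etc/sysctl.conf; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): write a sysctl key into a
# config file without leaving duplicate or conflicting lines, then read the
# live kernel value back from /proc/sys to confirm it took effect.

# ensure_sysctl FILE KEY VALUE: replace an existing line for KEY, else append.
ensure_sysctl() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        # Rewrite the existing line in place; the dots in the key match
        # themselves (as "any character"), which is harmless for these keys.
        tmp=$(mktemp)
        sed "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file" > "$tmp"
        cat "$tmp" > "$file"   # keep the original file's owner and mode
        rm -f "$tmp"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# sysctl_in_file FILE KEY: print the configured value for KEY (empty if absent).
sysctl_in_file() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# runtime_sysctl KEY: read the live kernel value, e.g. net.ipv4.ip_forward.
runtime_sysctl() {
    cat "/proc/sys/$(echo "$1" | tr . /)"
}

# apply_forwarding_settings FILE: the three settings from this post.
apply_forwarding_settings() {
    ensure_sysctl "$1" net.ipv4.ip_forward 1
    ensure_sysctl "$1" net.ipv4.conf.all.accept_redirects 0
    ensure_sysctl "$1" net.ipv4.conf.all.send_redirects 0
}

# Usage on the VPN instance (as root):
#   apply_forwarding_settings /etc/sysctl.conf && sysctl -p /etc/sysctl.conf
#   runtime_sysctl net.ipv4.ip_forward     # expect 1 after sysctl -p or reboot
```

Running apply_forwarding_settings twice leaves the file unchanged after the first run, which is what you want when the step is baked into a Chef recipe.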


Set up firewall rules and NAT on both Linux VPN instances

This must be configured on both Linux VPN instances so that each forwards to the other. Replace [VPNHostIP] with the address of the corresponding side of the VPN.

# NAT everything leaving eth0 except ESP, so forwarded packets carry the VPN host's address
iptables -t nat -A POSTROUTING -o eth0 ! -p esp -j SNAT --to-source [VPNHostIP]

# Allow IKE (UDP 500), NAT traversal (UDP 4500) and ESP in
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
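A script form of the rules above, added here as an example and not part of the original post. It generates the rules from two parameters, only adds a rule when iptables -C says it is not already present, and additionally limits the IKE/NAT-T/ESP rules to the peer's public address rather than accepting them from anywhere. The function names and the addresses in the usage line are my own placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): generate and apply the NAT and
# INPUT rules idempotently. VPN_HOST_IP is this side's address (the value the
# post calls [VPNHostIP]); PEER_IP is the other side's elastic IP.

# vpn_rules VPN_HOST_IP PEER_IP [IFACE]: one rule per line, first word is the
# table, the rest is the rule body (without -A/-C so it can be checked first).
vpn_rules() {
    host=$1; peer=$2; iface=${3:-eth0}
    # NAT everything leaving the public interface except ESP, as in the post.
    echo "nat POSTROUTING -o $iface ! -p esp -j SNAT --to-source $host"
    # IKE, NAT traversal and ESP, accepted only from the peer.
    echo "filter INPUT -s $peer -p udp --dport 500 -j ACCEPT"
    echo "filter INPUT -s $peer -p udp --dport 4500 -j ACCEPT"
    echo "filter INPUT -s $peer -p esp -j ACCEPT"
}

# apply_rules VPN_HOST_IP PEER_IP [IFACE]: add each rule unless it already
# exists, so re-running never duplicates entries in the chains.
apply_rules() {
    vpn_rules "$@" | while read -r table rest; do
        # $rest is deliberately unquoted: it must split into separate args.
        if ! iptables -t "$table" -C $rest 2>/dev/null; then
            iptables -t "$table" -A $rest
        fi
    done
}

# render_rules VPN_HOST_IP PEER_IP [IFACE]: print the full commands for
# review without applying anything.
render_rules() {
    vpn_rules "$@" | while read -r table rest; do
        echo "iptables -t $table -A $rest"
    done
}

# rule_count VPN_HOST_IP PEER_IP [IFACE]: how many rules would be installed.
rule_count() { vpn_rules "$@" | wc -l | tr -d ' '; }

# Usage (constructed addresses): render_rules 198.51.100.10 203.0.113.20
#   then, as root on the instance: apply_rules 198.51.100.10 203.0.113.20
```

Review the output of render_rules first; apply_rules needs root and a host with iptables, so the verification below only exercises the rule generation.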


Restart IPsec

sudo service ipsec restart

Checking VPN Status

The following commands can be helpful in checking or troubleshooting your VPN status:

sudo ipsec verify

(checks the status of the services required for OpenSwan to run properly)

sudo service ipsec status

(checks the status of the OpenSwan service and the VPN tunnels)
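A small scripted health check to go with those commands, added here as an example and not part of the original post. It reads the per-connection lines that ipsec auto --status prints and reports whether both IKE (phase 1) and the IPsec SA (phase 2) are up for a named connection, and warns if IP forwarding is off. The "ISAKMP SA established" and "IPsec SA established" markers are assumed from Openswan's usual status output, and the embedded status text is a constructed sample so the logic can be exercised without a running tunnel.

```shell
#!/bin/sh
# Added example (not from the original post): interpret "ipsec auto --status"
# for one connection and check the kernel forwarding flag.

# Constructed sample of a healthy tunnel (addresses and ranges are made up).
SAMPLE_STATUS_UP='000 "vpc1-to-vpc2": 10.0.0.0/16===198.51.100.10<198.51.100.10>...203.0.113.20<203.0.113.20>===172.32.0.0/16; erouted; eroute owner: #2
000 #2: "vpc1-to-vpc2":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2663s; newest IPSEC; eroute owner; isakmp#1; idle
000 #1: "vpc1-to-vpc2":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2313s; newest ISAKMP; idle'

# Constructed sample where IKE completed but no IPsec SA was negotiated
# (typically a subnet or PSK mismatch between the two conn definitions).
SAMPLE_STATUS_PHASE1_ONLY='000 "vpc1-to-vpc2": 10.0.0.0/16===198.51.100.10<198.51.100.10>...203.0.113.20<203.0.113.20>===172.32.0.0/16; unrouted; eroute owner: #0
000 #1: "vpc1-to-vpc2":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2313s; newest ISAKMP; idle'

# tunnel_state CONN STATUS_TEXT: prints "up", "phase1-only" or "down".
tunnel_state() {
    conn=$1; status=$2
    have_ike=$(printf '%s\n' "$status" | grep -c "\"$conn\":.*ISAKMP SA established" || :)
    have_esp=$(printf '%s\n' "$status" | grep -c "\"$conn\":.*IPsec SA established" || :)
    if [ "$have_esp" -gt 0 ] && [ "$have_ike" -gt 0 ]; then
        echo up
    elif [ "$have_ike" -gt 0 ]; then
        echo phase1-only
    else
        echo down
    fi
}

# check_tunnel CONN: run the real status command and interpret it.
check_tunnel() {
    tunnel_state "$1" "$(ipsec auto --status 2>/dev/null)"
}

# forwarding_enabled: succeeds when the kernel will route between the VPCs.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Usage on the VPN instance: sudo sh check_vpn.sh vpc1-to-vpc2
if [ "$#" -eq 1 ]; then
    state=$(check_tunnel "$1")
    echo "tunnel $1: $state"
    forwarding_enabled || echo "warning: net.ipv4.ip_forward is not 1" >&2
    [ "$state" = up ]
fi
```

A "phase1-only" result means the pre-shared key and endpoints are fine but the two conn definitions disagree on something (usually the left/right subnets); "down" with nothing in /tmp/pluto.log usually points at the security group or the iptables INPUT rules rather than OpenSwan itself.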