Connecting Amazon VPCs in different regions using OpenSwan VPN

I’ve recently been working with Chef automation, and have needed to create two VPCs in different regions (for risk purposes). AWS doesn’t support VPC peering across regions yet, so we’ve had to find a workaround.

The simplest solution has been to create two Linux instances (Ubuntu 14.04), one in each region, and configure a VPN tunnel between them. Here are the steps we took, and some configuration gotchas to help anyone who runs into this issue along the way.

Create VPCs with non-overlapping subnets

I’ve created two, one with the 172.31.0.0/16 range and the other with 172.32.0.0/16.


Create a Linux instance in each VPC to serve as the VPN tunnel endpoint.

I’ve called mine OpenSwanA and OpenSwanB for the purpose of this tutorial.

Give them BOTH an elastic public IP.

OpenSwanA (152.211.162.245)

OpenSwanB (135.156.170.225)


Setup AWS instances (disable source destination check)

Very important! For each OpenSwan instance go to Actions -> Change Source/Dest. Check and set it to DISABLE. By default EC2 drops packets whose source or destination is not the instance itself, so with the check left enabled the two instances can reach each other but cannot forward traffic for anything else.


Configure route tables to send traffic for the other VPC to the Linux VPN instance

VPC1

172.31.0.0/16 -> local

0.0.0.0/0 -> Internet Gateway (igw_xxxx)

172.32.0.0/16 -> remote (select your OpenSwanB AWS Linux, start typing its Id)


VPC2

172.32.0.0/16 -> local

0.0.0.0/0 -> Internet Gateway (igw_xxxx)

172.31.0.0/16 -> remote (select your OpenSwanA AWS Linux, start typing its Id)


Now any traffic from an instance in VPC1 destined for 172.32.x.x will be sent to the Linux instance, and vice-versa. All that remains is to configure the VPN tunnel on the Linux boxes so they forward that traffic for us.


Configuring the OpenSwan VPN tunnel

Start off with a base Linux instance (Ubuntu 14.04 is the newest version OpenSwan supports at the time of writing).

Run the following command to install OpenSwan:

sudo apt-get install openswan


Edit /etc/ipsec.conf (sudo nano /etc/ipsec.conf) and add the following line:

include /etc/ipsec.d/*.conf

Replace the following line

#plutostderrlog=/dev/null

with

plutostderrlog=/tmp/pluto.log


This will cause logging to end up in /tmp/pluto.log, which is exceptionally handy for debugging issues.


Edit /etc/ipsec.secrets

Comment out any existing include line (such as include /var/lib/openswan/ipsec.secrets.inc)

and add the following line:

include /etc/ipsec.d/*.secrets

The two includes above make OpenSwan read its connection settings and secrets from the /etc/ipsec.d folder, which is where we will put the customisations below.

A host RSA key exists at /etc/ipsec.d/private/ip-x-x-x-xKey.pem, but it is not used here: the tunnel authenticates with a pre-shared key (authby=secret) rather than an RSA key (authby=rsasig).

VPC 1

Create /etc/ipsec.d/vpc1-to-vpc2.conf

conn vpc1-to-vpc2
    type=tunnel
    authby=secret
    # left = this instance's private address; leftid = its elastic IP, which is what the peer sees
    left=172.31.39.196
    leftid=152.211.162.245
    leftnexthop=172.31.39.196
    leftsubnet=172.31.0.0/16
    # right = the peer's elastic IP and the subnet behind it
    right=135.156.170.225
    rightsubnet=172.32.0.0/16
    pfs=yes
    auto=start

Create /etc/ipsec.d/vpc1-to-vpc2.secrets

152.211.162.245 135.156.170.225: PSK "myprivatetopsecretcode"

VPC 2

(Same baseline configuration as above, up to the VPC 1 heading)

Create /etc/ipsec.d/vpc2-to-vpc1.conf

conn vpc2-to-vpc1
    type=tunnel
    authby=secret
    # left = this instance's private address; leftid = its elastic IP, which is what the peer sees
    left=172.32.43.98
    leftid=135.156.170.225
    leftnexthop=172.32.43.98
    leftsubnet=172.32.0.0/16
    # right = the peer's elastic IP and the subnet behind it
    right=152.211.162.245
    rightsubnet=172.31.0.0/16
    pfs=yes
    auto=start

Create /etc/ipsec.d/vpc2-to-vpc1.secrets

135.156.170.225 152.211.162.245: PSK "myprivatetopsecretcode"
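The two conn files and two secrets files above are mirror images of each other, and the first step of the tutorial requires the VPC ranges not to overlap. As an added example (not part of the original tutorial), this Python script renders both sides from one description, checks the CIDRs do not overlap and that each private IP lies inside its own VPC, and shares one PSK between the two secrets lines; the function and dict key names are my own, the addresses are the tutorial's.

```python
# Added example (not from the tutorial): render the mirrored OpenSwan conn and
# secrets files for both VPC endpoints from one description. Function and dict
# key names are my own; the addresses and CIDRs used are the tutorial's.
import ipaddress
import secrets

def check_no_overlap(cidr_a, cidr_b):
    """True when the two VPC ranges do not overlap (the first step above)."""
    return not ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))

def conn_stanza(name, local, remote):
    """One 'conn' section; OpenSwan needs the parameters indented under it."""
    params = [
        "type=tunnel", "authby=secret",
        f"left={local['private_ip']}",        # the instance's private address
        f"leftid={local['public_ip']}",       # its elastic IP, what the peer sees
        f"leftnexthop={local['private_ip']}",
        f"leftsubnet={local['cidr']}",
        f"right={remote['public_ip']}",
        f"rightsubnet={remote['cidr']}",
        "pfs=yes", "auto=start",
    ]
    return f"conn {name}\n" + "".join(f"    {p}\n" for p in params)

def secrets_line(local, remote, psk):
    """PSK line keyed by both public IPs; keep the file root-only (mode 0600)."""
    return f"{local['public_ip']} {remote['public_ip']}: PSK \"{psk}\"\n"

def build_both_sides(a, b, psk=None):
    """Return {conn_name: {"conf": ..., "secrets": ...}} for each side after
    checking the ranges do not overlap and each private IP lies in its VPC."""
    if not check_no_overlap(a["cidr"], b["cidr"]):
        raise ValueError("VPC CIDR ranges overlap")
    for ep in (a, b):
        if ipaddress.ip_address(ep["private_ip"]) not in ipaddress.ip_network(ep["cidr"]):
            raise ValueError(f"{ep['private_ip']} is not inside {ep['cidr']}")
    psk = psk or secrets.token_hex(32)  # one random PSK shared by both sides
    out = {}
    for local, remote in ((a, b), (b, a)):
        name = f"{local['name']}-to-{remote['name']}"
        out[name] = {"conf": conn_stanza(name, local, remote),
                     "secrets": secrets_line(local, remote, psk)}
    return out

VPC1 = {"name": "vpc1", "cidr": "172.31.0.0/16",
        "private_ip": "172.31.39.196", "public_ip": "152.211.162.245"}
VPC2 = {"name": "vpc2", "cidr": "172.32.0.0/16",
        "private_ip": "172.32.43.98", "public_ip": "135.156.170.225"}
```

Calling build_both_sides(VPC1, VPC2) returns the text for /etc/ipsec.d/vpc1-to-vpc2.conf and .secrets and for vpc2-to-vpc1.conf and .secrets; each pair is written on its own instance.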


Configure routing

The following settings turn the Linux instance into a router, so that packets arriving from its VPC are forwarded into the OpenSwan tunnel (and packets arriving from the tunnel are forwarded into the VPC).
Edit /etc/sysctl.conf and add the following settings:

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Apply the settings now (they persist across reboots because they live in /etc/sysctl.conf):

sudo sysctl -p /etc/sysctl.conf

You can check that a value has survived a reboot with this command:

cat /proc/sys/net/ipv4/ip_forward


Set up firewall rules and NAT on both Linux VPN instances

This must be configured on both VPN instances so each forwards to the other. Replace [VPNHostIP] with the private address of the VPN instance on that side (the left= value in its conn section).

sudo iptables -t nat -A POSTROUTING -o eth0 ! -p esp -j SNAT --to-source [VPNHostIP]

sudo iptables -A INPUT -p udp --dport 500 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 4500 -j ACCEPT
sudo iptables -A INPUT -p esp -j ACCEPT


Restart IPsec

sudo service ipsec restart

Checking VPN status

The following commands are helpful for checking or troubleshooting your VPN status:

sudo ipsec verify

(checks the status of the services and kernel settings OpenSwan needs to run properly)

sudo service ipsec status

(checks the status of the OpenSwan service and the VPN tunnels)