AWS cross-region VPN connection

Introduction

This document walks through connecting two VPCs in different AWS regions using Openswan. AWS supports VPC peering within the same account and with other accounts, but only inside a single region; at the time of writing it offers no built-in way to peer VPCs across regions. The workaround is an IPsec VPN tunnel between an instance in each region, after which hosts in the two VPCs can reach each other by private IP.

Terms used in this document

AWS – Amazon Web Services, a cloud provider
VPC – Virtual Private Cloud, an isolated network inside AWS
IPsec – Internet Protocol Security

What is IPsec?

Internet Protocol Security (IPsec), a protocol suite for secure Internet Protocol (IP) communications, works by authenticating and encrypting each IP packet of a communication session.

IPsec tunnel mode is most commonly used between gateways (for example Cisco routers or ASA firewalls), or between an end station and a gateway, where the gateway acts as a proxy for the hosts behind it. Tunnel mode encrypts the whole original IP packet between the two IPsec gateways, which is exactly the situation here: the Openswan instance in each VPC is the gateway for the hosts in its VPC.


The packet diagram below illustrates IPsec tunnel mode with an ESP header: a new outer IP header (addressed gateway to gateway) and an ESP header are prepended, the original IP header and payload are encrypted, and an ESP trailer and integrity check value are appended.

CROSS REGION VPC CONNECTIVITY ILLUSTRATION

The scenario

Consider two AWS regions with VPCs whose CIDR blocks do not overlap (a requirement, since each side routes the other's whole block into the tunnel):

  • AWS REGION 1 (vpc cidr 192.168.0.0/16)
  • AWS REGION 2 (vpc cidr 172.18.0.0/16)

The goal is to connect the two VPCs so that instances in each can reach the other by private IP.


Here we use Openswan as the VPN gateway, running on one EC2 instance in each VPC.

Steps

Configuration at VPC 1 in Region 1

Step 1: Create a VPC (192.168.0.0/16 in this tutorial)


Step 2: Create a security group for the Openswan instance in region 1 with these inbound rules

Type           Protocol/Port    Source
SSH            TCP 22           0.0.0.0/0 (better: your admin CIDR only)
IKE            UDP 500          0.0.0.0/0 (better: <EIP2>/32, the remote gateway)
IKE NAT-T      UDP 4500         0.0.0.0/0 (better: <EIP2>/32)
All ICMP       ICMP             0.0.0.0/0
All traffic    All              172.18.0.0/16 (remote VPC CIDR in the other region)
All ICMP       ICMP             172.18.0.0/16 (remote VPC CIDR in the other region)
ESP            Protocol 50      0.0.0.0/0
AH             Protocol 51      0.0.0.0/0

An EC2 instance sits behind 1:1 NAT (the EIP is not configured on its interface), so IKE detects the NAT and the tunnel carries ESP inside UDP 4500; the ESP and AH rules are therefore rarely exercised, and AH is not used by this configuration at all and can be omitted. Restrict SSH and the two IKE ports to the addresses that actually need them rather than leaving them open to 0.0.0.0/0.

 

Step 3: Modify the network ACL associated with this VPC (inbound and outbound; the default network ACL already allows all traffic, so this matters only if you use a custom ACL)

ALL TRAFFIC   0.0.0.0/0       ALLOW (optional)
ALL TRAFFIC   172.18.0.0/16   ALLOW (remote VPC CIDR block)
ALL ICMP      172.18.0.0/16   ALLOW (remote VPC CIDR block)

 

Step 4: Launch an instance in that VPC, in a subnet that has a route to the Internet gateway; this instance will be the Openswan gateway

Step 5: Allocate a new Elastic IP (referred to as EIP1 below) and associate it with the instance launched in the previous step

Step 6: Disable the source/destination check on the instance: right-click the instance, select Networking, then Change Source/Dest. Check

Step 7: Click Yes, Disable. Without this, the instance drops packets that are not addressed to its own IP and cannot forward traffic between the tunnel and the VPC.


Step 8: Configure the route table of VPC1

Destination                        Target
192.168.0.0/16                     local
172.18.0.0/16 (remote VPC CIDR)    Openswan instance in the local VPC (instance / network interface)
0.0.0.0/0                          Internet gateway

Step 9: SSH into the instance to configure it

Step 10: Update the installed packages

$ sudo yum update

Step 11: Install the Openswan package

$ sudo yum install openswan -y

Step 12: Edit the config file /etc/ipsec.conf

$ sudo vim /etc/ipsec.conf

Uncomment the line include /etc/ipsec.d/*.conf at the bottom of the file so that every .conf file in that directory is loaded

Step 13: Custom configuration files go in the /etc/ipsec.d directory

Step 14: Create a connection file for the tunnel between the two VPCs in /etc/ipsec.d

$ sudo vim /etc/ipsec.d/vpc1-to-vpc2.conf

File contents:

conn vpc1-to-vpc2
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=<EIP1>
    leftnexthop=%defaultroute
    leftsubnet=<vpc 1 CIDR>
    right=<EIP2>
    rightsubnet=<vpc 2 CIDR>
    pfs=yes
    auto=start

Here left is the local instance, picked up as its private IP from the default route, and leftid is EIP1, the public address the remote peer sees behind the NAT; right is EIP2, the remote instance's EIP, and the two subnet lines are the VPC CIDRs (192.168.0.0/16 and 172.18.0.0/16). The keyword conn is lowercase, the parameter names are case-sensitive, and the parameter lines are indented.

Save and exit the file

Step 15: Create a file holding the pre-shared key in the /etc/ipsec.d directory

$ sudo vim /etc/ipsec.d/vpc1-to-vpc2.secrets

<EIP1> <EIP2> : PSK "preshared key"

Generate the key locally on the instance from a proper random source (for example with the openssl rand command), not with an online key generator, and make it long (32 random bytes or more); the same key goes into the secrets file on the other side. The file holds a credential, so make it readable by root only (mode 0600).

Save and exit the file

Configuration at region 2 (VPC2, 172.18.0.0/16)

Step 1: Create a VPC in the second region (172.18.0.0/16 in our case)

Step 2: Create a security group for the Openswan instance in VPC2 with these inbound rules (the same tightening as in region 1 applies, with <EIP1>/32 as the source for the IKE ports)

Type           Protocol/Port    Source
SSH            TCP 22           0.0.0.0/0 (or a specific admin CIDR)
IKE            UDP 500          0.0.0.0/0 (better: <EIP1>/32)
IKE NAT-T      UDP 4500         0.0.0.0/0 (better: <EIP1>/32)
All ICMP       ICMP             0.0.0.0/0 (optional)
All traffic    All              192.168.0.0/16 (remote VPC CIDR in the first region)
All ICMP       ICMP             192.168.0.0/16 (remote VPC CIDR in the first region)
ESP            Protocol 50      0.0.0.0/0
AH             Protocol 51      0.0.0.0/0 (not used by this configuration; can be omitted)

 

Step 3: Modify the network ACL associated with VPC2 (inbound and outbound; only needed with a custom ACL)

ALL TRAFFIC   0.0.0.0/0        ALLOW (optional)
ALL TRAFFIC   192.168.0.0/16   ALLOW (remote VPC CIDR block)
ALL ICMP      192.168.0.0/16   ALLOW (remote VPC CIDR block)

 

Step 4: Configure the route table of VPC2 in the second region

Destination                                    Target
172.18.0.0/16                                  local
192.168.0.0/16 (remote VPC CIDR, VPC1)         Openswan instance in the local VPC (instance / network interface)
0.0.0.0/0                                      Internet gateway

 

Step 5: Launch an instance in VPC2 in the second region, allocate an Elastic IP (EIP2) and associate it with the instance

Step 6: Disable the source/destination check in the instance's network settings, as in steps 6 and 7 of the region 1 configuration

SSH into the instance to configure it

Repeat steps 10 to 13 of the region 1 configuration (update packages, install Openswan, enable the include line in /etc/ipsec.conf) so that custom configuration files in /etc/ipsec.d are loaded

Step 7: Create the tunnel file /etc/ipsec.d/vpc2-to-vpc1.conf

$ sudo vim /etc/ipsec.d/vpc2-to-vpc1.conf

File contents (the mirror image of the region 1 file):

conn vpc2-to-vpc1
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=<EIP2>
    leftnexthop=%defaultroute
    leftsubnet=<vpc 2 CIDR>
    right=<EIP1>
    rightsubnet=<vpc 1 CIDR>
    pfs=yes
    auto=start

Here leftid is EIP2, the EIP of the local instance in VPC2, and right is EIP1, the EIP of the remote instance in VPC1.

Save and exit the file

Step 8: Create the secrets file /etc/ipsec.d/vpc2-to-vpc1.secrets, with the same pre-shared key as on the region 1 instance and mode 0600

<EIP2> <EIP1> : PSK "preshared key"

Save and exit
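The two sides are mirror images of each other, which invites copy-paste slips: a subnet on the wrong side, a typo in a keyword, or a key that differs by one character. The script below is an added example and not part of the original post; it generates both files for one side from the local and remote EIPs and CIDRs, creates the pre-shared key locally instead of from a web page, and protects the secrets file. The function names and the 203.0.113.x / 198.51.100.x addresses in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the Openswan
# connection file and secrets file for ONE side of the tunnel. Run it on
# each instance with the local and remote values swapped. Function names
# (gen_psk, is_ipv4_or_cidr, gen_conn_conf, gen_secrets, write_side) and
# the addresses in the usage comment are assumptions for illustration.
set -eu

# 256-bit pre-shared key from the kernel CSPRNG, base64-encoded (44 chars).
# Generated on the instance; never fetched from an online "random key" page.
gen_psk() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Accept only a dotted quad, optionally with a /prefix; anything else
# (including shell metacharacters) is rejected before it reaches a file.
is_ipv4_or_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# gen_conn_conf NAME LOCAL_EIP LOCAL_CIDR REMOTE_EIP REMOTE_CIDR
# Prints the conn section on stdout. "conn" is lowercase and the parameter
# lines are indented, which is what Openswan's parser expects.
gen_conn_conf() {
    name=$1 leip=$2 lcidr=$3 reip=$4 rcidr=$5
    printf '%s\n' "$name" | grep -Eq '^[A-Za-z0-9_-]+$' || {
        echo "bad connection name: $name" >&2; return 1; }
    for v in "$leip" "$lcidr" "$reip" "$rcidr"; do
        is_ipv4_or_cidr "$v" || { echo "bad address: $v" >&2; return 1; }
    done
    cat <<EOF
conn $name
    type=tunnel
    authby=secret
    # the instance only knows its private IP (the EIP is 1:1 NAT in front
    # of it), so left comes from the default route and the EIP is the ID
    left=%defaultroute
    leftid=$leip
    leftnexthop=%defaultroute
    leftsubnet=$lcidr
    right=$reip
    rightsubnet=$rcidr
    pfs=yes
    auto=start
EOF
}

# gen_secrets LOCAL_EIP REMOTE_EIP PSK  ->  one ipsec.secrets line
gen_secrets() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# write_side DIR NAME LOCAL_EIP LOCAL_CIDR REMOTE_EIP REMOTE_CIDR PSK
# Writes DIR/NAME.conf and DIR/NAME.secrets. The secrets file is created
# under umask 077 and chmod 600 because the PSK is a credential.
write_side() {
    dir=$1 name=$2 psk=$7
    gen_conn_conf "$name" "$3" "$4" "$5" "$6" > "$dir/$name.conf"
    ( umask 077; gen_secrets "$3" "$5" "$psk" > "$dir/$name.secrets" )
    chmod 600 "$dir/$name.secrets"
}

# Usage on the region 1 instance (constructed EIPs from the documentation
# address ranges; run the mirror image with the arguments swapped in region 2):
#   PSK=$(gen_psk)        # copy this value to the other instance once, out of band
#   sudo sh -c "$(declare -f 2>/dev/null)"  # or simply run as root:
#   write_side /etc/ipsec.d vpc1-to-vpc2 203.0.113.10 192.168.0.0/16 \
#              198.51.100.20 172.18.0.0/16 "$PSK"
```

The input validation matters because the values end up in files that root-owned daemons read; a stray character in an EIP would at best break the parse and at worst silently change which peer the secret is bound to. Keep the key out of shell history and chat logs when you copy it to the second instance.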

Step 9: Start the IPsec service on both instances

$ sudo service ipsec start

Step 10: Enable the service at boot on both instances

$ sudo chkconfig ipsec on

Step 11: Configure both instances to forward IP packets by making the following changes in /etc/sysctl.conf

$ sudo vim /etc/sysctl.conf

net.ipv4.ip_forward = 1

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.all.send_redirects = 0

Add the two redirect lines after the ip_forward line. Forwarding is what lets the gateway pass traffic between the tunnel and the VPC; the redirect settings stop the kernel from sending or honouring ICMP redirects, which ipsec verify otherwise warns about.

Save and exit the file

Step 12: Apply the settings on both instances

$ sudo sysctl -p

(Restarting the network service with sudo service network restart also re-reads /etc/sysctl.conf.)

Verify the installation and check the status of IPsec with the following commands on either instance

$ sudo ipsec verify

$ sudo ipsec status

If everything is configured properly, the status output shows the connection with both an ISAKMP SA (phase 1) and an IPsec SA (phase 2) established. Phase 1 without phase 2 usually means the subnets or the pre-shared key do not match on the two sides.

Testing

Test the connectivity by pinging instances in each VPC from the other using their private IPs. Ping between the two Openswan instances first; then ping from an ordinary instance in one VPC to one in the other, which also exercises the route table entry and the disabled source/destination check on the gateways.
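Beyond a ping, a practitioner wants to separate the three things that can be wrong: the kernel settings from step 11, the IPsec negotiation, and the routing around the tunnel. The following script is an added example, not from the original post; its function names are assumptions, and the ipsec status text embedded in it is constructed in Openswan's output format rather than captured from a real instance.

```shell
#!/bin/sh
# Added example, not code from the original post: health checks for one
# Openswan instance after steps 9 to 12. Function names (check_forwarding,
# sa_established, live_check) and the sample status text are assumptions
# constructed for illustration.
set -eu

# check_forwarding [SYSDIR]
# Verifies the three kernel settings from step 11 by reading /proc/sys,
# i.e. what the kernel is actually using, not what /etc/sysctl.conf says.
# SYSDIR defaults to the live tree; a test can point it at a fake one.
check_forwarding() {
    sysdir=${1:-/proc/sys/net/ipv4}
    rc=0
    for kv in ip_forward=1 conf/all/accept_redirects=0 conf/all/send_redirects=0; do
        key=${kv%=*}
        want=${kv#*=}
        got=$(cat "$sysdir/$key" 2>/dev/null || echo missing)
        if [ "$got" != "$want" ]; then
            echo "FAIL net.ipv4.$(echo "$key" | tr / .)=$got (want $want)" >&2
            rc=1
        fi
    done
    return "$rc"
}

# sa_established CONN
# Reads `ipsec status` output on stdin and succeeds only when CONN shows both
# phase 1 (ISAKMP SA established) and phase 2 (IPsec SA established).
# Phase 1 alone means IKE and the PSK work but the subnets or proposals disagree.
sa_established() {
    conn=$1
    out=$(cat)
    printf '%s\n' "$out" | grep -F "\"$conn\"" | grep -q 'ISAKMP SA established' || return 1
    printf '%s\n' "$out" | grep -F "\"$conn\"" | grep -q 'IPsec SA established' || return 1
}

# Constructed, abridged `ipsec status` output in Openswan's line format, used
# to exercise sa_established; not captured from a real instance.
SAMPLE_STATUS_UP='000 #1: "vpc1-to-vpc2":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2712s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #2: "vpc1-to-vpc2":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2520s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate'
SAMPLE_STATUS_PHASE1_ONLY='000 #1: "vpc1-to-vpc2":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2712s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate'

# live_check CONN REMOTE_PRIVATE_IP
# Runs on the instance: forwarding settings, then the SA, then a ping across
# the tunnel. A tunnel that is up while the ping fails points at the route
# table entry or the source/dest check on one of the gateways, not at IPsec.
live_check() {
    check_forwarding || return 1
    sudo ipsec status | sa_established "$1" || {
        echo "FAIL tunnel $1 not fully established (see: sudo ipsec status)" >&2; return 1; }
    ping -c 3 -W 2 "$2" >/dev/null || {
        echo "FAIL no reply from $2: check the VPC route table and source/dest check" >&2; return 1; }
    echo "OK $1 established and $2 reachable through the tunnel"
}

# Usage on the region 1 instance (the 172.18.x address is a constructed example):
#   live_check vpc1-to-vpc2 172.18.1.10
```

Reading /proc/sys rather than /etc/sysctl.conf is deliberate: the file can say the right thing while the running kernel still has the old values if step 12 was skipped, and that is precisely the failure this check is meant to catch.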

CONCLUSION

We have established an IPsec tunnel between two VPCs in two different regions of the AWS cloud, so that instances in each VPC reach the other by private IP.
