When you launch instances into an Amazon Virtual Private Cloud (VPC), they cannot, by default, communicate with your on-premises network. To enable secure communication between your on-premises network and AWS resources, you need to establish a Site-to-Site VPN connection. This article will guide you through the key concepts involved in setting up a Site-to-Site VPN connection, ensuring secure and reliable connectivity.
Project Overview:
The goal is to create a secure communication channel between the AWS side in the Mumbai region and the customer end in Singapore through a site-to-site VPN. This connection enables seamless data transfer between an on-premises network and the AWS cloud. Below is a step-by-step guide for setting up this VPN connection using AWS services.
What is a VPN Connection?
A VPN connection creates a secure, encrypted communication channel between your on-premises equipment (such as servers or devices) and your AWS VPC. This connection enables your on-premises network and AWS to communicate securely over the internet, protecting sensitive data from exposure to public networks.
Understanding VPN Tunnels
A VPN tunnel is an encrypted link through which data can pass from the customer network to or from AWS. Each VPN connection includes two VPN tunnels that can be used simultaneously for high availability, ensuring that even if one tunnel fails, the other continues to function.
What is a Virtual Private Gateway?
A Virtual Private Gateway (VGW) is the AWS side of a VPN connection that acts as an entry point for traffic coming from an on-premises network via a Site-to-Site VPN. It's a critical component that enables communication between your VPC and your Customer Gateway (CGW), facilitating a secure connection.
Customer Gateway
The Customer Gateway is an AWS resource that provides information about your on-premises network, such as the public IP address, and facilitates the secure connection between the AWS and customer sides.
Step 1: Setting up the Singapore VPC (Customer End)
First, create a VPC in the Singapore region for the customer or on-premises end with CIDR 192.168.0.0/24. Be sure to attach a public subnet to this VPC.
EC2 Instance Configuration
Launch an EC2 instance in the Singapore region using the Amazon Linux 2 AMI, which is available under the free tier. Make sure the instance's security group allows these three protocols: ICMP, SSH and TCP.
Now create another VPC on the AWS side, in the Mumbai region, with CIDR 172.16.100.0/24.
![Image description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/8ks8n4giytcp7g614396.png)
After setting up both VPCs, the next step is to create a virtual private gateway in the Mumbai region (AWS side).
After the virtual private gateway has been created in the Mumbai region, attach it to your VPC in the Mumbai region.
Select the VPC you created in the Mumbai region here and attach it to your virtual private gateway.
After that, create a customer gateway in the Mumbai region and give it the public IP of the EC2 instance you just created in the Singapore region.
Provide the public IP of the on-premises instance in the Singapore region (customer end).
Copy it from here and provide it to your customer gateway on the AWS side in the Mumbai region.
Paste it here.
Now create a Site-to-Site VPN connection in the Mumbai region.
Select the virtual private gateway and the customer gateway you created earlier.
Then set Routing to static.
Static IP prefix: the Singapore region VPC CIDR, which is 192.168.0.0/24.
Also provide your AWS-side CIDR, 172.16.100.0/24, as the remote CIDR, and your customer-end CIDR, 192.168.0.0/24, as the local CIDR block.
After the Site-to-Site VPN connection has been created, wait 2 to 3 minutes for the status to become available, then click Download configuration and open the file in Notepad. This configuration file will be used throughout this lab.
Next, go to the route table in the Mumbai region and edit route propagation; make sure it is enabled.
Enable it by checking the box.
Copy the public IP of the Singapore EC2 instance for SSH.
Now open the terminal you want to SSH from. I am using MobaXterm, and it is friendly to use. Paste the public IP into Remote host, specify the user name ec2-user, check the private key option, provide your private key, and click OK.
You have now SSHed into your EC2 machine in the Singapore region.
At the end of the article I will attach all the commands that will help you establish the Site-to-Site VPN.
First use sudo -i to log in as the root user and get admin rights.
After that use yum install libreswan -y to install the Libreswan (Openswan) VPN package.
Finally, you have installed your VPN; I used the command yum install libreswan -y in my case.
After the installation, use the second command, vim /etc/ipsec.conf, to open the IPsec configuration and make sure the line include /etc/ipsec.d/*.conf is uncommented, then save the file in vim:
Press :wq and then Enter.
Back at the main screen, enter the next command, which edits the system control (sysctl) configuration:
vim /etc/sysctl.conf
Press i to enter insert mode and add these lines to the file:
```
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
```
Then press Escape, type :wq and press Enter.
After that, restart the network service with this command:
service network restart
Also open, in Notepad, the configuration file you downloaded from the Site-to-Site VPN connection in the Mumbai region.
In this configuration file you will see outside IP addresses and inside IP addresses. The outside IP addresses are the public IP addresses of the customer end and the AWS end.
The next step is to make some changes to the tunnel 1 configuration so that the tunnel comes up. Take all the configuration for tunnel 1 and open it separately in Notepad, as shown below.
You have to make four changes in this tunnel configuration file:
First change: provide leftid.
leftid = the customer gateway outside IP address from your configuration file.
Second change: provide right.
right = the virtual private gateway outside IP address from your configuration file.
Third change: provide leftsubnet, which is the Singapore region VPC network at the customer or on-premises end; in this case 192.168.0.0/28.
Fourth change: provide rightsubnet, which is the Mumbai region VPC network on the AWS side.
Make sure your configuration for tunnel 1 looks like this.
Paste it into the terminal, press :wq and then Enter.
The next command needs three things: the customer gateway outside IP address and the virtual private gateway outside IP address that we used earlier, plus one new item, the pre-shared key. All of these are present in the downloaded configuration file; just paste them here.
Copy the pre-shared key.
Now paste these three values into vim /etc/ipsec.d/aws-vpn.secrets.
Now enter these three commands one by one to make the VPN active and running and bring tunnel 1 up:
```
$ chkconfig ipsec on
$ service ipsec start
$ service ipsec status
```
END .....................
Finally, the Site-to-Site VPN connection is established, active and running.
You can also check that your tunnel is active and running. Since there are two tunnels, you can configure the second tunnel as well. The purpose of having both tunnels is availability: the connection between the customer end and the AWS side stays up without downtime even if one tunnel fails.
Here is the list of commands required to establish this Site-to-Site VPN connection.
Commands for installation of Openswan
i. Change to the root user:
```
$ sudo su
```
ii. Install openswan:
```
$ yum install openswan -y
```
iii. In /etc/ipsec.conf, uncomment the following line if it is not already uncommented:
```
include /etc/ipsec.d/*.conf
```
iv. Update /etc/sysctl.conf to contain the following:
```
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
```
v. Restart the network service:
```
$ service network restart
```
Contents for /etc/ipsec.d/aws-vpn.conf
```
conn Tunnel1
    authby=secret
    auto=start
    left=%defaultroute
    # outside (public) IP of the customer gateway, from the downloaded configuration
    leftid=<customer end gateway VPN public IP>
    # outside (public) IP of the AWS virtual private gateway, from the downloaded configuration
    right=<AWS virtual private gateway public IP>
    type=tunnel
    ikelifetime=8h
    keylife=1h
    # IKE (phase 1) and ESP (phase 2) proposals
    phase2alg=aes128-sha1;modp1024
    ike=aes128-sha1;modp1024
    keyingtries=%forever
    keyexchange=ike
    # networks on each side of the tunnel
    leftsubnet=<customer end VPN CIDR>
    rightsubnet=<AWS end VPN CIDR>
    # dead peer detection: restart the tunnel when the peer stops answering
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart_by_peer
```
Contents for /etc/ipsec.d/aws-vpn.secrets
```
<customer gateway public IP> <AWS virtual private gateway public IP>: PSK "<shared secret>"
```
Commands to enable/start the ipsec service
```
$ chkconfig ipsec on
$ service ipsec start
$ service ipsec status
```
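The four hand edits to the tunnel 1 configuration described above, together with the aws-vpn.conf and aws-vpn.secrets templates, can be generated and checked by a small script. The script below is an added example, not code from the original post or from AWS: it takes the customer gateway outside IP, the virtual private gateway outside IP, both CIDRs and the pre-shared key from the downloaded configuration, rejects malformed values or identical local and remote networks, writes the conn section using exactly the parameters from the template above, and creates the secrets file readable by root only. The function names, the output-directory argument and the documentation-range addresses in the usage comment are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. It writes the two Libreswan
# files the walkthrough edits by hand (/etc/ipsec.d/aws-vpn.conf and
# /etc/ipsec.d/aws-vpn.secrets) from values taken out of the configuration
# downloaded from the AWS console, after checking that they look sane.
# Function names and the sample addresses in the usage comment are this
# example's own; the conn parameters are copied from the template in the post.
set -u

# True only for a dotted-quad IPv4 address whose octets are all 0-255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(echo "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# True only for "a.b.c.d/n" with a valid address and 0 <= n <= 32.
valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    valid_ipv4 "${1%/*}" || return 1
    echo "${1#*/}" | grep -Eq '^[0-9]{1,2}$' && [ "${1#*/}" -le 32 ]
}

# Render the conn section for tunnel 1. Arguments: customer gateway outside
# IP, virtual private gateway outside IP, customer-end CIDR, AWS-side CIDR.
render_ipsec_conf() {
    cat <<EOF
conn Tunnel1
    authby=secret
    auto=start
    left=%defaultroute
    leftid=$1
    right=$2
    type=tunnel
    ikelifetime=8h
    keylife=1h
    phase2alg=aes128-sha1;modp1024
    ike=aes128-sha1;modp1024
    keyingtries=%forever
    keyexchange=ike
    leftsubnet=$3
    rightsubnet=$4
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart_by_peer
EOF
}

# Render the secrets line: <cgw ip> <vgw ip>: PSK "<key>"
render_secrets() {
    printf '%s %s: PSK "%s"\n' "$1" "$2" "$3"
}

# Validate the inputs, then write both files into the directory given as $1
# (use /etc/ipsec.d on the instance). Returns non-zero and writes nothing if
# any value is malformed or the two CIDRs are identical, since a network that
# exists on both sides cannot be routed through the tunnel.
write_vpn_files() {
    dir=$1 cgw=$2 vgw=$3 lcidr=$4 rcidr=$5 psk=$6
    valid_ipv4 "$cgw" || { echo "bad customer gateway IP: $cgw" >&2; return 1; }
    valid_ipv4 "$vgw" || { echo "bad virtual private gateway IP: $vgw" >&2; return 1; }
    valid_cidr "$lcidr" || { echo "bad customer-end CIDR: $lcidr" >&2; return 1; }
    valid_cidr "$rcidr" || { echo "bad AWS-side CIDR: $rcidr" >&2; return 1; }
    [ "$lcidr" != "$rcidr" ] || { echo "local and remote CIDR must differ" >&2; return 1; }
    [ -n "$psk" ] || { echo "pre-shared key is empty" >&2; return 1; }
    render_ipsec_conf "$cgw" "$vgw" "$lcidr" "$rcidr" > "$dir/aws-vpn.conf"
    # The secrets file holds the pre-shared key: create it unreadable to
    # anyone but root (umask in a subshell so the caller's umask is untouched).
    (umask 077 && render_secrets "$cgw" "$vgw" "$psk" > "$dir/aws-vpn.secrets")
    chmod 600 "$dir/aws-vpn.secrets"
}

# Usage on the instance, with the values from your downloaded configuration
# (the addresses below are documentation-range placeholders, not real ones):
#   write_vpn_files /etc/ipsec.d 203.0.113.10 198.51.100.20 \
#       192.168.0.0/24 172.16.100.0/24 'your-pre-shared-key'
```

Run it as root on the Singapore instance after the installation steps, then start the ipsec service as shown above. The proposal strings (ike and phase2alg) are the ones from the post's template; if your downloaded configuration lists different IKE or IPsec parameters, those are the values to put in the conn section, because both ends must agree on them before the tunnel can come up.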
END .....................