Create the VPN Connection in the VPC Management console on AWS, using static routing, then download the Generic configuration. The downloaded text file contains the values you'll need. It describes two VPN tunnels; this guide hooks up only one of them on the server. If you have two VPN servers you could set up one tunnel on each.

These are the values of interest in the downloaded text file:

Pre-Shared Key
Outside IP Addresses
       Customer Gateway
       Virtual Private Gateway
Inside IP Addresses
       Customer Gateway
       Virtual Private Gateway

My server has an internal IP address and sits behind a router which has the public IP address. AWS VPC supports NAT-T, so this is no problem: set "left" (below) to your internal IP and "leftid" (also below) to your public IP.

Here is the example /etc/ipsec.conf:

# Shared settings for both tunnels; the two "conn vpc1*" entries pull these
# in with "also=vpc".
conn vpc
       mobike=no
       type=tunnel
       compress=no
       # IKEv1 with the proposals given in the AWS generic configuration
       keyexchange=ikev1
       ike=aes128-sha1-modp1024!
       ikelifetime=28800s
       esp=aes128-sha1-modp1024!
       lifetime=3600s
       rekeymargin=3m
       keyingtries=3
       installpolicy=yes
       # dead peer detection: re-establish the tunnel if AWS stops answering
       dpdaction=restart
       authby=psk
       # left is the address strongSwan binds to; behind NAT, leftid must be
       # the public address AWS knows as the Customer Gateway
       left=<ip address of your server>
       leftid=<public ip address of your server>

# Traffic tunnel: your internal subnet to the VPC subnet
conn vpc1
       also=vpc
       auto=add
       right=<Outside IP Addresses: Virtual Private Gateway>
       leftsubnet=<your subnet>
       rightsubnet=<VPC subnet>

# Tunnel for the inside (tunnel interface) addresses; the AWS console only
# reports the VPN as UP once this one is established
conn vpc1a
       also=vpc
       auto=add
       right=<Outside IP Addresses: Virtual Private Gateway>
       leftsubnet=<Inside IP Addresses: Customer Gateway>
       rightsubnet=<Inside IP Addresses: Virtual Private Gateway>

Here is the example /etc/ipsec.secrets:

<Outside IP Addresses: Virtual Private Gateway> : PSK "<Pre-Shared Key>"
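Copying the values above by hand is where most transcription mistakes happen (a curly quote in ipsec.secrets, an inside address pasted into the wrong conn). The script below is an added example, not from the original post: it pulls the five values the post lists out of the downloaded text, sanity-checks them, and renders the ipsec.conf conn entries and the ipsec.secrets line. The sample download text is constructed to carry the same labels the post names; a real download may lay them out differently, so the regex is an assumption to adjust. The left/leftid/subnet values passed to render() are placeholders you supply.

```python
"""Render strongSwan ipsec.conf / ipsec.secrets entries from the values in the
AWS 'Generic' VPN configuration download (added example, not the post's code)."""
import ipaddress
import re

# Constructed sample shaped like the first tunnel section of the AWS generic
# download. Only the labels matter to the parser; the values are made up.
SAMPLE_DOWNLOAD = """\
IPSec Tunnel #1
#1: Internet Key Exchange Configuration
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : ExamplePsk.NotReal.0123456789
#3: Tunnel Interface Configuration
Outside IP Addresses:
  - Customer Gateway           : 203.0.113.7
  - Virtual Private Gateway    : 198.51.100.21
Inside IP Addresses
  - Customer Gateway           : 169.254.255.2/30
  - Virtual Private Gateway    : 169.254.255.1/30
"""

# Same conn layout as the post's /etc/ipsec.conf, with the values templated.
IPSEC_CONF_TEMPLATE = """\
conn vpc
       mobike=no
       type=tunnel
       compress=no
       keyexchange=ikev1
       ike=aes128-sha1-modp1024!
       ikelifetime=28800s
       esp=aes128-sha1-modp1024!
       lifetime=3600s
       rekeymargin=3m
       keyingtries=3
       installpolicy=yes
       dpdaction=restart
       authby=psk
       left={left}
       leftid={leftid}

conn vpc1
       also=vpc
       auto=add
       right={outside_vgw}
       leftsubnet={leftsubnet}
       rightsubnet={rightsubnet}

conn vpc1a
       also=vpc
       auto=add
       right={outside_vgw}
       leftsubnet={inside_cgw}
       rightsubnet={inside_vgw}
"""


def parse_tunnel(text):
    """Return psk, outside_cgw, outside_vgw, inside_cgw, inside_vgw for the
    first tunnel in the download (the file carries two; we hook up one)."""
    values, section = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Outside IP Addresses"):
            section = "outside"
            continue
        if stripped.startswith("Inside IP Addresses"):
            section = "inside"
            continue
        # "- Label : value" lines; assumed layout, adjust if your file differs
        m = re.match(r"-\s*(.+?)\s*:\s*(\S+)\s*$", stripped)
        if not m:
            continue
        label, value = m.group(1), m.group(2)
        if label == "Pre-Shared Key":
            values["psk"] = value
        elif label == "Customer Gateway" and section:
            values[f"{section}_cgw"] = value
        elif label == "Virtual Private Gateway" and section:
            values[f"{section}_vgw"] = value
        if len(values) == 5:
            break  # stop before the second tunnel's section
    return values


def validate(values):
    """Checks worth making before writing anything to /etc."""
    ipaddress.ip_address(values["outside_cgw"])  # raises ValueError if malformed
    ipaddress.ip_address(values["outside_vgw"])
    for key in ("inside_cgw", "inside_vgw"):
        if not ipaddress.ip_interface(values[key]).network.is_link_local:
            raise ValueError(f"{key} {values[key]} is not a 169.254.x.x tunnel address")
    if '"' in values["psk"]:
        raise ValueError("PSK contains a double quote; ipsec.secrets quoting would break")
    return True


def render(values, left, leftid, leftsubnet, rightsubnet):
    """Return (ipsec.conf text, ipsec.secrets line) with straight quotes."""
    conf = IPSEC_CONF_TEMPLATE.format(left=left, leftid=leftid, leftsubnet=leftsubnet,
                                      rightsubnet=rightsubnet, **values)
    secrets = f'{values["outside_vgw"]} : PSK "{values["psk"]}"\n'
    return conf, secrets


if __name__ == "__main__":
    v = parse_tunnel(SAMPLE_DOWNLOAD)
    validate(v)
    # placeholder left/leftid/subnets; replace with your own
    conf, secrets = render(v, "10.0.0.5", "203.0.113.7", "10.0.0.0/24", "172.31.0.0/16")
    print(conf)
    print(secrets)
```

Run it against the real download (read the file instead of SAMPLE_DOWNLOAD) and compare the output with what you typed; the validate() step catches the two mistakes that otherwise only show up as a silent IKE failure.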

Then in your AWS VPC configuration edit the route table and add a static route for your internal subnet pointing at the Virtual Private Gateway.

Check your security groups on your instances to make sure they allow connectivity from your internal subnet IPs. It can be useful to allow ICMP so you can test using ping.

Restart Strongswan:

service strongswan restart

Then try to bring up the VPN interface:

ipsec up vpc1

If all is going well you should see a successful connection result in a second or two. If not, something is wrong 🙁

Try to connect to one of the servers in your VPC. If you can’t, check the security groups on them, or perhaps any firewall rules on your own machine.

Then bring up the vpc1a connection. This should result in the VPN showing as UP on the AWS VPC VPN Connection configuration page.

Once you're happy, change "auto=add" to "auto=start" in /etc/ipsec.conf and restart strongSwan; the VPN will then come up automatically.
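"A successful connection result" in the steps above means two things in strongSwan's output: an ESTABLISHED IKE SA (phase 1, which proves the PSK and leftid are right) and an INSTALLED CHILD SA (phase 2, which proves the subnets and ESP proposal agreed) with the traffic selectors you expect. The checker below is an added example, not the post's code; it reads an `ipsec statusall` dump and reports which of the three is missing for a given conn, so a failure after `ipsec up` can be narrowed down. The status text is constructed in the shape strongSwan prints, with made-up addresses and SPIs.

```python
"""Check an 'ipsec statusall' dump for a working AWS tunnel
(added example, not the post's code)."""
import re

# Constructed sample of strongSwan status output after "ipsec up vpc1" succeeded
# and before vpc1a was brought up. Addresses and SPIs are made up.
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
        vpc1[1]: ESTABLISHED 2 seconds ago, 10.0.0.5[203.0.113.7]...198.51.100.21[198.51.100.21]
        vpc1[1]: IKEv1 SPIs: 0102030405060708_i* 090a0b0c0d0e0f10_r, pre-shared key reauthentication in 7 hours
        vpc1[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
        vpc1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1a2b3c4_i d5e6f7a8_o
        vpc1{1}:  AES_CBC_128/HMAC_SHA1_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 51 minutes
        vpc1{1}:   10.0.0.0/24 === 172.31.0.0/16
"""


def tunnel_state(status_text, conn):
    """Return (ike_established, child_installed, selectors) for one conn name.
    IKE SA lines look like 'conn[n]: ...', CHILD SA lines like 'conn{n}: ...'."""
    ike_up, child_up, selectors = False, False, []
    for line in status_text.splitlines():
        s = line.strip()
        if s.startswith(f"{conn}[") and "ESTABLISHED" in s:
            ike_up = True
        elif s.startswith(f"{conn}{{"):
            body = s.split(":", 1)[1].strip()
            if body.startswith("INSTALLED"):
                child_up = True
            m = re.match(r"(\S+) === (\S+)$", body)  # traffic selector line
            if m:
                selectors.append((m.group(1), m.group(2)))
    return ike_up, child_up, selectors


def check_tunnel(status_text, conn, leftsubnet, rightsubnet):
    """Return a list of problems; an empty list means the conn is up as expected."""
    ike_up, child_up, selectors = tunnel_state(status_text, conn)
    problems = []
    if not ike_up:
        problems.append(f"{conn}: no ESTABLISHED IKE SA "
                        "(check the PSK, leftid, and that UDP 500/4500 reach the server)")
    if not child_up:
        problems.append(f"{conn}: no INSTALLED CHILD SA "
                        "(phase 1 fine, phase 2 failed: check esp= and the subnets)")
    if (leftsubnet, rightsubnet) not in selectors:
        problems.append(f"{conn}: expected {leftsubnet} === {rightsubnet}, saw {selectors}")
    return problems


if __name__ == "__main__":
    # In practice: status = subprocess.run(["ipsec", "statusall"], capture_output=True,
    # text=True).stdout ; placeholder subnets below match the constructed sample.
    for conn, l, r in (("vpc1", "10.0.0.0/24", "172.31.0.0/16"),
                       ("vpc1a", "169.254.255.2/30", "169.254.255.1/30")):
        problems = check_tunnel(SAMPLE_STATUS, conn, l, r)
        print(f"{conn}: {'OK' if not problems else '; '.join(problems)}")
```

Against the sample, vpc1 passes and vpc1a reports all three problems, which is exactly the state between the `ipsec up vpc1` and `ipsec up vpc1a` steps above; once auto=start is in place the same check makes a reasonable monitoring probe.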

To deploy and set up strongSwan, Ansible is very handy; this role does the job:
https://github.com/torian/ansible-role-strongswan.git

Reference:
https://www.maxmanders.co.uk/2014/05/05/aws-vpn-solutions-with-strongswan.html
http://blog.xk72.com/post/155816502544/aws-vpc-vpn-strongswan-configuration
https://campus.barracuda.com/product/nextgenfirewallx/article/NGX/ConfigAmazonVPNGateway/
