
Tutorial: Extend VPN Connectivity to Amazon AWS VPC Using the AWS VPC VPN Gateway Service

Abstract

Successfully extend your on-premise Access Server VPN connectivity to your AWS VPC using IPsec. VPN users can access AWS resources securely.

Overview

If you're utilizing Amazon Web Services (AWS), you're likely aware that Amazon Virtual Private Cloud (VPC) offers built-in functionality to connect your on-premise network to your VPC instances. However, suppose you already have an Access Server setup on-premise and wish to extend your VPN connectivity to the Amazon cloud. In that case, you can achieve this without purchasing additional hardware or expensive equipment. This tutorial will guide you through connecting your on-premise Access Server to your Amazon VPC using IPsec. Upon completion, your on-premise VPN users will have seamless access to your AWS resources without complex configurations or installations.

Important

Always ensure your configurations comply with your organization's security policies and AWS best practices. Update your systems regularly and monitor the VPN connections for optimal performance and security.

Prerequisites

  • Access Server installed on your local network.

  • An internet-facing IP address for your Access Server instance.

  • Strongswan installed.

  • AWS Management Console access with permissions to configure VPC settings.

  • Non-overlapping subnets between your on-premise and AWS VPC subnets.

Enable Strongswan

For this first step, you need to enable Strongswan. The process differs depending on whether Access Server is running on a virtual appliance or was installed on-premise from a software package.

For Access Server virtual appliance users:

  1. Connect to your console and get root privileges.

  2. Strongswan is pre-installed but turned off by default on the Access Server virtual appliance. Run this command to enable it:

    sudo systemctl enable strongswan-starter.service
  3. Start Strongswan:

    sudo systemctl start strongswan-starter.service

For software package installation users:

  1. If you're not using the virtual appliance, install Strongswan manually:

    apt update
    apt install strongswan

    Note

    Adjust the package manager commands according to your Linux distribution (e.g., yum for CentOS/RHEL).

  2. Download the following required configuration files and place them in the appropriate directories:

    • ipsec.sh: Save to /sbin/ and make it executable.

      sudo wget -O /sbin/ipsec.sh https://your-download-link/ipsec.sh
      sudo chmod +x /sbin/ipsec.sh
    • ipsec.conf: Save to /etc/.

      sudo wget -O /etc/ipsec.conf https://your-download-link/ipsec.conf
    • ipsec.secrets: Save to /etc/.

      sudo wget -O /etc/ipsec.secrets https://your-download-link/ipsec.secrets
      

      Important

      Replace https://your-download-link/ with the actual URLs where these files can be downloaded.

Access your AWS VPC

  1. Sign in to the AWS Management Console.

  2. From the list of services, select VPC under the Networking & Content Delivery category.

  3. In the VPC Dashboard, ensure you have at least one VPC listed.

    • If no VPC is present, you may need to create one or check if you're in the correct AWS region.

      Tip

      Check the top-right corner of the console to confirm your active region.

Create a customer gateway

  1. In the Virtual private network (VPN) section, select Customer Gateways.

  2. Click Create Customer Gateway.

    • Name Tag: Enter a descriptive name (e.g., OnPremiseAccessServer).

    • IP Address: Enter the public IP address of your on-premise Access Server.

      Important

      This IP must be internet-facing and not behind NAT.

    • Click Create Customer Gateway to save settings.

Create a virtual private gateway

  1. In the Virtual private network (VPN) section, click Virtual Private Gateways.

  2. Click Create Virtual Private Gateway.

    • Name Tag: Enter a descriptive name (e.g., MyVPCGateway).

    • Click Create Virtual Private Gateway.

  3. Select the newly created private gateway.

  4. Click Actions > Attach to VPC.

  5. Select your VPC from the dropdown.

  6. Click Yes, Attach.

Enable route propagation

  1. In the Virtual private cloud section, select Route Tables.

  2. Choose the route table associated with your VPC subnets.

  3. With the route table selected, click the Route Propagation tab.

  4. Click Edit Route Propagation.

  5. Click the box next to your virtual private gateway (vgw-xxxxxxxx).

  6. Click Save.

Create a site-to-site VPN connection

  1. In the Virtual private network (VPN) section, select Site-to-Site VPN connections.

  2. Click Create VPN Connection.

  3. Configure the VPN connection:

    • Name Tag: Enter a descriptive name (e.g., OnPremiseVPNConnection).

    • Target Gateway Type: Choose Virtual Private Gateway.

    • Virtual Private Gateway: Select the one previously created.

    • Customer Gateway: Select Existing and choose your customer gateway.

    • Routing Options: Choose Static.

    • Static IP Prefixes: Enter the CIDR blocks of your on-premise and Access Server VPN networks. Example: 192.0.2.0/24, 203.0.113.0/24.

  4. Click Create VPN Connection.

    • Wait for the connection to be created.

  5. Once the VPN connection is available, select it from the list.

  6. Click Download Configuration.

  7. In the dialog, select Generic for the vendor and click Download.

  8. Save the configuration file for the next step.

Configure IPsec on the Access Server

  1. Open the downloaded VPN configuration file.

  2. Note the following for both IPSec Tunnel #1 and IPSec Tunnel #2:

    • Outside IP Address > Virtual Private Gateway.

    • Pre-shared Key (PSK).

  3. Connect to your Access Server console and get root privileges.

  4. Edit the Access Server IPSec configuration file:

    nano /etc/ipsec.conf
  5. Update with the following changes:

    • Update the right= values: enter the AWS endpoint IPs (the Outside IP Address of the Virtual Private Gateway noted above) for Tunnel 1 and Tunnel 2.

    • Update rightsubnet=: Set to your AWS VPC CIDR block (e.g., 198.51.100.0/16).

    • Example configuration snippet:

      # ipsec.conf - strongSwan IPsec configuration file
      # Amazon VPC IPsec configuration for the OpenVPN Access Server Appliance
      conn %default
          left=%any
          keyexchange=ikev1
          keyingtries=%forever
          esp=aes128-sha1-modp1024
          ike=aes128-sha1-modp1024
          ikelifetime=8h
          auto=start
          authby=secret
          dpdaction=restart
          closeaction=restart
          dpddelay=10s
          dpdtimeout=30s
          leftsubnet=0.0.0.0/0
          leftupdown=/sbin/ipsec.sh
          installpolicy=no
          # Enter your VPC subnet here (in CIDR format - e.g. rightsubnet=10.0.0.0/16)
          rightsubnet=AWS_VPC_CIDR

      conn VPC-CUST-GW1
          # Enter the tunnel 1 endpoint here (e.g. right=205.251.233.121)
          right=AWS_Endpoint_IP_Tunnel1

      conn VPC-CUST-GW2
          # Enter the tunnel 2 endpoint here (e.g. right=205.251.233.122)
          right=AWS_Endpoint_IP_Tunnel2

      # Remember to open ipsec.secrets and insert the PSK given to you by Amazon.

      Note

      The ike= and esp= proposals above (IKEv1, AES-128, SHA-1, DH group modp1024) correspond to the defaults in the AWS generic configuration download. If your security policy requires stronger algorithms, the AWS site-to-site VPN tunnel options also allow IKEv2, SHA-2 and larger DH groups; the keyexchange=, ike= and esp= lines must then be changed to match what you select on the AWS side.
  6. Save and exit the file.

  7. Edit the Access Server IPsec secrets file:

    nano /etc/ipsec.secrets
  8. Add the PSKs for both tunnels:

    Your_On_Premises_IP AWS_Endpoint_IP_Tunnel1 : PSK "Your_PSK_Tunnel1"
    Your_On_Premises_IP AWS_Endpoint_IP_Tunnel2 : PSK "Your_PSK_Tunnel2"

    Replace Your_On_Premises_IP with the public IP address of your Access Server, AWS_Endpoint_IP_Tunnel1 and AWS_Endpoint_IP_Tunnel2 with the tunnel endpoint IPs used in ipsec.conf, and Your_PSK_Tunnel1 and Your_PSK_Tunnel2 with the pre-shared keys for Tunnel 1 and Tunnel 2 from the downloaded configuration file.

  9. Save and exit the file.
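Before starting IPsec, it is worth checking the two files you just edited. The following bash script is an added example (not part of the tutorial or of Access Server) that verifies no template placeholders remain, that every right= endpoint in ipsec.conf has a PSK line in ipsec.secrets, and that the VPC CIDR in rightsubnet= does not overlap the on-premise networks listed in the prerequisites. It assumes the file layout shown above and takes your on-premise CIDRs as arguments; the demo function runs the checks on constructed sample files.

```shell
#!/bin/bash
# Pre-flight check for the ipsec.conf/ipsec.secrets pair built in this tutorial (example
# script added here, not part of Access Server). Assumes the layout shown above.

# Dotted-quad IPv4 address to an integer.
ip2int() {
  local IFS=.; set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# cidr_overlap A B: exit 0 if the two IPv4 CIDR blocks share any address.
cidr_overlap() {
  local a_ip=${1%/*} a_len=${1#*/} b_ip=${2%/*} b_len=${2#*/}
  local len=$(( a_len < b_len ? a_len : b_len ))   # overlap iff they agree on the shorter prefix
  local mask=$(( len == 0 ? 0 : (4294967295 << (32 - len)) & 4294967295 ))
  [ $(( $(ip2int "$a_ip") & mask )) -eq $(( $(ip2int "$b_ip") & mask )) ]
}
# check_ipsec_files CONF SECRETS ONPREM_CIDR...: print each problem found, return their count.
check_ipsec_files() {
  local conf=$1 secrets=$2; shift 2
  local problems=0 ep ep_re vpc net
  # 1. Template placeholders that were never replaced.
  if grep -qE 'AWS_(Endpoint_IP|VPC_CIDR)|Your_' "$conf" "$secrets"; then
    echo "unreplaced placeholder in $conf or $secrets"; problems=$((problems + 1))
  fi
  # 2. Every tunnel endpoint (right=) needs a matching PSK line in ipsec.secrets.
  for ep in $(sed -n 's/^[[:space:]]*right=\(.*\)$/\1/p' "$conf"); do
    ep_re=$(printf '%s' "$ep" | sed 's/\./\\./g')
    grep -qE "[[:space:]]${ep_re}[[:space:]]+:[[:space:]]*PSK" "$secrets" ||
      { echo "no PSK for tunnel endpoint $ep"; problems=$((problems + 1)); }
  done
  # 3. rightsubnet (the VPC CIDR) must not overlap any on-premise network (see prerequisites).
  vpc=$(sed -n 's/^[[:space:]]*rightsubnet=\(.*\)$/\1/p' "$conf")
  if printf '%s\n' "$vpc" | grep -qE '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'; then
    for net in "$@"; do
      cidr_overlap "$vpc" "$net" &&
        { echo "VPC CIDR $vpc overlaps on-premise network $net"; problems=$((problems + 1)); }
    done
  fi
  return "$problems"
}
# demo: run the checks against constructed sample files (no real endpoints or keys).
demo() {
  local d rc; d=$(mktemp -d)
  printf '%s\n' 'conn %default' '    rightsubnet=10.0.0.0/16' 'conn VPC-CUST-GW1' \
    '    right=192.0.2.10' 'conn VPC-CUST-GW2' '    right=AWS_Endpoint_IP_Tunnel2' > "$d/ipsec.conf"
  printf '%s\n' '203.0.113.5 192.0.2.10 : PSK "example-psk-1"' > "$d/ipsec.secrets"
  check_ipsec_files "$d/ipsec.conf" "$d/ipsec.secrets" 10.0.5.0/24 172.16.0.0/12
  rc=$?; rm -rf "$d"; return "$rc"   # 3 problems: placeholder, missing PSK, overlap
}
```

On a real system, source the script and run check_ipsec_files /etc/ipsec.conf /etc/ipsec.secrets 192.0.2.0/24 203.0.113.0/24 with your own on-premise networks; the exit status is the number of problems found, so 0 means the files are consistent.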

Start the IPsec service

  1. Start the IPsec service:

    ipsec start
  2. Check the status of the IPsec tunnels to verify the connection:

    ipsec status
    • You should see established Security Associations (SAs), indicating the tunnels are up.

    • If the IPsec tunnels don't establish, run this command:

      ipsec restart
Enable IPsec at boot

  1. Enable the IPsec service at boot:

    systemctl enable ipsec
  2. (Optional) Add the command to rc.local:

    1. Edit the rc.local file:

      nano /etc/rc.local
    2. Add the following line before the exit 0 line:

      ipsec start
    3. Save and exit.

Test the connection

  1. From a machine in your on-premise network, ping an instance in your AWS VPC to test the connectivity from on-premise to AWS:

    ping AWS_Instance_IP
  2. From an AWS instance, ping a machine on your on-premise network to test connectivity from AWS to on-premise:

    ping On_premise_Machine_IP
  3. Connect to your Access Server using a VPN client.

  4. Ensure that you can access AWS resources as intended.

  5. If you need to troubleshoot, check firewall rules on both sides to ensure ICMP (ping) is allowed and review logs for any error messages:

    cat /var/log/syslog | grep ipsec