Tutorial: Extend VPN Connectivity to Amazon AWS VPC Using the AWS VPC VPN Gateway Service
Successfully extend your on-premise Access Server VPN connectivity to your AWS VPC using IPsec. VPN users can access AWS resources securely.
Overview
If you're utilizing Amazon Web Services (AWS), you're likely aware that Amazon Virtual Private Cloud (VPC) offers built-in functionality to connect your on-premise network to your VPC instances. However, suppose you already have an Access Server set up on-premise and wish to extend your VPN connectivity to the Amazon cloud. In that case, you can achieve this without purchasing additional hardware or expensive equipment. This tutorial guides you through connecting your on-premise Access Server to your Amazon VPC using IPsec: a strongSwan site-to-site tunnel from the Access Server host to the AWS Virtual Private Gateway. Upon completion, your on-premise VPN users will have seamless access to your AWS resources without any additional client configuration or installation.
Important
Always ensure your configurations comply with your organization's security policies and AWS best practices. Update your systems regularly and monitor the VPN connections for optimal performance and security.
Prerequisites
Access Server installed on your local network.
An internet-facing IP address for your Access Server instance.
Strongswan installed.
AWS Management Console access with permissions to configure VPC settings.
Non-overlapping subnets between your on-premise and AWS VPC subnets.
For this first step, you need to enable Strongswan. The process differs if you have Access Server running on a virtual appliance or installed on-premise with a software package installation.
For Access Server virtual appliance users:
Connect to your console and get root privileges.
Strongswan is pre-installed but turned off by default on the Access Server virtual appliance. Run this command to enable it:
sudo systemctl enable strongswan-starter.service
Start Strongswan:
sudo systemctl start strongswan-starter.service
For software package installation users:
If you're not using the virtual appliance, install Strongswan manually:
apt update
apt install strongswan
Note
Adjust the package manager commands according to your Linux distribution (e.g., yum for CentOS/RHEL).
Download the following required configuration files and place them in the appropriate directories:
ipsec.sh: Save to /sbin/ and make it executable.
sudo wget -O /sbin/ipsec.sh https://your-download-link/ipsec.sh
sudo chmod +x /sbin/ipsec.sh
ipsec.conf: Save to /etc/.
sudo wget -O /etc/ipsec.conf https://your-download-link/ipsec.conf
ipsec.secrets: Save to /etc/.
sudo wget -O /etc/ipsec.secrets https://your-download-link/ipsec.secrets
Important
Replace https://your-download-link/ with the actual URLs where these files can be downloaded.
Sign in to the AWS Management Console.
From the list of services, select VPC under the Networking & Content Delivery category.
In the VPC Dashboard, ensure you have at least one VPC listed.
If no VPC is present, you may need to create one or check if you're in the correct AWS region.
Tip
Check the top-right corner of the console to confirm your active region
In the Virtual private network (VPN) section, select Customer Gateways.
Click Create Customer Gateway.
Name Tag: Enter a descriptive name (e.g., OnPremiseAccessServer).
IP Address: Enter the public IP address of your on-premise Access Server.
Important
This is the address the AWS Virtual Private Gateway sends IKE (UDP 500/4500) and ESP traffic to, so it must be reachable from the internet. The tutorial assumes the address is assigned directly to the Access Server host rather than translated by a NAT device in front of it.
Click Create Customer Gateway to save settings.
In the Virtual private network (VPN) section, click Virtual Private Gateways.
Click Create Virtual Private Gateway.
Name Tag: Enter a descriptive name (e.g., MyVPCGateway).
Click Create Virtual Private Gateway.
Select the newly created virtual private gateway.
Click Actions > Attach to VPC.
Select your VPC from the dropdown.
Click Yes, Attach.
In the Virtual private cloud section, select Route Tables.
Choose the route table associated with your VPC subnets.
With the route table selected, click the Route Propagation tab.
Click Edit Route Propagation.
Click the box next to your virtual private gateway (vgw-xxxxxxxx).
Click Save.
In the Virtual private network (VPN) section, select Site-to-Site VPN connections.
Click Create VPN Connection.
Configure the VPN connection:
Name Tag: Enter a descriptive name (e.g., OnPremiseVPNConnection).
Target Gateway Type: Choose Virtual Private Gateway.
Virtual Private Gateway: Select the one previously created.
Customer Gateway: Select Existing and choose your customer gateway.
Routing Options: Choose Static.
Static IP Prefixes: Enter the CIDR blocks that AWS should route back through the tunnel: your on-premise LAN and the Access Server VPN client subnet. Example: 192.0.2.0/24, 203.0.113.0/24. Return traffic from the VPC to any prefix not listed here has no route back through the tunnel, even when the tunnel is up.
Click Create VPN Connection.
Wait for the connection to be created.
Once the VPN connection is available, select it from the list.
Click Download Configuration.
In the dialog, select Generic for the vendor and click Download.
Save the configuration file for the next step.
Open the downloaded VPN configuration file.
Note the following for both IPSec Tunnel #1 and IPSec Tunnel #2:
Outside IP Address > Virtual Private Gateway.
Pre-shared Key (PSK).
Connect to your Access Server console and get root privileges.
Edit the Access Server IPSec configuration file:
nano /etc/ipsec.conf
Update with the following changes:
Update right=: in conn VPC-CUST-GW1 and conn VPC-CUST-GW2, replace the placeholders with the Virtual Private Gateway outside IP addresses for Tunnel 1 and Tunnel 2.
Update rightsubnet=: set it to your AWS VPC CIDR block (e.g., 10.0.0.0/16).
The sample negotiates IKEv1 with aes128-sha1-modp1024. AWS Virtual Private Gateways also accept IKEv2, AES-256, SHA-2 and DH group 14 (modp2048); if your security policy requires it, set ike= and esp= to the strongest proposal listed in the downloaded configuration. Both lines must match something AWS offers or the tunnels will not negotiate.
Example configuration snippet:
# ipsec.conf - strongSwan IPsec configuration file
# Amazon VPC IPsec configuration for the OpenVPN Access Server Appliance

conn %default
    left=%any
    keyexchange=ikev1
    keyingtries=%forever
    esp=aes128-sha1-modp1024
    ike=aes128-sha1-modp1024
    ikelifetime=8h
    auto=start
    authby=secret
    dpdaction=restart
    closeaction=restart
    dpddelay=10s
    dpdtimeout=30s
    leftsubnet=0.0.0.0/0
    leftupdown=/sbin/ipsec.sh
    installpolicy=no
    # Enter your VPC subnet here (in CIDR format - e.g. rightsubnet=10.0.0.0/16)
    rightsubnet=AWS_VPC_CIDR

conn VPC-CUST-GW1
    # Enter the tunnel 1 endpoint here (e.g. right=205.251.233.121)
    right=AWS_Endpoint_IP_Tunnel1

conn VPC-CUST-GW2
    # Enter the tunnel 2 endpoint here (e.g. right=205.251.233.122)
    right=AWS_Endpoint_IP_Tunnel2

# Remember to open ipsec.secrets and insert the PSK given to you by Amazon.
Save and exit the file.
Edit the Access Server IPsec secrets file:
nano /etc/ipsec.secrets
Add the PSKs for both tunnels, one line per tunnel: your public IP, the AWS endpoint (Virtual Private Gateway outside) IP, then the PSK from the downloaded configuration:
Your_On_Premises_IP AWS_Endpoint_IP_Tunnel1 : PSK "Your_PSK_Tunnel1"
Your_On_Premises_IP AWS_Endpoint_IP_Tunnel2 : PSK "Your_PSK_Tunnel2"
Save and exit the file. Because it holds the pre-shared keys, keep it readable only by root (mode 0600).
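The copy-and-paste in the last two steps is where most tunnel failures start: the AWS file lists a "Virtual Private Gateway" address under both Outside IP Addresses and Inside IP Addresses, and only the outside one belongs in right=. The following helper is an added example, not part of the Access Server documentation or appliance scripts: it pulls the two outside gateway addresses and PSKs out of the downloaded Generic configuration, validates them, and renders ipsec.conf and ipsec.secrets with the same connection names and settings the tutorial uses. The embedded AWS_GENERIC_CONFIG is a constructed, abbreviated stand-in for the real download (RFC 5737 documentation addresses, made-up PSKs), and the script name and argument order are my own choices.

```shell
#!/bin/sh
# render-aws-ipsec.sh (added example, not Access Server code): build ipsec.conf and
# ipsec.secrets for the two AWS tunnels from the AWS "Generic" VPN configuration.
# Usage: sh render-aws-ipsec.sh <outdir> <access-server-public-ip> <vpc-cidr>

# Constructed, abbreviated stand-in for the downloaded file (assumption: the real
# download keeps the "IPSec Tunnel #N", "Pre-Shared Key" and "Outside/Inside IP
# Addresses" lines in this shape). RFC 5737 addresses; PSKs are made up. The Inside
# block also names a "Virtual Private Gateway" that must NOT become right=.
AWS_GENERIC_CONFIG='IPSec Tunnel #1
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : s3cret.PSK.tunnel1
Outside IP Addresses:
  - Customer Gateway         : 203.0.113.10
  - Virtual Private Gateway  : 192.0.2.11
Inside IP Addresses
  - Customer Gateway         : 169.254.10.2/30
  - Virtual Private Gateway  : 169.254.10.1/30

IPSec Tunnel #2
  - Pre-Shared Key           : s3cret.PSK.tunnel2
Outside IP Addresses:
  - Customer Gateway         : 203.0.113.10
  - Virtual Private Gateway  : 192.0.2.12
Inside IP Addresses
  - Customer Gateway         : 169.254.11.2/30
  - Virtual Private Gateway  : 169.254.11.1/30'

# aws_field <1|2> <psk|vgw>: the PSK, or the OUTSIDE Virtual Private Gateway address
aws_field() {
    printf '%s\n' "$AWS_GENERIC_CONFIG" | awk -v want="$1" -v field="$2" '
        /^IPSec Tunnel #/ { n = $0; sub(/^IPSec Tunnel #/, "", n); tunnel = n + 0; outside = 0; next }
        /^Outside IP Addresses/ { outside = 1; next }
        /^Inside IP Addresses/  { outside = 0; next }
        tunnel != want + 0 { next }
        field == "psk" && /Pre-Shared Key[ \t]*:/ {
            v = $0; sub(/^.*Pre-Shared Key[ \t]*:[ \t]*/, "", v); sub(/[ \t\r]*$/, "", v); print v; exit }
        field == "vgw" && outside && /Virtual Private Gateway[ \t]*:/ {
            v = $0; sub(/^.*:[ \t]*/, "", v); sub(/[ \t\r]*$/, "", v); print v; exit }'
}

# is_ipv4 <string>: dotted quad only, so a 169.254.x.x/30 inside address is rejected
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1 }'
}

# render_ipsec_conf <vpc-cidr> <vgw1-ip> <vgw2-ip>: same settings and conn names as the tutorial
render_ipsec_conf() {
    cat <<EOF
# ipsec.conf - strongSwan IPsec configuration file (generated by render-aws-ipsec.sh)
conn %default
    left=%any
    keyexchange=ikev1
    keyingtries=%forever
    esp=aes128-sha1-modp1024
    ike=aes128-sha1-modp1024
    ikelifetime=8h
    auto=start
    authby=secret
    dpdaction=restart
    closeaction=restart
    dpddelay=10s
    dpdtimeout=30s
    leftsubnet=0.0.0.0/0
    leftupdown=/sbin/ipsec.sh
    installpolicy=no
    rightsubnet=$1

conn VPC-CUST-GW1
    right=$2

conn VPC-CUST-GW2
    right=$3
EOF
}

# render_ipsec_secrets <my-public-ip> <vgw1> <psk1> <vgw2> <psk2>
render_ipsec_secrets() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
    printf '%s %s : PSK "%s"\n' "$1" "$4" "$5"
}

# write_configs <outdir> <my-public-ip> <vpc-cidr>: validate, then write both files;
# ipsec.secrets is created mode 0600 because it holds the PSKs. Returns 1 on bad input.
write_configs() {
    vgw1=$(aws_field 1 vgw); psk1=$(aws_field 1 psk)
    vgw2=$(aws_field 2 vgw); psk2=$(aws_field 2 psk)
    for ip in "$2" "$vgw1" "$vgw2"; do
        is_ipv4 "$ip" || { echo "not a plain IPv4 address: '$ip'" >&2; return 1; }
    done
    [ -n "$psk1" ] && [ -n "$psk2" ] || { echo "PSK missing from AWS configuration" >&2; return 1; }
    render_ipsec_conf "$3" "$vgw1" "$vgw2" > "$1/ipsec.conf"
    (umask 077; render_ipsec_secrets "$2" "$vgw1" "$psk1" "$vgw2" "$psk2" > "$1/ipsec.secrets")
}

if [ "$#" -eq 3 ]; then
    write_configs "$1" "$2" "$3"
fi
```

Render into a scratch directory first (sh render-aws-ipsec.sh /tmp/aws 203.0.113.10 10.0.0.0/16), diff against the files you edited by hand, and only then copy them into /etc. For a real download, replace the embedded sample with the contents of the file AWS gave you.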
Start the IPsec service:
ipsec start
Check the status of the IPsec tunnels to verify the connection:
ipsec status
You should see established Security Associations (SAs), indicating the tunnels are up.
If the IPsec tunnels don't establish, run this command:
ipsec restart
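The "N up" summary that ipsec status prints counts IKE SAs, and a connection can show ESTABLISHED while no CHILD (ESP) SA was ever negotiated, for example when rightsubnet= does not match what AWS expects; that tunnel looks up but passes no packets. The following check is an added example, not part of the Access Server documentation: it reads ipsec status and reports each of the tutorial's two connections as up (IKE SA established and ESP SA installed), ike-only or down, and returns a distinct exit code when only one of the two AWS tunnels is healthy. The IPSEC_STATUS_SAMPLE text is constructed to show the ike-only case for VPC-CUST-GW2; the script name is my own choice.

```shell
#!/bin/sh
# check-aws-tunnels.sh (added example, not Access Server code): classify each AWS
# tunnel from "ipsec status". A tunnel carries traffic only when its IKE SA line
# ("NAME[n]: ESTABLISHED") AND a CHILD/ESP SA line ("NAME{n}: INSTALLED") exist.
# Usage: sh check-aws-tunnels.sh check   (exit 0 both up, 1 one up, 2 none up)

# Constructed sample of strongSwan "ipsec status" output (RFC 5737 addresses,
# VPC 10.0.0.0/16): tunnel 1 is healthy, tunnel 2 has an IKE SA but no ESP SA,
# so the "2 up" summary is misleading. Unset the variable to query the live daemon.
IPSEC_STATUS_SAMPLE='Security Associations (2 up, 0 connecting):
 VPC-CUST-GW1[3]: ESTABLISHED 12 minutes ago, 203.0.113.10[203.0.113.10]...192.0.2.11[192.0.2.11]
 VPC-CUST-GW1{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3c4_i d4e5f6a7_o
 VPC-CUST-GW1{3}:   0.0.0.0/0 === 10.0.0.0/16
 VPC-CUST-GW2[4]: ESTABLISHED 12 minutes ago, 203.0.113.10[203.0.113.10]...192.0.2.12[192.0.2.12]'

ipsec_status_text() {
    if [ -n "${IPSEC_STATUS_SAMPLE:-}" ]; then
        printf '%s\n' "$IPSEC_STATUS_SAMPLE"
    else
        ipsec status
    fi
}

# tunnel_state <conn-name>: prints up | ike-only | down
tunnel_state() {
    ipsec_status_text | awk -v conn="$1" '
        { sub(/^[ \t]+/, "") }
        index($0, conn "[") == 1 && /: ESTABLISHED/ { ike = 1 }
        index($0, conn "{") == 1 && /: +INSTALLED/  { child = 1 }
        END { if (ike && child) print "up"; else if (ike) print "ike-only"; else print "down" }'
}

# check_tunnels: one line per tunnel; exit 0 both up, 1 one up, 2 none up.
# AWS gives you two tunnels for redundancy, so "one up" is an alert, not a pass.
check_tunnels() {
    up=0
    for conn in VPC-CUST-GW1 VPC-CUST-GW2; do
        state=$(tunnel_state "$conn")
        echo "$conn: $state"
        if [ "$state" = up ]; then up=$((up + 1)); fi
        if [ "$state" = ike-only ]; then
            echo "  IKE authenticated but no ESP SA: check rightsubnet=/leftsubnet= against the VPC CIDR" >&2
        fi
    done
    case $up in
        2) return 0 ;;
        1) echo "degraded: only one AWS tunnel is passing traffic" >&2; return 1 ;;
        *) echo "no tunnel up: check right= addresses, PSKs and ike=/esp= proposals" >&2; return 2 ;;
    esac
}

if [ "${1:-}" = check ]; then
    check_tunnels
    exit $?
fi
```

Run it with the check argument from cron or your monitoring agent and alert on any non-zero exit; the per-tunnel lines tell you whether to look at IKE (addresses, PSKs, proposals) or at the traffic selectors.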
Enable the IPsec service at boot (if your distribution names the unit differently, for example strongswan-starter.service on the virtual appliance, use that name instead):
systemctl enable ipsec
(Optional) Alternatively, add the command to rc.local. Do one or the other, not both: a second ipsec start against an already running daemon is refused.
Edit the rc.local file:
nano /etc/rc.local
Add the following line before the exit 0 line:
ipsec start
Save and exit.
From a machine in your on-premise network, ping an instance in your AWS VPC to test the connectivity from on-premise to AWS:
ping AWS_Instance_IP
From an AWS instance, ping a machine on your on-premise network to test connectivity from AWS to on-premise:
ping On_premise_Machine_IP
Connect to your Access Server using a VPN client.
Ensure that you can access AWS resources as intended.
If you need to troubleshoot, check firewall rules on both sides to ensure ICMP (ping) is allowed (on AWS, the instance's security group and the subnet's network ACL), and review the strongSwan log lines, which are tagged with the name of its IKE daemon, charon:
grep -E 'charon|ipsec' /var/log/syslog