This is the world’s only existing simple example of an Openswan / Libreswan VPN between two Amazon EC2 VPCs. At least it seems that way after many fruitless searches today.
We recently needed to link a client’s two VPCs together using a VPN and decided to use Libreswan instead of OpenVPN.
Since there’s a dearth of specific examples online, I’ve decided to document a very simple configuration for a working Libreswan VPN bridge between two VPCs. This simple configuration certainly applies to other non-Amazon non-VPC configurations. Note that this also turns on dead peer detection, which is handy on unreliable networks.
This VPN was configured on two Amazon NAT instance AMIs. There’s nothing special about Amazon’s NAT instance AMis, but if you’re using them, they are likely a logical place for your VPN between VPCs.
For the sake of the example, the following addresses have been used:
East NAT external IP: 18.104.22.168
East NAT internal IP: 192.168.1.10
East NAT subnet: 192.168.1.0/24
West NAT external IP: 22.214.171.124
West NAT internal IP: 192.168.2.10
West NAT subnet: 192.168.2.0/24
conn east-west authby=secret auto=start type=tunnel left=192.168.1.10 leftid=126.96.36.199 leftsubnet=192.168.1.0/24 right=188.8.131.52 rightsubnet=192.168.2.0/24 ike=aes256-sha1;modp2048 phase2=esp phase2alg=aes256-sha1;modp2048 dpddelay=30 dpdtimeout=120 dpdaction=restart
conn east-west authby=secret auto=start type=tunnel left=192.168.2.10 leftid=184.108.40.206 leftsubnet=192.168.2.0/24 right=220.127.116.11 rightsubnet=192.168.1.0/24 ike=aes256-sha1;modp2048 phase2=esp phase2alg=aes256-sha1;modp2048 dpddelay=30 dpdtimeout=120 dpdaction=restart
Then you’ll need to create the secrets files on each end. The format is [LOCALIP] [REMOTEIP] [SECRET]. Obviously, use a better PSK than the one below or use certificates.
18.104.22.168 22.214.171.124: PSK "mysecretpsk" 126.96.36.199 188.8.131.52: PSK "mysecretpsk"
You’ll also need to make sure you have the correct Network ACLs on the VPC subnets and Security Groups on the instances you’re using for the VPN termination points. You are using Network ACLs and Security Groups, right?
You’ll need UDP ports 500 (ISAKMP) and 4500 (IPSEC) open on both ends.
Don’t hesitate to contact us if you need assistance.