# AWS - OpenSWAN Site-to-Site VPN
# Preface
Today I learned about Site-to-Site VPN via

# Create VPC-1 in US-EAST-1
AWS Console > VPC > Create VPC
- Resource to create: VPC and more
- Name tag auto-generation: vpc1
- IPv4 CIDR Block: 10.0.0.0/16
- IPv6 CIDR Block: No IPv6 CIDR block
- Tenancy: Default
- Number of AZs: 1
- Number of public subnets: 0
- Number of private subnets: 1
- NAT Gateway: None
- VPC Endpoints: None
- DNS options:
Create VPC
# Setup Route Table
AWS Console > VPC > Route Table > Create Route Table
Name: vpc1-private-subnet-rt
VPC: vpc1-vpc
Create Route Table
Change the private subnet's route table association:
VPC > Subnets > vpc1-subnet-private1-us-east-1a > Route Table > Edit route table association
Change the Route Table ID from
vpc1-rtb-private1-us-east-1a > vpc1-private-subnet-rt
# Setup EC2 in us-east-1
Name: ec2-vpc1
AMI: Amazon Linux
Network Settings:
- VPC: vpc1-vpc
- Subnet: vpc1-subnet-private1-us-east-1a
- SG:
  - Name: EC2-SG
  - Inbound Rule: ALL ICMP - IPv4 Custom 20.0.0.0/16
# Create VPC-2 in US-WEST-2
AWS Console > VPC > Create VPC
Note that this VPC must use a public subnet.
- Resource to create: VPC and more
- Name tag auto-generation: vpc2
- IPv4 CIDR Block: 20.0.0.0/16
- IPv6 CIDR Block: No IPv6 CIDR block
- Tenancy: Default
- Number of AZs: 1
- Number of public subnets: 1
- Number of private subnets: 0
- NAT Gateway: None
- VPC Endpoints: None
- DNS options:
# Setup EC2 in us-west-2
Name: ec2-vpc2
AMI: Amazon Linux
Network Settings:
- VPC: vpc2-vpc
- Subnet: vpc2-subnet-public1-us-west-2a
- Auto-assign public IP: Enable
- SG:
  - Name: VPN-EC2-SG
  - Inbound Rule: SSH My IP
  - Inbound Rule: All ICMP - IPv4 Custom 10.0.0.0/16
# Setup VGW in us-east-1
AWS Console > VPC > VPN > Virtual Private gateways > Create Virtual Private Gateway
Name: VPC-1-VGW
Attach to VPC:
Select VPC-1-VGW > Actions > Attach to VPC
Choose vpc1-vpc
# Setup CGW
The most important part of creating the CGW is its public IP.
First go back to us-west-2 and copy the public IP of the EC2 instance created earlier:
35.XX.XX.XX
VPC > VPN > Customer gateways > Create Customer Gateway
Name: VPC2-CGW
IP: the EC2 public IP you just copied
Create customer gateway
# Setup Site-to-Site VPN
Now that we have both the VGW and the CGW, connect them:
VPC > VPN > Site-to-Site VPN connections > Create VPN connection
Name: VPN
VGW: VPC-1-VGW
CGW: VPC2-CGW
Routing options: Static
Static IP prefixes: 20.0.0.0/16
Local IPv4 CIDR: 20.0.0.0/16
Remote IPv4 CIDR: 10.0.0.0/16
# Modify Route Table
Edit the VPC-1 route table so that traffic for the remote CIDR is sent out through the VGW:
Add route
Destination: 20.0.0.0/16, Target: VPC-1-VGW (Virtual Private Gateway)
# Download the configuration file
VPC > VPN > Site-to-Site VPN connections
Select your VPN > Download configuration
Vendor: Openswan
Platform: Openswan
Software: Openswan 2.6.38+
IKE Version: ikev1
The download gives you a .txt file.

# Configure VPN Server
Connect to the EC2 instance (ec2-vpc2).
Install Libreswan. First add the Fedora repository:
```bash
sudo nano /etc/yum.repos.d/fedora.repo
```
Paste the following content:
```ini
[fedora]
```
Install Libreswan:
```bash
sudo dnf --enablerepo=fedora install libreswan -y
```
Open sysctl.conf:
```bash
sudo nano /etc/sysctl.conf
```
Paste:
```
net.ipv4.ip_forward = 1
```
Run:
```bash
# loads the setting into the running kernel
```
Check:
```bash
sudo cat /etc/ipsec.conf
```
Create a new file:
```bash
sudo nano /etc/ipsec.d/aws.conf
```
Then fill it in from the downloaded configuration of the VPN connection created earlier, with a few small changes:
- Remove `auth=esp`
- Change `phase2alg=aes128-sha1;modp1024` to `phase2alg=aes_gcm`
- Change `ike=aes128-sha1;modp1024` to `ike=aes256-sha1`
- In `leftsubnet="LOCAL NETWORK"`, replace "LOCAL NETWORK" with the data center's CIDR (in my example a VPC in the N. Virginia region simulates the data center, i.e. 192.168.0.0/16)
- In `rightsubnet="REMOTE NETWORK"`, replace "REMOTE NETWORK" with the AWS VPC's CIDR (in my example the VPC in the Oregon region, i.e. 10.0.0.0/16)
```
conn Tunnel1
```
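As an added example (not from the original post and not the AWS-generated file), the shell script below applies the edits listed above to a downloaded Openswan stanza with `sed` and then checks the result before the file is handed to ipsec. The embedded `conn Tunnel1` stanza is a constructed sample with documentation-range placeholder IPs; the CIDRs passed in are this page's own (20.0.0.0/16 on the Libreswan side in VPC-2, 10.0.0.0/16 for VPC-1 behind the VGW).

```shell
#!/bin/sh
# Constructed sample of the "conn Tunnel1" stanza as AWS generates it for the
# Openswan vendor (placeholder IPs; the pre-shared key lives in aws.secrets).
SAMPLE_CONF='conn Tunnel1
    authby=secret
    auto=start
    left=%defaultroute
    leftid=203.0.113.10
    right=198.51.100.20
    type=tunnel
    ikelifetime=8h
    keylife=1h
    phase2alg=aes128-sha1;modp1024
    ike=aes128-sha1;modp1024
    auth=esp
    keyingtries=%forever
    keyexchange=ike
    leftsubnet="LOCAL NETWORK"
    rightsubnet="REMOTE NETWORK"
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart_by_peer'

# patch_aws_conf LOCAL_CIDR REMOTE_CIDR: reads the downloaded stanza on stdin and
# applies the page's edits: drop auth=esp, set phase2alg and ike, fill both subnets.
# The ike= pattern is anchored to the key, so ikelifetime= and keyexchange=ike survive.
patch_aws_conf() {
    sed -e '/^[[:space:]]*auth=esp[[:space:]]*$/d' \
        -e 's/^\([[:space:]]*\)phase2alg=.*/\1phase2alg=aes_gcm/' \
        -e 's/^\([[:space:]]*\)ike=.*/\1ike=aes256-sha1/' \
        -e "s#^\([[:space:]]*\)leftsubnet=.*#\1leftsubnet=$1#" \
        -e "s#^\([[:space:]]*\)rightsubnet=.*#\1rightsubnet=$2#"
}

# check_aws_conf: returns 0 only if every edit took effect (no auth=esp left,
# no LOCAL/REMOTE NETWORK placeholders, expected algorithms present).
check_aws_conf() {
    conf=$(cat)
    printf '%s\n' "$conf" | grep -q 'auth=esp' && return 1
    printf '%s\n' "$conf" | grep -q 'NETWORK' && return 1
    printf '%s\n' "$conf" | grep -q '^[[:space:]]*phase2alg=aes_gcm$' || return 1
    printf '%s\n' "$conf" | grep -q '^[[:space:]]*ike=aes256-sha1$' || return 1
    return 0
}

# Patched stanza for this page: VPC-2 (20.0.0.0/16) is local, VPC-1 (10.0.0.0/16) remote.
PATCHED=$(printf '%s\n' "$SAMPLE_CONF" | patch_aws_conf 20.0.0.0/16 10.0.0.0/16)
printf '%s\n' "$PATCHED"
```

Run `check_aws_conf` against the real /etc/ipsec.d/aws.conf before starting ipsec; a leftover placeholder or `auth=esp` is the usual reason the tunnel never comes up.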
Create the secret:
```bash
sudo nano /etc/ipsec.d/aws.secrets
```
Restart the service:
```bash
sudo systemctl start ipsec.service
```

# Test whether the private instance can be pinged
```bash
ping 10.0.134.16
```

Success
# Reference
- Shiun - AWS Site-to-Site VPN with Libreswan setup tutorial (Step-by-Step)