1.Create a VPC.
Mumbai region is your work env just assume as for this demo.
Step-1:(Ensure your work VPC CIDR & onprem CIDR are differ)
Create a VPC & 1 simple private subnet + a route table.
Note: After route table creation ensure you need to associated subnet with VPC
Step-2:
Create virtual private gateway.
Step-3:
After VGW creation attach to VPC
Step-4:
Next we need to create CGW(Customer Gateway) but before that we need on-prem setup as we currently don't have on-prem setup assume your N.Virginia region as on-prem
Choose N.Virginia region --> Go to EC2.
Create an ec2 machine with public ip.
Ensure select the RHEL9 machine as your on-prem server.
After creation of machine copy the public ip
Step-5:Create CGW:
Step-6:
Create S2S:
Click on create.
Before validating s2s you can login to to N.virginia machine to configure the VPN server.
a. SSH into EC2-VPN from your workstation using PuTTy or any SSH client
***In Rhel9
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/securing_networks/configuring-a-vpn-with-ipsec_securing-networks#con_authentication-methods-in-libreswan_configuring-a-vpn-with-ipsec
** dnf install libreswan -y
Open the downloaded VPN server configuration file and follow the instructions.
Instructions in this file should be like the following steps e. through step i.:
Open vi /etc/sysctl.conf and ensure that its values match the following:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
Apply the changes in step 1 by executing the command 'sysctl -p'
Open cat /etc/ipsec.conf and look for the line below. Ensure that the # in front of the line has been removed, then save and exit the file.
#include /etc/ipsec.d/*.conf
*** Ensure include /etc/ipsec.d/*.conf the mentioned command is un commented
Ensure choose the openswarm
Download the configuration.
Leftid: It belongs to the onprem public ip in our scenarion its our N/Verginia region ec2 machine public ip
right: It belongs aws tunnel we don't need to worry about just you can copy the value the fron download configuration file from the site2site configuration
Leftsubnet: belons to the Onprem CIDR range in our situation it is n.v vpc CIDR
rightsubnet: Its our AWS workload VPC CIDR where our VGW & Site2Site deployed
Create a file in the mentioned path
vi /etc/ipsec.d/aws.conf
paste the content
conn Tunnel1
authby=secret
auto=start
left=%defaultroute
leftid=18.206.168.185
right=3.108.138.15
type=tunnel
ikelifetime=8h
keylife=1h
phase2alg=aes_gcm
ike=aes256-sha1
keyingtries=%forever
keyexchange=ike
leftsubnet=172.31.0.0/16
rightsubnet=10.0.0.0/16
dpddelay=10
dpdtimeout=30
dpdaction=restart_by_peer
encapsulation=yes
save the file
Create the file in below path:
vi /etc/ipsec.d/aws.secrets --> this value you can get from the downloaded s2s VPN configuration
Step-7:
Change the route table configuration in the account of where you created VGW in mumbai region.
Ensure all traffic goes via the virtual private gateway.
save the changes.
Step-8:
In same n.versiona ec2 machine login as root & finally start the vpn service.
sudo systemctl start ipsec.service
sudo systemctl status ipsec.service
Step-9:
Lets validate the site 2 site VPN tunnel.
The below ip address which we mentioned while setuping the tunnel & the tunnel is currently up & running.
Step-10:
Communication test from onprem to cloud aws.
as we didn't created any ec2 machine in aws mumbai region kindly create one test machine & copy the private ip address for the testing.
Ensure you need to deploy your machine on same VPC where virtual private gateway got created in our situation the VPC is workenv vpc like below.
Essure deploy in private subnet
After creation of machine in security group change inbound traffic to allow all for testing in realtime allow only the specific CIDr.
Finally copy the private ip of the machine
go to the nvregion on prem machine run the below command
ping 10.0.199.112
====================Used Text Content==================
a. SSH into EC2-VPN from your workstation using PuTTy or any SSH client
b. Add Libreswan repository. For this create /etc/yum.repos.d/fedora.repo and add
fedora repository.
Note: If you want, you can avoid using sudo in every command by changing current
ec2-user to root using sudo su command (optional)
***In Rhel9
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/securing_networks/configuring-a-vpn-with-ipsec_securing-networks#con_authentication-methods-in-libreswan_configuring-a-vpn-with-ipsec
** dnf install libreswan -y
Open the downloaded VPN server configuration file and follow the instructions.
Instructions in this file should be like the following steps e. through step i.:
Open vi /etc/sysctl.conf and ensure that its values match the following:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
Apply the changes in step 1 by executing the command 'sysctl -p'
Open /etc/ipsec.conf and look for the line below. Ensure that the # in front of the line has been removed, then save and exit the file.
#include /etc/ipsec.d/*.conf
*** Ensure nclude /etc/ipsec.d/*.conf the mentioned command is un commented
Now in S2S in AWS you need to download the configurations.
Create a new file at /etc/ipsec.d/aws.conf if doesn't already exist, and then open it.
Append the following configuration to the end in the file:
The below file you will get from S2s configuring in the catefory of openswarm
conn Tunnel1
authby=secret
auto=start
left=%defaultroute
leftid=18.206.168.185
right=3.108.138.15
type=tunnel
ikelifetime=8h
keylife=1h
phase2alg=aes_gcm
ike=aes256-sha1
keyingtries=%forever
keyexchange=ike
leftsubnet=172.31.0.0/16
rightsubnet=10.0.0.0/16
dpddelay=10
dpdtimeout=30
dpdaction=restart_by_peer
encapsulation=yes
*** Create a new file at /etc/ipsec.d/aws.secrets if it doesn't already exist, and append
this line to the file (be mindful of the spacing!):
You will get from the download configuration file --> this also you will get from s2s downlaod configuration
184.73.1.101 13.232.7.88: PSK "BbO4GaeAaQbrk3.Z_moK325TOE.ovaZk"
systemctl stop ipsec
sudo systemctl start ipsec.service
sudo systemctl status ipsec.service
ping 10.0.0.x (Ping the aws private ec2 instance ip)
Check the tunnels in S2S it should be in up
0 Comments