Site-to-Site VPN Connection


For a Site-to-Site VPN connection

We require one AWS site and one client site (on-premises, or on AWS in another region).

AWS Site (Mumbai Region)

1.       Create VPC and put CIDR 10.1.0.0/16     - VPC > Create VPC >VPC Name (Ex: AWS_site_VPC_Mumbai)

2.       Create Subnet and put CIDR 10.1.0.0/24   - Subnet >Create Subnet > Subnet Name (Ex: AWS_site_subnet_Mumbai)

3.       Create Internet Gateways    - VPC > Internet Gateways >Name (Ex: AWS_Site_IGW_Mumbai)

4.       Attach Internet Gateways to VPC (Ex: vpc-01e23b4b87c5c2586 |AWS_Site_VPC_Mumbai)

5.       Create Route Table   - VPC > Route Table > Create Route Table > Tag Name and Select VPC(Ex: AWS_Site_RT_Mumbai)

6.       Define Internet Gateway Route in the Route table (Ex:0.0.0.0/0)

7.       Associate Subnet> subnet associations > Edit subnet associations >Save

8.       Create Virtual private gateways and attach them with VPC

9.       Create a Customer gateway and enter the public IP of the client EC2 machine (Customer_Site_EC2_Tokyo, 3.112.18.180)

Customer gateways > Create customer gateway (Ex: Customer_Site_CGW_Mumbai)

10.   Create a site-to-site VPN connection (Ex : VPN_Connection_Mumbai_to_Tokyo)


site-to-site VPN connection > VPN Connection > Create VPN connection

Select the Virtual private gateway, the Customer gateway, and Static IP prefixes (enter the Customer_Site_subnet_Tokyo range, 10.2.0.0/16, which is the range from which the customer site can reach the AWS site)

11.   Download configuration - once the VPN connection state is Available, click Download configuration and select the Generic vendor type (Ex: vpn-01163e6dc4d63c416)

12.   Enable Route Propagation in the route table AWS_Site_RT_Mumbai. With route propagation enabled, the virtual private gateway adds the route for the tunnel to the table automatically.

Client site (AWS Tokyo Region)

Here we create a VPC that stands in for the customer's end (office/home)

13.   Create VPC and put CIDR 10.2.0.0/16     - VPC > Create VPC >VPC Name (Ex: Customer_Site_VPC_Tokyo)

14.   Create Subnet and put CIDR 10.2.0.0/24   - Subnet >Create Subnet > Subnet Name (Ex: Customer_Site_Subnet_Tokyo)

15.   Create Internet Gateways    - VPC > Internet Gateways >Name (Ex: Customer_Site_IGW_Tokyo)

16.   Attach Internet Gateways to VPC (Ex: vpc-05181a9e9d91a39e7 | Customer_Site_VPC_Tokyo)

17.   Create Route Table   - VPC > Route Table > Create Route Table > Tag Name and Select VPC(Ex: Customer_Site_RT_Tokyo)

18.   Define Internet Gateway Route in the Route table (Ex:0.0.0.0/0       vpc-05181a9e9d91a39e7 | Customer_Site_VPC_Tokyo)

19.   Associate Subnet> subnet associations > Edit subnet associations >Save

20.   Create an EC2 machine: select the VPC and Subnet, enable a public IP, set the Security group name to Customer_Site_SG_Tokyo with inbound rules SSH, All TCP (for VPN) and All ICMP - IPv4 (for ping) (Ex: Customer_Site_EC2_Tokyo)

21.   Access the EC2 machine through ssh:

C:\Users\DELL\OneDrive\Desktop>ssh ec2-user@3.112.18.180 -i Tokyo_Key.pem

22.   Install the Openswan software

Log in as ec2-user

1.     Commands for installation of Openswan

i.                Change to root user:

$ sudo su

ii.                   Install openswan:

$ yum install openswan -y

iii.                 In /etc/ipsec.conf, uncomment the following line if it is not already uncommented:

 include /etc/ipsec.d/*.conf

iv.                 Update /etc/sysctl.conf to contain the following:

net.ipv4.ip_forward = 1

net.ipv4.conf.all.accept_redirects = 0

net.ipv4.conf.all.send_redirects = 0

v.                   Restart the network service:

$ service network restart

2.     Contents for /etc/ipsec.d/aws-vpn.conf (the second leftsubnet line in the original was a duplicate; the AWS side is rightsubnet)

conn Tunnel1
    authby=secret
    auto=start
    left=%defaultroute
    leftid=Customer end gateway VPN public IP
    right=AWS virtual private gateway tunnel public IP (from the downloaded configuration)
    type=tunnel
    ikelifetime=8h
    keylife=1h
    phase2alg=aes128-sha1;modp1024
    ike=aes128-sha1;modp1024
    keyingtries=%forever
    keyexchange=ike
    leftsubnet=Customer end VPN CIDR
    rightsubnet=AWS end VPC CIDR
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart_by_peer

3.     Contents for /etc/ipsec.d/aws-vpn.secrets

customer_public_ip aws_vgw_public_ip: PSK "shared secret"

4.     Commands to enable and start the ipsec service

$ chkconfig ipsec on

$ service ipsec start

$ service ipsec status
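As an added example (not part of the original post), a small POSIX shell helper that writes the two Openswan files from steps 2 and 3 out of the values found in the downloaded Generic configuration, with rightsubnet set to the AWS VPC CIDR and the PSK file created readable by root only. The AWS tunnel outside IP 203.0.113.10 and the PSK used in the usage call are placeholders.

```shell
#!/bin/sh
# Renders /etc/ipsec.d/aws-vpn.conf and aws-vpn.secrets from the tunnel
# values. All addresses, CIDRs and the PSK are supplied by the caller.
render_ipsec_conf() {
  # $1 customer gateway public IP   $2 AWS tunnel outside IP
  # $3 customer-side CIDR (left)    $4 AWS VPC CIDR (right)
  cat <<EOF
conn Tunnel1
    authby=secret
    auto=start
    left=%defaultroute
    leftid=$1
    right=$2
    type=tunnel
    ikelifetime=8h
    keylife=1h
    phase2alg=aes128-sha1;modp1024
    ike=aes128-sha1;modp1024
    keyingtries=%forever
    keyexchange=ike
    leftsubnet=$3
    rightsubnet=$4
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart_by_peer
EOF
}

render_secrets() {
  # $1 customer gateway public IP   $2 AWS tunnel outside IP   $3 PSK
  printf '%s %s: PSK "%s"\n' "$1" "$2" "$3"
}

write_vpn_files() {
  # $1 target dir (/etc/ipsec.d on the real host), then the values above
  dir=$1; cgw=$2; aws=$3; lsub=$4; rsub=$5; psk=$6
  # Refuse an obviously wrong pair: both ends on the same prefix (the
  # original duplicate leftsubnet line would produce exactly this).
  [ "$lsub" != "$rsub" ] || return 1
  render_ipsec_conf "$cgw" "$aws" "$lsub" "$rsub" > "$dir/aws-vpn.conf"
  # Create the PSK file with mode 600 from the start, not chmod afterwards.
  ( umask 077; render_secrets "$cgw" "$aws" "$psk" > "$dir/aws-vpn.secrets" )
}

# Usage on the Tokyo host (placeholder tunnel IP and PSK):
# write_vpn_files /etc/ipsec.d 3.112.18.180 203.0.113.10 10.2.0.0/16 10.1.0.0/16 'PSK-FROM-DOWNLOADED-CONFIG'
```

IKE and IPsec use UDP 500, UDP 4500 and ESP (IP protocol 50), so the Customer_Site_SG_Tokyo inbound rules must allow those from the AWS tunnel endpoints; "All TCP" does not cover them.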


***************Happy Learning*******************
