Showing posts with label tunnel. Show all posts

Sunday, June 22, 2014

OpenSwan on AWS

A common use case for a third-party VPN solution such as OpenSwan is to connect the VPCs of two regions through an IPsec VPN server.
First, set up a VPC in each region. Here is what I did:
Region 1 (US-West-2) - VPC 10.0.0.0/16 with private subnet 10.0.0.0/24
Region 2 (Australia) - VPC 172.0.0.0/16 with private subnet 172.0.0.0/24

==================================================================================================================

Configure the VPN server software for the EC2 instances - Region 1

==================================================================================================================

Step 1
------
sudo yum install openswan

Step 2
------
nano /etc/ipsec.conf

Step 3
------
sudo vi /etc/ipsec.d/vpc1-to-vpc2.conf

Step 4
------
conn vpc1-to-vpc2
 type=tunnel
 authby=secret
 left=%defaultroute
 leftid=<EIP1>
 leftnexthop=%defaultroute
 leftsubnet=<VPC1 CIDR>
 right=<EIP2>
 rightsubnet=<VPC2 CIDR>
 pfs=yes
 auto=start

Step 5
------
sudo vi /etc/ipsec.d/vpc1-to-vpc2.secrets

Step 6
------
<EIP1> <EIP2>: PSK "<TYPE A KEY HERE>"

==================================================================================================================

Configure the VPN server software for the EC2 instances - Region 2

==================================================================================================================

Step 7
------
sudo vi /etc/ipsec.d/vpc2-to-vpc1.conf

Step 8
------
conn vpc2-to-vpc1
 type=tunnel
 authby=secret
 left=%defaultroute
 leftid=<EIP2>
 leftnexthop=%defaultroute
 leftsubnet=<VPC2 CIDR>
 right=<EIP1>
 rightsubnet=<VPC1 CIDR>
 pfs=yes
 auto=start

Note that the CIDR needs to include the prefix length, for example 10.0.0.0/16 rather than 10.0.0.0.

Step 9
------
sudo vi /etc/ipsec.d/vpc2-to-vpc1.secrets

Step 10
-------
<EIP2> <EIP1>: PSK "<TYPE THE SAME KEY FROM STEP 6 HERE>"

==================================================================================================================

Configuration in each region

==================================================================================================================

Step 11
-------
a-
sudo service ipsec start

b-
sudo chkconfig ipsec on

c-
sudo vi /etc/sysctl.conf

net.ipv4.ip_forward = 1

d-
sudo service network restart
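Steps 4 through 10 above write the same eleven-line conn block and the same secrets line twice, once per region with the sides swapped, and the two places where this goes wrong in practice are a CIDR typed without its prefix length and a PSK that differs between the two .secrets files. The script below is an added example, not part of the original post or of the OpenSwan project: it renders both sides from one set of variables and checks those two points before anything is copied into /etc/ipsec.d. The Elastic IPs (203.0.113.10, 198.51.100.20, taken from the RFC 5737 documentation ranges) and the PSK placeholder are constructed values; the function names are my own.

```shell
#!/bin/sh
# Added example: render both OpenSwan sides of the VPC1<->VPC2 tunnel from
# one set of variables and sanity-check them. Not from the original post.

EIP1="203.0.113.10"      # constructed sample: region 1 Elastic IP
EIP2="198.51.100.20"     # constructed sample: region 2 Elastic IP
VPC1_CIDR="10.0.0.0/16"  # region 1 VPC CIDR from the post
VPC2_CIDR="172.0.0.0/16" # region 2 VPC CIDR from the post
PSK="REPLACE-WITH-openssl-rand-base64-32-OUTPUT"  # placeholder, not a real key

# is_cidr A.B.C.D/N: succeed only when the argument is a dotted-quad IPv4
# address with an explicit prefix length 0-32 (the post's note: the CIDR
# must include the block range, e.g. 10.0.0.0/16).
is_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip="${1%/*}"; plen="${1#*/}"
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldifs="$IFS"; IFS=.
    set -- $ip          # split the address into its octets
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# render_conn NAME LOCAL_EIP LOCAL_CIDR REMOTE_EIP REMOTE_CIDR
# Prints the conn block exactly as in steps 4 and 8; "left" is always the
# machine the file lives on, so the two sides are the same template with
# the arguments swapped.
render_conn() {
    cat <<EOF
conn $1
 type=tunnel
 authby=secret
 left=%defaultroute
 leftid=$2
 leftnexthop=%defaultroute
 leftsubnet=$3
 right=$4
 rightsubnet=$5
 pfs=yes
 auto=start
EOF
}

# render_secret LOCAL_EIP REMOTE_EIP PSK: the one-line .secrets entry.
render_secret() {
    printf '%s %s: PSK "%s"\n' "$1" "$2" "$3"
}

# secrets_match LINE1 LINE2: succeed when both secrets lines carry the same
# PSK, regardless of the peer address order in front of it.
secrets_match() {
    k1=${1#*PSK }; k2=${2#*PSK }
    [ "$k1" = "$k2" ]
}

# render_all: validate inputs, then print both regions' files to stdout with
# a comment naming the destination path for each.
render_all() {
    is_cidr "$VPC1_CIDR" || { echo "VPC1_CIDR lacks a prefix length" >&2; return 1; }
    is_cidr "$VPC2_CIDR" || { echo "VPC2_CIDR lacks a prefix length" >&2; return 1; }
    s1=$(render_secret "$EIP1" "$EIP2" "$PSK")
    s2=$(render_secret "$EIP2" "$EIP1" "$PSK")
    secrets_match "$s1" "$s2" || { echo "PSK mismatch between regions" >&2; return 1; }
    echo "# region 1: /etc/ipsec.d/vpc1-to-vpc2.conf"
    render_conn vpc1-to-vpc2 "$EIP1" "$VPC1_CIDR" "$EIP2" "$VPC2_CIDR"
    echo "# region 1: /etc/ipsec.d/vpc1-to-vpc2.secrets"
    echo "$s1"
    echo "# region 2: /etc/ipsec.d/vpc2-to-vpc1.conf"
    render_conn vpc2-to-vpc1 "$EIP2" "$VPC2_CIDR" "$EIP1" "$VPC1_CIDR"
    echo "# region 2: /etc/ipsec.d/vpc2-to-vpc1.secrets"
    echo "$s2"
}

render_all
```

Run it once with your own addresses filled in and redirect the four labelled sections into the files named in steps 3, 5, 7 and 9. Generate the PSK with something like `openssl rand -base64 32` rather than typing a word: with authby=secret the pre-shared key is the only thing authenticating the peer, so a short or guessable key is the weakest link of the whole setup. The .secrets files should also be readable by root only.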


==================================================================================================================

Test your connections

==================================================================================================================

Step 1 - Region 1
------
ping 172.0.0.50

Step 2 - Region 2
------
ping 10.0.0.50



Wednesday, May 29, 2013

VPN costs for connections and data


A VPC itself has no cost associated with it. However, if you want to extend your data center or provide a secure IPsec tunnel through a VPN client, you need to add in the costs for the VPN connection and for data transferred over the VPN tunnel. The first place to look to decipher the VPN connection cost is http://aws.amazon.com/vpc/pricing/. The cost is $0.05 per VPN Connection-hour plus standard AWS data transfer charges for all data transferred via the VPN Connection. For example, if you have 2 VPN connections, the monthly cost for those connections would be: .05 x 24 x 365.25 x 2 (2 connections) / 12 = ~$73.05 + data transfer.

Now for the data transfer out piece: for data transfer out over a VPN connection, the cost is $.12 per GB for less than 10 TB a month per connection. So two connections, each at 1 TB a month, would be $245.76 a month.

Saturday, March 30, 2013

Extending your home or small business network to AWS VPC

If you are extending your home, small business, data center, colo, or enterprise office network to AWS VPC, you will probably want to run an IPsec tunnel. AWS lists the certified VPN devices here: http://aws.amazon.com/vpc/faqs/#C9. However, if you are doing this from a home or small office connection, you may not want to use an expensive dedicated device. In this case the open source pfSense makes sense: www.pfsense.org. It can be used to create an inexpensive IPsec tunnel to AWS VPC using any hardware you have 'lying around'.