How to use IPSec / Openswan with Amazon's Virtual Private Cloud (VPC) and EC2?

amazon-ec2 amazon-web-services ipsec vpc amazon-vpc
13,238

Update

AWS has just dropped the requirement to establish Border Gateway Protocol (BGP) peerings in order to use the built in VPN connectivity to an Amazon Virtual Private Cloud (VPC), see Amazon VPC - Additional VPN Features:

You can now create Hardware VPN connections to your VPC using static routing. This means that you can establish connectivity using VPN devices that do not support BGP such as Cisco ASA and Microsoft Windows Server 2008 R2. You can also use Linux to establish a Hardware VPN connection to your VPC. In fact, any IPSec VPN implementation should work. [emphasis mine]

The outlined reason for this change specifically highlights BGP as a previous barrier to adoption of this otherwise very appealing VPN connectivity to a VPC:

First, BGP can be difficult to set up and to manage, [...]. Second, some firewalls and entry-level routers support IPSec but not BGP. These devices are very popular in corporate branch offices. As I mentioned above, this change dramatically increases the number of VPN devices that can be used to connect to a VPC. [...]

I couldn't agree more - accordingly you should now be able to facilitate Openswan (or the built in Linux IPSec stack) to connect to the respective built in VPC IPSec functionality.

Initial Answer

A related tutorial based on Racoon is available at Amazon VPC with Linux. However, before you dive into that, I highly recommend to read the referring article Connecting to Amazon VPC first, at least section Using Linux as VPN Server:

Let us say you have decided to use some linux for your VPN server. For an IPSec newbie there is no obvious reason that this is a bad idea. And because one soon finds a tutorial like http://openfoo.org/blog/amazon_vpc_with_linux.html it seems possible to perform that task. Following this tutorial you should be able to ping the two BGP servers from your VPN server. [...] But after that point you will start to get in trouble. Maybe you are able to connect to a server in your VPC. But there is one thing you won’t get working stable: Connecting from the VPC to some server in your home net 192.168.1.1/24. That is because linux has a policy-based IPSec implementation. [...]

Consequently the author concludes:

And the last and most important reason is that Openswan is not intended to be used that way. Abusing software in a security relevant place doesn’t seem to be a good idea. [emphasis mine]

YMMV as usual, but you have been warned ;)

Share:
13,238
Tucker
Author by

Tucker

upvote

Updated on June 18, 2022

Comments

  • Tucker
    Tucker almost 2 years

    Does anyone know how to use Openswan to create an IPSec tunnel to a Cisco router on EC2?

    I keep reading that people can or they cannot set up the IPSec tunnels on Amazon's cloud. Is it possible or not?

    If so, can someone point me to a tutorial where it was successful?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How to connect to outside world from amazon vpc?
Amazon ELB for EC2 instances in private subnet in VPC
Amazon ELB in VPC
Multiple VPC and Subnet with same CIDR blocks
AWS:EC2 enable dns-hostname for host in non default vpc
How to assign EIP to Autoscaling Group of VPC in Cloudformation template
can't connect aws VPC private instance to internet through NAT
Routing between the instances in AWS
Why does port 6379 need to be opened on the security group for elasticache?
Can you connect to Amazon VPC VPN from Windows 7 without a hardware VPN on your end?