How to use IPSec / Openswan with Amazon Virtual Private Cloud (VPC) and EC2?

Does anyone know how to use Openswan to create an IPsec tunnel to a Cisco router from EC2?

I keep reading that people may or may not be able to configure IPsec tunnels on the Amazon cloud. Is this possible or not?

If so, can someone point me to a tutorial where it was successful?


Update

AWS has just waived the requirement to set up the Border Gateway Protocol (BGP) in order to use the Amazon Virtual Private Cloud (VPC) VPN connection, see Amazon VPC - Advanced VPN Features:

Now you can create hardware VPN connections to VPC using static routing. This means that you can connect using VPN devices that do not support BGP, such as Cisco ASA and Microsoft Windows Server 2008 R2. You can also use Linux to establish a Hardware VPN connection to the VPC. In fact, any IPSec VPN implementation should work. [emphasis mine]

The stated reason for this change specifically names BGP as the previous barrier to adopting this otherwise very attractive VPN feature for connecting to VPCs:

First, BGP can be difficult to configure and manage, [...]. Secondly, some firewalls and entry-level routers support IPSec, but not BGP. These devices are very popular in corporate branches. As I mentioned above, this change significantly increases the number of VPN devices that can be used to connect to the VPC. [...]

I could not agree more - accordingly, you can now leverage Openswan (or the Linux built-in IPsec stack) to connect to the corresponding built-in IPsec VPN features of VPC.


Original answer

A related Racoon-based tutorial is available at Amazon VPC with Linux. However, before you dive into this, I highly recommend that you first read the linked article Connecting to Amazon VPC, at least the section Using Linux as a VPN Server:

Suppose you decide to use some kind of Linux for your VPN server. For an IPsec newbie, there is no obvious reason why this is a bad idea. And because you will soon find a tutorial like http://openfoo.org/blog/amazon_vpc_with_linux.html, it seems possible to complete this task. After this lesson, you will be able to ping the two BGP servers from your VPN server. [...] But after that you will start to get into trouble. Perhaps you can connect to a server in your VPC. But there is one thing you will not get working stably: connecting from the VPC to some server on the home network 192.168.1.1/24. This is because Linux has a policy-based IPsec implementation. [...]

Consequently, the author concludes:

And the last and most important reason is that Openswan is not intended to be used this way. Abusing software in a security-relevant place does not seem like a good idea. [emphasis mine]

YMMV, as usual, but you have been warned ;)

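To make the static-routing option concrete, here is an added example (not from the answer above, nor an AWS or Openswan-supplied file) of an Openswan ipsec.conf fragment for one of the two tunnels a VPC VPN connection provides; all addresses, the VPC CIDR and the proposal settings are assumptions and must be replaced with the values from the configuration AWS generates for your connection. The leftsubnet/rightsubnet selectors are the IPsec policy the quoted article refers to: only traffic matching them enters the tunnel.

```ini
# /etc/ipsec.conf (Openswan) - added example, placeholders throughout
config setup
    protostack=netkey          # use the kernel's native IPsec stack
    nat_traversal=yes          # the instance usually sits behind EC2 NAT

conn vpc-tunnel-1
    type=tunnel
    authby=secret              # pre-shared key from the AWS-generated config
    keyexchange=ike
    # Phase 1 / Phase 2 proposals: assumption, check the generated config
    ike=aes128-sha1;modp1024
    phase2alg=aes128-sha1;modp1024
    ikelifetime=28800s
    salifetime=3600s
    pfs=yes
    # Dead peer detection so a dropped tunnel is noticed and re-established
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart
    # Local side: this Linux host and the network behind it
    left=%defaultroute
    leftid=203.0.113.10        # placeholder: customer gateway public IP
    leftsubnet=192.168.1.0/24  # placeholder: home/office network
    # Remote side: the VPC virtual private gateway and the VPC CIDR
    right=198.51.100.20        # placeholder: VPG outside IP for tunnel 1
    rightsubnet=10.0.0.0/16    # placeholder: VPC CIDR
    auto=start

# /etc/ipsec.secrets - one line per tunnel, same placeholders
# 203.0.113.10 198.51.100.20 : PSK "PLACEHOLDER-PRESHARED-KEY"
```

A second conn block with the other tunnel's outside IP and PSK gives the redundancy AWS intends; with static routing there is no BGP session, so the VPC route table must point the home subnet at the virtual private gateway by hand.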

Source: https://habr.com/ru/post/903713/
