You’ve decided to join the growing group of smart, bold business trailblazers by moving your network operations to the “Cloud”. And, of course, you’ve done your homework and decided that AWS is the only way to go. Good for you! Now comes the big question: “How do I connect my on-premises workstations to my AWS VPC (Virtual Private Cloud)?” You can certainly get it done by using AWS’ managed VPN service. This service consists of creating a Virtual Private Gateway in your AWS VPC to establish a site-to-site connection with your on-premises VPN firewall (don’t you just LOVE the smell of VPNs in the morning!!). While this is a solid solution, the rate of $0.05 per VPN connection per hour (ouch!) can get a bit costly if you have more than one VPN tunnel running (think multiple remote offices, like a large real estate brokerage). A cheaper alternative is to use a “software VPN” like Openswan that runs on a Linux-based EC2 instance. Although the cost of an m4.large instance on a 3-year convertible Reserved Instance term is basically the same as one AWS managed VPN connection, you can terminate several tunnels on a single Openswan instance, which results in significant cost savings if you have multiple tunnels. If this sounds like something right up your alley (or if you are the more adventurous type), we’ve put together a short “How to” that should have your Openswan VPN tunnels up and running in short order.
A note on sizing: We have tested Openswan on several instance types. There was a significant amount of packet loss on any of the t2 instance types. After moving to an m4.large instance type, there was no packet loss. The different instance types run on different underlying hardware, so the packet loss may stem from the Linux kernel and/or the hardware used for t2 instances.
Creating the AWS EC2 Instance
Installing and Configuring Openswan
If the tunnel was already configured on the remote device, you will now have a working VPN connection. If not, you will need to configure the remote device, and then your tunnel should come up.
Some Helpful Openswan Commands
Troubleshooting
There are typically only a few things that can cause this process to not work correctly:
1. Your tunnels are not connecting properly.
a. Run sudo ipsec auto --status and see where the negotiation is failing.
b. Verify that the proposals are the exact same on both ends of the tunnel.
c. Verify that you have allowed UDP 4500 and UDP 500 from the remote public IP on the Openswan Security Group.
2. Tunnels are up, but you are not passing traffic.
a. Verify that you have the appropriate ports open from your AWS VPC on your Openswan Security Group.
b. Verify that you have the appropriate ports open from the remote network on your instance security groups.
c. Verify that you have added a route to the remote network in your VPC route tables that points to your Openswan instance.
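To make the checklist above mechanical, here is a small POSIX shell helper that we are adding for illustration (it is not part of the original write-up). It reads the output of sudo ipsec auto --status, decides whether Phase 1 (ISAKMP SA) and Phase 2 (IPsec SA) are established for a named connection, and maps the result onto the two failure cases above; it also checks that the kernel is forwarding packets, which the instance must do to route between the VPC and the remote subnet. The connection name office-a and the sample status text are constructed for this example; the line format is the one pluto prints.

```shell
#!/bin/sh
# Added example, not from the original post: classify one Openswan connection
# from `sudo ipsec auto --status` output and point at the matching check.

# Constructed sample in pluto's status format (on a real instance, capture it
# with: sudo ipsec auto --status > /tmp/ipsec-status.txt).
SAMPLE_STATUS='000 "office-a": 10.0.0.0/16===10.0.1.23<10.0.1.23>[+S=C]...203.0.113.10<203.0.113.10>[+S=C]===192.168.10.0/24; erouted; eroute owner: #2
000 #1: "office-a":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1796s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #2: "office-a":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2744s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate'

# ike_up NAME STATUS_TEXT -> success if Phase 1 (ISAKMP SA) is established for NAME
ike_up() {
  printf '%s\n' "$2" | grep -q "\"$1\".*ISAKMP SA established"
}

# ipsec_up NAME STATUS_TEXT -> success if Phase 2 (IPsec SA) is established for NAME
ipsec_up() {
  printf '%s\n' "$2" | grep -q "\"$1\".*IPsec SA established"
}

# diagnose NAME STATUS_TEXT -> prints phase1-down, phase2-down or up
diagnose() {
  if ! ike_up "$1" "$2"; then
    # Case 1: IKE never completes. Compare Phase 1 proposals on both ends and
    # confirm the security group allows UDP 500 and UDP 4500 from the peer's public IP.
    echo "phase1-down"
  elif ! ipsec_up "$1" "$2"; then
    # IKE agreed but no IPsec SA: Phase 2 proposals or left/right subnets differ.
    echo "phase2-down"
  else
    # Case 2: tunnel is up; if traffic still does not flow, check the security
    # groups, the VPC route table entry for the remote network, and forwarding.
    echo "up"
  fi
}

# forwarding_enabled [PATH] -> success if the kernel forwards IPv4 packets.
# PATH defaults to the live sysctl file; a file argument lets this be tested offline.
forwarding_enabled() {
  [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}" 2>/dev/null)" = "1" ]
}

# Stand-alone run against the constructed sample:
diagnose office-a "$SAMPLE_STATUS"
forwarding_enabled || echo "ip_forward is 0: set net.ipv4.ip_forward=1 in /etc/sysctl.conf"
```

On the instance you would run diagnose office-a "$(sudo ipsec auto --status)" for each connection name in your ipsec.conf. Two things the checklist does not spell out but that bite in practice: the Openswan instance needs the EC2 source/destination check disabled, or the VPC will drop packets it forwards on behalf of other hosts, and if the peer is not behind NAT the ESP traffic arrives as IP protocol 50 rather than inside UDP 4500, so the security group must allow that protocol from the peer as well.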
The process of setting up an Openswan instance to manage all of your VPN tunnels is fairly simple. As stated previously, the cost of a single managed AWS VPN connection using the AWS VPN Gateway is $0.05 per hour. And while the cost of an m4.large instance on a 3-year convertible Reserved Instance term is also $0.05 per hour, you can manage several tunnels on a single Openswan instance. Thus, the cost savings will be substantial if you have multiple tunnels.
Additional resources:
ipsec.conf options: https://linux.die.net/man/5/ipsec.conf
Additional ipsec auto commands: https://linux.die.net/man/8/ipsec_auto
Contact Information
Phone: 972-675-5400
Email: info@red1ns.com
Address: 4310 Wiley Post Rd Ste 202E Addison, TX 75001
License Info: B07288701