Setup Site-To-Site VPN Between AWS Platform and Third Party Network Using OpenSwan

Ridma Gamage
6 min read · Sep 14, 2018

Sometimes third-party applications or web services are restricted from access over the public internet for security reasons. They only allow you to access the services if you are inside their network.

The way to get access to these kinds of networks is to create a site-to-site VPN between the two parties. Here we explain the steps to create a site-to-site VPN connection between AWS instances and a third-party Cisco ASA router. To achieve this we have to create a VPN tunnel between the AWS VPC and the third-party network (Cisco ASA).

There are several ways to do that:

  1. Create the VPN tunnel using Openswan (this is the option explained in this article).
  2. Use an AWS managed VPN. The main drawback of this option is that with AWS managed VPNs the VPN tunnel can only be initiated from the third-party network.

Setting up a VPN tunnel on the AWS platform using Openswan

Here is the scenario used in this article. We have a Java application deployed on multiple EC2 instances. These instances are located inside a private subnet, so they have only private IP addresses. The Java application needs to retrieve some data from a third-party web service through API calls, but we are unable to reach this third-party API via the public internet. So we have to create a site-to-site VPN tunnel between the Java application instances and the third-party web service. Here we use Openswan to create the VPN tunnel. We have to follow these steps to achieve this task; each step is explained in detail later in this article.

01. Create an EC2 instance inside the public subnet and install Openswan on it (we call this instance the Openswan instance from here on).

02. Add the IPsec configuration for both parties on the Openswan instance.

03. Route all traffic from the private subnet to the Openswan instance using the route table of the private subnet (your Java applications are located inside the private subnet).

04. Test the VPN tunnel.

Design Architecture

Before creating the VPN tunnel, you have to create the VPC, subnets, route tables and Internet gateway. Here I mention the steps briefly. If you need complete guidance for this step, use the link.

  1. Create a VPC with the 10.1.0.0/24 CIDR block.
  2. Create a public subnet inside the VPC with the 10.1.0.0/25 CIDR block.
  3. Create a private subnet inside the VPC with the 10.1.0.128/25 CIDR block.
  4. Create EC2 instances inside the private subnet to install your Java application. You will get a private IP address for each instance (in this scenario we have 10.1.0.160 and 10.1.0.179 for the private instances).
  5. Create a route table and associate it with the private subnet.
  6. Create another route table and associate it with the public subnet.
  7. Create an Internet gateway for your VPC and attach it to the public route table.

Now you are ready to proceed with VPN tunnel creation. Let's go.

Step 01: Create an EC2 instance to install Openswan

  1. Go to the AWS management console, open the EC2 service and create an EC2 instance, selecting the same VPC (10.1.0.0/24) and public subnet (10.1.0.0/25) that we created in the steps above (Red Hat was used as the OS in this scenario). This instance is responsible for establishing the VPN tunnel to the third party.
  2. Select the EC2 instance and choose "Actions -> Network -> Change Source/Dest Checking" and set it to disabled.
  3. Normally an instance in a public subnet gets a public IP address from AWS, but to be on the safe side we create an Elastic IP and assign it to the EC2 instance (54.32.58.45 in our scenario).
  4. Go to the security group of the EC2 instance and add inbound rules to allow HTTP and HTTPS traffic.
  5. Now you need to route traffic from the private subnet to the Openswan instance, and from the Openswan instance to the third-party network.

Go to Route Tables in the sidebar and select the route table of the private subnet. Go to the Routes tab, choose Edit routes and add another route:

Destination -> private IP of the third party/32 (172.25.75.98/32 in our scenario)

Target -> select the Openswan instance from the list.

Now all traffic with the third-party IP address as its destination will be routed to the Openswan instance.

Again go to Route Tables in the sidebar and select the route table of the public subnet. Go to the Routes tab, choose Edit routes and add another route:

Destination -> private IP of the third party/32 (172.25.75.98/32 in our scenario)

Target -> select the Openswan instance from the list.

This directs traffic between the Openswan instance and the third-party network.

Now you have a public EC2 instance on which to install Openswan, and all the traffic routes are configured as needed.

Step 02: Install Openswan on the EC2 instance and configure the tunnel.

  1. Log in to the EC2 instance with SSH (for Linux users: ssh ec2-user@<Elastic IP of EC2>) or PuTTY (for Windows users).
  2. Install Openswan: sudo yum install openswan
  3. We need to allow the configuration files in /etc/ipsec.d/ to be read. To do that, uncomment the following line in the /etc/ipsec.conf file.

include /etc/ipsec.d/*.conf

4. Open /etc/sysctl.conf with sudo vi /etc/sysctl.conf and update the net.ipv4.ip_forward record as follows.

net.ipv4.ip_forward = 1

5. Create a new configuration file for the IPsec VPN.

sudo vi /etc/ipsec.d/cisco-vpn.conf

Now you have to add the configuration for the VPN tunnel to the cisco-vpn.conf file. Here I have added the configuration according to the diagram above. You have to change the values based on your own IP addresses.

conn cisco-vpn
    type=tunnel
    authby=secret
    left=10.1.0.6 # private IP of the Openswan instance
    leftid=54.32.58.45 # public IP of the Openswan instance
    leftsubnets={10.1.0.6/32,10.1.0.160/32,10.1.0.179/32} # private IP of the Openswan instance/32 and private IPs of the Java application instances/32
    right=125.10.1.100 # public IP of the third-party network
    rightsubnets=172.25.75.98/32 # private IP of the third-party network
    esp=aes192-sha1
    keyexchange=ike
    ike=aes192-sha1
    salifetime=42200s
    pfs=yes
    auto=start
    dpdaction=restart

Before proceeding with the next steps, you have to do some configuration on the Cisco side as well. Contact the system admin of your third-party network and do the following tasks with him/her.

  1. Cross-check the values of the esp, keyexchange, ike, salifetime, pfs, auto and dpdaction parameters. These settings need to match what the third party has configured on their side of the VPN connection; make changes if needed.
  2. Get third-party firewall access for the public IP of the Openswan instance and the private IP addresses of the private instances.
  3. Ask them to create a Pre-Shared Key (PSK) and share it with you.

Create the following file.

vi /etc/ipsec.d/cisco-vpn.secrets

And add the following record.

<Public IP of Openswan instance> <Public IP of third party network> : PSK "<PSK>"

Eg: 54.32.58.45 125.10.1.100 : PSK "CGhdgddgheehehs" (this is for our scenario)
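The conn file and the secrets file have to agree with each other: leftid and right in the conn must be exactly the two addresses on the PSK line, and the PSK must be wrapped in straight double quotes, because a key pasted from an e-mail or document often arrives with curly quotes and the line is then not parsed as intended. As an added example, not part of the original article, the following POSIX shell script cross-checks the two files before ipsec is started. The demo files it writes are constructed from the scenario above, and the function names (conf_value, is_ipv4, check_vpn_config) are my own; on a real host you would pass /etc/ipsec.d/cisco-vpn.conf and /etc/ipsec.d/cisco-vpn.secrets instead.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check an Openswan conn file
# against its .secrets file before starting ipsec. Demo files are constructed.

conf_value() {
    # conf_value FILE KEY -> first value of KEY, inline "# comment" stripped
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*#.*$//' | head -n 1
}

is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

check_vpn_config() {
    conf=$1; secrets=$2; errors=0
    for k in left leftid leftsubnets right rightsubnets; do
        [ -n "$(conf_value "$conf" "$k")" ] \
            || { echo "ERROR: $k is missing in $conf"; errors=$((errors + 1)); }
    done
    [ "$(conf_value "$conf" authby)" = secret ] \
        || { echo "ERROR: authby must be 'secret' for a PSK tunnel"; errors=$((errors + 1)); }
    leftid=$(conf_value "$conf" leftid)
    right=$(conf_value "$conf" right)
    is_ipv4 "$leftid" || { echo "ERROR: leftid '$leftid' is not an IPv4 address"; errors=$((errors + 1)); }
    is_ipv4 "$right"  || { echo "ERROR: right '$right' is not an IPv4 address"; errors=$((errors + 1)); }

    # The secrets line must read:  <leftid> <right> : PSK "<key>"  with straight quotes.
    lid=$(printf '%s' "$leftid" | sed 's/\./\\./g')
    rgt=$(printf '%s' "$right" | sed 's/\./\\./g')
    grep -Eq "^[[:space:]]*$lid[[:space:]]+$rgt[[:space:]]*:[[:space:]]*PSK[[:space:]]+\"[^\"]+\"" "$secrets" \
        || { echo "ERROR: no PSK line for $leftid $right in $secrets"; errors=$((errors + 1)); }
    grep -q '<PSK>' "$secrets" \
        && { echo "ERROR: $secrets still contains the <PSK> placeholder"; errors=$((errors + 1)); }
    LC_ALL=C grep -q '[^[:print:][:space:]]' "$secrets" \
        && { echo "ERROR: non-ASCII bytes in $secrets (curly quotes pasted from a document?)"; errors=$((errors + 1)); }

    [ "$errors" -eq 0 ]
}

# Constructed demo files mirroring the article's scenario
DEMO=$(mktemp -d)
cat > "$DEMO/cisco-vpn.conf" <<'EOF'
conn cisco-vpn
    type=tunnel
    authby=secret
    left=10.1.0.6              # private IP of the Openswan instance
    leftid=54.32.58.45         # elastic IP of the Openswan instance
    leftsubnets={10.1.0.6/32,10.1.0.160/32,10.1.0.179/32}
    right=125.10.1.100         # public IP of the third-party network
    rightsubnets=172.25.75.98/32
    esp=aes192-sha1
    keyexchange=ike
    ike=aes192-sha1
    salifetime=42200s
    pfs=yes
    auto=start
    dpdaction=restart
EOF
# Correct secrets line: straight double quotes, both peer IPs as in the conn
printf '54.32.58.45 125.10.1.100 : PSK "CGhdgddgheehehs"\n' > "$DEMO/good.secrets"
# Constructed bad file: curly quotes (UTF-8 bytes) and a peer IP that does not match right=
printf '54.32.58.45 125.10.1.101 : PSK \342\200\234CGhdgddgheehehs\342\200\235\n' > "$DEMO/bad.secrets"

check_vpn_config "$DEMO/cisco-vpn.conf" "$DEMO/good.secrets" && echo "good.secrets: OK"
check_vpn_config "$DEMO/cisco-vpn.conf" "$DEMO/bad.secrets" || echo "bad.secrets: rejected"
```

The non-ASCII check is deliberately blunt: a secrets file for a PSK tunnel has no legitimate reason to contain bytes outside printable ASCII, so any such byte is treated as a paste error rather than trying to recognise specific quote characters.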

All the configuration is done. Now we have to test that our VPN is up and running well.

Note: You can call the third-party network using a DNS name or the private IP address. If you use a DNS name, you have to add a record to the /etc/hosts file as follows; otherwise the name cannot be resolved.

<private IP of Third party> <DNS name of the third party>

Step 3: Test the VPN tunnel.

There are 3 steps to test your VPN connection.

  1. Check whether the VPN tunnel is established.

Run the following commands.

sudo service ipsec start

sudo chkconfig ipsec on

sudo service network restart

Run the following command to test whether the VPN tunnel is up:

sudo ipsec auto --status

If everything goes well, you will receive a log line containing "IPsec SA established". If you are not getting this log, try the following commands; they will explain the reason for the failure.

sudo ipsec auto --replace cisco-vpn
sudo ipsec auto --up cisco-vpn
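As an added example (not from the article), here is a small shell function that reads the text printed by sudo ipsec auto --status and reports whether the conn is fully up, has only completed IKE (an ISAKMP SA but no IPsec SA), or has negotiated nothing. The three sample outputs are constructed to resemble pluto's status lines, so the exact wording on a real host may differ; the function name tunnel_state is my own. The distinction is what makes the result useful: an ISAKMP SA without an IPsec SA usually points at a phase 2 mismatch with the peer (esp=, pfs=, salifetime= or the subnets), while no SA at all points at the peer address, the PSK, or the security group not letting IKE (UDP 500 and 4500) and ESP through to the instance.

```shell
#!/bin/sh
# Added example (not from the article): classify one conn's state from the
# output of `sudo ipsec auto --status`. Sample outputs below are constructed.

tunnel_state() {
    # tunnel_state CONN  (status text on stdin)  -> prints up | ike-only | down
    conn=$1
    lines=$(grep -F "\"$conn\"" || true)      # keep only this conn's lines
    if printf '%s\n' "$lines" | grep -q 'IPsec SA established'; then
        echo up          # phase 2 done: traffic for the subnets is protected
    elif printf '%s\n' "$lines" | grep -q 'ISAKMP SA established'; then
        echo ike-only    # phase 1 only: compare esp=, pfs=, salifetime=, subnets with the peer
    else
        echo down        # nothing negotiated: check peer IP, PSK, UDP 500/4500 and ESP reachability
    fi
}

# Constructed sample 1: both phases up for cisco-vpn
STATUS_UP='000 #1: "cisco-vpn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2583s; newest ISAKMP; lastdpd=3s(seq in:0 out:0)
000 #2: "cisco-vpn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 41900s; newest IPSEC; eroute owner'
# Constructed sample 2: IKE negotiated, no IPsec SA (phase 2 proposal or subnet mismatch)
STATUS_IKE_ONLY='000 #1: "cisco-vpn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2583s; newest ISAKMP'
# Constructed sample 3: conn loaded but nothing negotiated
STATUS_DOWN='000 "cisco-vpn": 10.1.0.6/32===10.1.0.6[54.32.58.45]...125.10.1.100===172.25.75.98/32; unrouted; eroute owner: #0'

for s in "$STATUS_UP" "$STATUS_IKE_ONLY" "$STATUS_DOWN"; do
    printf 'cisco-vpn: %s\n' "$(printf '%s\n' "$s" | tunnel_state cisco-vpn)"
done
# On the Openswan instance itself:  sudo ipsec auto --status | tunnel_state cisco-vpn
```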

2. Check that the VPN tunnel can connect from the Openswan instance to the third-party network.

Telnet from the Openswan instance to the third-party network:

telnet <Private IP of third party> 443, or use a cURL command

3. Check the connection from the private application instances to the third-party network.

telnet <Private IP of third party> 443, or use a cURL command

If you are connected through telnet, you have successfully created a site-to-site VPN between the AWS platform and the third-party Cisco ASA network.

If you get any error, check the Security Group rules, Route Tables and VPN configuration again. Keep good communication with the system admin of the third-party network; then you can cross-check that the configuration matches the other side. If you need any support, feel free to add a comment here.

If you wish to fix anything related to AWS, please contact me through Fiverr: https://www.fiverr.com/s2/2587ecc953?utm_source=CopyLink_Mobile
