myCloud

Personal short notes about Cloud

AWS Site-to-Site VPN

By mikado on October 3, 2022

From the xmpie-master VPC (ACCOUNT 1) to a simulated on-premises network: a second AWS account, JAH (ACCOUNT 2), where an EC2 instance running OpenSwan plays the customer gateway.

1. Create two Amazon Linux 2 instances in ACCOUNT 2: one for OpenSwan (the customer gateway) and one server behind it.

2. On the OpenSwan instance, disable the source/destination check, so that EC2 lets it forward packets that are not addressed to its own IP.

3. In the AWS VPC (ACCOUNT 1), create a test instance (so we can test with ping).

4. Create a Customer Gateway: specify the OpenSwan instance's public IP (3.238.158.191 in the configuration below).

5. Create a Virtual Private Gateway

6. Go to Action / Attach to VPC

7. Create a Site-to-Site VPN Connection

8. Specify the VGW and the existing CGW

9. Change Routing options to Static and enter the IP prefixes (CIDRs) for both sides: the on-prem network (172.31.0.0/16 below) and the AWS VPC (10.222.0.0/16).

10. Go to Route Tables, select the VPC's route table, choose Route propagation, then Edit route propagation.

11. Enable propagation from the VGW, so the route to the on-prem CIDR is added to the route table automatically.

12. Go back to Site-to-Site VPN Connections and download the configuration file (vendor Openswan): it contains the tunnel endpoint IPs and the pre-shared keys used below.

13. SSH to the OpenSwan server and, as root, enable IP forwarding and relax reverse-path filtering in /etc/sysctl.conf:

sudo su
nano /etc/sysctl.conf, add the following lines and save:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0

sysctl -p

14. Install OpenSwan: yum install openswan -y

nano /etc/ipsec.d/aws.conf and add the following. The values come from the downloaded configuration file: left is the OpenSwan (on-prem) side, right is the AWS tunnel endpoint. Note that the file's default proposal, aes128-sha1;modp1024, uses SHA-1 and DH group 2; AWS tunnels also accept stronger proposals such as aes256-sha2_256;modp2048 (DH group 14), which should be preferred.
conn Tunnel1
	authby=secret
	auto=start
	left=%defaultroute
	leftid=3.238.158.191
	right=35.172.32.25
	type=tunnel
	ikelifetime=8h
	keylife=1h
	phase2alg=aes128-sha1;modp1024
	ike=aes128-sha1;modp1024
	keyingtries=%forever
	keyexchange=ike
	leftsubnet=172.31.0.0/16
	rightsubnet=10.222.0.0/16
	dpddelay=10
	dpdtimeout=30
	dpdaction=restart_by_peer

nano /etc/ipsec.d/aws.secrets and add the Tunnel 1 pre-shared key from the configuration file (never publish or commit it, and keep the file readable by root only):

3.238.158.191 35.172.32.25: PSK "<Tunnel 1 pre-shared key from the configuration file>"

Start ipsec and check it:

systemctl start ipsec
systemctl status ipsec

15. The status should be displayed as Active (running).

16. Test by pinging from a 172.31.X.X host to 10.222.X.X or vice versa. For this to work, the security groups on both sides must allow ICMP from the remote CIDR, the OpenSwan instance's security group must allow UDP 500 and 4500 from the AWS tunnel endpoints, and the route table of ACCOUNT 2 needs a route for 10.222.0.0/16 whose target is the OpenSwan instance (this is why its source/destination check was disabled in step 2); on the AWS side, the route propagated from the VGW in step 11 covers 172.31.0.0/16.
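The OpenSwan-side steps (13 to 16) as a script, added here as an example and not code from the original post. It renders the same sysctl, aws.conf and aws.secrets content from the values in the post, but with the stronger aes256-sha2_256;modp2048 proposal instead of the downloaded default, validates the pre-shared key against the AWS rules (8 to 64 characters, letters, digits, period and underscore, not starting with 0), writes the secrets file as root-only, and refuses a configuration that still carries modp1024 or SHA-1. The PSK, the target directory argument and the ping address in the usage comment are placeholders; the public IPs and CIDRs are the ones from the post.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): render and install the Openswan
# configuration for the simulated on-prem host from the values in the AWS
# Site-to-Site VPN configuration file. The PSK passed in is a placeholder.
set -euo pipefail

# Values copied from the downloaded configuration file (Tunnel 1), as in the post.
CGW_PUBLIC_IP="3.238.158.191"   # OpenSwan instance public IP (customer gateway)
AWS_TUNNEL_IP="35.172.32.25"    # AWS-side tunnel endpoint
ONPREM_CIDR="172.31.0.0/16"     # network behind OpenSwan (ACCOUNT 2)
AWS_VPC_CIDR="10.222.0.0/16"    # xmpie-master VPC (ACCOUNT 1)
# AWS accepts AES-256, SHA-2 and DH group 14; prefer them over aes128-sha1;modp1024.
PROPOSAL="aes256-sha2_256;modp2048"

# AWS PSK rules: 8-64 characters from [A-Za-z0-9._], must not start with 0.
valid_psk() {
  case "$1" in
    0*) return 1 ;;
  esac
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9._]{8,64}$'
}

render_sysctl() {
  cat <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
EOF
}

render_conn() {   # $1 = connection name
  cat <<EOF
conn $1
	authby=secret
	auto=start
	left=%defaultroute
	leftid=$CGW_PUBLIC_IP
	right=$AWS_TUNNEL_IP
	type=tunnel
	ikelifetime=8h
	keylife=1h
	phase2alg=$PROPOSAL
	ike=$PROPOSAL
	keyingtries=%forever
	keyexchange=ike
	leftsubnet=$ONPREM_CIDR
	rightsubnet=$AWS_VPC_CIDR
	dpddelay=10
	dpdtimeout=30
	dpdaction=restart_by_peer
EOF
}

render_secrets() {   # $1 = pre-shared key
  printf '%s %s: PSK "%s"\n' "$CGW_PUBLIC_IP" "$AWS_TUNNEL_IP" "$1"
}

# Returns 0 when a rendered conf still carries the weak defaults.
weak_proposal() {
  grep -Eq 'modp1024|sha1' "$1"
}

# Write aws.conf and aws.secrets; $1 = ipsec.d directory (default /etc/ipsec.d), $2 = PSK.
install_config() {
  local dir="${1:-/etc/ipsec.d}" psk="$2"
  valid_psk "$psk" || { echo "PSK does not meet the AWS rules" >&2; return 1; }
  render_conn Tunnel1 > "$dir/aws.conf"
  ( umask 077; render_secrets "$psk" > "$dir/aws.secrets" )   # 0600: root only
  weak_proposal "$dir/aws.conf" && { echo "weak proposal in aws.conf" >&2; return 1; }
  return 0
}

# Usage on the OpenSwan host, as root (PSK file and ping target are placeholders):
#   render_sysctl >> /etc/sysctl.conf && sysctl -p
#   yum install -y openswan
#   install_config /etc/ipsec.d "$(cat /root/tunnel1.psk)"
#   systemctl enable --now ipsec && ipsec auto --status | grep -i established
#   ping -c 3 10.222.0.10      # from a host in 172.31.0.0/16
```

The secrets file is written under umask 077 because the PSK is the only thing authenticating the tunnel; anyone who can read it can impersonate the customer gateway. The route on the ACCOUNT 2 side that sends 10.222.0.0/16 to the OpenSwan instance (for example aws ec2 create-route with --instance-id) is still a manual step, as in the post.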

Price:

  • per Site-to-Site VPN connection per hour ($0.05 in most regions)
  • per GB of data transfer out ($0.09 / GB); the first GB is free

Scenario:

The connection is active for 30 days, 24 hours a day. 1,000 GB are transferred in and 500 GB are transferred out through that connection.

  • Site-to-Site VPN connection: 0.05 * 24 * 30 = $36.00
  • Data transfer out: (500 - 1) * 0.09 = $44.91
  • Data transfer in: $0 (inbound data transfer is not charged)

Total: $80.91

Category: AWS Topics
