Linux IPSec Site-to-Site VPN: AWS VPC & Cisco Router

In this tutorial, we will use the Site-to-Site VPN scenario with the modification and one of the customer site that is using Cisco router, which is also acting as gateway for LAN plus the vpn gateway while from the AWS side, we are using the exact same Ubuntu Linux router.

Please review the previous tutorial before starting this tutorial, as I’ll use the previous tutorial as the base for this one.

topologyNote: Please don’t waste your time in hacking, all these public devices and IP(s) are Temporary, I have destroyed them after finished this tutorial.

VPN Configuration on Cisco Site:

First step is to configure an ISAKMP Phase 1 policy:

crypto isakmp policy 1
encryption aes 128
hash sha
authentication pre-share
group 2

1

Next, we need to set the pre-shared key for authentication with the AWS peer:

crypto isakmp key $VER_SEC_PSK address 54.219.146.242

2

Next step is to create the transform set (We have named it AWSTrans), which will be used to protect the data:

crypto ipsec transform-set AWSTrans esp-aes esp-sha-hmac

3

After that we have to define the Traffic to be protected through the VPN Tunnel using the access-list:

ip access-list extended VPN-TRAFFIC
permit ip 192.168.168.0 0.0.0.255 10.100.0.0 0.0.255.255

5

Now, we need to define the Crypto Map which will connect the ISAKMP and IPSec configuration together, that we have defined above:

crypto map AWSMAP 10 ipsec-isakmp
 set peer 54.219.146.242
 set transform-set AWSTrans
 match address VPN-TRAFFIC

4

Apply the Crypto Map to the outgoing interface of the router (In our case, it is FastEthernet 0/0)

interface FastEthernet0/0
crypto map AWSMAP

7

Check the NAT access-list before proceeding:

NAT Show

Add the NAT Bypass entry inside the NAT access-list before the NAT entry, to exclude the AWS VPC Private Subnet(s) to be NAT’d:

ip access-list extended NAT-TRAFFIC
5 deny ip 192.168.168.0 0.0.0.255 10.100.0.0 0.0.255.255

6

NAT access-list after modification:

NAT after Change

VPN Configuration on AWS VPC:

Also allow the ICMP packet on internal subnet security group from the remote LAN for testing purpose:

0

Edit the ipsec.conf file:

vi /etc/ipsec.conf

Here is the addition to the ipsec.conf file (please refer to the ipsec.conf file from previous tutorial):

conn AWS2CiscoConnection
 left=10.100.10.10
 leftsubnets=10.100.0.0/16
 leftid=54.219.146.242
 leftsourceip=10.100.10.10
 right=25.109.210.75
 rightsubnets=192.168.168.0/24
 rightid=25.109.210.75
 pfs=no
 forceencaps=yes
 authby=secret
 auto=start

2

Edit the shared secret file:

vi /etc/ipsec.secrets

3

Mine ipsec.secrets file as an example:

4

Restart the IPSec Service & verify the Tunnel status on both Sides:

Restart the IPSec service on Ubuntu at AWS VPC:

service ipsec restart

6

Verify the status of IPSec service on Ubuntu at AWS VPC:

service ipsec status

5Note: Please don’t panic, just restart the service one more time if it didn’t come up.

Verify the status of IPSec Tunnel on Cisco:

show crypto isakmp sa

8

Verify that the Traffic is passing through the Tunnel:

Ping from the AWS vpn gateway to the Cisco LAN IP:

7

Ping from AWS VPC private Subnet to Cisco’s LAN for verification:

8

Ping from the Local machine to the machine on VPC Private subnet:

9

10