
IPSec Tunnel

How to set up an IPSec site-to-site tunnel between a local network and an AWS EC2 instance, including routing and redirect configuration.

Laptop-side IPSec configuration

This is the IPSec configuration file for the laptop (local) side of the tunnel. It defines the tunnel parameters including authentication, key exchange settings, and the local/remote subnets.

# LAPTOP
cat /etc/ipsec.conf
config setup

conn laptop
     authby=secret
     pfs=yes
     auto=start
     keyingtries=3
     dpddelay=30
     dpdtimeout=120
     dpdaction=clear
     ikelifetime=8h
     ikev2=no
     keylife=1h
     #phase2alg=aes128-sha1;modp1024
     #ike=aes128-sha1;modp1024
     type=tunnel
     left=%defaultroute
     leftsubnet=192.168.1.0/24
     leftid=88.212.33.167  # public IP of my home router
     rightsubnet=172.31.0.0/20
     right=18.237.195.235   # EC2 in AWS

AWS EC2-side IPSec configuration

This is the corresponding IPSec configuration on the AWS EC2 instance. Note that left/right are swapped compared to the laptop configuration.

# AWS EC2
cat /etc/ipsec.conf.bavi
config setup

conn aws-ec2
     authby=secret
     pfs=yes
     auto=start
     keyingtries=3
     dpddelay=30
     dpdtimeout=120
     dpdaction=clear
     ikelifetime=8h
     keylife=1h
     #phase2alg=aes128-sha1;modp1024
     #ike=aes128-sha1;modp1024
     type=tunnel
     ikev2=no
     right=88.212.33.167  # public IP of my home router
     rightsubnet=192.168.1.0/24
     left=%defaultroute   # EC2 in AWS
     leftid=18.237.195.235   # EC2 in AWS
     leftsubnet=172.31.0.0/20
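
As an added example (not part of the original post), a small Python check that the laptop and EC2 conn sections above are mirror images of each other: every left* setting on one side must equal the matching right* setting on the other (with %defaultroute compared through the configured leftid), and non-directional settings such as ikev2 must be identical on both sides. The two config strings are constructed from the sections above, trimmed to the settings that matter for the check.

```python
# Constructed inputs: the two conn sections from the post, trimmed to the relevant settings.
LAPTOP_CONF = """conn laptop
     authby=secret
     ikev2=no
     left=%defaultroute
     leftsubnet=192.168.1.0/24
     leftid=88.212.33.167  # public IP of my home router
     rightsubnet=172.31.0.0/20
     right=18.237.195.235   # EC2 in AWS
"""
EC2_CONF = """conn aws-ec2
     authby=secret
     ikev2=no
     right=88.212.33.167
     rightsubnet=192.168.1.0/24
     left=%defaultroute
     leftid=18.237.195.235
     leftsubnet=172.31.0.0/20
"""

def parse_conn(text):
    """Return {key: value} for the conn section (one per file, as in the post), dropping '#' comments."""
    settings, in_conn = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            in_conn = True
        elif in_conn and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def effective(conn, key):
    """%defaultroute is resolved at runtime, so compare the configured <key>id instead."""
    value = conn.get(key)
    return conn.get(key + "id", value) if value == "%defaultroute" else value

def mismatches(a, b):
    """Settings where conn b is not the mirror of conn a (an empty list means they match)."""
    problems = []
    for ka, kb in (("left", "right"), ("leftsubnet", "rightsubnet"),
                   ("right", "left"), ("rightsubnet", "leftsubnet")):
        if effective(a, ka) != effective(b, kb):
            problems.append(f"{ka}={effective(a, ka)} vs {kb}={effective(b, kb)}")
    for key in sorted(set(a) | set(b)):  # non-directional settings must be equal on both sides
        if not key.startswith(("left", "right")) and a.get(key) != b.get(key):
            problems.append(f"{key}: {a.get(key)} vs {b.get(key)}")
    return problems
```

Run `mismatches(parse_conn(LAPTOP_CONF), parse_conn(EC2_CONF))` against the real files on both hosts; a non-empty list names the setting that will make IKE negotiation or the traffic selectors fail.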

Shared secret

Both sides must share the same pre-shared key (PSK). This is stored in /etc/ipsec.secrets on each host.

cat /etc/ipsec.secrets
88.212.33.167 18.237.195.235 : PSK "..."

Set route via IPSec tunnel node

  • Run on other hosts in the network to route traffic destined for the remote subnet through the IPSec tunnel node.
sudo ip r add 172.31.0.0/20 via 192.168.1.144 dev wlan0
ip r get 172.31.12.119

Disable redirects to allow all hosts in the network to access the remote network

  • Run on the IPSec node. Without this, when a LAN host sends traffic for the remote subnet to the IPSec node, the kernel sees that the packet would leave through the same interface it arrived on and answers with an ICMP redirect pointing the host at the default gateway, so the traffic would bypass the tunnel.
# Run on the IPSec node: stop the kernel from sending ICMP redirects on every interface
echo 0 | sudo tee /proc/sys/net/ipv4/conf/*/send_redirects
sudo ip r flush cache

# Generate a random 256-bit pre-shared key (32 bytes, hex-encoded)
openssl rand -hex 32

# Check this setting on your PC (laptop); the tunnel node must forward packets
sudo sysctl -w net.ipv4.ip_forward=1

# Make both settings persistent across reboots
cat /etc/sysctl.d/97-vpn.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0

# /etc/ipsec.secrets: either the pair of peer IDs, or %any to use this PSK for every peer
# 91.127.47.154 88.212.33.167 : PSK "a...22959da18"
%any : PSK "a...22959da18"

# Another conn section (different peer, 91.127.47.154; IKEv2 only)
conn vpn
     authby=secret
     auto=start
     type=tunnel
     ikev2=insist

     left=%defaultroute
     leftsubnet=192.168.2.0/24
     leftid=88.212.33.167

     rightsubnet=192.168.1.0/24
     right=91.127.47.154

This post is licensed under CC BY 4.0 by the author.