I LOVE this 30 min session!! It is the best tutorial about AWS site-to-site VPN so far on TH-cam.
I think it's been a very long time since I have seen our Indians giving quality tutorials, it's succinct! 👌
Chetan is changing the world
Man, you just saved my 20 marks for the final exam
You are a genius
Thanks Chetan, I have been going through all your recordings; these are quite insightful. Thanks again and good work :)
Hey Vinod, great to see you here :-)
Thank you Sir for this. 💙
Well explained. This saved me a lot of reading time. Thanks.
Wow, so nicely explained.
You have covered the topic thoroughly... Respect.
Keep coming up with more stuff...🙂
Hi, is there any way we can use a DynDNS address while configuring the site-to-site?
It is really fabulous... very nicely explained
Brilliant! Clear and concise!
Is it possible to create a site-to-site tunnel between an AWS Lightsail server and an on-premises server?
Thanks for sharing your knowledge!
Awesome demo with nice explanation....!!!!
Thanks buddy, keep it up
Great Video and explanation. Well done Sir and Thank you
Great session man - I really love it and will follow you on upcoming sessions.
Hello, is there the same approach for the Fortinet vendor as you did with Openswan?
Very Nicely explained and documented. Thank You #Respect
Wonderful bro.. nice explanation
Thanks, I am able to configure it 😍
Thank you for sharing. It's valuable.
Could you please explain AWS Solutions Architect Professional? I like your explanation, you are the best instructor I have ever seen
Hi. It was very helpful. I want to know whether VPC flow logs will capture the traffic of VPN or not. If not, request you to share steps to capture logs. Thanks in advance.
Note: A small suggestion: many videos are available over the internet but no one talks about capturing logs or troubleshooting common problems. So I request you to include these in your videos as well. Please don't think otherwise. I am sorry if I am wrong.
Excellent, much appreciated... clear explanation. Thanks bro
Well explained :) you saved my project!
Great video, you really made this easy to understand.
Very helpful video ✅💯
Informative video, but I have one doubt: when I configure both tunnels then it is not working.
It is already mentioned in the video that Openswan does not work with two tunnels.
Can you please tell me where I can get the documents that you have mentioned?
In the lecture at 28:56 we have to add the route with the VPG. But what will be the route in this case? Will it be 10.200.0.0/16 or 0.0.0.0/0?
Typically you would want to add the destination CIDR of the other side of the network, which means only 10.200.0.0/16 in this case. However, if you want all the traffic to be routed to the other network you can also put 0.0.0.0/0. You then need to make sure that the internet traffic is routed further to the internet via that network's router.
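The reply above comes down to how a VPC route table picks a target: by longest prefix match. The following is an added example (not code from the video or from anyone in this thread) that models VPC-A's route table from the walkthrough (10.100.0.0/16 local, default route to an internet gateway) with the two options discussed, a specific 10.200.0.0/16 route to the VPG versus a 0.0.0.0/0 route to the VPG, and shows where packets to the remote network and to the internet end up in each case. The CIDRs are the ones used in the thread; the target labels local, igw-main and vgw-main are assumed names.

```python
"""Longest-prefix-match over an AWS-style VPC route table (added example)."""
import ipaddress
from typing import List, Optional, Tuple

# (destination CIDR, target) -- mirrors one row of a VPC route table.
Route = Tuple[ipaddress.IPv4Network, str]


def route_table(*entries: Tuple[str, str]) -> List[Route]:
    """Build a route table from (cidr, target) pairs."""
    return [(ipaddress.ip_network(cidr), target) for cidr, target in entries]


def next_hop(table: List[Route], dst: str) -> Optional[str]:
    """Return the target of the most specific route containing dst.

    VPC route tables are evaluated by longest prefix match, so a /16 entry
    beats 0.0.0.0/0 whenever both contain the destination. None means no
    entry matches and the packet is dropped.
    """
    ip = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, target in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


# Option A from the reply: only the remote network's CIDR points at the VPG,
# so internet-bound traffic still leaves through VPC-A's own IGW.
SPECIFIC = route_table(
    ("10.100.0.0/16", "local"),
    ("10.200.0.0/16", "vgw-main"),   # assumed label for the VPG/VGW target
    ("0.0.0.0/0", "igw-main"),       # assumed label for the internet gateway
)

# Option B from the reply: everything non-local goes through the tunnel.
# Internet-bound packets now reach the far-side router, which must forward
# (and usually NAT) them onward, otherwise they are silently lost.
DEFAULT_VIA_VPN = route_table(
    ("10.100.0.0/16", "local"),
    ("0.0.0.0/0", "vgw-main"),
)


def trace(table: List[Route], destinations: List[str]) -> dict:
    """Map each destination to the target the table would choose."""
    return {d: next_hop(table, d) for d in destinations}


if __name__ == "__main__":
    probes = ["10.100.5.5", "10.200.1.10", "8.8.8.8"]
    print("specific route  :", trace(SPECIFIC, probes))
    print("default via VPN :", trace(DEFAULT_VIA_VPN, probes))
```

Run it and compare the two dictionaries: with the specific route, 8.8.8.8 goes to igw-main; with the default route pointed at the VPG it goes to vgw-main, which is exactly the case where the far side has to route it on to the internet.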
On a Cisco router you have to configure encryption type, hash, authentication type and Diffie-Hellman group. Don't you have to do that on AWS? Thanks
Yes, you should match it as per your router configuration. When you download the VPN configuration you can select your router type.
Good clear explanation thank you so much
Wonderful session, Thanks
Hi, to remove one VPN connection, what are the actions/steps we need to follow?
Please update the setup guide docs link.... currently it is not accessible.
An excellent example, many thanks.
I am using Transit Gateway in place of VPG. After setting up the S2S VPN, what will be the route setup?
Yeah, you can propagate the routes via TGW route tables and attachments.
There are two segments in the Create VPN connection which are not in your presentation. After the Tunnel Inside IP version there are these: Local IPv4 Network CIDR (Customer Gateway CIDR range) and Remote IPv4 Network CIDR range. Are these 10.200.0.0/16 and 10.100.0.0/16?
Well explained
thanks a lot. nice explanation
Thank you very much, you explain it very well...
Does the public IP change every time like an EC2 instance, or is it fixed for the IPsec tunnel?
VPN is not directly linked to EC2 IPs if you are talking about the VGW side. In this video I also showed the customer side using another EC2 with a public IP. Now this IP in this setup will change if you restart the customer gateway side EC2. However, in an ideal world you should have a router on the customer side with a fixed public IP.
@AWS Training Center Thanks. I want to know, based on the example you gave: the right side public IP (VPG) will not change and it is constant? I know the left side IP will change if the EC2 restarts.
That's right, VPG IPs are static.
Can you please put hybrid DNS resolution on top of this? Maybe create a private hosted zone per VPC, add inbound and outbound endpoint resolvers and try resolving DNS from the other VPC?
If I want virtual isolation of the network from customers using the web application, then is it possible to do with VPC peering or do I have to use VPN connectivity?
Well explained, thank you :)
Thank you very much sir, I really need this.
One question sir, is it possible for other servers/clients on the Corporate Network (Virginia Reg.) to communicate with the Mumbai Reg. through the tunnel?
As always, brilliant material Chetan. Can you please point me to a video that explains source and destination of routing tables?
Hello Sir!
Thank you for the very helpful video. I am trying to do an AWS site-to-site VPN between my VPC and a distant instance which is an OpenVPN server. The goal is that the VPC resources can reach my OpenVPN clients. Thanks to your video I am able to connect my distant instance to my VPC and the connection links are up. In order to test the connection I created an AWS instance in the VPC subnet and I try to send pings from my distant instance to the AWS instance (EC2-A in your video).
But I guess I misunderstood a step. Do you have any suggestion about the architecture I am trying to build?
A warm thank you in advance!
Hi, I have one query: we want to make a tunnel between AWS and AWS, but the issue is that both sides' private IPs match, so is it possible to use NAT technology? On a firewall I am able to perform this.. please help, I need urgent support
It seems complex, maybe even not possible.
Great video
AWS to Cisco IKEv2 would be nice, considering the configuration DOWNLOAD is IKEv1 using deprecated and insecure protocols. Thought it might be in this video, but guess not.
Yeah I agree. Actually at the time this video was recorded AWS was supporting only IKEv1. But yes, now it supports v2 as well, so it is always good to use the latest protocol version.
@@AWSwithChetan Discovered why it isn't working for me. The IKEv1 two-tunnel from AWS to ASA is active/standby, but for IKEv2 two peers are not supported, at least not in the 9.1 version, possibly in 9.7. I will have to tear the entire configuration out and create one VPN tunnel. I don't think it will allow me to create 2 tunnels though.
Hi brother, is it possible to access a website through this VPN structure?
Yes, just open port 80 or 443 for the EC2 instance on which the website is running and then you can access it with the private IP of the EC2 over the VPN connection. For DNS, either you can have your on-prem DNS server resolve to this private IP or you can configure an AWS Route 53 inbound resolver to handle the DNS.
Excellent ! Thank you buddy :)
good job
Thank you very much!
It works OK if VPC-A and VPC-B are both in AWS, but I had a problem connecting another cloud provider to AWS. In my case the IPsec connection was OK, but ping didn't work until I added the public IP of my Openswan VM into the routing table and the VPN static route.
Also, Openswan does not exist for CentOS 8 and Ubuntu 18+; it was replaced by Libreswan. Usage of Libreswan is the same as Openswan.
That's right, because your Openswan instance is acting as the router for the other side of the network. Watch my other video on site-to-site VPN (new video) which explains this.
Failed to start Internet Key Exchange (IKE) Protocol Daemon for IPsec. Getting this error at the end, how to fix it?
Difficult to comment without looking at the error. Just try again and make sure you don't miss any configuration.
Yes, I did follow all the steps exactly but I get this error: "Failed to start Internet Key Exchange (IKE) Protocol Daemon for IPsec"
I can only say love you bro
Do you think we can perform all these steps by using a Terraform configuration file?
On the AWS side configuration.. yes, of course.
This is awesome, Thanks.
Can you add other clients, and how to prevent cross talk?
When trying to create the Customer Gateway I am told I need a valid public IP address despite copying the one from the EC2-B router. I cannot proceed further.
Sorry, I did not get your question completely.
Worthy explanation!!
Hi, I am able to ping the AWS instance from only one instance, the one on which Openswan is installed on the on-premises side. I am unable to ping from a different instance. Also, only Linux to Linux machines are able to ping; Linux to Windows is unable to ping.
The service status is active but the tunnel status is down. Tried multiple times without any success. Any solution?
With the latest version of Openswan, you may have to change a few tunnel parameters, especially:
1. Remove auth=esp
2. phase2alg=aes_gcm
3. ike=aes256-sha1;modp1024
Try this
@@AWSwithChetan Thanks for the reply Chetan. Much appreciated. Tried your solution but did not work. Status is still down. Also can't ping the private IP. Can't figure out what is the issue. Anyway thanks.
@@AWSwithChetan In the 2024 document you have mentioned the below:
▪ Remove auth=esp
▪ phase2alg=aes_gcm
▪ ike=aes256-sha1
I am confused which one is currently working.
I followed all the steps; when checking the status of the tunnel I am getting the below error:
initiating all conns with alias='Tunnel1'
no connection named "Tunnel1"
Resolved after following the method available in the document; the method in the video is not working,
but IKEv2 is working. If I disable IKEv2 from the AWS side, then the tunnel shows down from the AWS side, and from the DC side the error is "Tunnel1" #1: dropping unexpected IKE_SA_INIT message containing NO_PROPOSAL_CHOSEN notification; message payloads: N; miss"
Any solution so that I can use IKEv1?
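Two things in this thread are really the same problem: the tunnel parameters the replies above tell people to change (ike=, phase2alg=, and whether IKEv2 is on), and the NO_PROPOSAL_CHOSEN notification in the IKE_SA_INIT error just quoted, which is what a peer answers when none of the proposals you offer intersect with what it accepts. The script below is an added example, not code from the video, the guide or any commenter. It parses those lines out of an Openswan/Libreswan-style conn block, flags algorithms that should no longer be relied on (SHA-1, 1024-bit MODP, i.e. DH group 2, 3DES, IKEv1 only) and checks whether at least one proposal would survive against a constructed peer policy. That policy, PEER_ENC / PEER_INTEG / PEER_DH, is an assumption modelled on the tunnel options AWS documents for Site-to-Site VPN (AES-128/256 CBC and GCM, SHA-1 and SHA2-256/384/512, DH groups 2 and 14 to 24) and should be checked against the console; the three conn blocks are constructed for illustration, with the inside CIDRs taken from the thread and placeholder peer addresses. Note that the `ike=aes256-sha1;modp1024` line from the reply is accepted by such a peer, which is why it works, but both SHA-1 and DH group 2 are deprecated; the hardened block shows the equivalent with SHA2-256 and group 14.

```python
"""Lint an Openswan/Libreswan conn block's IKE/ESP proposals (added example)."""
import re
from typing import Dict, List, NamedTuple, Optional, Set


class Proposal(NamedTuple):
    enc: str
    integ: Optional[str]   # None for AEAD ciphers (aes_gcm carries its own ICV)
    dh: Optional[str]      # None when the line names no DH/PFS group


# Equivalent spellings of DH groups, normalised to IANA group numbers.
DH_ALIASES = {"modp1024": "dh2", "modp1536": "dh5", "modp2048": "dh14",
              "modp3072": "dh15", "modp4096": "dh16", "modp6144": "dh17",
              "modp8192": "dh18", "ecp_256": "dh19", "ecp_384": "dh20",
              "ecp_521": "dh21"}

# Constructed peer policy (assumption; verify against the AWS console).
PEER_ENC: Set[str] = {"aes128", "aes256", "aes_gcm", "aes_gcm128", "aes_gcm256"}
PEER_INTEG: Set[str] = {"sha1", "sha2_256", "sha2_384", "sha2_512"}
PEER_DH: Set[str] = {"dh2"} | {f"dh{n}" for n in range(14, 25)}

# What a tunnel should no longer lean on, regardless of peer support.
WEAK = {"sha1", "md5", "3des", "des", "dh2", "dh5", "null"}


def parse_conn(text: str) -> Dict[str, str]:
    """Collect key=value settings from one conn block; '#' starts a comment."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"([A-Za-z0-9_]+)\s*=\s*(\S+)$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).lower()
    return settings


def parse_proposals(value: str) -> List[Proposal]:
    """Parse 'aes256-sha1;modp1024,aes256-sha2_256;modp2048' style strings.

    Proposals are comma separated; each is enc[-integ][;dh]. The spelling
    aes_gcm_256 is folded to aes_gcm256 so both forms compare equal.
    """
    out: List[Proposal] = []
    for prop in value.split(","):
        body, _, dh = prop.partition(";")
        parts = body.split("-")
        enc = re.sub(r"^aes_gcm_(\d+)$", r"aes_gcm\1", parts[0])
        integ = parts[1] if len(parts) > 1 and "gcm" not in enc else None
        out.append(Proposal(enc, integ, DH_ALIASES.get(dh, dh) if dh else None))
    return out


def acceptable(p: Proposal) -> bool:
    """True when the peer policy could select this exact proposal."""
    if p.enc not in PEER_ENC:
        return False
    if "gcm" not in p.enc and p.integ not in PEER_INTEG:
        return False          # non-AEAD cipher needs an integrity the peer knows
    return p.dh is None or p.dh in PEER_DH


def weak_parts(p: Proposal) -> Set[str]:
    return {x for x in (p.enc, p.integ, p.dh) if x in WEAK}


def lint_conn(text: str) -> Dict[str, object]:
    """Summarise the IKE (phase 1) and ESP (phase 2) proposals of a conn block."""
    s = parse_conn(text)
    ike = parse_proposals(s["ike"]) if "ike" in s else []
    esp = parse_proposals(s["phase2alg"]) if "phase2alg" in s else []
    ike_ok = any(acceptable(p) for p in ike)
    return {
        "ike_ok": ike_ok,
        "esp_ok": any(acceptable(p) for p in esp),
        "weak": sorted(set().union(*(weak_parts(p) for p in ike + esp))),
        "ikev1_only": s.get("ikev2", "no") == "no",
        # No surviving phase-1 proposal is what the peer reports as
        # NO_PROPOSAL_CHOSEN during IKE_SA_INIT (IKEv2) / MM (IKEv1).
        "no_proposal_chosen": not ike_ok,
    }


# Constructed conn blocks; 203.0.113.10 is a documentation-range placeholder.
WEAK_CONN = """
conn Tunnel1
    authby=secret
    auto=start
    left=%defaultroute
    leftsubnet=10.200.0.0/16
    right=203.0.113.10          # placeholder VPG tunnel endpoint
    rightsubnet=10.100.0.0/16
    ikev2=no
    ike=aes256-sha1;modp1024    # the values suggested in the reply above
    phase2alg=aes_gcm
"""

HARDENED_CONN = """
conn Tunnel1
    ikev2=yes
    ike=aes256-sha2_256;modp2048
    phase2alg=aes_gcm256
    leftsubnet=10.200.0.0/16
    rightsubnet=10.100.0.0/16
"""

MISMATCH_CONN = """
conn Tunnel1
    ikev2=yes
    ike=aes256-sha2_256;modp1536   # DH group 5 is not in the peer's list
    phase2alg=aes_gcm256
"""

if __name__ == "__main__":
    for name, conn in (("weak", WEAK_CONN), ("hardened", HARDENED_CONN),
                       ("mismatch", MISMATCH_CONN)):
        print(name, lint_conn(conn))
```

The weak block lints as acceptable to the peer but with sha1 and dh2 flagged and IKEv1 only; the hardened block passes clean; the mismatch block is the one that would produce the NO_PROPOSAL_CHOSEN error, since no phase-1 proposal survives the intersection.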
Hello Chetan,
Thanks for making such an excellent video. As per the guidelines I had configured VPC-A & VPC-B and the connection has been established, but I'm unable to ping.. I had checked the security groups but was not able to identify where the issue is.. Please help...
Thanks in advance..
Rgds,
Mahesh
Do you see the tunnel up, and in the SG I hope ICMP IPv4 is allowed?
Should both networks be /16 as remote and local, or can one be /24 and one /16?
Can be anything, doesn't matter. Depends on how big or small you want the networks to be.
@@AWSwithChetan Thanks
How would I configure this if the customer network is asking for a public IP instead of the typical private IP in such a VPN setup? How is the NATing supposed to be done? Thank you
The customer gateway router should have a public IP and it should do the NATing for all internal machines.
Great Chaytan, I hope I got the spelling right. Great demo, do you have a complete course? For Associate Architect?
Thanks man.. you spelled it almost correctly. It's Chetan :-).
I don't have an Associate Architect course. I just have a hands-on course on AWS Networking on Udemy.
After starting the ipsec service the tunnel status is still down. Can you please help me with this?
With the latest version of Openswan, you may have to change a few tunnel parameters, especially:
1. Remove auth=esp
2. phase2alg=aes_gcm
3. ike=aes256-sha1;modp1024
Try this
@@AWSwithChetan This was very helpful. Thank you very much
Your approach was really wonderful..! And one doubt I have: can we replace that customer gateway with Azure Cloud.. I mean I want to establish a connection between AWS and Azure Cloud?? Is it possible..? A quick reply is appreciated..! Thanks in advance.
Yes, you can connect to Azure or GCP. My Udemy course has a hands-on where I have shown how to do that; however, unfortunately I can't publish the same video here.
@@AWSwithChetan No problem. Can you share the tutorial name??
Super
Great video.
Tried to follow all the steps one by one, without mistake, 5-6 times, but @30:02 when starting the IPsec service it refuses and gives an error: [root@ip-10-2-0-250 ec2-user]# systemctl start ipsec
Job for ipsec.service failed because the control process exited with error code. See "systemctl status ipsec.service" and "journalctl -xe" for details.
Please, if someone can assist to resolve this issue. I followed some more videos but still get the same error in this lab; even from Google I couldn't find any solution. Pls assist 🙏
What's the output of the journalctl -xe command?
@@AWSwithChetan Thanks for your swift response. I followed all the steps again and found that the /etc/ipsec.d/aws.secrets file was always creating an issue. I deleted this file and created a new one. Entered the line from the downloaded configuration file. Started the service and the status was showing ACTIVE.
[root@ip-10-2-0-95 ipsec.d]# systemctl status ipsec
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2020-06-25 20:25:56 UTC; 9min ago
But now when I checked the status of the tunnel, which should be UP after route propagation, the tunnel is still DOWN.
Would you assist with this now? What could be the reason for showing Tunnel Down while the ipsec service is ACTIVE?
Waiting for your kind response. Thanks
The tunnel would start when you send some request (ping) to AWS from your Openswan instance. Also I hope you have configured only one tunnel in Openswan. Don't add both in your configs as it causes problems.
@@AWSwithChetan Yes, I have configured only one tunnel. The IPsec service is active and running. But even while pinging (passing traffic) from the Openswan instance side, it is not pinging either. No error even.
The security group on the AWS side EC2 instance allows ICMP, right? Also try the traffic the other way around.
-Chetan
Thanks buddy !!!
Terrific!!!! Good job
How about the NACL configuration?
Is it possible for you to upload the document? It will be easier for us to practice.
The document download link is in the description.
Failed to start Internet Key Exchange (IKE) Protocol Daemon for IPsec.
--------------------------- I am getting this error
Kindly refer to the latest guide added to the video description.
He is a hero
Hello Sir, I'm not able to install "Openswan", can you please help?
Maybe you are using the Amazon Linux 3 (2023) AMI. Can you try the Amazon Linux 2 AMI for launching the EC2 instance?
@@AWSwithChetan Sure sir, thanks a lot for your quick response; and one more thing, can you please update the course on Udemy as well, as I'm getting an error while uploading the certificate and keys to ACM; it's showing "Unable to locate credentials. You can configure credentials by running "aws configure"."
Can you please guide me on this case? As the interviewer will ask questions about the latest AMI.
Why is my Openswan not able to start? It throws an error.
There have been new cipher suites that you have to use due to security issues in the older Openswan.
I will see if I can provide a link to the PDF for the latest version deployment. Otherwise, if you want, you can get the video and PDF in my networking course at www.awswithchetan.com
It did not work.
@ajaygupta943 I have made the latest guide available in the video description.