AWS - Establish Site-to-Site VPN Connection | Concept | Demo

  • Published 11 Sep 2024
  • #Cloud4DevOps
    This video will help us understand the AWS Site-to-Site VPN connection, covering the concepts below with a demo:-
    - What is an AWS VPN Connection?
    - What is a Customer Gateway and a Virtual Private Gateway?
    - Key components of a VPN connection.
    - Detailed demo
    AWS Doc Link:-docs.aws.amazo...
    Values to import into the Openswan (IPsec) config files from the VPN Connection (replace the <...> placeholders with the values AWS shows for your connection):-
    ===================================
    Contents for /etc/ipsec.d/aws-vpn.conf
    conn Tunnel1
        authby=secret
        auto=start
        left=%defaultroute
        leftid=<Customer end VPN public IP>
        right=<AWS VPN Tunnel 1 public IP>
        type=tunnel
        ikelifetime=8h
        keylife=1h
        phase2alg=aes128-sha1;modp1024
        ike=aes128-sha1;modp1024
        keyingtries=%forever
        keyexchange=ike
        leftsubnet=<Customer end VPN CIDR>
        rightsubnet=<AWS end VPN CIDR>
        dpddelay=10
        dpdtimeout=30
        dpdaction=restart_by_peer
    Contents for /etc/ipsec.d/aws-vpn.secrets (one line: local public IP, remote public IP, then the pre-shared key)
    <Public IP of Openswan instance> <Public IP of third party network> : PSK "<PSK>"
    Commands to enable/start the ipsec service
    $ chkconfig ipsec on
    $ service ipsec start
    $ service ipsec status
    =====================================
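The two files above are easy to get subtly wrong by hand (a host bit set in a CIDR, the VPC range overlapping the on-premise range, a placeholder left in the secrets file, or a world-readable secrets file). The script below is an added example, not the video's own code: it renders aws-vpn.conf and aws-vpn.secrets from the values AWS shows for the connection, validates them first, and flags the legacy crypto in the video's proposal. It goes beyond the video's single conn block by rendering both tunnels AWS hands out per connection. The field names, the sample addresses (RFC 5737 documentation ranges) and the sample PSKs are all constructed; the "sha2_256" keyword in the preferred proposal is assumed to be accepted by the installed *swan build.

```python
"""Render /etc/ipsec.d/aws-vpn.conf and aws-vpn.secrets for Openswan from the
values shown on an AWS Site-to-Site VPN connection, validating them first.

Added example, not the video's own script.  Field names, sample addresses and
sample PSKs below are constructed placeholders.
"""
import ipaddress
import os
import re

# Proposal used in the video: AES-128, SHA-1, DH group 2 (1024-bit MODP).
VIDEO_PROPOSAL = "aes128-sha1;modp1024"
# Stronger proposal AWS also accepts: AES-256, SHA-256, DH group 14 (modp2048).
# Assumption: the installed *swan build accepts the "sha2_256" keyword.
PREFERRED_PROPOSAL = "aes256-sha2_256;modp2048"

# Constructed sample input (RFC 5737 / RFC 1918 ranges), not a real connection.
SAMPLE_SITE = {
    "cgw_public_ip": "198.51.100.5",  # Customer end VPN public IP -> leftid
    "local_cidr": "10.10.0.0/16",     # Customer end VPN CIDR      -> leftsubnet
    "remote_cidr": "10.20.0.0/16",    # AWS end (VPC) CIDR         -> rightsubnet
}
SAMPLE_TUNNELS = [  # AWS provides two tunnels per VPN connection
    {"name": "Tunnel1", "aws_outside_ip": "203.0.113.10", "psk": "t1.Example_Key_2024"},
    {"name": "Tunnel2", "aws_outside_ip": "203.0.113.20", "psk": "t2.Example_Key_2024"},
]

# AWS's stated PSK rules: 8-64 chars, alphanumeric plus '.' and '_', no leading 0.
# This also rejects a literal "PSK" placeholder left over from the template.
PSK_RE = re.compile(r"^[1-9A-Za-z._][A-Za-z0-9._]{7,63}$")


def validate(site, tunnels):
    """Raise ValueError on inputs that would yield a broken or unsafe tunnel."""
    left = ipaddress.IPv4Address(site["cgw_public_ip"])
    # strict=True rejects host bits set, e.g. "10.10.0.1/16"
    local = ipaddress.IPv4Network(site["local_cidr"], strict=True)
    remote = ipaddress.IPv4Network(site["remote_cidr"], strict=True)
    if local.overlaps(remote):
        raise ValueError(f"local {local} and remote {remote} overlap; routing will break")
    seen = set()
    for t in tunnels:
        right = ipaddress.IPv4Address(t["aws_outside_ip"])
        if right == left:
            raise ValueError(f"{t['name']}: AWS outside IP equals the customer IP")
        if right in seen:
            raise ValueError(f"{t['name']}: duplicate AWS outside IP {right}")
        seen.add(right)
        if not PSK_RE.match(t["psk"]):
            raise ValueError(f"{t['name']}: PSK breaks AWS rules or is a placeholder")


def is_valid(site, tunnels):
    """Boolean wrapper around validate() for callers that just want a verdict."""
    try:
        validate(site, tunnels)
        return True
    except ValueError:
        return False


def render_conf(site, tunnels, proposal=VIDEO_PROPOSAL):
    """Return the text of aws-vpn.conf: one indented 'conn' block per tunnel."""
    validate(site, tunnels)
    blocks = []
    for t in tunnels:
        settings = [
            ("authby", "secret"), ("auto", "start"), ("left", "%defaultroute"),
            ("leftid", site["cgw_public_ip"]), ("right", t["aws_outside_ip"]),
            ("type", "tunnel"), ("ikelifetime", "8h"), ("keylife", "1h"),
            ("phase2alg", proposal), ("ike", proposal),
            ("keyingtries", "%forever"), ("keyexchange", "ike"),
            ("leftsubnet", site["local_cidr"]), ("rightsubnet", site["remote_cidr"]),
            ("dpddelay", "10"), ("dpdtimeout", "30"), ("dpdaction", "restart_by_peer"),
        ]
        body = "\n".join(f"    {k}={v}" for k, v in settings)
        blocks.append(f"conn {t['name']}\n{body}\n")
    return "\n".join(blocks)


def render_secrets(site, tunnels):
    """Return aws-vpn.secrets: '<left IP> <right IP> : PSK "<key>"' per tunnel."""
    validate(site, tunnels)
    return "".join(
        f'{site["cgw_public_ip"]} {t["aws_outside_ip"]} : PSK "{t["psk"]}"\n'
        for t in tunnels
    )


def weak_settings(conf_text):
    """List the legacy proposal parts a reviewer would question."""
    findings = []
    if "modp1024" in conf_text:
        findings.append("modp1024 is DH group 2 (1024-bit); prefer modp2048 (group 14)")
    if re.search(r"-sha1\b", conf_text):
        findings.append("SHA-1 integrity; prefer sha2_256")
    return findings


def write_files(site, tunnels, directory="/etc/ipsec.d", proposal=VIDEO_PROPOSAL):
    """Write both files; the secrets file is created owner-readable only (0600)."""
    conf_path = os.path.join(directory, "aws-vpn.conf")
    with open(conf_path, "w") as f:
        f.write(render_conf(site, tunnels, proposal))
    secrets_path = os.path.join(directory, "aws-vpn.secrets")
    fd = os.open(secrets_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(render_secrets(site, tunnels))
    os.chmod(secrets_path, 0o600)  # in case the file pre-existed with a wider mode
    return conf_path, secrets_path


if __name__ == "__main__":
    conf = render_conf(SAMPLE_SITE, SAMPLE_TUNNELS)
    print(conf)
    for warning in weak_settings(conf):
        print("WARNING:", warning)
```

Run it as root with `write_files(SAMPLE_SITE, SAMPLE_TUNNELS)` replaced by your own values; it writes into /etc/ipsec.d, which is why the video's `vim` step needs root too. Rendering both tunnels is what makes the active-active question raised in the comments testable: with a single conn block only Tunnel1 can ever come up.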

Comments • 35

  • @arsalananwar8265
    @arsalananwar8265 1 year ago +1

    This will help a lot of folks! Great explanation, keep making more and more videos.

  • @shishirabhishek4811
    @shishirabhishek4811 4 years ago +1

    Thanks for placing this video, quite clear enough to understand VPN configuration... I tried the same and it worked like a charm.. thanks again..

  • @TTAUDIR8
    @TTAUDIR8 4 years ago +1

    Man, thanks a lot, you're a sunshine, you explained to me all that I need, God bless you. Best regards from Mexico.

    • @Cloud4DevOps
      @Cloud4DevOps  4 years ago +1

      Appreciate your focus and glad my videos are helping you.. Please share among your circle to get more technical minds..

  • @TheLablujan
    @TheLablujan 4 years ago +1

    Thanks for the full explanation!

  • @vinayveerabhadra7280
    @vinayveerabhadra7280 3 years ago +1

    Once again, thank you

  • @subanana
    @subanana 3 years ago +1

    Nice video thanks

  • @kakmr5
    @kakmr5 1 year ago

    Hi, I am getting an error while installing Openswan -
    Last metadata expiration check: 1:01:33 ago on Sun Jul 30 18:41:01 2023.
    No match for argument: openswan
    Error: Unable to find a match: openswan

  • @shwetasharma3263
    @shwetasharma3263 2 years ago +1

    Thanks for the clear explanation. But after doing the hands-on and following all the steps, AWS Tunnel 1 status is not changing to up. Could you suggest what could be the reasons for the tunnel disconnection? I have tried with PuTTY for Windows.

    • @Cloud4DevOps
      @Cloud4DevOps  2 years ago +1

      When you say the status of tunnel 1 is not changing, is it that you are configuring an active-active configuration in your env, or is it just active-passive and in this case none of the tunnels is up? It seems a routing issue.. Without the actual error it's tough to say; in most cases it's a routing issue.

  • @MrSanjibdutta
    @MrSanjibdutta 3 years ago +1

    Just a quick comment.. I think you probably missed the last step of showing the connection to the public IP of the private EC2 from your VPN server after SSHing into it... Thanks

  • @langdj1
    @langdj1 1 year ago

    Thanks!

    • @langdj1
      @langdj1 1 year ago +1

      Figuring out all the stuff you need to do in OpenVPN (Cisco ASA if you had one) is the hardest part of doing this process and Shashank spends the extra time to figure that out. Fantastic video!

    • @Cloud4DevOps
      @Cloud4DevOps  1 year ago +1

      Thanks Joe for the feedback!!!

  • @premsoni0143
    @premsoni0143 4 years ago

    Suggestion and question:
    1) You said it's a private connection; isn't it a private tunnel over the public internet? A private tunnel could be if you used Direct Connect.
    2) Why do you need to configure the EC2 public IP on the CGW? What if we have multiple resources? This needs explaining.

    • @Cloud4DevOps
      @Cloud4DevOps  4 years ago +3

      Thanks for the comments.. Please find my answers below:-
      1) You said it's a private connection; isn't it a private tunnel over the public internet? A private tunnel could be if you used Direct Connect.
      So basically what I said is that we can connect to AWS cloud resources via their private IP addresses from your on-premise network. The VPN tunnel can be established over the open internet to keep traffic communication between the VPC and your on-site prem. I have used an EC2 public IP as the assumed on-premise DC [which is Frankfurt for my video]; I can use a NAT IP, which is always a static public IP, on the CGW side, which is a prerequisite to design a VPN b/w two environments. Again, you can access or do jobs like LDAP sync over VPN; it always flows via public NATting but it's always encrypted by TLS security, so we should be good to use it. AWS Direct Connect always has an advantage over VPN as it provides fast performance like your fiber optics b/w two environments, at a higher cost.
      2) Why do you need to configure the EC2 public IP on the CGW? What if we have multiple resources? This needs explaining.
      So basically what I said is that I have created an EC2 in the Frankfurt region and I am treating that as my on-premise DC network, so whenever you create a VPN connection, the static route to use the customer gateway should have an internet-routable IP address to use as the endpoint for the IPsec tunnels connecting your customer gateway to the virtual private gateway. So this can be your EC2 public IP, or if the customer gateway is behind a NAT device, then we can use the public IP address of the NAT device. For the demo purpose I have used the EC2 public IP instead of NAT as my internet-routable IP address. Since I don't have any on-premise DC, I created a public server in the Frankfurt region just to replicate the scenario.
      Let me know if the above explanation suffices for your queries.

    • @premsoni0143
      @premsoni0143 4 years ago +1

      @@Cloud4DevOps Thanks, it's clear

  • @rahulbhattiprolu8489
    @rahulbhattiprolu8489 7 months ago

    The config file looks the same as for strongSwan. So is this OpenVPN or strongSwan?

    • @Cloud4DevOps
      @Cloud4DevOps  7 months ago

      Openswan.. to a certain extent the conceptual funda for all VPNs remains the same..

  • @ayieecorral5711
    @ayieecorral5711 2 years ago +1

    Hi, I'm struggling with what to use, virtual private gateway or transit gateway? Which one is much cheaper? I have 1 VPC with 1 subnet and 1 EC2 instance. I want my 2 on-premise networks to connect to my VPC via VPN. I have already set up my EC2 instance and VPC, just this VPN thing I'm struggling with. I badly need some help T_T

    • @ayieecorral5711
      @ayieecorral5711 2 years ago

      I'm not in a network engineer job T_T

    • @Cloud4DevOps
      @Cloud4DevOps  2 years ago +1

      @@ayieecorral5711 Transit gateway is faster and acts as a cloud router, so it's better to use TGW..

    • @ayieecorral5711
      @ayieecorral5711 2 years ago

      @@Cloud4DevOps hi, so I don't need to set up a site-to-site VPN?

    • @ayieecorral5711
      @ayieecorral5711 2 years ago +1

      @@Cloud4DevOps I mean yeah, TGW is way better than virtual private gateway, but still I'm confused. Sorry man, just a frustrated man haha

    • @Cloud4DevOps
      @Cloud4DevOps  2 years ago +1

      @@ayieecorral5711 you still need a site-to-site VPN with VGW.. it's a straightforward config and concept..

  • @datagiggles692
    @datagiggles692 2 years ago

    Surprisingly enough, the ipsec.d directory is not there.

  • @passionzhere
    @passionzhere 4 years ago +1

    Can you plz do this on Palo Altos?

  • @kakmr5
    @kakmr5 1 year ago +1

    Hi, I am getting this error: "/etc/ipsec.d/aws-vpn.conf"
    "/etc/ipsec.d/aws-vpn.conf" E212: Can't open file for writing
    Press ENTER or type command to continue. This is coming while I am editing (vim /etc/ipsec.d/aws-vpn.conf)

    • @PiyushGhosh-l4k
      @PiyushGhosh-l4k 11 months ago

      Same error. How to get rid of it??