How to use IPSec / Openswan with Amazon's Virt

Published 2019-04-08 05:54

Question:

Does anyone know how to use Openswan to create an IPSec tunnel to a Cisco router on EC2?

I keep reading that people can or they cannot set up the IPSec tunnels on Amazon's cloud. Is it possible or not?

If so, can someone point me to a tutorial where it was successful?

Answer 1:

Update

AWS has just dropped the requirement to establish Border Gateway Protocol (BGP) peerings in order to use the built in VPN connectivity to an Amazon Virtual Private Cloud (VPC), see Amazon VPC - Additional VPN Features:

You can now create Hardware VPN connections to your VPC using static routing. This means that you can establish connectivity using VPN devices that do not support BGP such as Cisco ASA and Microsoft Windows Server 2008 R2. You can also use Linux to establish a Hardware VPN connection to your VPC. In fact, any IPSec VPN implementation should work. [emphasis mine]

The outlined reason for this change specifically highlights BGP as a previous barrier to adoption of this otherwise very appealing VPN connectivity to a VPC:

First, BGP can be difficult to set up and to manage, [...]. Second, some firewalls and entry-level routers support IPSec but not BGP. These devices are very popular in corporate branch offices. As I mentioned above, this change dramatically increases the number of VPN devices that can be used to connect to a VPC. [...]

I couldn't agree more - accordingly you should now be able to facilitate Openswan (or the built in Linux IPSec stack) to connect to the respective built in VPC IPSec functionality.


Initial Answer

A related tutorial based on Racoon is available at Amazon VPC with Linux. However, before you dive into that, I highly recommend to read the referring article Connecting to Amazon VPC first, at least section Using Linux as VPN Server:

Let us say you have decided to use some linux for your VPN server. For an IPSec newbie there is no obvious reason that this is a bad idea. And because one soon finds a tutorial like http://openfoo.org/blog/amazon_vpc_with_linux.html it seems possible to perform that task. Following this tutorial you should be able to ping the two BGP servers from your VPN server. [...] But after that point you will start to get in trouble. Maybe you are able to connect to a server in your VPC. But there is one thing you won’t get working stable: Connecting from the VPC to some server in your home net 192.168.1.1/24. That is because linux has a policy-based IPSec implementation. [...]

Consequently the author concludes:

And the last and most important reason is that Openswan is not intended to be used that way. Abusing software in a security relevant place doesn’t seem to be a good idea. [emphasis mine]

YMMV as usual, but you have been warned ;)
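To make the static-routing option concrete, below is an example Openswan ipsec.conf connection for one of the two tunnels of a VPC VPN connection, added here for illustration; it is not part of the original answer and not a file generated by AWS. The IP addresses, CIDRs and the pre-shared key are placeholders (AWS supplies the real values when you download the configuration for your VPN connection), and the connection name Tunnel1 is a naming assumption.

```ini
# /etc/ipsec.conf (example, not from the original post)
# One tunnel of an AWS VPC VPN connection using static routing (no BGP).
# Replace every <...> placeholder with the values AWS provides.
conn Tunnel1
    authby=secret
    auto=start
    keyexchange=ike
    type=tunnel
    # Public IP of this Linux box (the "customer gateway"); leftid must match
    # the customer gateway address registered in the VPC.
    left=%defaultroute
    leftid=<customer-gateway-public-ip>
    # Outside address of the VPC virtual private gateway for this tunnel.
    right=<vpn-endpoint-public-ip>
    # Openswan is policy-based: only traffic whose source/destination matches
    # these selectors enters the tunnel. leftsubnet must be the exact home
    # network you want reachable from the VPC (e.g. 192.168.1.0/24).
    leftsubnet=<home-network-cidr>
    rightsubnet=<vpc-cidr>
    # Phase 1 / phase 2 parameters as proposed in the AWS-supplied config.
    ike=aes128-sha1;modp1024
    phase2alg=aes128-sha1;modp1024
    ikelifetime=8h
    keylife=1h
    keyingtries=%forever
    # Dead peer detection so the tunnel is re-established if the VPC side drops.
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart_by_peer

# /etc/ipsec.secrets (example): one pre-shared key per tunnel endpoint pair.
# <customer-gateway-public-ip> <vpn-endpoint-public-ip>: PSK "<pre-shared-key>"
```

Two things follow from the policy-based behaviour the quoted article warns about: the VPN connection in the VPC must carry a static route for the same home network CIDR used in leftsubnet (and the VPC route table a route to the virtual private gateway), and any host that is not inside that CIDR will not be matched by the security association, which is exactly the "won't get working stable" symptom the article describes when the selectors and the actual traffic disagree.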