Linux IPSec Site-to-Site VPN: AWS VPC & Cisco Router

In this tutorial, we will use the Site-to-Site VPN scenario with the modification and one of the customer site that is using Cisco router, which is also acting as gateway for LAN plus the vpn gateway while from the AWS side, we are using the exact same Ubuntu Linux router.

Please review the previous tutorial before starting this tutorial, as I’ll use the previous tutorial as the base for this one.

topologyNote: Please don’t waste your time in hacking, all these public devices and IP(s) are Temporary, I have destroyed them after finished this tutorial.

VPN Configuration on Cisco Site:

First step is to configure an ISAKMP Phase 1 policy:

crypto isakmp policy 1
encryption aes 128
hash sha
authentication pre-share
group 2


Next, we need to set the pre-shared key for authentication with the AWS peer:

crypto isakmp key $VER_SEC_PSK address


Next step is to create the transform set (We have named it AWSTrans), which will be used to protect the data:

crypto ipsec transform-set AWSTrans esp-aes esp-sha-hmac


After that we have to define the Traffic to be protected through the VPN Tunnel using the access-list:

ip access-list extended VPN-TRAFFIC
permit ip


Now, we need to define the Crypto Map which will connect the ISAKMP and IPSec configuration together, that we have defined above:

crypto map AWSMAP 10 ipsec-isakmp
 set peer
 set transform-set AWSTrans
 match address VPN-TRAFFIC


Apply the Crypto Map to the outgoing interface of the router (In our case, it is FastEthernet 0/0)

interface FastEthernet0/0
crypto map AWSMAP


Check the NAT access-list before proceeding:

NAT Show

Add the NAT Bypass entry inside the NAT access-list before the NAT entry, to exclude the AWS VPC Private Subnet(s) to be NAT’d:

ip access-list extended NAT-TRAFFIC
5 deny ip


NAT access-list after modification:

NAT after Change

VPN Configuration on AWS VPC:

Also allow the ICMP packet on internal subnet security group from the remote LAN for testing purpose:


Edit the ipsec.conf file:

vi /etc/ipsec.conf


Here is the addition to the ipsec.conf file (please refer to the ipsec.conf file from previous tutorial):

conn AWS2CiscoConnection


Edit the shared secret file:

vi /etc/ipsec.secrets


Mine ipsec.secrets file as an example:


Restart the IPSec Service & verify the Tunnel status on both Sides:

Restart the IPSec service on Ubuntu at AWS VPC:

service ipsec restart


Verify the status of IPSec service on Ubuntu at AWS VPC:

service ipsec status

5Note: Please don’t panic, just restart the service one more time if it didn’t come up.

Verify the status of IPSec Tunnel on Cisco:

show crypto isakmp sa


Verify that the Traffic is passing through the Tunnel:

Ping from the AWS vpn gateway to the Cisco LAN IP:


Ping from AWS VPC private Subnet to Cisco’s LAN for verification:


Ping from the Local machine to the machine on VPC Private subnet:



Please Remember me in your prayers!

Enjoy 🙂

One response to “Linux IPSec Site-to-Site VPN: AWS VPC & Cisco Router

  1. Maqbool January 26, 2016 at 5:30 am

    Thanks for the tutorial. This is very good and was able to establish the tunnel. I am having an issue if could help me. I am on AWS running Ubuntu/OpenSwan. Other side is WatchGuard. My tunnel is up (thanks for the tutorial).

    root@ip-10-1-200-21:/home/ubuntu# service ipsec status
    IPsec running – pluto pid: 2284
    pluto pid 2284
    1 tunnels up
    some eroutes exist

    also ipsec auto –status shows the tunnel is established.

    When I ping a machine on the other side, I see that the packets are going over the tunnel to the other side, but I dont get back any packets. I confirmed form the other side that they are receiving the packets and are replying, the packets are getting lost. Dont know where to start. Thanks.
    Output of tcpdump while pinging.

    00:25:55.855634 IP > 50.xx.xx.xx.4500: UDP-encap: ESP(spi=0x8f27261f,seq=0xb2), length 116
    00:25:56.863642 IP > 50.xx.xx.xx.4500: UDP-encap: ESP(spi=0x8f27261f,seq=0xb3), length 116
    00:25:57.871648 IP > 50.xx.xx.xx.4500: UDP-encap: ESP(spi=0x8f27261f,seq=0xb4), length 116
    00:25:58.879636 IP > 50.xx.xx.xx.4500: UDP-encap: ESP(spi=0x8f27261f,seq=0xb5), length 116
    00:25:59.887640 IP > 50.xx.xx.xx.4500: UDP-encap: ESP(spi=0x8f27261f,seq=0xb6), length 116
    00:26:00.895636 IP > 50.xx.xx.xx.4500: UDP-encap: ESP(spi=0x8f27261f,seq=0xb7), length 116
    00:26:01.903678 IP > 50.xx.xx.xx.4500: UDP-encap: ESP(spi=0x8f27261f,seq=0xb8), length 116

    Thanks for your help.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: