In this tutorial, we will reuse the Site-to-Site VPN scenario with one modification: the customer site now uses a Cisco router, which acts as both the LAN gateway and the VPN gateway, while on the AWS side we use the exact same Ubuntu Linux router.
Please review the previous tutorial before starting, as I'll use it as the base for this one.
Note: Please don't waste your time hacking these devices; all the public devices and IPs are temporary, and I destroyed them after finishing this tutorial.
VPN Configuration on Cisco Site:
The first step is to configure an ISAKMP Phase 1 policy:
crypto isakmp policy 1
encryption aes 128
hash sha
authentication pre-share
group 2

Next, we need to set the pre-shared key for authentication with the AWS peer:
crypto isakmp key $VER_SEC_PSK address 54.219.146.242

The next step is to create the transform set (we have named it AWSTrans), which will be used to protect the data:
crypto ipsec transform-set AWSTrans esp-aes esp-sha-hmac

After that, we have to define the traffic to be protected through the VPN tunnel using an access-list:
ip access-list extended VPN-TRAFFIC
permit ip 192.168.168.0 0.0.0.255 10.100.0.0 0.0.255.255

Now we need to define the crypto map, which ties together the ISAKMP and IPsec configuration defined above:
crypto map AWSMAP 10 ipsec-isakmp
set peer 54.219.146.242
set transform-set AWSTrans
match address VPN-TRAFFIC

Apply the crypto map to the outgoing interface of the router (in our case, FastEthernet 0/0):
interface FastEthernet0/0
crypto map AWSMAP

Check the NAT access-list before proceeding:

Add the NAT bypass entry to the NAT access-list, before the NAT entry, so that traffic to the AWS VPC private subnet(s) is excluded from NAT:
ip access-list extended NAT-TRAFFIC
5 deny ip 192.168.168.0 0.0.0.255 10.100.0.0 0.0.255.255

NAT access-list after modification:

VPN Configuration on AWS VPC:
Also allow ICMP on the internal subnet's security group from the remote LAN, for testing purposes:

Edit the ipsec.conf file:
vi /etc/ipsec.conf

Here is the addition to the ipsec.conf file (please refer to the ipsec.conf file from previous tutorial):
conn AWS2CiscoConnection
left=10.100.10.10
leftsubnets=10.100.0.0/16
leftid=54.219.146.242
leftsourceip=10.100.10.10
right=25.109.210.75
rightsubnets=192.168.168.0/24
rightid=25.109.210.75
pfs=no
forceencaps=yes
authby=secret
auto=start
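
As an added example (not part of this tutorial), here is a small Python checker for two classic causes of a tunnel that shows "up" while no traffic flows: the Cisco VPN-TRAFFIC ACL must mirror the Openswan leftsubnets/rightsubnets exactly, and the NAT-TRAFFIC deny must be matched before the NAT permit. The ACL and conn texts are copied from this page; the NAT permit line (sequence 10) is an assumption, since the page's screenshot of NAT-TRAFFIC is missing.

```python
import ipaddress

# Constructed copies of the tutorial's ACLs and Openswan conn; the NAT permit (seq 10) is assumed.
CISCO_VPN_ACL = """ip access-list extended VPN-TRAFFIC
 permit ip 192.168.168.0 0.0.0.255 10.100.0.0 0.0.255.255"""
CISCO_NAT_ACL = """ip access-list extended NAT-TRAFFIC
 5 deny ip 192.168.168.0 0.0.0.255 10.100.0.0 0.0.255.255
 10 permit ip 192.168.168.0 0.0.0.255 any"""
OPENSWAN_CONN = """conn AWS2CiscoConnection
 leftsubnets=10.100.0.0/16
 rightsubnets=192.168.168.0/24"""

def wildcard_to_network(addr, wildcard):
    """Cisco wildcard mask (0.0.0.255) -> /24 network; rejects non-contiguous masks."""
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - bits.bit_length()}", strict=True)

def _take(tokens):
    """Consume one ACE address term: 'any' or 'A.B.C.D W.W.W.W'."""
    t = tokens.pop(0)
    return ipaddress.ip_network("0.0.0.0/0") if t == "any" else wildcard_to_network(t, tokens.pop(0))

def parse_acl(text):
    """[(action, src_net, dst_net)] for each 'permit/deny ip' entry, in ACL order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0].isdigit():
            tokens.pop(0)                   # strip the IOS sequence number ("5 deny ...")
        if len(tokens) >= 4 and tokens[0] in ("permit", "deny") and tokens[1] == "ip":
            rest = tokens[2:]
            entries.append((tokens[0], _take(rest), _take(rest)))
    return entries

def first_match(acl, src, dst):
    """Action of the first ACE covering src->dst; IOS ends every ACL with an implicit deny."""
    return next((a for a, s, d in acl if src.subnet_of(s) and dst.subnet_of(d)), "deny")

def selectors_mirror(vpn_acl, conn_text):
    """VPN-TRAFFIC must mirror the Openswan subnets: Cisco src = rightsubnets, dst = leftsubnets."""
    conn = dict(l.strip().split("=", 1) for l in conn_text.splitlines() if "=" in l)
    want = (ipaddress.ip_network(conn["rightsubnets"]), ipaddress.ip_network(conn["leftsubnets"]))
    return want in [(s, d) for a, s, d in parse_acl(vpn_acl) if a == "permit"]

def nat_bypass_ok(nat_acl, vpn_acl):
    """Each VPN flow must hit a deny in NAT-TRAFFIC before any permit, or it is NAT'd first."""
    nat = parse_acl(nat_acl)
    return all(first_match(nat, s, d) == "deny" for a, s, d in parse_acl(vpn_acl) if a == "permit")
```

A selector that is a strict subnet of the other side's (for example /25 against /24) or a NAT permit placed before the deny both make the checks fail, which is exactly the kind of mismatch that leaves Phase 1 up but the ping unanswered.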

Edit the shared secret file:
vi /etc/ipsec.secrets

My ipsec.secrets file, as an example:

Restart the IPSec Service & verify the Tunnel status on both Sides:
Restart the IPSec service on Ubuntu at AWS VPC:
service ipsec restart

Verify the status of IPSec service on Ubuntu at AWS VPC:
service ipsec status
Note: Please don't panic; just restart the service one more time if it doesn't come up.
Verify the status of IPSec Tunnel on Cisco:
show crypto isakmp sa

Verify that the Traffic is passing through the Tunnel:
Ping from the AWS vpn gateway to the Cisco LAN IP:

Ping from AWS VPC private Subnet to Cisco’s LAN for verification:

Ping from the Local machine to the machine on VPC Private subnet:


Please Remember me in your prayers!
Enjoy 🙂
Thanks for the tutorial. This is very good and was able to establish the tunnel. I am having an issue if could help me. I am on AWS running Ubuntu/OpenSwan. Other side is WatchGuard. My tunnel is up (thanks for the tutorial).
root@ip-10-1-200-21:/home/ubuntu# service ipsec status
IPsec running - pluto pid: 2284
pluto pid 2284
1 tunnels up
some eroutes exist
also ipsec auto --status shows the tunnel is established.
When I ping a machine on the other side, I see that the packets are going over the tunnel to the other side, but I don't get back any packets. I confirmed from the other side that they are receiving the packets and are replying; the packets are getting lost. Don't know where to start. Thanks.
Output of tcpdump while pinging.
00:25:55.855634 IP 10.1.200.21.4500 > 50.xx.xx.xx.4500: UDP-encap: ESP(spi=0x8f27261f,seq=0xb2), length 116
00:25:56.863642 IP 10.1.200.21.4500 > 50.xx.xx.xx.4500: UDP-encap: ESP(spi=0x8f27261f,seq=0xb3), length 116
00:25:57.871648 IP 10.1.200.21.4500 > 50.xx.xx.xx.4500: UDP-encap: ESP(spi=0x8f27261f,seq=0xb4), length 116
00:25:58.879636 IP 10.1.200.21.4500 > 50.xx.xx.xx.4500: UDP-encap: ESP(spi=0x8f27261f,seq=0xb5), length 116
00:25:59.887640 IP 10.1.200.21.4500 > 50.xx.xx.xx.4500: UDP-encap: ESP(spi=0x8f27261f,seq=0xb6), length 116
00:26:00.895636 IP 10.1.200.21.4500 > 50.xx.xx.xx.4500: UDP-encap: ESP(spi=0x8f27261f,seq=0xb7), length 116
00:26:01.903678 IP 10.1.200.21.4500 > 50.xx.xx.xx.4500: UDP-encap: ESP(spi=0x8f27261f,seq=0xb8), length 116
Thanks for your help.