Welcome back to the AWS Site-to-Site VPN tutorial. Part 1 of this tutorial can be found at this link; in it, the Terraform IaC created the resources in the us-west-2 (Oregon) region, which represents the on-premises DC. In this Part 2, the AWS cloud resources (VPC, VPN and EC2 instance) will be installed in the ap-southeast-1 region. To follow the Part 2 lab, the Part 1 demo must have been created first.

AWS Cloud Steps (AP-SouthEast-1)

1) change the directory to the ap-southeast-1 folder


2) type terraform init, terraform plan and terraform apply.

terraform init
terraform plan
terraform apply --auto-approve

After completion, check the deployed resources in the AWS console. The VPC components and the VPN resources, namely the Customer gateway, Virtual private gateway and VPN connection, are created as seen below.

The Customer gateway IP address is configured to use the Router1 IP address from us-west-2.

The Virtual private gateway is created and attached to the VPC.

The tunnel status shows Down because IPsec has not yet been configured on the Openswan router (Router1) in us-west-2.

OK, now only the final step is left: the IPsec configuration on Router1.

Openswan configuration (IPsec Tunnel)

  • SSH into router1 in the us-west-2 region. (make sure you have updated the SSH public key in the Terraform script)
  • type curl https://raw.githubusercontent.com/ConnecttheCloud/AWS-LAB/main/OpenSwan/openswan-config.sh -o install.sh
  • chmod u+x install.sh
  • sudo ./install.sh

The install.sh script will prompt you to key in the IP addresses and pre-shared keys for the IPsec configuration. Here is a description of the information you have to fill in. Your lab will have different public IP addresses from my case.

  • Tunnel1 on-prem PublicIP: ## Public IP address of your on-prem router
  • Tunnel1 AWS PublicIP: ## Public IP address of AWS Tunnel 1
  • Tunnel1 on-prem PrivateIP PREFIX: ## Private IP prefix of your on-prem subnet range
  • Tunnel1 AWS PrivateIP PREFIX: ## Private IP prefix of the AWS VPC
  • Tunnel1 type PRESHARED KEY: Helloworld123 ## Pre-shared key configured in Terraform
  • Tunnel2 on-prem PublicIP: ## Tunnel 2 public IP address of the on-prem router
  • Tunnel2 AWS PublicIP: ## Public IP address of AWS Tunnel 2
  • Tunnel2 type PRESHARED KEY: Helloworld123 ## Pre-shared key configured for Tunnel 2 in Terraform
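To make the prompts above concrete, here is an added example (not the install.sh script from the ConnecttheCloud repository, and not AWS's own code) that takes the same eight values and renders the two Openswan conn stanzas plus the ipsec.secrets lines that a working configuration needs. Before rendering it runs the checks that catch the most common mistakes when filling in these prompts: an RFC 1918 address typed where the router's public (elastic) IP belongs, a prefix with host bits set, on-prem and AWS prefixes that overlap (nothing would be routed into the tunnel), and a pre-shared key outside the AWS constraints (8 to 64 characters, letters, digits, period and underscore, not starting with 0). The stanza layout and the default ike/phase2alg strings follow the Openswan sample configuration AWS publishes for Site-to-Site VPN; the IP addresses, prefixes and the Tunnel dataclass are constructed for the example.

```python
"""Validate and render Openswan ipsec.conf / ipsec.secrets stanzas for an
AWS Site-to-Site VPN with two tunnels (added example, not the tutorial's script)."""
import ipaddress
import re
from dataclasses import dataclass

# AWS constraint for Site-to-Site VPN pre-shared keys: 8-64 characters,
# letters, digits, '.' and '_', and the first character must not be '0'.
PSK_RE = re.compile(r"[A-Za-z1-9._][A-Za-z0-9._]{7,63}")

# Typing the EC2 interface address instead of the elastic IP is a classic
# mistake; leftid must be the address AWS sees on the wire.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Tunnel:
    name: str              # conn name in ipsec.conf, e.g. "Tunnel1"
    onprem_public_ip: str  # public IP of the on-prem router (leftid)
    aws_public_ip: str     # AWS tunnel outside address (right)
    onprem_prefix: str     # prefix behind the on-prem router (leftsubnet)
    aws_prefix: str        # VPC prefix in AWS (rightsubnet)
    psk: str               # pre-shared key set on the aws_vpn_connection


def validate_psk(psk: str) -> bool:
    return PSK_RE.fullmatch(psk) is not None


def validate_tunnel(t: Tunnel) -> list:
    """Return a list of problems; an empty list means the tunnel can be rendered."""
    problems = []
    for label, ip in (("on-prem public IP", t.onprem_public_ip),
                      ("AWS public IP", t.aws_public_ip)):
        try:
            addr = ipaddress.ip_address(ip)
            if any(addr in net for net in RFC1918):
                problems.append(f"{label} {ip} is an RFC 1918 address, not a public one")
        except ValueError:
            problems.append(f"{label} {ip!r} is not a valid IP address")
    try:
        # strict=True rejects "10.10.0.5/24": a prefix must have no host bits set
        left = ipaddress.ip_network(t.onprem_prefix)
        right = ipaddress.ip_network(t.aws_prefix)
        if left.overlaps(right):
            problems.append(f"prefixes {left} and {right} overlap; traffic would not enter the tunnel")
    except ValueError as e:
        problems.append(f"bad prefix: {e}")
    if not validate_psk(t.psk):
        problems.append("pre-shared key violates AWS constraints (8-64 chars, [A-Za-z0-9._], no leading 0)")
    return problems


def render_conn(t: Tunnel, ike: str = "aes128-sha1;modp1024",
                phase2alg: str = "aes128-sha1;modp1024") -> str:
    """One conn stanza in the layout of AWS's Openswan sample. The algorithm
    strings are parameters so they can be raised (e.g. AES-256/SHA-256/DH 14)
    in step with the tunnel options set in Terraform; assumed defaults here."""
    lines = [
        f"conn {t.name}",
        "\tauthby=secret",
        "\tauto=start",
        "\tleft=%defaultroute",
        f"\tleftid={t.onprem_public_ip}",
        f"\tright={t.aws_public_ip}",
        "\ttype=tunnel",
        "\tikelifetime=8h",
        "\tkeylife=1h",
        f"\tphase2alg={phase2alg}",
        f"\tike={ike}",
        "\tkeyingtries=%forever",
        "\tkeyexchange=ike",
        f"\tleftsubnet={t.onprem_prefix}",
        f"\trightsubnet={t.aws_prefix}",
        "\tdpddelay=10",
        "\tdpdtimeout=30",
        "\tdpdaction=restart_by_peer",
    ]
    return "\n".join(lines) + "\n"


def render_secret(t: Tunnel) -> str:
    """ipsec.secrets line: '<local id> <peer ip>: PSK "<key>"'."""
    return f'{t.onprem_public_ip} {t.aws_public_ip}: PSK "{t.psk}"\n'


def render_all(tunnels):
    """Validate every tunnel, then return (ipsec.conf text, ipsec.secrets text)."""
    bad = {t.name: p for t in tunnels if (p := validate_tunnel(t))}
    if bad:
        raise ValueError(bad)
    conf = "".join(render_conn(t) + "\n" for t in tunnels)
    secrets = "".join(render_secret(t) for t in tunnels)
    return conf, secrets


# Constructed sample values (documentation ranges), not real lab addresses.
SAMPLE_TUNNELS = [
    Tunnel("Tunnel1", "203.0.113.10", "198.51.100.1", "10.10.0.0/16", "10.20.0.0/16", "Helloworld123"),
    Tunnel("Tunnel2", "203.0.113.10", "198.51.100.2", "10.10.0.0/16", "10.20.0.0/16", "Helloworld123"),
]

if __name__ == "__main__":
    conf, secrets = render_all(SAMPLE_TUNNELS)
    print(conf)
    print(secrets)
```

Both conn stanzas carry the same leftsubnet and rightsubnet and auto=start, which is how the AWS sample brings up both tunnels for a single static route; the pre-shared key is the only secret in the exchange, so keeping it out of the committed Terraform file (for example in a variable marked sensitive) is worth the small extra effort.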

The command "systemctl status ipsec -l" shows that both tunnel 1 and tunnel 2 have completed the ISAKMP negotiation and established their security associations. The AWS console should show the tunnel status as UP after a few minutes.

Congratulations! You have successfully set up the IPsec site-to-site tunnel with a static route.

