Given that you would want a cluster of sipXecs servers on Amazon's AWS EC2 that are in different Regions, you may to connect them using a VPN. Following are instructions to configure openSWAN for this purpose. I did this with CentOS 6.3 provided by CentOS from the AWS Marketplace. I'm not a Linux expert, I didn't figure this out – I liberally copied from others. If you figure a better way, please amend!
sipXecs 4.6 "update 4 modified' maintains its MongoDB succesfully between a Primary and a Secondary server in a cluster over this link.
Assumptions
The instructions assume an East and a West machine with the following IP addresses that you need to substitute with your own:
Machine | Private IP | External IP |
---|---|---|
West | 10.150.6.135 | 50.111.154.248 |
East | 10.150.4.134 | 107.22.235.173 |
You must ensure that the AWS EC2 or VPC Security Groups you are using for these instances allow incoming traffic from their counterpart's IP addresses: both the EIP and the private IP. If you feel you want to allow only necessary ports & protocols, I would suggest you do that after succesfully establishing a connection.
This configuration is suitable to connect machine A to machine B, or in other words to connect two /32 subnets. It's possible to use this for larger subnets, but then you do need to do more things both in the openSWAN settings, and on the AWS EC2 settings. These 'more things' are not documented in this article.
If you have problems establishing a connection, I'd suggest first that, for testing only, you allow all traffic in from anywhere on both the East and the West machine. ONce the VPN works, then figure out what you're doing with your Security Groups.
My last hint if things are not working is to super-double-check every setting in your files... it's easy to get confused with the internal and external IP addresses used by East and West and the IPSec Left and Right terminology.
ipsec.conf
On both the east and the west machine:
yum install openswan lsof -y
vi /etc/ipsec.conf
remove the # from the last line:
include /etc/ipsec.d/*.conf
add the virtual_private setting for reference; you really ought to not leave it blank, but things probably will work fine in this limited situation:
virtual_private=
and save.
eastwest.secrets
On both the east and the west machine:
vi /etc/ipsec.d/eastwest.secrets
Copy the following lines, replace the secrets (keep the quotes) with something long (>14 characters) and totally random:
107.22.132.99 50.111.163.10 : "VERYLONGANDSECRET1"
50.111.163.10 107.22.132.99 : "VERYLONGANDSECRET2"
west2east.conf
On the west machine only:
vi /etc/ipsec.d/west2east.conf
Copy the following lines and adjust the IP addresses:
conn west2east
authby=secret
auto=start
type=tunnel
#Left is "this" side
left=10.150.6.135
leftid=50.111.154.248
leftsubnet=10.150.006.128/32
#Right is the other side i.e. us-east so right and rightsubnet become
# Elastic IP of us-east NAT instance and the VPC CIDR for the us-east VPC
right=107.22.235.173
rightsubnet=10.150.004.128/32
ike=aes256-sha1;modp2048
phase2=esp
phase2alg=aes256-sha1;modp2048
forceencaps=yes
east2west.conf
On the east machine only:
vi /etc/ipsec.d/east2west.conf
Copy the following lines and adjust the IP addresses:
conn west2east
authby=secret
auto=start
type=tunnel
#Left is "this" side i.e. us-east
left=10.150.4.134
leftid=107.22.235.173
leftsubnet=10.150.4.134/32
#Right is the other side i.e. us-west so right becomes the Elastic IP of us-west, and
#rightsubnet becomes the us-west instance's private IP
right=50.111.154.248
rightsubnet=10.150.6.135/32
ike=aes256-sha1;modp2048
phase2=esp
phase2alg=aes256-sha1;modp2048
forceencaps=yes
Initiate the tunnel
Type in the command to start the tunnel, and to make sure it starts on reboot:
service ipsec start
chkconfig ipsec on
Verify that the tunnel is up with
service ipsec status
For whatever reason, it’ll possibly give you more than 1 tunnel up.
Also now test by doing a ping from one site to the other using theother's private IP address.