AWS EC2 openSWAN

Given that you would want a cluster of sipXecs servers on Amazon's AWS EC2 that are in different Regions, you may want to connect them using a VPN. Following are instructions to configure openSWAN for this purpose. I did this with CentOS 6.3 provided by CentOS from the AWS Marketplace. I'm not a Linux expert and I didn't figure this out myself – I liberally copied from others. If you figure out a better way, please amend!

sipXecs 4.6 "update 4 modified" successfully maintains its MongoDB replication between a Primary and a Secondary server in a cluster over this link.

Assumptions

The instructions assume an East and a West machine with the following IP addresses that you need to substitute with your own:

Machine   Private IP      External IP
West      10.150.6.135    50.111.154.248
East      10.150.4.134    107.22.235.173

You must ensure that the AWS EC2 or VPC Security Groups you are using for these instances allow incoming traffic from their counterpart's addresses: both the EIP and the private IP. If you want to allow only the necessary ports and protocols, I would suggest you do that after successfully establishing a connection.

This configuration is suitable to connect machine A to machine B, or in other words to connect two /32 subnets. It's possible to use this for larger subnets, but then you need to do more in both the openSWAN settings and the AWS EC2 settings. Those extra steps are not documented in this article.

If you have problems establishing a connection, I'd suggest that, for testing only, you first allow all traffic in from anywhere on both the East and the West machine. Once the VPN works, then figure out what you're doing with your Security Groups.

My last hint if things are not working is to super-double-check every setting in your files... it's easy to get confused between the internal and external IP addresses used by East and West and the IPsec Left and Right terminology.

ipsec.conf

On both the east and the west machine:

yum install openswan lsof -y
vi /etc/ipsec.conf

uncomment the last line (remove the leading #):

include /etc/ipsec.d/*.conf

add the virtual_private setting for reference; you really ought not to leave it blank, but things will probably work fine in this limited /32-to-/32 situation:

virtual_private=

and save.

eastwest.secrets

On both the east and the west machine:

vi /etc/ipsec.d/eastwest.secrets

Copy the following lines, adjust the IP addresses to the External IPs of East and West (they must match the leftid and rightid values used in the conn definitions below), and replace the secrets (keep the quotes) with something long (>14 characters) and totally random:

50.111.154.248 107.22.235.173 : PSK "VERYLONGANDSECRET1"
107.22.235.173 50.111.154.248 : PSK "VERYLONGANDSECRET2"

west2east.conf

On the west machine only:

vi /etc/ipsec.d/west2east.conf

Copy the following lines and adjust the IP addresses (leftsubnet and rightsubnet are the two private IPs as /32s and must mirror the east file):

conn west2east
  authby=secret
  auto=start
  type=tunnel
  #Left is "this" side i.e. us-west: its private IP, identified by its Elastic IP
  left=10.150.6.135
  leftid=50.111.154.248
  leftsubnet=10.150.6.135/32
  #Right is the other side i.e. us-east so right becomes the Elastic IP of us-east, and
  #rightsubnet becomes the us-east instance's private IP
  right=107.22.235.173
  rightsubnet=10.150.4.134/32
  ike=aes256-sha1;modp2048
  phase2=esp
  phase2alg=aes256-sha1;modp2048
  #both instances sit behind AWS NAT (EIP -> private IP), so force NAT-T UDP encapsulation
  forceencaps=yes

east2west.conf

On the east machine only:

vi /etc/ipsec.d/east2west.conf

Copy the following lines and adjust the IP addresses:

conn west2east
  authby=secret
  auto=start
  type=tunnel
  #Left is "this" side i.e. us-east: its private IP, identified by its Elastic IP
  left=10.150.4.134
  leftid=107.22.235.173
  leftsubnet=10.150.4.134/32
  #Right is the other side i.e. us-west so right becomes the Elastic IP of us-west, and
  #rightsubnet becomes the us-west instance's private IP
  right=50.111.154.248
  rightsubnet=10.150.6.135/32
  ike=aes256-sha1;modp2048
  phase2=esp
  phase2alg=aes256-sha1;modp2048
  #both instances sit behind AWS NAT (EIP -> private IP), so force NAT-T UDP encapsulation
  forceencaps=yes

Initiate the tunnel

Run these commands to start the tunnel and to make sure it starts on reboot:

service ipsec start
chkconfig ipsec on

Verify that the tunnel is up with

service ipsec status

For whatever reason, it may report more than one tunnel up; that is fine.

Now also test by pinging from one site to the other using the other's private IP address.
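As an added example (not part of the original article), the following script generates both conn files and the shared secrets file from the four addresses in the Assumptions table, using one function for both sides so that Left/Right and the /32 subnets are mirrored by construction, and then checks that they mirror. It writes a single secrets line indexed by both EIPs, since the index is unordered; the IP values are the article's samples and must be replaced with your own.

```sh
#!/bin/sh
# Added example (not from the article): generate the two mirrored conn files and
# the shared secrets file from the four addresses in the Assumptions table, so
# Left/Right and East/West cannot get mixed up. Sample IPs are the article's.
WEST_PRIV=10.150.6.135; WEST_EIP=50.111.154.248
EAST_PRIV=10.150.4.134; EAST_EIP=107.22.235.173

# gen_conn NAME THIS_PRIV THIS_EIP PEER_EIP PEER_PRIV -> conn definition on stdout.
# Left is always "this" host: its NAT'd private address, identified by its EIP.
gen_conn() {
  printf 'conn %s\n  authby=secret\n  auto=start\n  type=tunnel\n' "$1"
  printf '  # Left is this host: private address, identified by its Elastic IP\n'
  printf '  left=%s\n  leftid=%s\n  leftsubnet=%s/32\n' "$2" "$3" "$2"
  printf '  # Right is the peer: its Elastic IP, tunnelling to its private /32\n'
  printf '  right=%s\n  rightsubnet=%s/32\n' "$4" "$5"
  printf '  ike=aes256-sha1;modp2048\n  phase2=esp\n  phase2alg=aes256-sha1;modp2048\n'
  printf '  # both instances sit behind AWS NAT (EIP -> private), so force NAT-T\n'
  printf '  forceencaps=yes\n'
}
# conn_get FILE KEY -> value of KEY in FILE
conn_get() { sed -n "s/^ *$2=//p" "$1"; }

# check_mirror WESTFILE EASTFILE: each side's leftsubnet must equal the peer's
# rightsubnet, otherwise phase 2 finds no matching connection on the responder.
check_mirror() {
  [ "$(conn_get "$1" leftsubnet)" = "$(conn_get "$2" rightsubnet)" ] &&
  [ "$(conn_get "$2" leftsubnet)" = "$(conn_get "$1" rightsubnet)" ]
}
# gen_psk -> 32 random bytes as 64 hex characters (well past the >14 minimum)
gen_psk() { dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n'; }

# gen_secrets PSK -> one ipsec.secrets line indexed by both EIPs (the index is
# unordered, so one line serves both directions); identical copy on both hosts.
gen_secrets() { printf '%s %s : PSK "%s"\n' "$WEST_EIP" "$EAST_EIP" "$1"; }

# write_all DIR: write west2east.conf, east2west.conf and eastwest.secrets into
# DIR and verify they mirror; copy each to /etc/ipsec.d/ on the matching host.
write_all() {
  mkdir -p "$1"
  gen_conn west2east "$WEST_PRIV" "$WEST_EIP" "$EAST_EIP" "$EAST_PRIV" > "$1/west2east.conf"
  gen_conn east2west "$EAST_PRIV" "$EAST_EIP" "$WEST_EIP" "$WEST_PRIV" > "$1/east2west.conf"
  gen_secrets "$(gen_psk)" > "$1/eastwest.secrets"
  chmod 600 "$1/eastwest.secrets"
  check_mirror "$1/west2east.conf" "$1/east2west.conf"
}
if [ $# -eq 1 ]; then write_all "$1" && echo "conn files mirror each other: $1"; fi
```

Run it as `sh gen-ipsec.sh /tmp/ipsec-gen`, then copy west2east.conf and the secrets file to the West host and east2west.conf and the same secrets file to the East host.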