Description
In this post I'll show how to install, configure and test an IPsec site-to-site tunnel between two Linux gateways using Openswan (https://www.openswan.org/), authenticated with a pre-shared key (PSK).
This POC uses CentOS 6.9 as the operating system, but the ipsec.conf configuration is the same on any Linux distribution; only the installation step differs. Note that CentOS 6 reached end of life in November 2020, and CentOS 7 and later ship libreswan (a fork of openswan) whose ipsec.conf syntax is largely compatible with what is shown here.
Installation on both instances
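# Run as root on BOTH instances (the leading "#" in the original transcript is
# the root prompt, not a comment).
yum install openswan

# /etc/ipsec.conf must pull in the per-connection files from /etc/ipsec.d/.
# The CentOS 6 package ships this line commented out, so uncomment or add it:
#     include /etc/ipsec.d/*.conf
# The *.secrets files created below likewise rely on /etc/ipsec.secrets
# containing
#     include /etc/ipsec.d/*.secrets
# which the packaged default should already have; confirm with
#     grep include /etc/ipsec.secrets
cd /etc/ipsec.d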
On first Linux instance
[root@ip ipsec.d]# cat vpc1-to-vpc2.conf
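conn vpc1-to-vpc2
    # Every parameter line inside a conn section must be indented with
    # whitespace; an unindented line starts a new section.
    type=tunnel
    authby=secret
    # Pin the IKE (phase 1) and ESP (phase 2) proposals. Without these lines
    # openswan negotiates from its built-in default list, which still offers
    # 3DES/MD5/modp1024, and the weakest proposal both peers share can win.
    # If this openswan build rejects sha2_256, use sha1 here rather than
    # leaving the proposal unpinned.
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256;modp2048
    left=%defaultroute
    leftnexthop=%defaultroute
    # leftid is the PUBLIC IP of this instance. left=%defaultroute resolves to
    # the address on the interface, so if that is a private address (1:1 NAT,
    # as on EC2) both peers are behind NAT and nat_traversal=yes must be set
    # in the "config setup" section of /etc/ipsec.conf -- verify it is.
    leftid=52.207.165.242
    # Subnet behind this instance.
    leftsubnet=10.6.0.0/16
    # Public IP of the remote instance and the subnet behind it.
    right=52.9.99.136
    rightsubnet=10.7.0.0/16
    pfs=yes
    # Dead peer detection: re-establish the tunnel if the peer stops
    # answering instead of black-holing traffic until the SA expires.
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start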
[root@ip ipsec.d]# cat vpc1-to-vpc2.secrets
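# Format: <local id> <remote id>: PSK "<secret>"
# The ids must match leftid/right of the conn, and the identical secret must
# be configured on the peer. Keep this file root-owned with mode 0600 and
# never copy it into version control or a ticket.
52.207.165.242 52.9.99.136: PSK "KhyK9iy97AsNnsqnd/dMVzX11itO1oJQ4"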
Note: Use your own PSK — generate a long random one (for example `openssl rand -base64 48`), configure the identical value on both instances, and keep the .secrets file root-owned with mode 0600.
On second Linux instance
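# As root, same directory as on the first instance.
cd /etc/ipsec.d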
[root@ip ipsec.d]# cat vpc2-to-vpc1.conf
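conn vpc2-to-vpc1
    # Every parameter line inside a conn section must be indented with
    # whitespace; an unindented line starts a new section.
    type=tunnel
    authby=secret
    # Pin the IKE (phase 1) and ESP (phase 2) proposals; must match the peer.
    # Without these lines openswan negotiates from its built-in default list,
    # which still offers 3DES/MD5/modp1024. If this build rejects sha2_256,
    # use sha1 rather than leaving the proposal unpinned.
    ike=aes256-sha2_256;modp2048
    phase2alg=aes256-sha2_256;modp2048
    left=%defaultroute
    leftnexthop=%defaultroute
    # leftid is the PUBLIC IP of this instance (the original listing mislabels
    # leftsubnet below as a public IP). If the interface carries a private
    # address behind 1:1 NAT, nat_traversal=yes must be set in the
    # "config setup" section of /etc/ipsec.conf -- verify it is.
    leftid=52.9.99.136
    # Subnet behind this instance.
    leftsubnet=10.7.0.0/16
    # Public IP of the remote instance and the subnet behind it.
    right=52.207.165.242
    rightsubnet=10.6.0.0/16
    pfs=yes
    # Dead peer detection, mirrored from the other side.
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart
    auto=start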
[root@ip ipsec.d]# cat vpc2-to-vpc1.secrets
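# Format: <local id> <remote id>: PSK "<secret>"
# Same secret as on the first instance, with the ids in the local-first
# order. Keep this file root-owned with mode 0600.
52.9.99.136 52.207.165.242: PSK "KhyK9iy97AsNnsqnd/dMVzX11itO1oJQ4"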
Note: Use your own PSK — the same randomly generated value as on the first instance, never the example string above.
On both instances
cat /etc/sysctl.conf
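# Kernel settings for an IPsec gateway. /etc/sysctl.conf is read at boot;
# apply it immediately with `sysctl -p`.

# Forward packets between the tunnel and the local subnet.
net.ipv4.ip_forward = 1

# ICMP redirects would let hosts (or the gateway itself) be steered around the
# tunnel route; `ipsec verify` flags every interface that still has them on.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# For send_redirects the kernel ORs the "all" value with the per-interface
# value, so "all = 0" alone does not switch it off. The "default" keys cover
# interfaces created after this file is loaded; for interfaces that already
# exist also set net.ipv4.conf.<iface>.send_redirects = 0.
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0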
Apply the kernel settings, enable and start the ipsec service, then verify the configuration and test the tunnel
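# Run as root on BOTH instances.

# Apply the sysctl changes. The original transcript restarts the network
# service (apparently to reload sysctl.conf); `sysctl -p` does that directly
# without dropping connectivity.
sysctl -p

# Enable at boot and start now (SysV init on CentOS 6).
chkconfig ipsec on
service ipsec start

# `ipsec verify` checks the kernel prerequisites (ip_forward, redirects,
# NETKEY stack). Fix every FAILED/WARNING line before trusting the tunnel.
ipsec verify
service ipsec status

# Confirm the tunnel actually came up: the conn should report
# "IPsec SA established" on both sides, and a host in 10.6.0.0/16 should be
# able to reach one in 10.7.0.0/16 (and vice versa).
ipsec auto --status | grep 'IPsec SA'

# If it does not come up, check the path between the two public IPs first:
# UDP/500 (IKE), UDP/4500 (NAT-T) and IP protocol 50 (ESP) must be allowed in
# both directions. The vpc1/vpc2 naming suggests AWS; if so, also disable
# Source/Destination Check on both instances and add a VPC route for the
# remote subnet pointing at the local instance, otherwise hosts behind the
# gateway cannot use the tunnel.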