Launch an Instance
- Click the "Launch Instance" button
- Choose "Basic 32-bit Amazon Linux AMI 1.0"
- Set "Micro" instance type
- Download a new SSH key (or use an existing one)
- Configure a security group (this is the firewall service) like this:
Configure OpenSwan on the EC2 Instance
- Connect to the instance using the directions found here.
- Install IPsec packages:
sudo yum -y update
sudo yum -y install openswan openswan-doc ipsec-tools
- Set some variables that will be useful later:
# The private IP address assigned to your EC2 instance.
EC2PRIVATE=`/sbin/ifconfig eth0|grep Bcast|cut -d: -f 2|cut -d' ' -f 1`
# The public IP address assigned to your EC2 instance.
EC2PUBLIC=`curl -s http://169.254.169.254/latest/meta-data/public-ipv4`
# The public IP address of the home router
HOMEPUBLIC=1.2.3.4
# The private address space in use at home
HOMEPRIVATE=192.168.0.0/16
# Generate a secret key
PSK=`< /dev/urandom tr -dc a-zA-Z0-9_ | head -c30`
- Configure the 'home' openswan connection. The leading whitespace is important here.
echo "conn home" > /tmp/home.conf
echo " left=%defaultroute" >> /tmp/home.conf
echo " leftsubnet=$EC2PRIVATE/32" >> /tmp/home.conf
echo " leftid=$EC2PUBLIC" >> /tmp/home.conf
echo " right=$HOMEPUBLIC" >> /tmp/home.conf
echo " rightid=$HOMEPUBLIC" >> /tmp/home.conf
echo " rightsubnet=$HOMEPRIVATE" >> /tmp/home.conf
echo " authby=secret" >> /tmp/home.conf
echo " ike=aes128-sha1-modp1024" >> /tmp/home.conf
echo " esp=aes128-sha1" >> /tmp/home.conf
echo " pfs=yes" >> /tmp/home.conf
echo " forceencaps=yes" >> /tmp/home.conf
echo " auto=start" >> /tmp/home.conf
- Configure the 'home' preshared key:
echo "$EC2PUBLIC $HOMEPUBLIC: PSK \"$PSK\"" > /tmp/home.secrets
- Enable the IPsec service:
sudo sed 's!^#\(include /etc/ipsec.d/\*.conf\)!\1!' /etc/ipsec.conf > /tmp/ipsec.conf
sudo chmod 600 /tmp/home.* /tmp/ipsec.conf
sudo chown root:root /tmp/home.* /tmp/ipsec.conf
sudo mv /tmp/home.* /etc/ipsec.d
sudo mv /tmp/ipsec.conf /etc
sudo chkconfig ipsec on
sudo service ipsec start
Configure the IOS end of the tunnel
We'll need one more variable to build the IOS configuration:
# The home router interface that faces the Internet (the crypto map is applied here)
HOMEEXTIF=FastEthernet0/0
Paste the following text into the EC2 command line. It should spit out IPsec configuration for your IOS device:
cat > /tmp/IOS.cfg << EOF
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key $PSK address $EC2PUBLIC no-xauth
crypto ipsec security-association lifetime seconds 1800
ip access-list extended AMAZON-CRYPTO-ACL
 permit ip any host $EC2PRIVATE
crypto ipsec transform-set AMAZON-TRANSFORM-SET esp-aes esp-sha-hmac
crypto map INTERNET-CRYPTO 10 ipsec-isakmp
 description Amazon EC2 instance
 set peer $EC2PUBLIC
 set transform-set AMAZON-TRANSFORM-SET
 set pfs group2
 match address AMAZON-CRYPTO-ACL
interface $HOMEEXTIF
 crypto map INTERNET-CRYPTO
EOF
clear
cat /tmp/IOS.cfg
That's it! Now I can ping the private ($EC2PRIVATE) address of the EC2 instance from one of my internal machines at home. This works in my environment because the 10.x.x.x address assigned by Amazon happens to fall within the default route in use by my home gateway. You may need to add a static route if you're pushing the 10/8 block elsewhere in your environment.
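A mismatch between the two ends (IKE proposal, transform-set, PFS group, peer identity or traffic selector) is the usual reason a tunnel like this never comes up, so here is an added consistency check, not part of the original post: it parses the OpenSwan conn block and the IOS config, maps IOS keywords and IOS defaults onto OpenSwan's ike=/esp= names, and lists every disagreement. The sample conn and IOS text below are constructed for the example, with invented addresses.

```python
import re

# IOS keyword -> OpenSwan algorithm name. IOS defaults when a policy line is omitted: encr des, hash sha, group 1.
ENCR = {"aes": "aes128", "aes 192": "aes192", "aes 256": "aes256", "3des": "3des"}
HASH = {"sha": "sha1", "md5": "md5"}
GROUP = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}
ESP = {"esp-aes": "aes128", "esp-aes 256": "aes256", "esp-3des": "3des",
       "esp-sha-hmac": "sha1", "esp-md5-hmac": "md5"}

def field(text, pattern, default=None):
    """First regex capture in text (patterns are line-anchored), else the default."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else default

def mismatches(conn_text, ios_text):
    """List the points where the OpenSwan conn and the IOS crypto config disagree."""
    c = dict(re.findall(r"^\s+(\w+)=(\S+)", conn_text, re.M))
    out = []
    # Phase 1: ike=<enc>-<hash>-<group> versus the 'crypto isakmp policy' lines.
    ike = "-".join([ENCR.get(field(ios_text, r"^ encr (.+)$", "des"), "?"),
                    HASH.get(field(ios_text, r"^ hash (\w+)$", "sha"), "?"),
                    GROUP.get(field(ios_text, r"^ group (\d+)$", "1"), "?")])
    if c.get("ike") != ike:
        out.append(f"ike: openswan={c.get('ike')} ios={ike}")
    # Phase 2: esp=<enc>-<auth> versus the transform-set.
    ts = field(ios_text, r"^crypto ipsec transform-set \S+ (.+)$", "")
    esp = "-".join(ESP.get(p, "?") for p in re.findall(r"esp-\S+(?: \d+)?", ts))
    if c.get("esp") != esp:
        out.append(f"esp: openswan={c.get('esp')} ios={esp}")
    # PFS: pfs=yes (OpenSwan's default) reuses the IKE group, so 'set pfs' must name that group.
    pfs = GROUP.get(field(ios_text, r"^ set pfs group(\d+)$"))
    want = ike.rsplit("-", 1)[-1] if c.get("pfs", "yes") == "yes" else None
    if pfs != want:
        out.append(f"pfs: openswan={want} ios={pfs}")
    # Identity and traffic selector: the peer must be leftid, the ACL host must be leftsubnet.
    if field(ios_text, r"^ set peer (\S+)$") != c.get("leftid"):
        out.append(f"peer: expected leftid {c.get('leftid')}")
    if field(ios_text, r"^ permit ip any host (\S+)$") != c.get("leftsubnet", "/").split("/")[0]:
        out.append("acl: host does not match leftsubnet")
    return out

# Constructed samples (addresses invented): the conn written by the echo lines above, and its IOS.cfg.
CONN = ("conn home\n leftsubnet=10.1.2.3/32\n leftid=203.0.113.10\n"
        " ike=aes128-sha1-modp1024\n esp=aes128-sha1\n pfs=yes\n")
IOS = ("crypto isakmp policy 10\n encr aes\n authentication pre-share\n group 2\n"
       "ip access-list extended AMAZON-CRYPTO-ACL\n permit ip any host 10.1.2.3\n"
       "crypto ipsec transform-set AMAZON-TRANSFORM-SET esp-aes esp-sha-hmac\n"
       "crypto map INTERNET-CRYPTO 10 ipsec-isakmp\n set peer 203.0.113.10\n set pfs group2\n")

if __name__ == "__main__":
    print(mismatches(CONN, IOS) or "both ends agree")
```

Feed it the real /etc/ipsec.d/home.conf and /tmp/IOS.cfg contents to check a deployment before starting the ipsec service.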
Being able to talk securely to the private address is preferable to using the public one because of applications (SIP, FTP) that embed IP address information into their application payload. These don't NAT well, and now they don't have to.
If you want to be able to talk securely to the public address of an EC2 instance, that can probably be done with a dummy interface on the EC2 end. I'll work on that later.