OpenSwan, Amazon VPC, and Cisco ASA. Putting it all together.


Recently I have been working on the growing need for a private cloud that lets me use EC2 instances in a secure environment. Right now I have a network behind a Cisco ASA, which acts as the front end and does what I need it to do. I started looking into Amazon VPC, since I could create an IPSec tunnel directly from my network behind the ASA into the Amazon cloud. Then, after reading about how cool it was, I realized the big issue: the ASA alone wasn’t compatible with VPC. This of course was a major downer, since I didn’t want to purchase new hardware and redesign my network just to get a private cloud working. I immediately started searching for alternative options, and there were a few that could fit but didn’t do exactly what I wanted. One of those options was VPNCubed, which is awesome software; they did a great job, I must say. The only issue I ran into, besides pricing, was that I couldn’t just spin up an instance and have it dynamically assigned a private address. I had to assign a static private IP to each instance, with some certificate setup that I didn’t bother looking into. Support later told me I could use their API to do this, but one of my core reasons for needing the private cloud was that another server would be spinning up instances on demand, and I couldn’t script their API into that process (I’m not going to get into this, just believe me). Anyway, I started reading about the possibility of using OpenVPN somehow, but it appears that it doesn’t support IPSec tunnels (please correct me if I’m incorrect!), and I didn’t want another OpenVPN server running on my local network in order to communicate with it. I found some articles on OpenSwan and EC2 but nothing regarding VPC, which really surprised me. I saw numerous posts about it not working and such, but no guides on how to create the private network in the cloud and set up a basic IPSec site-to-site path between the VPC and an ASA.
It blew my mind, to say the least. So I set out to get it working on my own, and I’m pleasantly surprised to say it was pretty damn easy.

My Requirements:

I believe my requirements were pretty simple. They were as follows:
  1. Allow communication between my local network and ec2 instances within the vpc and vice-versa
  2. Allow communication between ec2 instances within the vpc
  3. Communication between all paths must be somewhat secure
  4. The ability to have instances assigned a dynamic private address from a dhcp pool or a statically assigned private address
  5. The ability to have a few instances be able to route to the outside world and have a publicly accessible IP

The Network Layout:

On my end:
- – my local network, 254 usable IP addresses
- – my ASA’s internal IP address
- – my ASA’s public-facing external IP address
On the Amazon VPC end:
- – the /16 subnet that is required for the outer VPC layer
- – the VPC subnet that I will be working with
- – the internal private IP of the OpenSwan server
- – the Elastic IP I allocated from Amazon VPC. This will be bound to the OpenSwan server and used for our IPSec tunnel; more on that later. Just remember I am using that as my external IP for the IPSec tunnel.

The Network Diagram:

Getting Started (Amazon VPC):

First off we want to create our VPC via the Amazon AWS Management Console.

I pretty much followed the guide here:

  1. Go to the VPC tab
  2. Find the Your Virtual Private Cloud area, and click Get started creating a VPC.
  3. I chose VPC w/ a Single Public Subnet Only, along with the information I provided above in the layout.
  4. Follow the steps to create the VPC.

Adding the OpenSwan Server into your VPC:

  1. First we will need to allocate a new Elastic IP within the VPC tab under Virtual Private Cloud -> Elastic IPs. This will be used for the OpenSwan server.
  2. Once that is done, I went back to the EC2 tab and launched an instance. I used the basic 32-bit Amazon Linux AMI.
    1. I chose m1.small as my instance type.
    2. Make sure to choose ‘Launch Instances Into Your Virtual Private Cloud’.
    3. For instance details, I chose to assign it a private IP address of
    4. Chose my keypair and assigned it a name tag of ‘openswan server’.
    5. For configure firewall, I chose allow all traffic ( to start off, since I would be locking it down further after it’s set up.
    6. I then associated the Elastic IP to the running instance after it started up.
  3. I ssh’d into the instance using my key (ssh -i my-key.pem ec2-user@, and I was brought to a shell, yay!

Configure the instance w/ OpenSwan:

I found a great article here: ( which described the steps in connecting an ec2 instance to an IOS router. It worked great, so I thought I’d mention where I got the information from.

Here are the exact commands I ran after ssh’ing into the server. Note that HOMEPUBLIC and HOMEPRIVATE must be set according to your internal network before the echo lines run, otherwise home.conf ends up with empty right= and rightsubnet= values:

HOMEPUBLIC=   # set to the ASA's public (external) IP address
HOMEPRIVATE=  # set to your local network in CIDR notation
sudo yum update -y
sudo yum -y install openswan openswan-doc ipsec-tools
# this instance's private address and public (elastic) address
EC2PRIVATE=`/sbin/ifconfig eth0|grep Bcast|cut -d: -f 2|cut -d\  -f 1`
EC2PUBLIC=`curl -s`
# random 30-character pre-shared key; it also has to be typed into the ASA
PSK=`< /dev/urandom tr -dc a-zA-Z0-9_ | head -c30`
echo "conn home" > /tmp/home.conf
echo "  left=%defaultroute" >> /tmp/home.conf
echo "  leftsubnet=$EC2PRIVATE/32" >> /tmp/home.conf
echo "  leftid=$EC2PUBLIC" >> /tmp/home.conf
echo "  right=$HOMEPUBLIC" >> /tmp/home.conf
echo "  rightid=$HOMEPUBLIC" >> /tmp/home.conf
echo "  rightsubnet=$HOMEPRIVATE" >> /tmp/home.conf
echo "  authby=secret" >> /tmp/home.conf
echo "  pfs=yes" >> /tmp/home.conf
echo "  forceencaps=yes" >> /tmp/home.conf
echo "  auto=start" >> /tmp/home.conf
echo "$EC2PUBLIC $HOMEPUBLIC: PSK \"$PSK\"" > /tmp/home.secrets
# uncomment the include line so OpenSwan picks up /etc/ipsec.d/home.conf
sudo sed 's!^#\(include /etc/ipsec.d/\*.conf\)!\1!' /etc/ipsec.conf > /tmp/ipsec.conf
# the secrets file holds the PSK, so keep it readable by root only
sudo chmod 600 /tmp/home.* /tmp/ipsec.conf
sudo chown root:root /tmp/home.* /tmp/ipsec.conf
sudo mv /tmp/home.* /etc/ipsec.d
sudo mv /tmp/ipsec.conf /etc
sudo chkconfig ipsec on
sudo /etc/init.d/ipsec start

We need to do a couple more things as well, so that the instance forwards traffic for the other VPC instances and masquerades it behind its own address:

In /etc/sysctl.conf:
net.ipv4.ip_forward = 1

Then reload it so the change takes effect without a reboot:
sudo sysctl -p

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

(The iptables rule is not persisted across reboots on its own; save it with your distribution’s iptables save mechanism if you want it to survive a restart.)

At the end of this, I had OpenSwan up and running! I had /etc/ipsec.d/home.conf as my openswan configuration and /etc/ipsec.d/home.secrets as my preshared key! Awesome!

Configuring the ASA:

I’m trying my best to grep out the commands I ran here from config change logs, so please take this with a grain of salt. Anyone who has set up a site-to-site tunnel on an ASA should be familiar with this process already. All we are doing is creating a new site-to-site entry, using esp-3des-md5, and allowing access to and from this tunnel. (I know esp-3des-md5 is horrible, but this is how I got it working; I need to change it to sha-aes soon.)

ASA Configs: Make sure to BACKUP before making these changes!

Tunnel Group:

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
! pre-shared-key (the key in /etc/ipsec.d/home.secrets on your openswan server)

Crypto Map:
I’m using crypto map priority 6, this doesn’t need to be 6.

crypto map outside_map 6 match address outside_cryptomap_6
crypto map outside_map 6 set pfs
crypto map outside_map 6 set peer
crypto map outside_map 6 set transform-set ESP-3DES-MD5
crypto ipsec transform-set ESP-3DES-MD5
access-list outside_cryptomap_6 extended permit ip

Internal Network Group:

object-group myinternalnetwork
 description My Internal Network that Will connect to EC2 VPC

NAT Entries allowing Access from my internal network to VPC:

access-list inside_nat0_outbound extended permit ip object-group myinternalnetwork

Boom! We should be all set on the ASA side. Save your changes!
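The ASA only completes Phase 2 when its crypto ACL mirrors OpenSwan’s leftsubnet/rightsubnet exactly, and the PSK has to be typed identically on both sides, which is exactly the kind of mismatch one commenter below spotted. The following checker is an added example, not code from the post: it parses a conn block, its home.secrets line and the ASA lines above and reports disagreements; every address and the key are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample inputs with placeholder addresses; not the post's real values.
HOME_CONF = """conn home
  left=%defaultroute
  leftsubnet=10.0.0.0/24
  leftid=203.0.113.10
  right=198.51.100.1
  rightid=198.51.100.1
  rightsubnet=192.168.1.0/24
  authby=secret
  pfs=yes
  forceencaps=yes
  auto=start
"""
HOME_SECRETS = '203.0.113.10 198.51.100.1: PSK "ExamplePskOnly"\n'
ASA_CONFIG = """tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key ExamplePskOnly
crypto map outside_map 6 match address outside_cryptomap_6
crypto map outside_map 6 set pfs
crypto map outside_map 6 set peer 203.0.113.10
access-list outside_cryptomap_6 extended permit ip 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0
"""


def parse_conn(text):
    """Return the key=value options of an OpenSwan conn block as a dict."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("conn "):
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def parse_asa(text):
    """Pull peer, PSK, PFS flag and crypto ACL networks out of the ASA lines."""
    info = {"pfs": False}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"tunnel-group (\S+) type ipsec-l2l", line):
            info["peer"] = m.group(1)
        elif m := re.match(r"pre-shared-key (\S+)", line):
            info["psk"] = m.group(1)
        elif re.match(r"crypto map \S+ \d+ set pfs", line):
            info["pfs"] = True
        elif m := re.match(r"access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)", line):
            # ASA crypto ACLs read: source (local) mask, destination (remote) mask.
            info["local"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            info["remote"] = ipaddress.ip_network(f"{m.group(3)}/{m.group(4)}")
    return info


def check_tunnel(conn_text, secrets_text, asa_text):
    """Return a list of mismatches between the two ends; empty means they agree."""
    conn, asa = parse_conn(conn_text), parse_asa(asa_text)
    problems = []
    secret = re.search(r'(\S+) (\S+): PSK "([^"]*)"', secrets_text)
    ids = (secret.group(1), secret.group(2)) if secret else None
    if ids != (conn.get("leftid"), conn.get("rightid")):
        problems.append("home.secrets index does not name leftid and rightid")
    if not secret or secret.group(3) != asa.get("psk"):
        problems.append("pre-shared key differs between home.secrets and tunnel-group")
    if asa.get("peer") != conn.get("leftid"):
        problems.append("ASA tunnel-group name is not OpenSwan's leftid")
    # The ASA only brings up Phase 2 when both sides' proxy IDs mirror each other.
    if asa.get("remote") != ipaddress.ip_network(conn["leftsubnet"]):
        problems.append("leftsubnet is not the crypto ACL destination")
    if asa.get("local") != ipaddress.ip_network(conn["rightsubnet"]):
        problems.append("rightsubnet is not the crypto ACL source")
    if (conn.get("pfs") == "yes") != asa["pfs"]:
        problems.append("PFS is enabled on only one side")
    return problems
```

Run it against a copy of /etc/ipsec.d/home.conf, home.secrets and the relevant show run lines before restarting ipsec; an empty list means the two ends at least describe the same tunnel.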

Restarting IPSec on OpenSwan Instance:

  1. Log back into your OpenSwan instance via ssh and issue the commands sudo /etc/init.d/ipsec stop; sudo /etc/init.d/ipsec start
  2. You can check whether the tunnel is up by issuing /etc/init.d/ipsec status, which should state whether the tunnel is up or not; you can also check your ASA.

Fixing the routes in EC2:

In order for traffic to route properly on new instances and allow communication between your network and VPC instances we need to add a route in the AWS management console.

  1. Login to the AWS management Console
  2. Click on the VPC tab
  3. Click on Route Tables
  4. Click on the Route Table ID that ISN’T set as MAIN (it should say Main: No under the column)
  5. For destination put your local network subnet (from the above example, mine is and for Target, choose the instance ID of the OpenSwan instance.
  6. Click Add
  7. Boom!

Fixing Your Security Groups:

You can now update your security group for the openswan server. For example, mine I have all traffic allowed from the external IP of my asa (, and nothing else.

For new instances, you will want to have a new security group, and remember to allow the internal network to access these security groups, so for example in all security groups I allow all traffic from This way I have communication both ways to the private vpc and from the private vpc to my network.

Known Issues:

  1. I’m writing this at midnight after a long day, so I’m sure there are errors. Please let me know what they are!!!!
  2. I haven’t been able to get communication to just work to the outside world from instances without an Elastic IP associated to them. I.e. instance4293 in the private VPC cloud can communicate with other instances in the private VPC and with my internal network, but not out to… Not sure if this is a routing issue or a firewall rule; I haven’t had the time to check it out further, but please let me know if you know why!
  3. Enjoy and please comment! I hope to clean this up in the following weeks to be more of a step-by-step guide (especially the ASA part), but you should get the gist of it all!



  1. Hi!

    I am from Europe and am trying to establish a VPN from our Cisco ASA to the VPC for one of our clients.
    However in the configuration guides, they keep saying that I need to configure BGP?
    In your post there is no mention of BGP… can you explain how this is so?

    Btw: very good information :)


    • Hi Andrea –
      You are correct, with amazon’s full VPC configuration you need a hardware router that is compatible with BGP, which I didn’t have available. This method allows you to do a site-to-site ipsec tunnel without the need of BGP.

  2. I’m happy to read that you found my article helpful. Thanks for linking!


  3. Yeah!

    Good idea…will give it a shot….thanks!

  4. Hi,

    Thanks for your post.
    Please finish and add to post next config line for Cisco ASA

    crypto ipsec transform-set ESP-3DES-MD5 ….


  5. Can I use this method to establish an IPSec between my laptop and an EC2 instance with openswan on both ends?

    • Hi Ks -
      You could, but the configuration would be different. Essentially the concept would be the same.

      • Thanks a lot for the info

        I tried the configuration with

        But I’m getting an error : We cannot identify ourselves with either end of this connection.

        Also when I try ipsec verify I’m getting :

        Checking that pluto is running [OK]
        Pluto listening for IKE on udp 500 [OK]
        Pluto listening for NAT-T on udp 4500 [FAILED]
        Checking for ‘ip’ command [OK]

        Any idea why I’m getting these errors?

        • sorry a typo I was trying left=%defaultroute

          • are there spaces for left=%default, etc under conn home?

            so it should look like:

            conn home

  6. One thing I did find – that drove me crazy until I realized it – IPV4 routing HAS to be enabled on your vpn VPC –

    By default it is disabled…

    net.ipv4.ip_forward = 0
    net.ipv4.ip_forward = 1
    sysctl -p /etc/sysctl.conf


  7. Do you know how to establish an IPSec between a linux machine and EC2?

  8. IJWTS wow! Why can’t I think of things like that?

  9. I have an ASA as front end; after it I have a Cisco router 2821, IOS 12.4 (24 T5).
    They are connected to each other by Ethernet.
    Can anyone help me with how to establish the VPN connection the way Amazon does??????

  10. This is needed, at least when i tested, on the OpenSwan server in order to do proper routing.


    net.ipv4.ip_forward = 1


    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    • LOL, thanks, I have been mulling over the fact that my OpenSWAN box is unable to forward traffic from other parts of the VPC, and never once did it I think of iptables – thanks :-)

  11. Also, the VPC OpenSwan instance will NOT route traffic backwards unless Source/Dest check is disabled; below is from Amazon support:

    By default, instances in VPC have a “Source/Dest Check” which prevents the instances from receiving traffic destined for addresses other than the private IP address of the instance.

    For the NAT instance you’ll need to disable this check. From the AWS Management Console, visit the EC2 tab, Instances section. Locate the NAT instance, right click, and select “Change Source / Dest Check”. Click “Yes, Disable”.

    • nyc-h0st

      you are a beautiful, beautiful person! I have been tearing my hair out for soo long

      i am going to sit in the corner and feel stupid now!



  12. After starting ipsec I receive the following message:

    ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set un /proc/sys/crypto/fips_enabled

    How do I fix that?


  13. I have followed the setup on both sides and the status on ipsec is:

    [root@ip-10-0-0-10 log]# /etc/init.d/ipsec status
    /usr/libexec/ipsec/addconn Not able to open /proc/sys/crypto/fips_enabled, retur
    ning non-fips mode
    IPsec running – pluto pid: 2672
    pluto pid 2672
    No tunnels up

    How can I debug this?


    • I’m in the same boat as Jeff. I believe the configurations are correct on both the ASA and the OpenSwan box but I still get the message “No tunnels up”. I’ve checked /var/log/messages and I get one entry after restarting the IPSEC service on the OpenSwan box:

      Aug 10 15:27:02 ip-172-10-0-254 ipsec__plutorun: 104 “vpn” #1: STATE_MAIN_I1: initiate

      I’m guessing my networking configuration within AWS is the problem but do you have suggestions for debugging the connection?

  14. Hi, I was wondering if you would be so kind as to help me with a couple of questions. First, can you install this in a micro instance, outside of a vpc? and second, do you have to use a VPC or can I use 1 ec2 micro to connect to my customer gateway and connect another ec2 to the first OpenSwan instance?

    Thank you,

    • Hi AJC –

      I believe at this time amazon doesn’t allow micro instances in VPC. For things that are running 24×7 we have tried to use m1.small where possible.

      • Hi,

        I configured my instance as described (but I used the commands on the link cause I wanted to use AES) But the state on my router says: State : MM_WAIT_MSG2 and on my linux machine the status returns there are no Tunnels open.

        Do you know what I might have gotten wrong? I should add that I have no access to the physical router; they are a third party provider, I just give them my IP and the PSK and they gave me their gateway IP.

        Thanks for your help. I preferred to use your option rather than using something like cohesiveFT because, A) it’s free, B) it looks simple enough and C) cohesiveFT doesn’t use EBS instances so I can’t stop them, just terminate them, and that’s no good for me.

  15. I am looking for clarification about the HOMEPUBLIC. Is this my elastic IP that I assign to the server or is it the internal static IP of the server? I seem to get farther when I use the internal IP, however, I am not sure it is leaving through the elastic IP (which is what the PIX is expecting). When I run sudo ipsec whack --status I get:

    000 using kernel interface: netkey
    000 interface lo/lo ::1
    000 interface lo/lo
    000 interface lo/lo
    000 interface eth0/eth0
    000 interface eth0/eth0
    000 %myid = (none)
    000 debug none
    000 virtual_private (%priv):
    000 – allowed 0 subnets:
    000 – disallowed 0 subnets:
    000 WARNING: Either virtual_private= is not specified, or there is a syntax
    000 error in that line. ‘left/rightsubnet=vhost:%priv’ will not work!
    000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
    000 private address space in internal use, it should be excluded!
    000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
    000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
    000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
    000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
    000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
    000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
    000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
    000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
    000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
    000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
    000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
    000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
    000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
    000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
    000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
    000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
    000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
    000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
    000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
    000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
    000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
    000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
    000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
    000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
    000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
    000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
    000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
    000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
    000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
    000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,8,36} trans={0,8,1536} attrs={0,8,2048}
    000 “tunnelipsec”:[+S=C]—…—PIXEXTERNALIP[+S=C]===PIXSUBNET; prospective erouted; eroute owner: #0
    000 “tunnelipsec”: myip=unset; hisip=unset;
    000 “tunnelipsec”: ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
    000 “tunnelipsec”: policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth0;
    000 “tunnelipsec”: newest ISAKMP SA: #0; newest IPsec SA: #0;
    000 “tunnelipsec”: IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP1024(2); flags=-strict
    000 “tunnelipsec”: IKE algorithms found: AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
    000 “tunnelipsec”: ESP algorithms wanted: AES(12)_256-SHA1(2)_000; flags=-strict
    000 “tunnelipsec”: ESP algorithms loaded: AES(12)_256-SHA1(2)_160
    000 #14: “tunnelipsec”:4500 STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 17s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate

    Any suggestions would be greatly appreciated!!!

    • $HOMEPUBLIC should be the external IP (or the elastic IP) used for the openswan box.

      in the example it would be:

  16. I’ve configured openswan using this guide and was able to establish a tunnel connection. The issue I seem to be facing now is that once traffic passes through the tunnel, all connections die (the tunnel connection & any putty sessions). Logging is on full debug, but logging stops once I initiate a connection through; it acts as if the host comes to a halt for a blip. Eventually I am able to connect back to the host a couple of seconds later, but there is nothing useful in the logs, & restarting the ipsec service re-establishes the tunnel. Any ideas? TYIA.


    • I haven’t experienced this before. Is it happening after a few mins, or a few days, etc

      If you have traffic passing through the tunnel (ie a ping every second from Local -> VPC subnet) does it keep the tunnel up?

  17. Do you have a typo in there? In your openswan config you declare the remote encryption to be yet on the ASA you are encrypting Two very different subnets.

  18. I’ve also realised that Elastic IP is required for my EC2 instance to connect to the internet. It can connect perfectly to any other EC2s within the VPC or traverse the IPSec tunnel to my other machines on the other side of the VPN tunnel. But internet simply does not work without Elastic IP.

    Anyone has any ideas?

  19. LIFE SAVER! At first I got stuck because I couldn’t SSH into my VPC with a Network Connection Timed Out error even though I had a public Elastic IP. This was fixed by changing regions from East coast to West coast, a very odd bug on Amazon Web Services! The rest was easy as pie, thank you JGilmour!

    For Google’s sake: EC2, SSH Amazon, Network Timed Out, VPN, VPC

    • Glad to hear it worked for you! I have heard that amazon recently released IPSEC VPC which should allow users to not even use openswan as the gateway, but rather their service. I haven’t had time to check it out yet, but I hope to soon!
