Last Updated on April 25, 2025
StrongSwan is an open-source IPsec VPN implementation. On AWS it is commonly run on an EC2 instance as the customer gateway device of a Site-to-Site VPN, which makes it a practical way to build an encrypted site-to-site link between a VPC and on-premises infrastructure or another cloud platform, without dedicated VPN hardware.
To set up a StrongSwan-based AWS Site-to-Site VPN, you launch an EC2 instance with StrongSwan installed and configure it as the customer gateway. This involves several steps: enabling IP forwarding, disabling the source/destination check, configuring the IPsec connection, adjusting the VPC route tables, and testing the tunnel.
Enabling IP forwarding is essential for the instance to function as a router; without it the kernel silently drops packets that arrive for hosts other than itself. Uncomment the line net.ipv4.ip_forward=1 in /etc/sysctl.conf and apply the change with sudo sysctl -p.
Disabling the source/destination check on the EC2 instance is necessary because, by default, EC2 drops any packet whose source or destination address is not one of the instance's own addresses. With the check disabled, the instance can receive packets addressed to the subnets on either side of the tunnel and forward them, which is exactly what a StrongSwan gateway has to do.
Configuring the IPsec connection involves two files: /etc/ipsec.secrets, which holds the pre-shared key indexed by the local and remote IDs, and /etc/ipsec.conf, which defines the connection itself: the left and right IDs, the subnets on each side, the key exchange and cipher proposals, and whether the tunnel starts automatically. Keep /etc/ipsec.secrets readable by root only, since the pre-shared key is the only thing authenticating the tunnel.
Additionally, you need to configure routing in the VPC route tables so that traffic for the remote network is sent to the StrongSwan instance (using its instance or network interface ID as the target); the instance's security group must also allow UDP 500 (IKE) and UDP 4500 (NAT-T) from the AWS tunnel endpoints.
Finally, test the VPN connection: verify in the AWS Console that the tunnel status is UP, confirm on the instance with ipsec statusall that the connection is ESTABLISHED, and ping machines on both sides of the VPN.
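The whole procedure above, as an added shell example that is not code from the original page or from the strongSwan project: it renders the two strongSwan files, checks the sysctl line and the pre-shared key, wraps the AWS CLI calls for the instance attribute, security group and route table, and verifies the result. All IP addresses, CIDRs, resource IDs and the connection name are constructed placeholders; the IKEv2 AES-256-GCM / SHA-256 / DH group 14 proposals are this example's own assumption and should be checked against the proposal set AWS lists for your tunnel.

```shell
#!/bin/sh
# Added example, not code from the original page: render and sanity-check the
# strongSwan files for an EC2 instance acting as the customer gateway of an
# AWS Site-to-Site VPN, then apply the EC2-side settings. Every address, CIDR
# and ID below is a constructed placeholder (assumption); take the real values
# from the configuration file the AWS console offers for download.

CGW_PRIVATE_IP=10.0.1.10      # private address of the strongSwan instance
CGW_PUBLIC_IP=198.51.100.10   # its Elastic IP, used as the customer gateway ID
AWS_TUNNEL_IP=203.0.113.5     # outside address of the AWS tunnel endpoint
LOCAL_SUBNET=10.0.0.0/16      # VPC CIDR behind the instance (leftsubnet)
REMOTE_SUBNET=172.16.0.0/16   # network on the far side of the tunnel (rightsubnet)
CONN_NAME=aws-tunnel1         # connection name, also a placeholder

# Print /etc/ipsec.conf. IKEv2 with AES-256-GCM, SHA-256 PRF and DH group 14
# (modp2048) is this example's own choice; confirm it against the proposal
# set AWS lists for the tunnel before using it.
render_ipsec_conf() {
  cat <<EOF
config setup
  charondebug="ike 1, knl 1, cfg 0"
  uniqueids=no

conn $CONN_NAME
  auto=start
  keyexchange=ikev2
  authby=secret
  left=$CGW_PRIVATE_IP
  leftid=$CGW_PUBLIC_IP
  leftsubnet=$LOCAL_SUBNET
  right=$AWS_TUNNEL_IP
  rightid=$AWS_TUNNEL_IP
  rightsubnet=$REMOTE_SUBNET
  ike=aes256gcm16-prfsha256-modp2048!
  esp=aes256gcm16-modp2048!
  ikelifetime=8h
  lifetime=1h
  dpddelay=10s
  dpdtimeout=30s
  dpdaction=restart
EOF
}

# Print the /etc/ipsec.secrets line; the two IDs must match leftid/rightid.
render_ipsec_secrets() {
  printf '%s %s : PSK "%s"\n' "$CGW_PUBLIC_IP" "$AWS_TUNNEL_IP" "$1"
}

# True when the given sysctl file has an uncommented net.ipv4.ip_forward=1.
ip_forward_enabled() {
  grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Refuse short pre-shared keys. AWS accepts 8 to 64 characters; the floor of
# 32 here is this example's own policy, not an AWS rule.
psk_ok() {
  [ "${#1}" -ge 32 ]
}

# Apply everything on the instance. Needs root and an AWS CLI identity allowed
# to modify the instance, the security group and the route table.
# Usage: apply_all <instance-id> <route-table-id> <security-group-id> <psk>
apply_all() {
  instance_id=$1; rtb_id=$2; sg_id=$3; psk=$4
  psk_ok "$psk" || { echo "refusing PSK shorter than 32 characters" >&2; return 1; }

  # Step 1: make the kernel forward packets, persistently and right now.
  ip_forward_enabled /etc/sysctl.conf || echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
  sysctl -p

  # Step 2: stop EC2 from dropping packets not addressed to this instance.
  aws ec2 modify-instance-attribute --instance-id "$instance_id" --no-source-dest-check

  # Step 3: admit only IKE (UDP 500) and NAT-T (UDP 4500) from the AWS endpoint.
  # ESP travels inside UDP 4500 because the instance sits behind an Elastic IP NAT.
  for port in 500 4500; do
    aws ec2 authorize-security-group-ingress --group-id "$sg_id" \
      --protocol udp --port "$port" --cidr "$AWS_TUNNEL_IP/32"
  done

  # Step 4: send VPC traffic for the remote network to this instance.
  aws ec2 create-route --route-table-id "$rtb_id" \
    --destination-cidr-block "$REMOTE_SUBNET" --instance-id "$instance_id"

  # Step 5: write the strongSwan files; the secrets file is root-only.
  render_ipsec_conf > /etc/ipsec.conf
  ( umask 077; render_ipsec_secrets "$psk" > /etc/ipsec.secrets )
  ipsec restart
}

# Verify: the IKE SA must be ESTABLISHED and a host across the tunnel reachable.
# Usage: verify_tunnel <remote-host-ip>
verify_tunnel() {
  ipsec statusall "$CONN_NAME" | grep -q ESTABLISHED || { echo "IKE SA not established" >&2; return 1; }
  ping -c 3 -I "$CGW_PRIVATE_IP" "$1"
}
```

In a real run, read the PSK from a root-only file into a variable rather than typing it as an argument, since command-line arguments end up in shell history and are visible to other users through ps. The leftid is deliberately the Elastic IP rather than the private address: AWS identifies the customer gateway by its public IP, and NAT traversal takes care of the fact that the instance itself only sees its private address.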