AWS - VPN connections using StrongSwan

It took me by surprise when I realised that Ubuntu 16.04 did not have Openswan as a package - it uses StrongSwan now. AWS only provides a generic configuration, configuration steps for CGW hardware, or an Openswan configuration.

After a bit of head scratching and testing, I found the correct configuration for building a tunnel between an Ubuntu box running StrongSwan and an AWS VPG:

A connection entry for a tunnel in /etc/ipsec.conf:

conn Tunnel1
    authby=secret
    auto=start
    type=tunnel

    # left is this StrongSwan box; leftid is the public address AWS sees
    left=<private ip address of strongswan box>
    leftid=<public (outside) ip address of your firewall/router>
    leftsubnet=<local private CIDR block>

    # right is the AWS side of the tunnel
    right=<public ip address of AWS vpn connection>
    rightsubnet=<VPC private CIDR block>

    # IKE SA lifetime, IKE (phase 1) and ESP (phase 2) proposals
    ikelifetime=8h
    ike=aes128-sha1-modp1024
    esp=aes128-sha1-modp1024

    # IPsec SA lifetime, keep retrying forever, IKEv1
    keylife=1h
    keyingtries=%forever
    keyexchange=ikev1

    # Dead peer detection: restart the tunnel if AWS stops responding
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart

A secret for /etc/ipsec.secrets:

<public ip address of your local firewall/router> <public ip address of AWS vpn connection> : PSK "<The pre shared key obtained from the generic config.txt file downloaded from AWS>"
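To turn the placeholders above into both files for the two tunnel endpoints AWS hands out per VPN connection, here is an added Python helper (mine, not the post's): it validates the addresses, renders one conn per tunnel with the same proposal and lifetime settings as above, and writes ipsec.secrets with mode 0600 so only root can read the PSK. All sample addresses and keys in it are constructed.

```python
import ipaddress
import os
# Settings from the post's working conn entry (proposals, lifetimes, DPD).
_FIXED = """    authby=secret
    auto=start
    type=tunnel
    ikelifetime=8h
    ike=aes128-sha1-modp1024
    esp=aes128-sha1-modp1024
    keylife=1h
    keyingtries=%forever
    keyexchange=ikev1
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart
"""

def render_conn(name, left, leftid, leftsubnet, right, rightsubnet):
    """Return one ipsec.conf conn block; raises ValueError on a bad address."""
    for ip in (left, leftid, right):
        ipaddress.ip_address(ip)    # rejects typos, prefixes and stray whitespace
    for cidr in (leftsubnet, rightsubnet):
        ipaddress.ip_network(cidr)  # strict: host bits must be zero (10.0.0.0/16)
    return (f"conn {name}\n    left={left}\n    leftid={leftid}\n    leftsubnet={leftsubnet}\n"
            f"    right={right}\n    rightsubnet={rightsubnet}\n{_FIXED}")

def render_secret(leftid, right, psk):
    """Return the ipsec.secrets line (<our public IP> <AWS IP> : PSK '...')."""
    if '"' in psk or "\n" in psk:
        raise ValueError("PSK must not contain double quotes or newlines")
    return f'{leftid} {right} : PSK "{psk}"\n'

def render_aws_vpn(leftid, left, leftsubnet, rightsubnet, tunnels):
    """tunnels: [(aws_outside_ip, psk), ...] from config.txt; returns (conf, secrets)."""
    conf, secrets = "", ""
    for i, (aws_ip, psk) in enumerate(tunnels, start=1):
        conf += render_conn(f"Tunnel{i}", left, leftid, leftsubnet, aws_ip, rightsubnet) + "\n"
        secrets += render_secret(leftid, aws_ip, psk)
    return conf, secrets

def write_secrets(path, text):
    """Write ipsec.secrets with mode 0600 so only root can read the PSKs."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)

# Constructed sample values (RFC 5737 / RFC 1918 ranges), not real endpoints or keys.
SAMPLE = render_aws_vpn("203.0.113.10", "10.0.0.5", "10.0.0.0/16", "172.16.0.0/16",
                        [("198.51.100.1", "example-psk-1"), ("198.51.100.2", "example-psk-2")])
```

Pass the rendered conf text to /etc/ipsec.conf and the secrets text to write_secrets("/etc/ipsec.secrets", ...), then `ipsec reload` or `ipsec restart`.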

There you go - now you can test VPN tunnels using an Ubuntu system running StrongSwan. Hopefully that's a bit of time saved for you, and remember that VPN connections are charged by the hour once they are up!
