Creating an AWS Site-to-Site VPN

1.5 hours
  • 5 Learning Objectives

About this Hands-on Lab

In this lab, we’ll create an AWS Site-to-Site VPN connection from an AWS VPC used by our organization’s main office to a private, remote data center used by a branch office. We will simulate the branch office network via a second AWS VPC, installing and configuring a software-based customer VPN gateway running on an EC2 instance. We’ll also create a virtual gateway and configure the Site-to-Site VPN to use a secure IPsec tunnel between sites. We will then test connectivity.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Verify Resources and Examine Network Configuration

Verify that the resources below exist.

Note: If using the pre-configured lab environment, these resources have already been configured for you. If not, you’ll need to create them.

  • Two VPCs in different Availability Zones:
    • VPC-MainOffice with CIDR block
    • VPC-BranchOffice with CIDR block
  • A public subnet in each VPC:
    • Subnet-MainOffice-Public with CIDR block
    • Subnet-BranchOffice-Public with CIDR block
  • An internet gateway (IGW) in each VPC
  • Two route tables, each attached to the appropriate subnet:
    • Names: RT-MainOffice and RT-BranchOffice
    • Routes: Local, and pointing to the IGW
Create Two EC2 Instances

Create two new EC2 instances: one in VPC-MainOffice and one in VPC-BranchOffice.


  • AMI: Amazon Linux 2
  • Instance type: t2.medium
  • Network: VPC-MainOffice
  • Subnet: Subnet-MainOffice-Public
  • Auto-assign Public IP: Enable
  • Tags:
    • Key: Name; Value: EC2-MainOffice
  • Security group: Create a new security group:
    • Type: SSH; Source: My IP
    • Type: All TCP; Source: Custom,
    • Type: All UDP; Source: Custom,
    • Type: All ICMP – IPv4; Source: Custom, 10.20.0 0/16
  • Key pair: Create a new key pair:
    • Key pair name: Key-MainOffice
    • Download and save key pair.


  • AMI: Amazon Linux 2
  • Instance type: t2.medium
  • Network: VPC-BranchOffice
  • Subnet: Subnet-BranchOffice-Public
  • Auto-assign Public IP: Enable
  • Tags:
    • Key: Name; Value: EC2-BranchOffice
  • Security group: Create a new security group:
    • Type: SSH; Source: My IP
    • Type: All TCP; Source: Custom,
    • Type: All UDP; Source: Custom,
    • Type: All ICMP – IPv4; Source: Custom,
  • Key pair: Create a new key pair:
    • Key pair name: Key-BranchOffice
    • Download and save key pair.

Once EC2-BranchOffice is created, disable the source/destination checks.

Create Virtual Private Network Resources

Create the following resources:

  • Virtual private gateway attached to VPC-MainOffice
    • Name: VPG-MainBranch
  • Customer gateway
    • Name: CGW-MainBranch
    • Routing: Static
    • IP Address: Public IP address of EC2-BranchOffice
  • Site-to-Site VPN connection
    • Name: VPN-MainBranch
    • Virtual Private Gateway: VPG-MainBranch
    • Customer Gateway: CGW-MainBranch
    • Routing Options: Static
    • IP Prefixes:

It may take several minutes for the VPN connection to move from <span style="color:gold">pending</span> to <span style="color:green">available</span>.

Install and Configure Openswan
  1. Connect via SSH to EC2-BranchOffice.

  2. Install Openswan:

    sudo su
    yum install openswan
  3. Configure /etc/ipsec.conf — if there is a # in front of this line, remove it:

    include /etc/ipsec.d/*.conf
  4. Configure /etc/sysctl.conf, adding these lines to the file:

    net.ipv4.ip_forward = 1
    net.ipv4.conf.default.rp_filter = 0
    net.ipv4.conf.default.accept_source_route = 0
  5. Configure /etc/ipsec.d/aws.conf, adding these lines to the file:

    conn Tunnel1
  6. Configure /etc/ipsec.d/aws.secrets, using this format:


    For example: PSK "34nkfwoe732ddf"
  7. Restart the network service:

    service network restart
  8. Set the ipsec service to run automatically if the server restarts:

    chkconfig ipsec on
  9. Start the ipsec service:

    service ipsec start
  10. Check the status of the ipsec service:

    service ipsec status
Test Connectivity Across VPN
  1. Connect via SSH to EC2-BranchOffice, and attempt to ping EC2-MainOffice:

    ping <EC2-MainOffice_PRIVATE_IP_ADDRESS>
  2. Connect via SSH to EC2-MainOffice, and attempt to ping EC2-BranchOffice:

    ping <EC2-BranchOffice_PRIVATE_IP_ADDRESS>

Additional Resources

The main office of your organization has completed their migration to the AWS Cloud, but a branch office is still using a private, remote data center. You need to configure a secure Site-to-Site VPN connection that will allow branch office servers to connect to data stored in the main office VPC in the AWS Cloud. The connection must be secure and use the internet connection already existing in the branch office data center.

The main office VPC has been created for you. The branch office remote datacenter will be simulated by using a second, separate AWS VPC in a different Availability Zone, which has also already been created for you.

You need to create an EC2 instance in each VPC, create a customer gateway, virtual private gateway, and Site-to-Site VPN connection in the main office VPC. You then need to install and configure OpenSWAN on the EC2 instance in the branch office VPC to function as the remote data center's software-based VPN. You'll also test connectivity by pinging each EC2 instance.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Get Started
Who’s going to be learning?

How many seats do you need?

  • $499 USD per seat per year
  • Billed Annually
  • Renews in 12 months

Ready to accelerate learning?

For over 25 licenses, a member of our sales team will walk you through a custom tailored solution for your business.


Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!