Establishing IPsec VPN Connectivity Between AWS EC2 and IoTGW Gateway Using StrongSwan

Introduction

In this guide, I’ll walk through the complete process of setting up an IPsec VPN tunnel between an AWS EC2 instance and an IoTGW Gateway using StrongSwan. The tunnel gives remote access to the IoTGW Gateway’s management interface and lets you retrieve its logs over a secure VPN connection instead of exposing the gateway on the internet.

Architecture Overview

[Architecture diagram: not reproduced in the text version of this post]

Prerequisites

  • AWS EC2 instance with Elastic IP
  • IoTGW Gateway with cellular connectivity
  • Basic knowledge of Linux command line
  • SSH access to EC2 instance

Launch EC2 Instance

Configure security groups to allow:

  • SSH (TCP 22)
  • IKE (UDP 500)
  • NAT-T (UDP 4500)
  • ESP (IP Protocol 50)

Assign Elastic IP

Allocate an Elastic IP and associate it with the EC2 instance. Note: you need this so the gateway always has the same VPN endpoint address to dial.
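The security-group and Elastic IP steps above as an AWS CLI script. This is an added example, not code from the original post; the group id `sg-0123456789abcdef0`, instance id `i-0123456789abcdef0` and admin CIDR `203.0.113.10/32` are placeholders, and the script defaults to a dry run (`AWS_CLI=echo`) that prints the commands it would issue. It tightens one thing the bullet list leaves open: SSH is admitted only from the administrator's address, while IKE, NAT-T and ESP stay open to any source because the gateway's cellular address is dynamic.

```shell
#!/bin/sh
# Added example, not from the original post: the security-group and Elastic IP
# steps as an AWS CLI script. Group id, instance id and admin CIDR are
# placeholders. Every call goes through $AWS_CLI, which defaults to "echo"
# (a dry run that prints the commands); set AWS_CLI=aws to execute them.
AWS_CLI="${AWS_CLI:-echo}"

# Inbound rules for the VPN endpoint: $1 = security group id,
# $2 = the CIDR allowed to reach SSH (your administrator address only).
# IKE, NAT-T and ESP are opened to any source because the gateway's cellular
# address is dynamic and cannot be pinned here.
open_vpn_ports() {
    sg="$1"; admin_cidr="$2"
    $AWS_CLI ec2 authorize-security-group-ingress --group-id "$sg" \
        --protocol tcp --port 22 --cidr "$admin_cidr"     # SSH, admin only
    $AWS_CLI ec2 authorize-security-group-ingress --group-id "$sg" \
        --protocol udp --port 500 --cidr 0.0.0.0/0        # IKE
    $AWS_CLI ec2 authorize-security-group-ingress --group-id "$sg" \
        --protocol udp --port 4500 --cidr 0.0.0.0/0       # NAT-T (ESP in UDP)
    $AWS_CLI ec2 authorize-security-group-ingress --group-id "$sg" \
        --protocol 50 --cidr 0.0.0.0/0                    # raw ESP, IP protocol 50
}

# Allocate an Elastic IP and bind it to instance $1. The address becomes the
# fixed VPN endpoint the gateway dials; the ids are printed so they can be
# recorded alongside the deployment.
attach_elastic_ip() {
    instance="$1"
    alloc=$($AWS_CLI ec2 allocate-address --domain vpc \
        --query AllocationId --output text)
    assoc=$($AWS_CLI ec2 associate-address --instance-id "$instance" \
        --allocation-id "$alloc" --query AssociationId --output text)
    echo "allocation=$alloc association=$assoc"
}

# Dry run with placeholder ids (prints the commands unless AWS_CLI=aws).
open_vpn_ports sg-0123456789abcdef0 203.0.113.10/32
attach_elastic_ip i-0123456789abcdef0
```

The StrongSwan configuration later in this post also accepts `::/0`; if your VPC has IPv6 enabled, the equivalent rules for `::/0` need the `--ip-permissions` form of the same command, since `--cidr` only takes IPv4 ranges.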

Install StrongSwan on EC2

# For Amazon Linux 2023
sudo dnf update -y
sudo dnf install strongswan strongswan-swanctl -y

# Enable and start service
sudo systemctl enable strongswan
sudo systemctl start strongswan

# Confirm the daemon is running and the swanctl CLI is available
sudo systemctl status strongswan
sudo swanctl --version

StrongSwan Configuration

# Create Configuration Directory
sudo mkdir -p /etc/swanctl/conf.d

# Main Configuration File
sudo nano /etc/swanctl/swanctl.conf
# Connection Configuration
connections {
    IoTGWgw-vpn {
        # Address strongSwan binds to for IKE. On EC2 this is the address on
        # the instance's interface (the private IP): the Elastic IP is a 1:1
        # NAT in front of the instance and never appears on the interface
        local_addrs = your EC2 address
        
        # Accept connections from any remote IP (the gateway's cellular
        # address is dynamic, so it cannot be pinned here)
        remote_addrs = 0.0.0.0/0,::/0

        # Local authentication
        local {
            auth = psk
            id = vpns
        }
        
        # Remote authentication: the gateway must present exactly this ID
        remote {
            auth = psk
            id = IoTGWgW
        }

        # VPN tunnel configuration
        children {
            net-net {
                # Traffic selectors: only traffic between these two subnets is
                # carried in the tunnel; they must mirror the gateway's
                # Local Subnet / Remote Subnet settings
                local_ts = your vpn network
                remote_ts = your IoTGWgW network
                
                # Tunnel settings: EC2 acts as responder, the gateway initiates
                mode = tunnel
                start_action = none
                
                # ESP proposal (the modp2048 group gives perfect forward secrecy)
                esp_proposals = aes128-sha256-modp2048
            }
        }

        # IKE settings
        version = 2
        mobike = yes
        proposals = aes128-sha256-modp2048
        rekey_time = 14400s
    }
}

# Pre-shared key, matched by IKE identity; keep this file readable by root only
secrets {
    ike {
        id-vpns = vpns
        id-IoTGWgW = IoTGWgW
        secret = "your_secure_psk_password_here"
    }
}
# Load Configuration
sudo swanctl --load-all
sudo swanctl --list-conns
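Before loading the configuration it is worth checking it for the three mistakes that most often leave a tunnel down or weakly configured: template placeholders that were never replaced, a PSK file that other users can read, and legacy algorithms in the proposals. The script below is an added example, not code from the original post; the check functions, their deny-list of algorithms and the sample configuration written to a temporary file are all constructed here.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks to run on the
# EC2 side before `swanctl --load-all`. They catch the mistakes that most often
# leave the tunnel down or weakly configured: template placeholders left in
# place, a file holding the PSK that other users can read, and legacy
# algorithms in the proposals. The path and sample content used in the demo
# at the bottom are constructed.

# Pass (0) when no template placeholders remain (the guide's "your ..."
# values and its example PSK); otherwise list the offending lines and fail (1).
check_placeholders() {
    grep -En '=[[:space:]]*your[ _]|your_secure_psk_password_here' "$1" >&2 && {
        echo "FAIL: replace the placeholder values listed above in $1" >&2
        return 1
    }
    echo "OK: no template placeholders in $1"
}

# Pass when the file is readable and writable by its owner only. In this
# guide the secrets block lives inside swanctl.conf, so that file needs 0600.
check_secret_perms() {
    mode=$(ls -ld "$1" | cut -c5-10)    # group and other permission bits
    if [ "$mode" != "------" ]; then
        echo "FAIL: $1 is group/world accessible (chmod 600 $1)" >&2
        return 1
    fi
    echo "OK: $1 is owner-only"
}

# Pass when neither the IKE nor the ESP proposals name a legacy algorithm.
# The deny-list is an assumption chosen here: MD5 and SHA-1 integrity, 3DES,
# and the 1024-bit DH group 2 (modp1024).
check_proposals() {
    if grep -E '(^|[[:space:]{])(esp_)?proposals[[:space:]]*=' "$1" \
        | grep -Eiq 'md5|sha1|3des|modp1024'; then
        echo "FAIL: legacy algorithm in a proposals line of $1" >&2
        return 1
    fi
    echo "OK: proposals use current algorithms"
}

# Run all checks; returns 0 only when every check passes.
preflight() {
    rc=0
    check_placeholders "$1" || rc=1
    check_secret_perms  "$1" || rc=1
    check_proposals     "$1" || rc=1
    return $rc
}

# Demo against a constructed copy of the guide's template, deliberately left
# world-readable; in practice run: preflight /etc/swanctl/swanctl.conf
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
connections {
    IoTGWgw-vpn {
        local_addrs = your EC2 address
        proposals = aes128-sha256-modp2048
    }
}
secrets {
    ike {
        secret = "your_secure_psk_password_here"
    }
}
EOF
chmod 644 "$demo_conf"
preflight "$demo_conf" || echo "preflight: not ready to load (expected for the untouched template)"
rm -f "$demo_conf"
```

Run `preflight /etc/swanctl/swanctl.conf` as root before `swanctl --load-all`; a non-zero exit means at least one check printed a FAIL line on stderr.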

IoTGW Gateway Configuration

1. Basic Settings

  • Connection Mode: Always-on
  • Remote Address: EC2 Elastic IP
  • Local Address: IoTGWgW Private IP

2. Security Settings

  • Authentication: Pre-shared Key (PSK)
  • Pre-shared Key: your_secure_psk_password_here (Must match EC2 configuration)
  • Encryption: AES128
  • Hash Algorithm: SHA256
  • DH Group: 14 (modp2048)

3. Network Settings

  • Local Subnet: your IoTGWgW network
  • Remote Subnet: your vpn network

Firewall and Security Configuration

AWS Security Groups
1. Ensure your EC2 security group allows:

  • UDP 500 (IKE)
  • UDP 4500 (NAT-T)
  • IP protocol 50 (ESP)

2. Also check the local firewall on the IoTGW Gateway: its rules must mirror the AWS security group and permit traffic to both the EC2 instance's private IP and its public (Elastic) IP.

Check iptables rules

# List the current rules
sudo iptables -L -n

# Allow IKE, NAT-T and raw ESP in. Rules added this way do not survive a
# reboot; persist them with your distribution's iptables-save mechanism
sudo iptables -A INPUT -p udp --dport 500 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 4500 -j ACCEPT
sudo iptables -A INPUT -p esp -j ACCEPT

Testing and Validation

# Monitor Connection Status
# Check active IKE and CHILD SAs (look for ESTABLISHED and INSTALLED)
sudo swanctl --list-sas

# Monitor real-time logs
sudo swanctl --log

# Check system logs
sudo journalctl -u strongswan -f

# Test Connectivity
# Ping through the VPN. -I sets the source address: use an address inside
# your local_ts so the packet matches the tunnel's traffic selector
ping -I your local vpn address your IoTGWgw private ip

# Test web interface access
curl http://your IoTGWgw private ip

# Check routing table
ip route show
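Reading `swanctl --list-sas` by eye is fine interactively, but for a cron job or a deploy script it helps to turn the listing into a pass/fail verdict that separates the states you have to tell apart when the management interface is unreachable: no IKE SA at all, an IKE SA without an installed CHILD_SA (the traffic selectors disagree), and a tunnel that is up but carries packets in one direction only (typically the gateway firewall discussed above). The script below is an added example, not code from the original post; the `tunnel_state` function is constructed here, and the sample listings are written in the format swanctl prints with invented addresses, SPIs and counters.

```shell
#!/bin/sh
# Added example, not from the original post: a pass/fail check built on
# `swanctl --list-sas` output, usable from a cron job or a deploy script. It
# separates the situations a practitioner has to tell apart when the
# management interface is unreachable: no IKE SA at all, an IKE SA with no
# installed CHILD_SA (traffic selectors disagree), and a tunnel that is up
# but carries packets in one direction only (typically a firewall on the far
# side). The listings below are constructed in the format swanctl prints;
# addresses, SPIs and counters are invented.

# Assess one connection from a listing read from file $2 (default: stdin).
# Prints a one-line verdict and returns:
#   0 tunnel up, packets flowing both ways
#   1 no ESTABLISHED IKE SA for this connection
#   2 IKE SA up but no INSTALLED CHILD_SA
#   3 CHILD_SA installed but zero packets in one direction
tunnel_state() {
    conn="$1"; listing="${2:-/dev/stdin}"
    # Keep only the lines belonging to this connection: from its header
    # ("<name>: #<n>, ..." at column 1) up to the next connection header.
    block=$(awk -v c="$conn" '
        /^[^ ]+: #/ { inblk = ($0 ~ ("^" c ": #")) }
        inblk { print }' "$listing")

    if ! printf '%s\n' "$block" | grep -q 'ESTABLISHED'; then
        echo "$conn: DOWN, no established IKE SA (is the gateway initiating? UDP 500/4500 open?)"
        return 1
    fi
    if ! printf '%s\n' "$block" | grep -q 'INSTALLED'; then
        echo "$conn: IKE SA up but no CHILD_SA; compare local_ts/remote_ts with the gateway's subnets"
        return 2
    fi
    # Packet counters from the "in  <spi>, <bytes> bytes, <n> packets, ..." lines
    in_pkts=$(printf '%s\n' "$block"  | sed -n 's/^ *in .*, *\([0-9][0-9]*\) packets.*/\1/p' | head -n 1)
    out_pkts=$(printf '%s\n' "$block" | sed -n 's/^ *out .*, *\([0-9][0-9]*\) packets.*/\1/p' | head -n 1)
    if [ "${in_pkts:-0}" -eq 0 ] || [ "${out_pkts:-0}" -eq 0 ]; then
        echo "$conn: UP but one-way (in=${in_pkts:-0} out=${out_pkts:-0} packets); check the gateway firewall and the security group"
        return 3
    fi
    echo "$conn: UP, in=$in_pkts out=$out_pkts packets"
}

# Constructed listing of a healthy tunnel (format of `swanctl --list-sas`).
SAMPLE_UP=$(cat <<'EOF'
IoTGWgw-vpn: #3, ESTABLISHED, IKEv2, 1a2b3c4d5e6f7a8b_i 8b7a6f5e4d3c2b1a_r*
  local  'vpns' @ 172.31.5.10[4500]
  remote 'IoTGWgW' @ 203.0.113.45[4500]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 120s ago, rekeying in 14100s
  net-net: #2, reqid 1, INSTALLED, TUNNEL, ESP:AES_CBC-128/HMAC_SHA2_256_128
    installed 120s ago, rekeying in 3300s, expires in 3960s
    in  c1a2b3c4,   1024 bytes,     12 packets,     3s ago
    out d4e5f6a7,    512 bytes,      6 packets,     3s ago
    local  10.8.0.0/24
    remote 192.168.1.0/24
EOF
)
# Same IKE SA but the CHILD_SA was never installed.
SAMPLE_NO_CHILD=$(printf '%s\n' "$SAMPLE_UP" | head -n 5)
# Tunnel installed but nothing has come back from the gateway.
SAMPLE_ONE_WAY=$(printf '%s\n' "$SAMPLE_UP" | sed 's/ 12 packets/ 0 packets/')

# Demo on the constructed listings; in production pipe the live output:
#   sudo swanctl --list-sas | tunnel_state IoTGWgw-vpn
for sample in "$SAMPLE_UP" "$SAMPLE_NO_CHILD" "$SAMPLE_ONE_WAY" ""; do
    printf '%s\n' "$sample" | tunnel_state IoTGWgw-vpn
done
```

The exit code is what a monitoring job should act on; the verdict line is there for the log. A return of 3 is the case the firewall section above is about: the EC2 side is sending, but replies from the gateway never arrive, which points at the gateway's local firewall or the security group rather than at StrongSwan.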

Resources

This comprehensive guide should help others successfully implement StrongSwan VPN connectivity between AWS EC2 and IoTGW Gateway devices. The solution addresses common challenges with mobile networks and provides a stable, secure connection for remote management.