This section addresses common issues encountered during VPN setup and provides solutions for different operating system versions.
| Operating System | Recommended IPsec Software | Package Manager | Status |
|---|---|---|---|
| Amazon Linux 2 | OpenSwan | yum | ✅ Supported |
| Amazon Linux 2023 | Libreswan | dnf | ✅ Recommended |
| Ubuntu 20.04+ | StrongSwan | apt | ✅ Preferred |
| RHEL 8+ | Libreswan | dnf | ✅ Supported |
Problem: OpenSwan package not available in Amazon Linux 2023

Error Message:

```text
No match for argument: openswan
Error: Unable to locate package openswan
```

✅ Solution: Use Libreswan instead of OpenSwan

```bash
# Check OS version first
cat /etc/os-release

# For Amazon Linux 2023 (libreswan ships in the default AL2023 repositories,
# so no extra repository needs to be enabled)
sudo dnf update -y
sudo dnf install -y libreswan

# Verify installation
rpm -qa | grep libreswan
systemctl status ipsec
```

Problem: OpenSwan configuration doesn't work with Libreswan

✅ Solution: Update configuration syntax

Libreswan Configuration (/etc/ipsec.conf). Note that parameters inside a section must be indented; a line starting in column one begins a new section:

```text
# /etc/ipsec.conf - Libreswan configuration
config setup
    protostack=netkey
    plutodebug=none

# Include crypto policies and additional configs
include /etc/crypto-policies/back-ends/libreswan.config
include /etc/ipsec.d/*.conf
```

Updated AWS Configuration (/etc/ipsec.d/aws.conf):

```text
conn Tunnel1
    authby=secret
    auto=start
    left=%defaultroute
    leftid=<CUSTOMER_GATEWAY_PUBLIC_IP>
    right=<AWS_VPN_TUNNEL_1_IP>
    type=tunnel
    ikelifetime=8h
    keylife=1h
    phase2alg=aes128-sha1;modp2048
    ike=aes128-sha1;modp2048
    keyingtries=%forever
    keyexchange=ike
    leftsubnet=<LOCAL_NETWORK_CIDR>
    rightsubnet=<REMOTE_NETWORK_CIDR>
    dpddelay=10
    retransmit-timeout=30s
    dpdaction=restart_by_peer

conn Tunnel2
    authby=secret
    auto=start
    left=%defaultroute
    leftid=<CUSTOMER_GATEWAY_PUBLIC_IP>
    right=<AWS_VPN_TUNNEL_2_IP>
    type=tunnel
    ikelifetime=8h
    keylife=1h
    phase2alg=aes128-sha1;modp2048
    ike=aes128-sha1;modp2048
    keyingtries=%forever
    keyexchange=ike
    leftsubnet=<LOCAL_NETWORK_CIDR>
    rightsubnet=<REMOTE_NETWORK_CIDR>
    dpddelay=10
    retransmit-timeout=30s
    dpdaction=restart_by_peer
```

Key Differences from OpenSwan:

- `auth=esp` parameter (not needed in Libreswan)
- `dpdtimeout=30` becomes `retransmit-timeout=30s`

Problem: `service network restart` command not found

Error Message:

```text
bash: service: command not found
# or
Failed to restart network.service: Unit network.service not found
```

✅ Solution: Use systemd commands for Amazon Linux 2023

```bash
# Modern network service management
sudo systemctl restart systemd-networkd
sudo systemctl restart systemd-networkd-wait-online

# Apply sysctl changes
sudo sysctl -p

# IPsec service management
sudo systemctl enable ipsec
sudo systemctl start ipsec
sudo systemctl restart ipsec
```

Problem: IPsec tunnels fail to establish connection

✅ Diagnostic Steps:

```bash
sudo systemctl status ipsec
sudo ipsec status
sudo ipsec trafficstatus
sudo ipsec verify
sudo ipsec whack --status

# Test connectivity to AWS VPN endpoints
# (the tunnel endpoints may not answer ICMP, so a ping timeout alone is not conclusive)
ping -c 4 <AWS_VPN_TUNNEL_1_IP>
ping -c 4 <AWS_VPN_TUNNEL_2_IP>

# Check routing
ip route show
ip route get <REMOTE_NETWORK>

# Real-time log monitoring
sudo journalctl -u ipsec -f

# Check authentication logs
sudo tail -f /var/log/secure

# Check system messages
sudo tail -f /var/log/messages
```

Problem: PSK authentication fails

Common Causes:

✅ Solution:

Secrets file (/etc/ipsec.d/aws.secrets):

```text
# Correct format (note the spacing)
<CUSTOMER_GATEWAY_IP> <AWS_TUNNEL_IP>: PSK "<PRE_SHARED_KEY>"

# Example:
3.0.55.195 18.138.189.202: PSK "ODdP8ym_R7vCDK0DXdjKhozZc323Nd7V"
3.0.55.195 52.74.110.26: PSK "UKjoh_Q_FzbSyHAtlkQWUCj2ssw.6H09"
```

```bash
sudo chmod 600 /etc/ipsec.d/aws.secrets
sudo chown root:root /etc/ipsec.d/aws.secrets
sudo systemctl restart ipsec
```
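A small pre-flight check for the secrets file, added here as an example; it is not part of the original guide or of Libreswan, and the helper names (`check_secrets_mode`, `check_psk_line`, `check_secrets_file`) are our own. It verifies that the file mode is 600 (or 400), that every non-comment line has the `<ip> <ip>: PSK "<key>"` shape shown above (a space before the colon is also accepted), and that no `<PLACEHOLDER>` was left unreplaced, which is a common cause of a PSK mismatch. The sample file is constructed with placeholder keys; `stat -c` is the GNU/busybox form found on Amazon Linux.

```shell
#!/bin/sh
# Added example: sanity-check a Libreswan secrets file before restarting ipsec.
# Not part of Libreswan; the helper names are our own.

# check_secrets_mode FILE -> 0 if the mode is 600 or 400, else 1
check_secrets_mode() {
  mode=$(stat -c '%a' "$1" 2>/dev/null) || { echo "ERR: cannot stat $1" >&2; return 1; }
  case "$mode" in
    600|400) return 0 ;;
    *) echo "WARN: $1 has mode $mode, expected 600" >&2; return 1 ;;
  esac
}

# check_psk_line LINE -> 0 if LINE looks like: <ipv4> <ipv4>: PSK "<key>"
# The colon may directly follow the peer address (as in the guide) or be
# separated by a space; both spellings are accepted here.
check_psk_line() {
  line=$1
  case "$line" in
    *'<'*'>'*) echo "BAD (placeholder left in): $line" >&2; return 1 ;;
  esac
  printf '%s\n' "$line" \
    | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3} [0-9]{1,3}(\.[0-9]{1,3}){3} ?: PSK "[^"]+"$' \
    || { echo "BAD (syntax): $line" >&2; return 1; }
}

# check_secrets_file FILE -> 0 if the mode is right and every non-comment,
# non-blank line passes check_psk_line; each problem is reported on stderr
check_secrets_file() {
  file=$1
  bad=0
  check_secrets_mode "$file" || bad=$((bad + 1))
  while IFS= read -r l || [ -n "$l" ]; do
    case "$l" in ''|'#'*) continue ;; esac
    check_psk_line "$l" || bad=$((bad + 1))
  done < "$file"
  [ "$bad" -eq 0 ]
}

# Demo on a constructed file (placeholder keys, not real secrets).
demo() {
  dir=$(mktemp -d)
  cat > "$dir/aws.secrets" <<'EOF'
# constructed sample
3.0.55.195 18.138.189.202: PSK "EXAMPLE_KEY_TUNNEL1"
3.0.55.195 52.74.110.26: PSK "EXAMPLE_KEY_TUNNEL2"
EOF
  chmod 600 "$dir/aws.secrets"
  check_secrets_file "$dir/aws.secrets" && echo "aws.secrets OK"
  rm -rf "$dir"
}

# Run the demo only when invoked with --demo.
# On a real host: check_secrets_file /etc/ipsec.d/aws.secrets
case "${1:-}" in --demo) demo ;; esac
```

Run it with `sh check_secrets.sh --demo` for the constructed sample, or source it and call `check_secrets_file /etc/ipsec.d/aws.secrets` as root before `systemctl restart ipsec`. The file mode check matters because Libreswan reads the secrets as root and the key must not be world-readable; the placeholder check catches the copy-paste mistake that produces an authentication failure with no obvious syntax error.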

Check System Configuration:

```bash
# Verify IP forwarding
cat /proc/sys/net/ipv4/ip_forward

# Check RP filter settings
cat /proc/sys/net/ipv4/conf/default/rp_filter

# Verify source route acceptance
cat /proc/sys/net/ipv4/conf/default/accept_source_route
```

Apply Correct Settings (/etc/sysctl.conf):

```text
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
```

```bash
# Apply changes
sudo sysctl -p
```

Check Firewall Status:

```bash
# Check if firewall is running
sudo systemctl status firewalld

# List current rules
sudo firewall-cmd --list-all
```

Allow IPsec Traffic:

```bash
# Allow IPsec protocols
sudo firewall-cmd --permanent --add-service=ipsec
sudo firewall-cmd --permanent --add-port=500/udp
sudo firewall-cmd --permanent --add-port=4500/udp

# Reload firewall
sudo firewall-cmd --reload
```

Optimize IPsec Performance:

```text
# Add to /etc/ipsec.conf under config setup
config setup
    protostack=netkey
    plutodebug=none
    # Performance optimizations
    nhelpers=0
    interfaces=%defaultroute
```

Verify Traffic Through the Tunnel:

```bash
# From Customer Gateway to AWS private resources
ping -c 4 <AWS_PRIVATE_IP>

# From AWS private resources to Customer Gateway
ping -c 4 <CUSTOMER_GATEWAY_PRIVATE_IP>

# Check if VPN routes are learned
ip route show | grep <REMOTE_NETWORK>

# Verify route table in AWS Console
# VPC → Route Tables → Check propagated routes

# Continuous monitoring
watch -n 5 'sudo ipsec trafficstatus'

# Check tunnel statistics
sudo ipsec whack --trafficstatus
```
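The diagnostic steps above and the `watch -n 5 'sudo ipsec trafficstatus'` loop both rely on reading `ipsec trafficstatus` by eye. The helper below, added here as an example (not part of the original guide or of Libreswan; the function names are our own), turns that output into a pass/fail check: it lists which conns have an ESP SA, reports expected conns that are missing, and warns about conns whose `inBytes` is still 0, which is normal right after establishment but, if it persists, usually means the far side is not routing back to you (route propagation, `rp_filter`, firewall). The sample output is constructed in the one-line-per-SA shape Libreswan 4.x prints, with the conn name in double quotes; the counters are made up.

```shell
#!/bin/sh
# Added example: turn `ipsec trafficstatus` output into a pass/fail check.
# Helper names are our own; the sample output is constructed.

# established_conns: names of conns that currently have an ESP SA
# (stdin = trafficstatus output; the conn name is the text between the first quotes)
established_conns() {
  awk -F'"' '/type=ESP/ { print $2 }' | sort -u
}

# inbound_idle: conns whose ESP SA shows inBytes=0, i.e. we send but nothing returns.
# Normal for a few seconds after establishment; persistent means the far side is
# not routing to us (check AWS route propagation, rp_filter, firewall).
inbound_idle() {
  awk -F'"' '/type=ESP/ && /inBytes=0,/ { print $2 }' | sort -u
}

# missing_conns NAME...: expected conns that have no ESP SA (stdin = trafficstatus output)
missing_conns() {
  up=$(established_conns)
  for want in "$@"; do
    printf '%s\n' "$up" | grep -qx -- "$want" || echo "$want"
  done
}

# tunnels_ok NAME...: 0 if every named conn is up; idle inbound is only a warning.
# Prints "OK: ..." on stdout, diagnostics on stderr.
tunnels_ok() {
  out=$(cat)   # capture stdin once so it can be scanned twice
  idle=$(printf '%s\n' "$out" | inbound_idle)
  if [ -n "$idle" ]; then
    printf 'WARN: no inbound ESP traffic on: %s\n' "$(printf '%s' "$idle" | tr '\n' ' ')" >&2
  fi
  missing=$(printf '%s\n' "$out" | missing_conns "$@")
  if [ -n "$missing" ]; then
    printf 'FAIL: no ESP SA for: %s\n' "$(printf '%s' "$missing" | tr '\n' ' ')" >&2
    return 1
  fi
  echo "OK: $* established"
}

# Constructed sample in the Libreswan 4.x trafficstatus line format.
# Tunnel1 carries traffic both ways; Tunnel2 is up but has received nothing.
sample_trafficstatus() {
  cat <<'EOF'
006 #3: "Tunnel1", type=ESP, add_time=1700000000, inBytes=48200, outBytes=51144, maxBytes=2^63B, id='18.138.189.202'
006 #5: "Tunnel2", type=ESP, add_time=1700000300, inBytes=0, outBytes=2016, maxBytes=2^63B, id='52.74.110.26'
EOF
}

# On a host:  sudo ipsec trafficstatus | tunnels_ok Tunnel1 Tunnel2
# Demo on the constructed sample:
case "${1:-}" in --demo) sample_trafficstatus | tunnels_ok Tunnel1 Tunnel2 ;; esac
```

`sh tunnel_check.sh --demo` prints a warning for Tunnel2 and then `OK: Tunnel1 Tunnel2 established`; on a real host feed it `sudo ipsec trafficstatus` and use the exit status from a cron job or monitoring agent. AWS expects both tunnels to be up for the connection to be highly available, so the check takes every expected conn name and fails if any is missing rather than passing on the first one found.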

Quick Reference:

```bash
# Service Management
sudo systemctl status ipsec
sudo systemctl restart ipsec
sudo systemctl enable ipsec

# Configuration Verification
sudo ipsec verify
sudo ipsec whack --status

# Connectivity Testing
ping -c 4 <REMOTE_IP>
traceroute <REMOTE_IP>

# Log Analysis
sudo journalctl -u ipsec -f
sudo tail -f /var/log/secure

# Network Diagnostics
ip route show
netstat -rn    # requires the net-tools package; `ip route show` is always available

# IKE listens on UDP 500 and 4500 only; anchor the match on the port so that
# ports such as 5000 or 14500 do not give a false positive
ss -uln | grep -E ':(500|4500)( |$)'
```
If you continue to experience issues:
For additional support, refer to:
💡 Pro Tip: Always test VPN connectivity from both directions and monitor logs during initial setup to quickly identify and resolve issues.