AWS VPC VPN StrongSwan Virtual Tunnel Interface (VTI)
#@ /etc/quagga/bgpd.conf (Centos & Ubuntu)
! Quagga bgpd for the AWS VPN: peers with both Virtual Private Gateway tunnel
! endpoints over the VTI inside (169.254.x.x) addresses and announces the local
! LAN prefix to them. The VTI interfaces themselves are created by the
! strongSwan updown script; nothing here works until those are up.
hostname <Local OS hostname>
! vty and enable passwords. bgpd's telnet vty (TCP 2605) listens on every local
! address unless bgpd is started with --vty_addr; the host firewall's default
! INPUT DROP keeps it off the wire in this setup, but still use real passphrases
! and do not reuse them anywhere else.
password <Any random phrase>
enable password <Any random phrase>
!
log file /var/log/quagga/bgpd
!debug bgp events
!debug bgp zebra
! "debug bgp updates" is useful while bringing the tunnels up; it is chatty, turn
! it off once the sessions are stable.
debug bgp updates
!
router bgp <Your Customer Gateway ASN>
! The router-id is a 32-bit identifier usually written as a dotted quad (e.g.
! 1.1.1.1) and must be unique between you and the peer. It does not set route
! priority: a lower router-id only wins the last tie-break in BGP best-path
! selection. Route preference between the two tunnels is handled by the
! as-path prepend route-map below.
bgp router-id <Any integer number - smaller means higher priority routes>
! The prefix advertised to AWS. A matching route must exist in the kernel
! routing table (the LAN interface route) or bgpd will not announce it.
network <Your internal LAN subnet - e.g. 10.130.0.0/16>
!network 169.254.x.x/32
!network 169.254.x.x/32
!
! aws tunnel #1 neighbour
neighbor <Your VGW1 Inside IP> remote-as 17493
!
! aws tunnel #2 neighbour
neighbor <Your VGW2 Inside IP> remote-as 17493
!
! NOTE(review): nothing here filters what the VGWs advertise, so any prefix the
! far side sends (a default route, or your own LAN subnet) would be installed.
! If the VPC should only ever announce its own CIDR, add an inbound prefix-list
! on both neighbours, e.g. "neighbor <Your VGW1 Inside IP> prefix-list PL_VPC in"
! with PL_VPC permitting just the VPC CIDR.
!
! Uncomment the line below if you prefer to use 'Connection B' as your backup
! (Connection A will then be used as your primary for all traffic). By default,
! if you do not uncomment the next line, traffic can be sent and received down
! both of your connections at any time (asymmetric routing).
!neighbor <Your VGW2 Inside IP> route-map RM_LOWER_PRIORITY out
!
route-map RM_LOWER_PRIORITY permit 10
! Applied "out" on tunnel #2 only: prepending our own ASN three times makes the
! path via tunnel #2 look longer to AWS, so the VGW sends LAN-bound traffic via
! tunnel #1 while #2 stays established as the backup.
set as-path prepend <Your Customer Gateway ASN> <Your Customer Gateway ASN> <Your Customer Gateway ASN>
!
line vty
# LEGEND
# https://s3-us-west-2.amazonaws.com/youtubetutorials/racoon_config.txt
#
# <Your Customer Gateway ASN> is the local autonomous system (Customer Gateway ASN)
# 17493 is the remote autonomous system of AWS (Virtual Private Gateway ASN)
#
# <Your VGW1 Inside IP> is the 169.x address on the REMOTE side of the first peer. (Neighbor IP Address)
# <Your VGW2 Inside IP> is the 169.x address on the REMOTE side of the second peer. (Neighbor IP Address)
#
# <Your internal LAN subnet - e.g. 10.130.0.0/16> is the local private subnet/LAN (Private Network Subnet)
# 169.254.x.x/32 is the 169.x address on LOCAL side of the first peer. Use /32
# 169.254.x.x/32 is the 169.x address on the LOCAL side of the second peer. Use /32
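#!/bin/bash
#@ /etc/strongswan/ipsec-vti.sh (Centos) or /etc/strongswan.d/ipsec-vti.sh (Ubuntu)
# AWS VPC Hardware VPN Strongswan updown Script
#
# charon runs this script as "leftupdown" with the PLUTO_* variables in the
# environment every time a CHILD_SA changes state. On "up-client" it creates a
# VTI interface bound to the connection's marks, assigns the tunnel inside
# addresses and installs the MSS-clamp / ESP-marking iptables rules; on
# "down-client" it removes them again. Routes are NOT installed here - they
# come from BGP (quagga) over the VTI.
#
# Usage Instructions:
# Add "install_routes = no" to /etc/strongswan/strongswan.d/charon.conf or /etc/strongswan.d/charon.conf
# Add "install_virtual_ip = no" to /etc/strongswan/strongswan.d/charon.conf or /etc/strongswan.d/charon.conf
# For Ubuntu: Add "leftupdown=/etc/strongswan.d/ipsec-vti.sh" to /etc/ipsec.conf
# For RHEL/Centos: Add "leftupdown=/etc/strongswan/ipsec-vti.sh" to /etc/strongswan/ipsec.conf
# For RHEL/Centos 6 and below (stock iproute2 lacks "ip link ... type vti"), build a newer iproute2.
# Fetch it over https - the git:// protocol is unauthenticated and the binary ends up in root's PATH:
#   git clone https://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git && cd iproute2 && make && cp ./ip/ip /usr/local/sbin/ip
# Adjust the below according to the Generic Gateway Configuration file provided to you by AWS.
# Sample: http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/GenericConfig.html

IP=$(command -v ip)
IPTABLES=$(command -v iptables)
# LAN-side interface on which XFRM/IPsec policy lookups are switched off
# (route-based VPN). Override with LAN_IFACE=... in the environment if the LAN
# is not on eth1.
LAN_IFACE=${LAN_IFACE:-eth1}

#######################################
# Print the numeric part of a charon mark.
# Arguments: $1 - mark as exported in PLUTO_MARK_IN / PLUTO_MARK_OUT,
#                 either "value" or "value/mask"
# Outputs:   the value without the "/mask" suffix, no trailing newline
#######################################
mark_value() {
  printf '%s' "${1%%/*}"
}

#######################################
# Select the VTI name and inside addresses for a connection.
# Arguments: $1 - connection name (PLUTO_CONNECTION)
# Globals:   sets VTI_INTERFACE, VTI_LOCALADDR, VTI_REMOTEADDR
# Returns:   1 (with a message on stderr) for an unknown connection, so the
#            caller never runs "ip link add" with an empty interface name.
#######################################
vti_params() {
  case "$1" in
    AWS-VPC-GW1)
      VTI_INTERFACE=vti1
      VTI_LOCALADDR="<Your CGW1 Inside IP 169.254.x.x/30>"
      VTI_REMOTEADDR="<Your VGW1 Inside IP 169.254.x.x/30>"
      ;;
    AWS-VPC-GW2)
      VTI_INTERFACE=vti2
      VTI_LOCALADDR="<Your CGW2 Inside IP 169.254.x.x/30>"
      VTI_REMOTEADDR="<Your VGW2 Inside IP 169.254.x.x/30>"
      ;;
    *)
      printf 'ipsec-vti.sh: no VTI parameters for connection "%s"\n' "$1" >&2
      return 1
      ;;
  esac
}

#######################################
# Bring the VTI up for the CHILD_SA that just came up.
# Globals:   reads PLUTO_ME, PLUTO_PEER, PLUTO_MARK_IN, PLUTO_MARK_OUT and the
#            VTI_* variables set by vti_params
#######################################
vti_up() {
  local ikey okey
  ikey=$(mark_value "$PLUTO_MARK_IN")
  okey=$(mark_value "$PLUTO_MARK_OUT")
  # ikey/okey bind the interface to the marks charon attaches to this
  # connection's SAs (mark=... in ipsec.conf).
  "$IP" link add "$VTI_INTERFACE" type vti local "$PLUTO_ME" remote "$PLUTO_PEER" okey "$okey" ikey "$ikey"
  # Route-based VPN: the routing table, not the XFRM policy, decides what
  # enters the tunnel, so policy checks on the VTI are disabled.
  sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.disable_policy=1"
  # Loose reverse-path filtering on the tunnel (replies may arrive on the other
  # VTI); fall back to no filtering on kernels that do not know mode 2.
  sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.rp_filter=2" || sysctl -w "net.ipv4.conf.${VTI_INTERFACE}.rp_filter=0"
  "$IP" addr add "$VTI_LOCALADDR" remote "$VTI_REMOTEADDR" dev "$VTI_INTERFACE"
  # MTU 1436 as in the AWS generic configuration - leaves room for the ESP/IP
  # overhead on a 1500-byte outer path.
  "$IP" link set "$VTI_INTERFACE" up mtu 1436
  # Clamp the MSS of forwarded SYNs so TCP through the tunnel does not depend
  # on path-MTU discovery working end to end.
  "$IPTABLES" -t mangle -I FORWARD -o "$VTI_INTERFACE" -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  # Mark inbound ESP from this peer so the kernel matches it to this VTI's ikey.
  "$IPTABLES" -t mangle -I INPUT -p esp -s "$PLUTO_PEER" -d "$PLUTO_ME" -j MARK --set-xmark "$PLUTO_MARK_IN"
  # Drop whatever charon put into its own routing table (220); routes come
  # from BGP over the VTI, not from the SA's traffic selectors.
  "$IP" route flush table 220
  #/etc/init.d/bgpd reload || /etc/init.d/quagga force-reload bgpd
}

#######################################
# Tear down what vti_up installed for this CHILD_SA.
# Globals:   reads PLUTO_ME, PLUTO_PEER, PLUTO_MARK_IN and the VTI_* variables
#            set by vti_params
#######################################
vti_down() {
  "$IP" link del "$VTI_INTERFACE"
  "$IPTABLES" -t mangle -D FORWARD -o "$VTI_INTERFACE" -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  "$IPTABLES" -t mangle -D INPUT -p esp -s "$PLUTO_PEER" -d "$PLUTO_ME" -j MARK --set-xmark "$PLUTO_MARK_IN"
}

#######################################
# Entry point: dispatch on the updown verb, then (re)apply the host sysctls.
# Globals:   reads PLUTO_VERB, PLUTO_CONNECTION, IP, IPTABLES, LAN_IFACE
# Returns:   2 when not invoked by charon (PLUTO_VERB unset) so a manual run
#            does not silently flip the host's forwarding/policy sysctls;
#            1 for an unknown connection or missing ip/iptables binary.
#######################################
main() {
  if [[ -z "${PLUTO_VERB:-}" ]]; then
    printf 'ipsec-vti.sh: PLUTO_VERB is not set; this script is meant to be run by charon as leftupdown\n' >&2
    return 2
  fi
  if [[ -z "$IP" || -z "$IPTABLES" ]]; then
    printf 'ipsec-vti.sh: ip and iptables must be in PATH\n' >&2
    return 1
  fi
  case "$PLUTO_VERB" in
    up-client)
      vti_params "${PLUTO_CONNECTION:-}" || return 1
      vti_up
      ;;
    down-client)
      vti_params "${PLUTO_CONNECTION:-}" || return 1
      vti_down
      ;;
    *)
      # up-host / down-host and the other verbs need nothing here.
      ;;
  esac
  # Enable IPv4 forwarding
  sysctl -w net.ipv4.ip_forward=1
  # Traffic on the LAN interface must bypass XFRM/IPsec policy lookups, otherwise
  # the 0.0.0.0/0 traffic selectors of the tunnels would also catch plain LAN
  # traffic. Only the LAN interface should get this; never apply it to the
  # interface that carries the IKE/ESP packets.
  sysctl -w "net.ipv4.conf.${LAN_IFACE}.disable_xfrm=1"
  sysctl -w "net.ipv4.conf.${LAN_IFACE}.disable_policy=1"
}

main "$@"
# References:
# http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Introduction.html
# http://end.re/2015-01-06_vti-tunnel-interface-with-strongswan.html
# https://www-01.ibm.com/support/knowledgecenter/#!/SST55W_4.3.0/liaca/liaca_cfg_ipsec_vti.html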
#@ /etc/strongswan/ipsec.conf (Centos) or /etc/ipsec.conf (Ubuntu)
# ipsec.conf - strongSwan IPsec configuration file
# Two IKEv1 tunnels to the AWS Virtual Private Gateway, each with its own
# mark so the updown script can bind a VTI to it. Routing over the tunnels is
# done by BGP, which is why both traffic selectors below are 0.0.0.0/0.
# basic configuration
config setup
# "ike 3" is verbose; lower it once the tunnels are stable so the log is not
# dominated by IKE detail.
charondebug="cfg 2, ike 3"
# strictcrlpolicy=yes
# uniqueids = no
# Add connections here.
# Sample VPN connections
#conn sample-self-signed
# leftsubnet=10.1.0.0/16
# leftcert=selfCert.der
# leftsendcert=never
# right=192.168.0.2
# rightsubnet=10.2.0.0/16
# rightcert=peerCert.der
# auto=start
#conn sample-with-ca-cert
# leftsubnet=10.1.0.0/16
# leftcert=myCert.pem
# right=192.168.0.2
# rightsubnet=10.2.0.0/16
# rightid="C=CH, O=Linux strongSwan CN=peer name"
# auto=start
# Usage Instructions:
# Adjust the below according to the Generic Gateway Configuration file provided to you by AWS.
# Sample: http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/GenericConfig.html
# Everything shared by both tunnels lives in %default; the two conn sections
# below only supply the endpoints and the mark.
conn %default
# Authentication Method : Pre-Shared Key
# (the keys themselves are in ipsec.secrets, one per VGW outside address)
#authby=psk
leftauth=psk
rightauth=psk
# Encryption Algorithm : aes-128-cbc
# Authentication Algorithm : sha1
# Perfect Forward Secrecy : Diffie-Hellman Group 2
# The three comment lines above describe the AWS generic config. The proposal
# list offers a stronger suite first (AES-256 / SHA-256 / DH group 24) and the
# AWS-documented one second; the trailing "!" makes the list strict so nothing
# else is accepted.
# NOTE(review): the fallback aes128-sha1-modp1024 (SHA-1, 1024-bit DH) is below
# current guidance. Once the VGW is confirmed to negotiate the first proposal,
# drop the fallback so a downgrade to group 2 cannot happen.
ike=aes256-sha256-modp2048s256,aes128-sha1-modp1024!
# Lifetime : 28800 seconds
ikelifetime=28800s
# Phase 1 Negotiation Mode : main
# (aggressive mode would send the PSK-derived hash in the clear; keep it off)
aggressive=no
# Protocol : esp
# Encryption Algorithm : aes-128-cbc
# Authentication Algorithm : hmac-sha1-96
# Perfect Forward Secrecy : Diffie-Hellman Group 2
# Same pattern as "ike=": preferred suite first, AWS-documented suite as the
# fallback; see the note on the ike line.
esp=aes128-sha256-modp2048s256,aes128-sha1-modp1024!
# Lifetime : 3600 seconds
lifetime=3600s
# Mode : tunnel
type=tunnel
# DPD Interval : 10
dpddelay=10s
# DPD Retries : 3
# (3 retries x 10s interval = 30s before the peer is declared dead)
dpdtimeout=30s
# Tuning Parameters for AWS Virtual Private Gateway:
# IKEv1 is what the AWS generic configuration prescribes; if your VGW accepts
# IKEv2, prefer it (check the AWS customer-gateway documentation).
keyexchange=ikev1
#keyingtries=%forever
rekey=yes
reauth=no
# A dead or closed tunnel is re-established automatically, which is what keeps
# the BGP session (and the VTI created by the updown script) coming back.
dpdaction=restart
closeaction=restart
# Overridden by the explicit "left=" in each conn below.
left=%defaultroute
# Route-based VPN: the selectors allow everything; BGP routes decide what
# actually enters each VTI.
leftsubnet=0.0.0.0/0,::/0
rightsubnet=0.0.0.0/0,::/0
# Creates/removes the VTI and iptables rules; Ubuntu path is
# /etc/strongswan.d/ipsec-vti.sh (see the script's header).
leftupdown=/etc/strongswan/ipsec-vti.sh
installpolicy=yes
compress=no
mobike=no
conn AWS-VPC-GW1
# Customer Gateway: : <Your Strongswan-CGW Public IP>
# NOTE(review): on a host behind NAT (e.g. an EC2 instance, whose interface
# holds a private address) "left" must be the address actually configured on
# the interface, with "leftid=<public IP>" added so the IKE identity matches
# what the VGW expects - confirm against your own setup.
left=<Your Strongswan-CGW Public IP>
# Virtual Private Gateway : <Your VGW1 Outside IP>
right=<Your VGW1 Outside IP>
auto=start
# The mark is exported to the updown script as PLUTO_MARK_IN/OUT and becomes
# the VTI's ikey/okey; it must differ between the two tunnels.
mark=100
#reqid=1
conn AWS-VPC-GW2
# Customer Gateway: : <Your Strongswan-CGW Public IP>
left=<Your Strongswan-CGW Public IP>
# Virtual Private Gateway : <Your VGW2 Outside IP>
right=<Your VGW2 Outside IP>
auto=start
# Distinct mark for the second VTI (vti2 in the updown script).
mark=200
#reqid=2
# References:
# http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Introduction.html
# http://end.re/2015-01-06_vti-tunnel-interface-with-strongswan.html
# https://www-01.ibm.com/support/knowledgecenter/#!/SST55W_4.3.0/liaca/liaca_cfg_ipsec_vti.html
# https://aravindkrishnaswamy.wordpress.com/tag/multiple-vpn-tunnels-with-strongswan/
# https://aravindkrishnaswamy.wordpress.com/2014/11/26/site-to-site-vpn-between-openvpn-and-aws/
# http://www.mynameistoby.com/blog/2015/01/21/setting-up-strongswan-on-centos-6-to-connect-to-your-amazon-vpc-vpn/
# https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
# https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2CipherSuites
#@ /etc/strongswan/ipsec.secrets (Centos) or /etc/ipsec.secrets (Ubuntu)
# One pre-shared key per tunnel, selected by "<local IP> <remote IP>" - the
# same addresses as "left"/"right" in the matching conn section of ipsec.conf.
# These are the only credentials protecting the tunnels: keep this file owned
# by root with mode 0600, do not paste it into tickets or version control, and
# rotate the keys through the AWS console if they are ever exposed.
<Your Strongswan-CGW Public IP> <Your VGW1 Outside IP> : PSK "<Replace with VGW1 secret phrase provided by AWS>"
<Your Strongswan-CGW Public IP> <Your VGW2 Outside IP> : PSK "<Replace with VGW2 secret phrase provided by AWS>"
#@ /etc/sysconfig/iptables (Centos) or /etc/iptables/rules.v4 (Ubuntu with iptables-persistent package)
# Generated by iptables-save v1.4.7
# Host firewall for the VPN gateway. Default-deny on INPUT and FORWARD; the
# updown script adds its own rules to the mangle table at runtime, they are
# not part of this file.
*filter
:INPUT DROP [1:60]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [21:2888]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Drop malformed TCP: NULL scans, new connections that are not a plain SYN,
# and XMAS packets.
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -i lo -j ACCEPT
# NOTE(review): SSH is accepted from any source on any interface, including the
# Internet-facing eth0. Scope it, e.g. "-i eth1" or "-s <admin subnet>".
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# IKE (500), NAT-T (4500) and ESP from the Internet side.
# NOTE(review): the VGW outside addresses are fixed per tunnel (the "right="
# values in ipsec.conf), so these three rules can be tightened with
# "-s <Your VGW1 Outside IP>" / "-s <Your VGW2 Outside IP>" instead of
# exposing the IKE daemon to every host on the Internet.
-A INPUT -i eth0 -p esp -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
# BGP from the VGWs is only reachable through the tunnels (vti1/vti2).
-A INPUT -i vti+ -p tcp -m tcp --dport 179 -j ACCEPT
-A INPUT -i eth+ -p icmp -m icmp --icmp-type 8 -j ACCEPT
# NOTE(review): with FORWARD defaulting to DROP, these two rules let only ICMP
# echo cross between the LAN and the VPC. Real traffic needs explicit rules,
# e.g. "-A FORWARD -i eth1 -o vti+ -j ACCEPT" plus a RELATED,ESTABLISHED rule
# for the return path (and the reverse direction if the VPC initiates).
-A FORWARD -i eth1 -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed
#@ /etc/quagga/zebra.conf (Centos & Ubuntu)
! Quagga zebra: installs the routes bgpd learns from the VGWs into the kernel.
hostname <Local OS hostname>
! Same caveat as bgpd: zebra's vty (TCP 2601) listens on all addresses by
! default; use real passphrases even though the host firewall blocks the port.
password <Any random phrase>
enable password <Any random phrase>
!
! Configure interfaces
interface lo
! Change preferred source ip address of received routes
! Without this, the host's own traffic into the VPC would be sourced from the
! 169.254.x.x VTI address; the route-map makes kernel routes installed by bgp
! use the LAN address as their preferred source instead.
route-map RM_SET_SRC permit 10
set src <Your host ip-address on Your internal LAN subnet interface - e.g. 10.130.0.5>
ip protocol bgp route-map RM_SET_SRC
!
line vty
@dragan1979

One note: I had to add `leftid`/`rightid` lines when running StrongSwan on an AWS EC2 instance (the instance's interface carries a private address, so the IKE identity has to be set explicitly to the public IP the VGW expects).
