Overview
Meyi Cloud's strongSwan VPN AMI is a production-hardened, IKEv2-only site-to-site VPN gateway designed for deployment on Amazon EC2. It is fully operational immediately after launch, with no manual server setup, hardening, or configuration required.
Every instance boots with AES-256-GCM/SHA-384/ECP-384 cryptographic proposals, Perfect Forward Secrecy, pre-shared-key or certificate-based IKEv2 tunnel authentication, key material excluded from logs, a default-deny host firewall, and key-only SSH access with root login disabled.
The AMI is validated against Amazon Linux and Ubuntu LTS, with time synchronization configured using the Amazon Time Sync Service and system settings tuned for the IPsec data path. It is designed to integrate with existing Amazon VPC connectivity architectures.
The solution is optimized to run efficiently across a range of compatible Amazon EC2 instance types, allowing customers to select an instance size based on their expected tunnel throughput. Each instance starts from the same tested image, helping provide a consistent and repeatable deployment experience.
Meyi Cloud provides technical support for this product.
Highlights
- Production-grade, IKEv2-only hardened strongSwan VPN AMI - fully operational immediately after launch, with no manual server setup or hardening required.
- Skip the hardening checklist entirely: AES-256-GCM, SHA-384, ECP-384 crypto proposals, PFS, a default-deny host firewall, and key-only SSH access are pre-configured and tested, cutting deployment time from days to minutes.
- High efficiency runs well even on low-cost instance types like t3.micro or t3.small, and the same hardened image is validated across Amazon Linux and Ubuntu LTS for a consistent, auditable baseline on every launch.
Details
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Financing for AWS Marketplace purchases
Pricing
Vendor refund policy
Refunds for this is accordance with AWS Marketplace refund policies. Customers may request a refund for billing errors or technical issues that prevent the successful use of the product. Refund requests must be submitted within 7 days of purchase.
To request a refund, customers should contact AWS Marketplace support or email support@meyicloud.com with their AWS account ID, product name, and reason for the request. AWS Marketplace will process approved refunds.
How can we make this page better?
Legal
Vendor terms and conditions
Content disclaimer
Delivery details
64-bit (x86) Amazon Machine Image (AMI)
Amazon Machine Image (AMI)
An AMI is a virtual image that provides the information required to launch an instance. Amazon EC2 (Elastic Compute Cloud) instances are virtual servers on which you can run your applications and workloads, offering varying combinations of CPU, memory, storage, and networking resources. You can launch as many instances from as many different AMIs as you need.
Version release notes
Version 1.1 Ubuntu
Additional details
Usage instructions
STARTING THE INSTANCE
- Launch the instance from the AMI in your target VPC/subnet. A t3.micro or t3.small is sufficient for most tunnel throughput needs.
- Ensure the security group allows: UDP 500 (IKE), UDP 4500 (NAT-T), and ESP (protocol 50) from your peer gateway's IP.
- Assign or associate an Elastic IP if the tunnel needs a stable public endpoint. If the IP changes after launch, restart the instance so the hardened baseline re-applies correctly.
CONNECTING TO THE INSTANCE
Linux username: [specify - e.g. ubuntu] Authentication: SSH key pair only (set at launch). Password and root login are disabled by design. Connect with: ssh -i your-key.pem [username]@<public-IP>
CONFIGURING THE SITE-TO-SITE TUNNEL
- Edit the tunnel definition at [specify path - e.g. /etc/ipsec.conf or /etc/swanctl/conf.d/] with your peer gateway's public IP, local/remote subnets, and pre-shared key or certificate.
- Add the matching secret at [specify path - e.g. /etc/ipsec.secrets].
- Reload the configuration: [specify exact command - e.g. sudo ipsec reload or sudo swanctl --load-all].
- Bring the tunnel up: [specify - e.g. sudo ipsec up <connection-name>].
VERIFYING THE TUNNEL
Check status: [specify - e.g. sudo ipsec status or sudo swanctl --list-sas] Confirm IKEv2/ESP proposals negotiated are AES-256-GCM/SHA-384/ECP-384 as expected. Test connectivity across the tunnel with ping to a host on the remote subnet.
LOGS & TROUBLESHOOTING
strongSwan logs: [specify - e.g. journalctl -u strongswan or /var/log/syslog] For persistent issues, contact support at [your support email] with the log excerpt and connection name.
Support
Vendor support
Customers receive technical support through email at support@meyicloud.com . Support includes assistance with installation, configuration, exporter setup, dashboard customization, and alert rule optimization. Standard support is provided during business hours (IST), with optional extended support available upon request. SLA options and dedicated support plans can be tailored based on customer needs.
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.