[Swan] AWS IPsec Client VPN Connectivity Issue

Brandon Galbraith brandon.galbraith at gmail.com
Tue Dec 6 09:17:53 UTC 2016


Hello all!

I'm attempting to create a connection from an AWS EC2 instance (running
LibreSwan) to a Juniper SRX240. The SRX240 VPN endpoint has a public IP,
and the subnet I'm attempting to route to over the encrypted VPN connection
is a public IP. The EC2 instance has a private IP within a VPC, but has an
elastic IP assigned to it.

Due to limitations on the remote network, RFC1918 network address space
can't be routed over the IPsec tunnel.

The connection looks like such with `ipsec auto --status`:

192.168.204.177<192.168.204.177>[xx.xx.xx.xxx (elastic IP in
VPC)]...vpn-terminator-public-ip<vpn-terminator-public-ip>==<public host
ip>/32

I'm able to successfully establish IPsec SA and ISAKMP SA sessions with the
destination VPN terminator endpoint, but I'm unable to ping across the
tunnel; the firewall policy on the other side of the tunnel is restricting
source packets to be from the elastic IP of the EC2 instance (again, due to
RFC1918 space being unroutable for VPN tunnel purposes).

My ipsec.conf contents:

config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off
        plutodebug=all
        plutostderrlog=/var/log/libreswan.log
        uniqueids=yes

My tunnel conf contents:

conn tunnel1
        authby=secret
        auto=start
        left=192.168.204.177
        leftid=<elastic ip>
        #leftsubnet=192.168.204.0/22
        right=<vpn terminator public ip>
        rightsubnet=<public host ip>
        type=tunnel
        ikelifetime=24h
        salifetime=1h
        phase2alg=3des-sha1
        ike=3des-sha1
        pfs=yes
        auth=esp
        keyingtries=%forever
        aggrmode=no
        keyexchange=ike
        ikev2=never
        forceencaps=yes

Is this type of connection possible from within an AWS VPC?

Thanks!
Brandon
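As an added diagnostic, not part of the original post: a small Python script that applies libreswan's traffic-selector rule (leftsubnet defaults to left/32) to the conn above and reports that the inner source address of tunnel packets is the RFC1918 private IP rather than the elastic IP named in leftid, which is exactly what the remote firewall policy rejects. The addresses standing in for the post's placeholders are constructed from RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed copy of the conn section from the post. Placeholders are
# filled with RFC 5737 documentation addresses; they are not real endpoints.
CONN_TUNNEL1 = """
conn tunnel1
        authby=secret
        left=192.168.204.177
        leftid=203.0.113.10
        #leftsubnet=192.168.204.0/22
        right=198.51.100.1
        rightsubnet=198.51.100.20
        type=tunnel
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_conn(text):
    """Return the key=value parameters of one conn section, skipping comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def local_selector(params):
    """libreswan uses leftsubnet as the local traffic selector; when it is
    absent (or commented out) the selector is left/32, so packets entering
    the tunnel carry the instance's private address as inner source."""
    subnet = params.get("leftsubnet") or params["left"] + "/32"
    return ipaddress.ip_network(subnet, strict=False)


def check_source(params):
    """Compare the inner source selector with the only source the remote
    firewall accepts (the elastic IP, which the post puts in leftid)."""
    sel = local_selector(params)
    expected = ipaddress.ip_network(params["leftid"] + "/32")
    private = any(sel.subnet_of(net) for net in RFC1918)
    return {"selector": str(sel), "expected": str(expected),
            "matches": sel == expected, "rfc1918": private}


if __name__ == "__main__":
    print(check_source(parse_conn(CONN_TUNNEL1)))
```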