[Swan] AWS IPsec Client VPN Connectivity Issue
Brandon Galbraith
brandon.galbraith at gmail.com
Tue Dec 6 09:17:53 UTC 2016
Hello all!
I'm attempting to create a connection from an AWS EC2 instance (running
LibreSwan) to a Juniper SRX240. The SRX240 VPN endpoint has a public IP,
and the subnet I'm attempting to route to over the encrypted VPN connection
is a public IP. The EC2 instance has a private IP within a VPC, but has an
elastic IP assigned to it.
Due to limitations on the remote network, RFC1918 network address space
can't be routed over the IPsec tunnel.
The connection looks like this with `ipsec auto --status`:
    192.168.204.177<192.168.204.177>[xx.xx.xx.xxx (elastic IP in VPC)]...vpn-terminator-public-ip<vpn-terminator-public-ip>==<public host ip>/32
I'm able to successfully establish IPsec SA and ISAKMP SA sessions with the
destination VPN terminator endpoint, but I'm unable to ping across the
tunnel; the firewall policy on the other side of the tunnel is restricting
source packets to be from the elastic IP of the EC2 instance (again, due to
RFC1918 space being unroutable for VPN tunnel purposes).
My ipsec.conf contents:
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=off
    plutodebug=all
    plutostderrlog=/var/log/libreswan.log
    uniqueids=yes
My tunnel conf contents:
conn tunnel1
    authby=secret
    auto=start
    left=192.168.204.177
    leftid=<elastic ip>
    #leftsubnet=192.168.204.0/22
    right=<vpn terminator public ip>
    rightsubnet=<public host ip>
    type=tunnel
    ikelifetime=24h
    salifetime=1h
    phase2alg=3des-sha1
    ike=3des-sha1
    pfs=yes
    auth=esp
    keyingtries=%forever
    aggrmode=no
    keyexchange=ike
    ikev2=never
    forceencaps=yes
Is this type of connection possible from within an AWS VPC?
Thanks!
Brandon
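Editor's note and added example (not part of the original post, and not a reply from the list). The status line above shows why the pings are dropped: with leftsubnet commented out, the local traffic selector defaults to the host address 192.168.204.177/32, so the plaintext packet inside ESP carries the private source. AWS's elastic-IP mapping is a 1:1 NAT on the outer IKE/ESP headers only; it never rewrites the inner packet, so the SRX policy that only permits the elastic IP never sees a matching source. The fix is to make the elastic IP the local selector and the kernel's source address for the tunnel, and to have the SRX proxy-ID/traffic selector agree (EIP/32 on one side, the public host /32 on the other). The script below renders such a conn and the kernel state it needs. All addresses are assumed documentation values standing in for the redacted ones; `DRY_RUN`-style printing is the default and `apply` requires root on the EC2 instance. The security group and any NACL must still allow UDP 500 and 4500 from the SRX (forceencaps puts ESP inside UDP 4500). The 3des-sha1 and IKEv1-only settings from the post are kept only because the SRX side dictates them; if it can negotiate aes/sha2 and IKEv2, prefer those.

```shell
#!/bin/sh
# Added example, not from the original post or the Libreswan project.
# Documentation addresses stand in for the redacted ones (assumed values):
#   PRIV_IP      EC2 private address inside the VPC
#   EIP          the instance's elastic IP (AWS 1:1-NATs only the outer packets)
#   PEER         SRX240 public VPN endpoint
#   REMOTE_HOST  public host behind the SRX reached through the tunnel
PRIV_IP=192.168.204.177
EIP=203.0.113.10
PEER=198.51.100.1
REMOTE_HOST=198.51.100.50

# Render a conn whose local traffic selector is the EIP, not the private IP.
# leftsubnet=EIP/32 is the proxy-ID negotiated with the SRX; leftsourceip
# makes the kernel route toward rightsubnet with the EIP as source, so the
# plaintext packet inside ESP already carries the address the SRX permits.
render_conn() {
    cat <<EOF
conn tunnel1
    authby=secret
    auto=start
    left=$PRIV_IP
    leftid=$EIP
    leftsubnet=$EIP/32
    leftsourceip=$EIP
    right=$PEER
    rightsubnet=$REMOTE_HOST/32
    type=tunnel
    forceencaps=yes
    # remaining options (ike=, phase2alg=, lifetimes, pfs=, ikev2=) as in the post
EOF
}

# Kernel state that goes with the conn: the EIP must exist locally so that
# replies addressed to it are accepted and it can be used as a source
# address (added on lo explicitly rather than relying on the updown script),
# and any packet that still leaves with the private source toward the
# remote host is SNATed. POSTROUTING NAT is applied before the kernel
# re-evaluates the IPsec policy for a NATed packet, so the rewritten packet
# matches the EIP/32 -> REMOTE_HOST/32 policy instead of leaking in clear.
kernel_commands() {
    cat <<EOF
ip addr replace $EIP/32 dev lo
iptables -t nat -A POSTROUTING -s $PRIV_IP -d $REMOTE_HOST/32 -j SNAT --to-source $EIP
EOF
}

# Does the rendered conn contain the given option line (exact match)?
conn_has() {
    render_conn | grep -qx -- "    $1"
}

# Stand-alone: print the conn and the commands; 'apply' executes them (root).
case "${1:-show}" in
    apply)
        kernel_commands | sh -e
        render_conn > /etc/ipsec.d/tunnel1.conf
        ipsec auto --add tunnel1 && ipsec auto --up tunnel1
        ;;
    *)
        render_conn
        echo "# kernel state to apply before 'ipsec auto --up tunnel1':"
        kernel_commands | sed 's/^/# /'
        ;;
esac
```

After `apply`, `ipsec auto --status` should show the left side as `203.0.113.10/32===192.168.204.177<192.168.204.177>[203.0.113.10]` (with the real addresses substituted), and `ping -I 203.0.113.10 198.51.100.50` should be answered; a tcpdump on the instance for `udp port 4500` confirms that the pings are actually leaving inside ESP rather than in clear.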