[Swan] AWS IPsec Client VPN Connectivity Issue

Paul Wouters paul at nohats.ca
Tue Dec 6 15:43:17 UTC 2016


On Tue, 6 Dec 2016, Brandon Galbraith wrote:

> I'm attempting to create a connection from an AWS EC2 instance (running LibreSwan) to a Juniper SRX240. The SRX240 VPN
> endpoint has a public IP, and the subnet I'm attempting to route to over the encrypted VPN connection is a public IP. The
> EC2 instance has a private IP within a VPC, but has an elastic IP assigned to it.
> Due to limitations on the remote network, RFC1918 network address space can't be routed over the IPsec tunnel.
> The connection looks like such with `ipsec auto --status`:
> 
> 192.168.204.177<192.168.204.177>[xx.xx.xx.xxx (elastic IP in
> VPC)]...vpn-terminator-public-ip<vpn-terminator-public-ip>==<public host ip>/32
> 
> I'm able to successfully establish IPsec SA and ISAKMP SA sessions with the destination VPN terminator endpoint, but I'm
> unable to ping across the tunnel; the firewall policy on the other side of the tunnel is restricting source packets to be
> from the elastic IP of the EC2 instance (again, due to RFC1918 space being unroutable for VPN tunnel purposes).

You need to configure the elastic IP on your VPS, so that the operating
system can use it as source ip address. This is described at:

https://libreswan.org/wiki/Interoperability#The_elastic_IP_and_the_RFC1918_native_IP_address

(if your VPS is ubuntu/debian, you will have to change /etc/network/interfaces similarly)

I've just clarified the above wiki entry, and also updated the AWS example config:

https://libreswan.org/wiki/Interoperability#Example_configuration

But basically:

> conn tunnel1
> 
>         authby=secret
>         auto=start
>         left=192.168.204.177
>         leftid=<elastic ip>
>         #leftsubnet=192.168.204.0/22

So change that to leftsubnet=<elastic ip>/32

> Is this type of connection possible from within an AWS VPC?

It is!

Paul
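An added check, not part of this thread or of Libreswan, for the two conditions Paul's answer boils down to: leftsubnet must be the elastic IP as a /32 (otherwise the selector falls back to the RFC1918 address in left=, which the remote firewall drops), and the elastic IP must actually be configured on the instance so the kernel can use it as a source. The conn section and the `ip -4 -o addr` output below are constructed samples using documentation addresses (203.0.113.10 stands in for the elastic IP); leftid is assumed to hold the elastic IP as a bare address, as in the quoted config.

```python
import ipaddress
import re

# Constructed conn section modelled on the one quoted above, with the
# leftsubnet line still commented out (the state that fails).
SAMPLE_CONF = """
conn tunnel1
        authby=secret
        auto=start
        left=192.168.204.177
        leftid=203.0.113.10
        #leftsubnet=192.168.204.0/22
        right=198.51.100.1
        rightsubnet=198.51.100.50/32
"""

# Constructed `ip -4 -o addr` output after the elastic IP has been added
# as a secondary address next to the VPC private address.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.204.177/22 brd 192.168.207.255 scope global eth0
2: eth0    inet 203.0.113.10/32 scope global eth0
"""

def parse_conn(text, name):
    """key=value settings of one conn section; commented-out lines are ignored."""
    settings, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            in_section = line.split(None, 1)[1] == name
            continue
        if in_section and line and not line.startswith("#"):
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def local_addresses(ip_addr_output):
    """Addresses configured on the host, taken from `ip -4 -o addr` output."""
    return {ipaddress.ip_interface(m).ip for m in re.findall(r"inet (\S+)", ip_addr_output)}

def check_source_selector(conn, addrs):
    """Reasons tunnel traffic would leave with a source the remote policy rejects."""
    problems = []
    elastic = ipaddress.ip_address(conn["leftid"])   # assumption: leftid is the elastic IP
    subnet = conn.get("leftsubnet")
    if subnet is None:
        problems.append("leftsubnet unset: selector defaults to left=%s (RFC1918)" % conn["left"])
    elif ipaddress.ip_network(subnet, strict=False) != ipaddress.ip_network(f"{elastic}/32"):
        problems.append(f"leftsubnet={subnet}, expected {elastic}/32")
    if elastic not in addrs:
        problems.append(f"{elastic} is not configured on any local interface")
    return problems
```

Run it against your own ipsec.conf and `ip -4 -o addr` output; an empty list means both of Paul's conditions hold.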

