[Swan] AWS IPsec Client VPN Connectivity Issue

Brandon Galbraith brandon.galbraith at gmail.com
Tue Dec 6 17:54:08 UTC 2016


Thank you Paul! I've modified my configuration to define the elastic IP as
the `leftsubnet` parameter (with `/32` at the end of it) as well as define
`%defaultroute` for the `left` parameter, and the tunnel is established,
although I'm still unable to ping. When I run `ip xfrm monitor` while
pinging (no ping packets returned), no output is returned.

Would you have any suggestions as to how I can debug further?

On Tue, Dec 6, 2016 at 9:43 AM, Paul Wouters <paul at nohats.ca> wrote:

> On Tue, 6 Dec 2016, Brandon Galbraith wrote:
>
> I'm attempting to create a connection from an AWS EC2 instance (running
>> LibreSwan) to a Juniper SRX240. The SRX240 VPN
>> endpoint has a public IP, and the subnet I'm attempting to route to over
>> the encrypted VPN connection is a public IP. The
>> EC2 instance has a private IP within a VPC, but has an elastic IP
>> assigned to it.
>> Due to limitations on the remote network, RFC1918 network address space
>> can't be routed over the IPsec tunnel.
>> The connection looks like such with `ipsec auto --status`:
>>
>> 192.168.204.177<192.168.204.177>[xx.xx.xx.xxx (elastic IP in
>> VPC)]...vpn-terminator-public-ip<vpn-terminator-pubic-ip>==<public host
>> ip>/32
>>
>> I'm able to successfully establish IPsec SA and ISAKMP SA sessions with
>> the destination VPN terminator endpoint, but I'm
>> unable to ping across the tunnel; the firewall policy on the other side
>> of the tunnel is restricting source packets to be
>> from the elastic IP of the EC2 instance (again, due to RFC1918 space
>> being unroutable for VPN tunnel purposes).
>>
>
> You need to configure the elastic IP on your VPS, so that the operating
> system can use it as source ip address. This is described at:
>
> https://libreswan.org/wiki/Interoperability#The_elastic_IP_
> and_the_RFC1918_native_IP_address
>
> (if your VPS is ubuntu/debian, you will have to change
> /etc/network/interfaces similarly)
>
> I've just clarified the above wiki entry, and also updated the AWS example
> config:
>
> https://libreswan.org/wiki/Interoperability#Example_configuration
>
> But basically:
>
> conn tunnel1
>>
>>         authby=secret
>>         auto=start
>>         left=192.168.204.177
>>         leftid=<elastic ip>
>>         #leftsubnet=192.168.204.0/22
>>
>
> So change that to leftsubnet=<elastic ip>/32
>
> Is this type of connection possible from within an AWS VPC?
>>
>
> It is!
>
> Paul
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20161206/2adbc5c5/attachment.html>


More information about the Swan mailing list