[Swan] AWS IPsec Client VPN Connectivity Issue

Paul Wouters paul at nohats.ca
Tue Dec 6 17:57:42 UTC 2016


Try ping -I elasticip remoteip?

If you NAT on that machine, exclude NAT for -s elasticip -d remoteip

Sent from my iPhone

> On Dec 6, 2016, at 12:54, Brandon Galbraith <brandon.galbraith at gmail.com> wrote:
> 
> Thank you Paul! I've modified my configuration to define the elastic IP as the `leftsubnet` parameter (with `/32` at the end of it) as well as define `%defaultroute` for the `left` parameter, and the tunnel is established, although I'm still unable to ping. When I run `ip xfrm monitor` while pinging (no ping packets returned), no output is returned. 
> 
> Would you have any suggestions as to how I can debug further?
> 
>> On Tue, Dec 6, 2016 at 9:43 AM, Paul Wouters <paul at nohats.ca> wrote:
>> On Tue, 6 Dec 2016, Brandon Galbraith wrote:
>> 
>>> I'm attempting to create a connection from an AWS EC2 instance (running LibreSwan) to a Juniper SRX240. The SRX240 VPN
>>> endpoint has a public IP, and the subnet I'm attempting to route to over the encrypted VPN connection is a public IP. The
>>> EC2 instance has a private IP within a VPC, but has an elastic IP assigned to it.
>>> Due to limitations on the remote network, RFC1918 network address space can't be routed over the IPsec tunnel.
>>> The connection looks like such with `ipsec auto --status`:
>>> 
>>> 192.168.204.177<192.168.204.177>[xx.xx.xx.xxx (elastic IP in VPC)]...vpn-terminator-public-ip<vpn-terminator-public-ip>==<public host ip>/32
>>> 
>>> I'm able to successfully establish IPsec SA and ISAKMP SA sessions with the destination VPN terminator endpoint, but I'm
>>> unable to ping across the tunnel; the firewall policy on the other side of the tunnel is restricting source packets to be
>>> from the elastic IP of the EC2 instance (again, due to RFC1918 space being unroutable for VPN tunnel purposes).
>> 
>> You need to configure the elastic IP on your VPS, so that the operating
>> system can use it as source ip address. This is described at:
>> 
>> https://libreswan.org/wiki/Interoperability#The_elastic_IP_and_the_RFC1918_native_IP_address
>> 
>> (if your VPS is ubuntu/debian, you will have to change /etc/network/interfaces similarly)
>> 
>> I've just clarified the above wiki entry, and also updated the AWS example config:
>> 
>> https://libreswan.org/wiki/Interoperability#Example_configuration
>> 
>> But basically:
>> 
>>> conn tunnel1
>>> 
>>>         authby=secret
>>>         auto=start
>>>         left=192.168.204.177
>>>         leftid=<elastic ip>
>>>         #leftsubnet=192.168.204.0/22
>> 
>> So change that to leftsubnet=<elastic ip>/32
>> 
>>> Is this type of connection possible from within an AWS VPC?
>> 
>> It is!
>> 
>> Paul
> 
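The two fixes Paul describes (leftsubnet=<elastic ip>/32 with left=%defaultroute, plus a NAT exemption so the kernel does not rewrite the source before xfrm sees the packet), as an added example that is not part of the thread or of the libreswan wiki; every address below is a constructed placeholder, and it assumes the elastic IP has already been added to the instance's interface as the wiki entry linked above describes.

```shell
#!/bin/sh
# Added example, not from the thread. Renders the libreswan conn with the
# settings Paul asked for and the NAT exclusion for tunnel-bound traffic.
ELASTIC_IP="203.0.113.10"      # elastic IP (constructed placeholder)
PEER_IP="198.51.100.20"        # SRX240 public endpoint (constructed placeholder)
REMOTE_NET="198.51.100.64/32"  # public host reachable only via the tunnel (placeholder)

# conn stanza: left=%defaultroute and leftsubnet=<elastic ip>/32 replace the
# RFC1918 leftsubnet, which the remote side cannot route; the old line is kept
# commented out so the diff against the original config stays visible.
render_conn() {
    cat <<EOF
conn tunnel1
        authby=secret
        auto=start
        left=%defaultroute
        leftid=$ELASTIC_IP
        leftsubnet=$ELASTIC_IP/32
        # RFC1918 space is not routable across this tunnel:
        #leftsubnet=192.168.204.0/22
        right=$PEER_IP
        rightsubnet=$REMOTE_NET
EOF
}

# NAT exemption: an ACCEPT rule inserted ahead of MASQUERADE in POSTROUTING so
# packets from the elastic IP to the remote host keep their source address.
nat_exclude_rule() {
    echo "iptables -t nat -I POSTROUTING 1 -s $ELASTIC_IP -d $REMOTE_NET -j ACCEPT"
}

# Connectivity check with the elastic IP forced as source, as suggested.
ping_check_cmd() {
    echo "ping -I $ELASTIC_IP -c 3 ${REMOTE_NET%/*}"
}

# To apply on the instance (root):
#   render_conn > /etc/ipsec.d/tunnel1.conf && ipsec auto --add tunnel1
#   eval "$(nat_exclude_rule)"
#   eval "$(ping_check_cmd)"   # watch with: ip xfrm monitor
```

If MASQUERADE is not in use on the instance the NAT rule is unnecessary; the ping must still leave with the elastic IP as source or the SRX240 policy drops it.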