[Swan] AWS IPsec Client VPN Connectivity Issue
paul at nohats.ca
Tue Dec 6 17:57:42 UTC 2016
Try ping -I elasticip remoteip?
If you NAT on that machine, exclude NAT for -s elasticip -d remoteip
Sent from my iPhone
> On Dec 6, 2016, at 12:54, Brandon Galbraith <brandon.galbraith at gmail.com> wrote:
> Thank you Paul! I've modified my configuration to define the elastic IP as the `leftsubnet` parameter (with `/32` at the end of it) as well as define `%defaultroute` for the `left` parameter, and the tunnel is established, although I'm still unable to ping. When I run `ip xfrm monitor` while pinging (no ping packets returned), no output is returned.
> Would you have any suggestions as to how I can debug further?
>> On Tue, Dec 6, 2016 at 9:43 AM, Paul Wouters <paul at nohats.ca> wrote:
>> On Tue, 6 Dec 2016, Brandon Galbraith wrote:
>>> I'm attempting to create a connection from an AWS EC2 instance (running LibreSwan) to a Juniper SRX240. The SRX240 VPN
>>> endpoint has a public IP, and the subnet I'm attempting to route to over the encrypted VPN connection is a public IP. The
>>> EC2 instance has a private IP within a VPC, but has an elastic IP assigned to it.
>>> Due to limitations on the remote network, RFC1918 network address space can't be routed over the IPsec tunnel.
>>> The connection looks like such with `ipsec auto --status`:
>>> 192.168.204.177<192.168.204.177>[xx.xx.xx.xxx (elastic IP in
>>> VPC)]...vpn-terminator-public-ip<vpn-terminator-public-ip>==<public host ip>/32
>>> I'm able to successfully establish IPsec SA and ISAKMP SA sessions with the destination VPN terminator endpoint, but I'm
>>> unable to ping across the tunnel; the firewall policy on the other side of the tunnel is restricting source packets to be
>>> from the elastic IP of the EC2 instance (again, due to RFC1918 space being unroutable for VPN tunnel purposes).
>> You need to configure the elastic IP on your VPS, so that the operating
>> system can use it as source ip address. This is described at:
>> (if your VPS is ubuntu/debian, you will have to change /etc/network/interfaces similarly)
>> I've just clarified the above wiki entry, and also updated the AWS example config:
>> But basically:
>>> conn tunnel1
>>> leftid=<elastic ip>
>> So change that to leftsubnet=<elastic ip>/32
>>> Is this type of connection possible from within an AWS VPC?
>> It is!
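The steps Paul sketches in this thread (put the elastic IP on the instance so the kernel can source from it, use leftsubnet=<elastic ip>/32, exclude that traffic from any source NAT, then test with ping -I and ip xfrm), collected into one script as an added example. This is not code from the thread or from the Libreswan project; every address is a placeholder from the RFC 5737 documentation ranges, IFACE=eth0, authby=secret and auto=start are assumptions, and the host-modifying commands are only printed unless APPLY=1 is set and the script runs as root.

```shell
#!/usr/bin/env bash
# Added example (not from the Libreswan list or project): assemble the
# pieces the thread describes for an EC2 instance whose IPsec peer only
# accepts packets sourced from the instance's elastic IP.
set -e

IFACE="${IFACE:-eth0}"   # assumption: primary interface of the instance

# Reject anything that is not a dotted-quad IPv4 address before it lands
# in ipsec.conf or an iptables rule.
is_ipv4() {
  local ip="$1" octet
  case "$ip" in
    *[!0-9.]*|*..*|.*|*.) return 1 ;;
  esac
  set -- $(printf '%s' "$ip" | tr '.' ' ')
  [ "$#" -eq 4 ] || return 1
  for octet; do
    [ "$octet" -le 255 ] || return 1
  done
}

# Emit the Libreswan conn. The local "subnet" is the elastic IP itself
# (/32), so only packets sourced from it match the IPsec policy; leftid
# is kept from the original conn, left=%defaultroute as in the thread.
# authby=secret and auto=start are assumptions for a PSK tunnel.
# Usage: gen_conn ELASTIC_IP REMOTE_GATEWAY REMOTE_HOST
gen_conn() {
  local eip="$1" rgw="$2" rhost="$3"
  is_ipv4 "$eip" && is_ipv4 "$rgw" && is_ipv4 "$rhost" || return 1
  cat <<EOF
conn tunnel1
    left=%defaultroute
    leftid=${eip}
    leftsubnet=${eip}/32
    right=${rgw}
    rightsubnet=${rhost}/32
    authby=secret
    auto=start
EOF
}

# Commands that put the elastic IP on the interface and keep the tunnel
# traffic away from source NAT. ACCEPT in the nat POSTROUTING chain ends
# rule processing for that packet, so a later MASQUERADE/SNAT rule never
# rewrites the source before the IPsec policy is consulted.
# Usage: gen_host_setup ELASTIC_IP REMOTE_HOST
gen_host_setup() {
  local eip="$1" rhost="$2"
  is_ipv4 "$eip" && is_ipv4 "$rhost" || return 1
  printf 'ip addr add %s/32 dev %s\n' "$eip" "$IFACE"
  printf 'iptables -t nat -I POSTROUTING -s %s/32 -d %s/32 -j ACCEPT\n' "$eip" "$rhost"
}

# What to look at when the SA is up but pings vanish: the kernel policy
# must carry src <eip>/32 dst <rhost>/32, the state byte counters must
# move while pinging, and ping must be forced to source from the EIP.
# Usage: gen_checks ELASTIC_IP REMOTE_HOST
gen_checks() {
  local eip="$1" rhost="$2"
  printf 'ip xfrm policy | grep -A1 "src %s/32 dst %s/32"\n' "$eip" "$rhost"
  printf 'ip -s xfrm state\n'
  printf 'ping -I %s -c 3 %s\n' "$eip" "$rhost"
}

# Constructed placeholder addresses (documentation ranges), overridable
# from the environment.
EIP="${EIP:-203.0.113.10}"
RGW="${RGW:-198.51.100.1}"
RHOST="${RHOST:-198.51.100.20}"

gen_conn "$EIP" "$RGW" "$RHOST"
echo
gen_host_setup "$EIP" "$RHOST"
echo
gen_checks "$EIP" "$RHOST"

# Only touch the host when explicitly asked (and only as root).
if [ "${APPLY:-0}" = 1 ]; then
  gen_host_setup "$EIP" "$RHOST" | sh
fi
```

Paste the printed conn into /etc/ipsec.d/*.conf, run the two host lines as root (or re-run with APPLY=1), then `ipsec auto --start tunnel1` and the checks. If `ip xfrm policy` shows no `src <eip>/32` entry the conn has not loaded with the /32 leftsubnet; if it shows but the `ip -s xfrm state` counters stay at zero while `ping -I <eip>` runs, the packets are still leaving with the private source address, which is where the NAT exclusion applies.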