[Swan] AWS IPsec Client VPN Connectivity Issue

Brandon Galbraith brandon.galbraith at gmail.com
Tue Dec 6 18:53:09 UTC 2016


When I run "ping -I elasticip remoteip" I receive the following from "ip xfrm monitor":

Async event  (0x20)  timer expired
src 192.168.204.177 dst <remote_ip>  reqid 0x4005 protocol esp  SPI 0xf6511e90
Async event  (0x20)  timer expired
src 192.168.204.177 dst <remote_ip>  reqid 0x4005 protocol esp  SPI 0xf6511e90
Async event  (0x20)  timer expired
src 192.168.204.177 dst <remote_ip>  reqid 0x4005 protocol esp  SPI 0xf6511e90

...ad infinitum...

(with the 192.168.204.177 being the internal IP of the EC2 instance)

On Tue, Dec 6, 2016 at 11:57 AM, Paul Wouters <paul at nohats.ca> wrote:

> Try ping -I elasticip remoteip?
>
> If you NAT on that machine, exclude NAT for -s elasticip -d remoteip
>
> Sent from my iPhone
>
> On Dec 6, 2016, at 12:54, Brandon Galbraith <brandon.galbraith at gmail.com>
> wrote:
>
> Thank you Paul! I've modified my configuration to define the elastic IP as
> the `leftsubnet` parameter (with `/32` at the end of it) as well as define
> `%defaultroute` for the `left` parameter, and the tunnel is established,
> although I'm still unable to ping. When I run `ip xfrm monitor` while
> pinging (no ping packets returned), no output is returned.
>
> Would you have any suggestions as to how I can debug further?
>
> On Tue, Dec 6, 2016 at 9:43 AM, Paul Wouters <paul at nohats.ca> wrote:
>
>> On Tue, 6 Dec 2016, Brandon Galbraith wrote:
>>
>>> I'm attempting to create a connection from an AWS EC2 instance (running
>>> LibreSwan) to a Juniper SRX240. The SRX240 VPN
>>> endpoint has a public IP, and the subnet I'm attempting to route to over
>>> the encrypted VPN connection is a public IP. The
>>> EC2 instance has a private IP within a VPC, but has an elastic IP
>>> assigned to it.
>>> Due to limitations on the remote network, RFC1918 network address space
>>> can't be routed over the IPsec tunnel.
>>> The connection looks like such with `ipsec auto --status`:
>>>
>>> 192.168.204.177<192.168.204.177>[xx.xx.xx.xxx (elastic IP in VPC)]...vpn-terminator-public-ip<vpn-terminator-public-ip>==<public host ip>/32
>>>
>>> I'm able to successfully establish IPsec SA and ISAKMP SA sessions with
>>> the destination VPN terminator endpoint, but I'm
>>> unable to ping across the tunnel; the firewall policy on the other side
>>> of the tunnel is restricting source packets to be
>>> from the elastic IP of the EC2 instance (again, due to RFC1918 space
>>> being unroutable for VPN tunnel purposes).
>>>
>>
>> You need to configure the elastic IP on your VPS, so that the operating
>> system can use it as source ip address. This is described at:
>>
>> https://libreswan.org/wiki/Interoperability#The_elastic_IP_and_the_RFC1918_native_IP_address
>>
>> (if your VPS is ubuntu/debian, you will have to change
>> /etc/network/interfaces similarly)
>>
>> I've just clarified the above wiki entry, and also updated the AWS
>> example config:
>>
>> https://libreswan.org/wiki/Interoperability#Example_configuration
>>
>> But basically:
>>
>>> conn tunnel1
>>>
>>>         authby=secret
>>>         auto=start
>>>         left=192.168.204.177
>>>         leftid=<elastic ip>
>>>         #leftsubnet=192.168.204.0/22
>>>
>>
>> So change that to leftsubnet=<elastic ip>/32
>>
>>> Is this type of connection possible from within an AWS VPC?
>>>
>>
>> It is!
>>
>> Paul
>>
>
>
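Paul's fix, packaged as an added shell example (not from the thread or the libreswan project): it prints the commands that bind the elastic IP locally so the kernel can use it as a source address, excludes the elastic-IP-to-remote traffic from NAT, generates the conn stanza with leftsubnet=<elastic ip>/32, and checks `ip -4 addr` output to confirm the address really is bound before you ping. The elastic IP 203.0.113.10, the remote IP 198.51.100.20, the interface name eth0 and the sample `ip addr` output are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Values below are placeholders.
PRIVATE_IP="192.168.204.177"   # VPC-private address of the EC2 instance (from the thread)
ELASTIC_IP="203.0.113.10"      # constructed placeholder for the elastic IP
REMOTE_IP="198.51.100.20"      # constructed placeholder for the SRX240 public IP
IFACE="eth0"                   # assumed interface name

# Bind the elastic IP as a /32 on the interface so the OS can source packets from it
# (on Debian/Ubuntu, persist the same address in /etc/network/interfaces).
bind_elastic_cmds() {
    printf 'ip addr add %s/32 dev %s\n' "$1" "$2"
}

# Insert a NAT exclusion ahead of any MASQUERADE rule: traffic from the elastic IP to the
# remote host must keep its source address, or the far-side firewall policy drops it.
nat_exclude_cmds() {
    printf 'iptables -t nat -I POSTROUTING 1 -s %s/32 -d %s/32 -j ACCEPT\n' "$1" "$2"
}

# Stanza with left = private IP, leftid and leftsubnet = elastic IP (/32), right = remote.
conn_stanza() {
    cat <<EOF
conn tunnel1
        authby=secret
        auto=start
        left=${1}
        leftid=${2}
        leftsubnet=${2}/32
        right=${3}
EOF
}

# Given the output of "ip -4 addr", succeed only if the elastic IP is bound locally.
elastic_ip_bound() {
    printf '%s\n' "$2" | grep -qF "inet ${1}/"
}

# Constructed sample of "ip -4 addr" output after the bind command has been applied.
SAMPLE_IP_ADDR="2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001
    inet 192.168.204.177/22 brd 192.168.207.255 scope global eth0
    inet 203.0.113.10/32 scope global eth0"

bind_elastic_cmds "$ELASTIC_IP" "$IFACE"
nat_exclude_cmds "$ELASTIC_IP" "$REMOTE_IP"
conn_stanza "$PRIVATE_IP" "$ELASTIC_IP" "$REMOTE_IP"
# Only then does "ping -I $ELASTIC_IP $REMOTE_IP" send packets the far side will accept.
elastic_ip_bound "$ELASTIC_IP" "$SAMPLE_IP_ADDR" && echo "elastic IP bound: ok"
```

Run the printed commands as root, then confirm with `ip xfrm policy` that a policy for src <elastic ip>/32 dst <remote>/32 exists before testing with ping -I.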