[Swan] Advice on troubleshooting AWS VPC site-to-site VPN connection.
Scott Classen
sclassen at lbl.gov
Tue Oct 12 17:34:30 UTC 2021
Hello,
Apologies for the lengthy message, but thought it better to give you too much information rather than too little. I am attempting to configure a VPN tunnel from my on premise CentOS 7 machine to an Amazon AWS Virtual Private Cloud (VPC). I have installed and configured Libreswan from the Base repo (libreswan version 3.25). I have followed the AWS instructions for setting up and configuring a site-to-site VPN connection.
AWS automatically sets up 2 tunnels, and provides a set of instructions for configuring Strongswan 5.5.1+ (unfortunately there are no instructions explicitly for Libreswan). I proceeded under the assumption that most of the ipsec configuration options would be similar or the same.
Here is my current configuration:
conn conn-to-aws-1
    leftid=xxx.xxx.xxx.xxx {public ip address of my on prem machine}
    left=xxx.xxx.xxx.xxx {public ip address of my on prem machine}
    leftsubnets=192.168.0.0/16
    leftauth=secret
    rightid=xxx.xxx.xxx.230
    right=xxx.xxx.xxx.230
    rightsubnets="169.254.228.144/30 10.0.0.0/16"
    rightauth=secret
    ikev2=insist
    aggressive=no
    ikelifetime=28800
    lifetime=3600
    #margintime=270
    rekey=yes
    rekeyfuzz=100%
    fragmentation=yes
    replay-window=1024
    dpddelay=30
    dpdtimeout=120
    #dpdaction=restart/clear
    mtu=1436
    type=tunnel
    auto=start
    ike=aes128-sha1-modp1024
    esp=aes128-sha1-modp1024
    keyingtries=%forever
    mark=100/0xffffffff
    vti-interface=vti01
    vti-routing=yes
    vti-shared=yes

conn conn-to-aws-2
    leftid=xxx.xxx.xxx.xxx {public ip address of my on prem machine}
    left=xxx.xxx.xxx.xxx {public ip address of my on prem machine}
    leftsubnets=192.168.0.0/16
    leftauth=secret
    rightid=xxx.xxx.xxx.74
    right=xxx.xxx.xxx.74
    rightsubnets="169.254.167.172/30 10.0.0.0/16"
    rightauth=secret
    ikev2=insist
    aggressive=no
    ikelifetime=28800
    lifetime=3600
    #margintime=270
    rekey=yes
    rekeyfuzz=100%
    fragmentation=yes
    replay-window=1024
    phase2=esp
    dpddelay=30
    dpdtimeout=120
    #dpdaction=restart/clear
    mtu=1436
    type=tunnel
    auto=start
    ike=aes128-sha1-modp1024
    esp=aes128-sha1-modp1024
    keyingtries=%forever
    mark=100/0xffffffff
    vti-interface=vti01
    vti-routing=yes
    vti-shared=yes
After a fair bit of fiddling I believe I have established the tunnel connection. The following tcpdump command shows UDP traffic between my on prem machine and AWS:
[root@mymachine]# tcpdump -n -i enp5s0f1 esp or udp port 500 or udp port 4500
10:14:33.984518 IP xxx.xxx.xxx.230.ipsec-nat-t > xxx.xxx.xxx.105.ipsec-nat-t: NONESP-encap: isakmp: child_sa inf2
10:14:33.985420 IP xxx.xxx.xxx.105.ipsec-nat-t > xxx.xxx.xxx.230.ipsec-nat-t: NONESP-encap: isakmp: child_sa inf2[IR]
10:14:34.987292 IP xxx.xxx.xxx.74.ipsec-nat-t > xxx.xxx.xxx.105.ipsec-nat-t: NONESP-encap: isakmp: child_sa inf2
10:14:34.988971 IP xxx.xxx.xxx.105.ipsec-nat-t > xxx.xxx.xxx.74.ipsec-nat-t: NONESP-encap: isakmp: child_sa inf2[IR]
and according to ipsec it looks like there are some connections being made.
(base) [root@bl1231 ipsec.d]# ipsec trafficstatus
006 #3: "sibyls-to-aws-1/1x1", type=ESP, add_time=1634058414, inBytes=0, outBytes=0, id='xxx.xxx.xxx.230'
006 #4: "sibyls-to-aws-2/1x1", type=ESP, add_time=1634058413, inBytes=0, outBytes=0, id='xxx.xxx.xxx.74'
006 #5: "sibyls-to-aws-2/1x2", type=ESP, add_time=1634058414, inBytes=0, outBytes=252, id='xxx.xxx.xxx.74'
I have an AWS EC2 AMI instance up and running which has been assigned the private IP of 10.0.1.52 and attached to my VPC, but I am unable to ping it from my on-prem machine.
I think tcpdump shows the packets going out:
10:14:48.484678 IP xxx.xxx.xxx.105.ipsec-nat-t > xxx.xxx.xxx.74.ipsec-nat-t: UDP-encap: ESP(spi=0xcfb5cc6f,seq=0x1), length 132
10:14:49.486181 IP xxx.xxx.xxx.105.ipsec-nat-t > xxx.xxx.xxx.74.ipsec-nat-t: UDP-encap: ESP(spi=0xcfb5cc6f,seq=0x2), length 132
10:14:50.485446 IP xxx.xxx.xxx.105.ipsec-nat-t > xxx.xxx.xxx.74.ipsec-nat-t: UDP-encap: ESP(spi=0xcfb5cc6f,seq=0x3), length 132
but nothing comes back. At this point I think I am essentially stuck on an AWS routing problem (or maybe my firewall is misconfigured), and I will not bother this list with AWS questions, but I was curious why some instructions say to create 2 vti tunnels and some say to create 1 vti tunnel and share it between the 2 ipsec connections? I was also curious if it would be to my benefit to build and install the latest Libreswan as it appears 3.25 is a bit outdated? Can people think of what other things I should be troubleshooting?
Thanks,
Scott
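An added example, not from the post or from Libreswan itself: a small checker that parses `ipsec trafficstatus` lines like the three shown above and classifies each conn as idle, one-way (ESP leaves, nothing returns) or two-way, and counts the conn/NxM subnet-pair instances against what the config should produce. The line format is assumed from the lines in the post; the conn names and the expected count (1 leftsubnet x 2 rightsubnets = 2 instances per conn) are taken from the post's output and config.

```python
import re
from collections import defaultdict

# Constructed sample: the three trafficstatus lines from the post (ASCII quotes).
SAMPLE = (
    '006 #3: "sibyls-to-aws-1/1x1", type=ESP, add_time=1634058414, inBytes=0, outBytes=0, id=\'xxx.xxx.xxx.230\'\n'
    '006 #4: "sibyls-to-aws-2/1x1", type=ESP, add_time=1634058413, inBytes=0, outBytes=0, id=\'xxx.xxx.xxx.74\'\n'
    '006 #5: "sibyls-to-aws-2/1x2", type=ESP, add_time=1634058414, inBytes=0, outBytes=252, id=\'xxx.xxx.xxx.74\'\n'
)

# Field layout assumed from the lines above; no trailing anchor so extra fields are tolerated.
LINE_RE = re.compile(
    r'^\d{3} #(?P<sa>\d+): "(?P<conn>[^"/]+)/(?P<inst>[^"]+)", type=(?P<type>\w+), '
    r'add_time=(?P<added>\d+), inBytes=(?P<inb>\d+), outBytes=(?P<outb>\d+), '
    r"id='(?P<peer>[^']*)'"
)


def parse_trafficstatus(text):
    """One dict per child SA line; lines that do not match the layout are skipped."""
    sas = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            for key in ("sa", "added", "inb", "outb"):
                d[key] = int(d[key])
            sas.append(d)
    return sas


def diagnose(sas, expected_instances=None):
    """Group child SAs by conn and classify traffic. expected_instances maps a conn
    name to the number of leftsubnets x rightsubnets pairs its config should yield."""
    expected_instances = expected_instances or {}
    groups = defaultdict(list)
    for sa in sas:
        groups[sa["conn"]].append(sa)
    findings = {}
    for conn, entries in groups.items():
        total_in = sum(e["inb"] for e in entries)
        total_out = sum(e["outb"] for e in entries)
        if total_out and not total_in:
            status = "one-way"  # ESP sent, nothing returned: remote routing/SG/NACL or local firewall
        elif not total_out and not total_in:
            status = "idle"     # nothing has been routed into this tunnel at all
        else:
            status = "two-way"
        notes = []
        want = expected_instances.get(conn)
        if want is not None and len(entries) < want:
            notes.append(f"only {len(entries)} of {want} subnet-pair instances negotiated")
        findings[conn] = {"in": total_in, "out": total_out, "status": status,
                          "instances": sorted(e["inst"] for e in entries), "notes": notes}
    return findings


if __name__ == "__main__":
    report = diagnose(parse_trafficstatus(SAMPLE), {"sibyls-to-aws-1": 2, "sibyls-to-aws-2": 2})
    for conn, f in report.items():
        print(f"{conn}: {f['status']} in={f['in']} out={f['out']} {f['instances']} {f['notes']}")
```

Feed it the live output with `ipsec trafficstatus | python3 check.py` style piping by reading `sys.stdin` instead of `SAMPLE`; a conn reported one-way while the remote routes and security groups look right is the point to capture `ip xfrm state` and the VTI interface counters next.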