[Swan] Advice on troubleshooting AWS VPC site-to-site VPN connection.

Scott Classen sclassen at lbl.gov
Tue Oct 12 17:34:30 UTC 2021


Hello,

Apologies for the lengthy message, but thought it better to give you too much information rather than too little. I am attempting to configure a VPN tunnel from my on premise CentOS 7 machine to an Amazon AWS Virtual Private Cloud (VPC). I have installed and configured Libreswan from the Base repo (libreswan version 3.25). I have followed the AWS instructions for setting up and configuring a site-to-site VPN connection.

AWS automatically sets up 2 tunnels, and provides a set of instructions for configuring Strongswan 5.5.1+ (unfortunately there are no instructions explicitly for Libreswan). I proceeded under the assumption that most of the ipsec configuration options would be similar or the same.

Here is my current configuration:

conn conn-to-aws-1
    leftid=xxx.xxx.xxx.xxx {public ip address of my on prem machine}
    left=xxx.xxx.xxx.xxx {public ip address of my on prem machine}
    leftsubnets=192.168.0.0/16
    leftauth=secret
    rightid=xxx.xxx.xxx.230
    right=xxx.xxx.xxx.230
    rightsubnets="169.254.228.144/30 10.0.0.0/16"
    rightauth=secret
    ikev2=insist
    aggressive=no
    ikelifetime=28800
    lifetime=3600
    #margintime=270
    rekey=yes
    rekeyfuzz=100%
    fragmentation=yes
    replay-window=1024
    dpddelay=30
    dpdtimeout=120
    #dpdaction=restart/clear
    mtu=1436
    type=tunnel
    auto=start
    ike=aes128-sha1-modp1024
    esp=aes128-sha1-modp1024
    keyingtries=%forever
    mark=100/0xffffffff
    vti-interface=vti01
    vti-routing=yes
    vti-shared=yes
conn conn-to-aws-2
    leftid=xxx.xxx.xxx.xxx {public ip address of my on prem machine}
    left=xxx.xxx.xxx.xxx {public ip address of my on prem machine}
    leftsubnets=192.168.0.0/16
    leftauth=secret
    rightid=xxx.xxx.xxx.74
    right=xxx.xxx.xxx.74
    rightsubnets="169.254.167.172/30 10.0.0.0/16"
    rightauth=secret
    ikev2=insist
    aggressive=no
    ikelifetime=28800
    lifetime=3600
    #margintime=270
    rekey=yes
    rekeyfuzz=100%
    fragmentation=yes
    replay-window=1024
    phase2=esp
    dpddelay=30
    dpdtimeout=120
    #dpdaction=restart/clear
    mtu=1436
    type=tunnel
    auto=start
    ike=aes128-sha1-modp1024
    esp=aes128-sha1-modp1024
    keyingtries=%forever
    mark=100/0xffffffff
    vti-interface=vti01
    vti-routing=yes
    vti-shared=yes


After a fair bit of fiddling I believe I have established the tunnel connection. The following tcpdump command shows UDP traffic between my on prem machine and AWS:

[root at mymachine]# tcpdump -n -i enp5s0f1 esp or udp port 500 or udp port 4500

10:14:33.984518 IP xxx.xxx.xxx.230.ipsec-nat-t > xxx.xxx.xxx.105.ipsec-nat-t: NONESP-encap: isakmp: child_sa  inf2
10:14:33.985420 IP xxx.xxx.xxx.105.ipsec-nat-t > xxx.xxx.xxx.230.ipsec-nat-t: NONESP-encap: isakmp: child_sa  inf2[IR]
10:14:34.987292 IP xxx.xxx.xxx.74.ipsec-nat-t > xxx.xxx.xxx.105.ipsec-nat-t: NONESP-encap: isakmp: child_sa  inf2
10:14:34.988971 IP xxx.xxx.xxx.105.ipsec-nat-t > xxx.xxx.xxx.74.ipsec-nat-t: NONESP-encap: isakmp: child_sa  inf2[IR]


and according to ipsec it looks like there are some connections being made.


(base) [root at bl1231 ipsec.d]# ipsec trafficstatus
006 #3: "sibyls-to-aws-1/1x1", type=ESP, add_time=1634058414, inBytes=0, outBytes=0, id='xxx.xxx.xxx.230'
006 #4: "sibyls-to-aws-2/1x1", type=ESP, add_time=1634058413, inBytes=0, outBytes=0, id='xxx.xxx.xxx.74'
006 #5: "sibyls-to-aws-2/1x2", type=ESP, add_time=1634058414, inBytes=0, outBytes=252, id='xxx.xxx.xxx.74'


I have an AWS EC AMI instance up and running which has been assigned the private IP of 10.0.1.52 and attached to my VPC, but I am unable to ping it from my on-prem machine.

I think tcpdump shows the packets going out:

10:14:48.484678 IP xxx.xxx.xxx.105.ipsec-nat-t > xxx.xxx.xxx.74.ipsec-nat-t: UDP-encap: ESP(spi=0xcfb5cc6f,seq=0x1), length 132
10:14:49.486181 IP xxx.xxx.xxx.105.ipsec-nat-t > xxx.xxx.xxx.74.ipsec-nat-t: UDP-encap: ESP(spi=0xcfb5cc6f,seq=0x2), length 132
10:14:50.485446 IP xxx.xxx.xxx.105.ipsec-nat-t > xxx.xxx.xxx.74.ipsec-nat-t: UDP-encap: ESP(spi=0xcfb5cc6f,seq=0x3), length 132

but nothing comes back. At this point I think I am essentially stuck on an AWS routing problem (or maybe my firewall is misconfigured), and I will not bother this list with AWS questions, but I was curious why some instructions say to create 2 vti tunnels and some say to create 1 vti tunnel and share it between the 2 ipsec connections? I was also curious if it would be to my benefit to build and install the latest Libreswan, as it appears 3.25 is a bit outdated? Can people think of what other things I should be troubleshooting?

Thanks,
Scott
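The post shows the classic "ESP leaves, nothing returns" symptom and asks what else to check. The script below is an added example, not code from the post or from the Libreswan project: it reads the three artefacts Scott pasted (the two conn blocks, `ipsec trafficstatus`, and the tcpdump ESP lines) and turns them into concrete findings. The samples are constructed, trimmed copies of the post's own output with the public addresses replaced by RFC 5737 documentation addresses; the conn names are taken from the trafficstatus output (`sibyls-to-aws-*`) rather than the config (`conn-to-aws-*`) so the two sources line up. It flags the `phase2=esp` asymmetry between the two conns, the shared `vti01` where both conns also select `10.0.0.0/16`, the Child SA with `outBytes > 0, inBytes == 0`, the one-directional ESP flow in tcpdump, and the weak `modp1024`/`sha1` proposals (AWS site-to-site VPN also accepts larger DH groups and SHA-2). The local address and the "prefer" suggestions are the example's own assumptions.

```python
import re

# Constructed sample: trimmed copy of the post's two conns, public addresses replaced
# with RFC 5737 documentation addresses, conn names taken from `ipsec trafficstatus`.
IPSEC_CONF = """
conn sibyls-to-aws-1
    right=198.51.100.230
    rightsubnets="169.254.228.144/30 10.0.0.0/16"
    #margintime=270
    ike=aes128-sha1-modp1024
    esp=aes128-sha1-modp1024
    vti-interface=vti01
    vti-shared=yes
conn sibyls-to-aws-2
    right=198.51.100.74
    rightsubnets="169.254.167.172/30 10.0.0.0/16"
    phase2=esp
    ike=aes128-sha1-modp1024
    esp=aes128-sha1-modp1024
    vti-interface=vti01
    vti-shared=yes
"""
# Constructed samples modelled on the post's `ipsec trafficstatus` and tcpdump lines.
TRAFFICSTATUS = """\
006 #3: "sibyls-to-aws-1/1x1", type=ESP, add_time=1634058414, inBytes=0, outBytes=0, id='198.51.100.230'
006 #4: "sibyls-to-aws-2/1x1", type=ESP, add_time=1634058413, inBytes=0, outBytes=0, id='198.51.100.74'
006 #5: "sibyls-to-aws-2/1x2", type=ESP, add_time=1634058414, inBytes=0, outBytes=252, id='198.51.100.74'
"""
TCPDUMP = """\
10:14:48.484678 IP 203.0.113.10.ipsec-nat-t > 198.51.100.74.ipsec-nat-t: UDP-encap: ESP(spi=0xcfb5cc6f,seq=0x1), length 132
10:14:49.486181 IP 203.0.113.10.ipsec-nat-t > 198.51.100.74.ipsec-nat-t: UDP-encap: ESP(spi=0xcfb5cc6f,seq=0x2), length 132
10:14:50.485446 IP 203.0.113.10.ipsec-nat-t > 198.51.100.74.ipsec-nat-t: UDP-encap: ESP(spi=0xcfb5cc6f,seq=0x3), length 132
"""
STATUS_RE = re.compile(r'#\d+: "([^"]+)", type=ESP, add_time=\d+, inBytes=(\d+), outBytes=(\d+)')
ESP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.\S+ > (\d+\.\d+\.\d+\.\d+)\.\S+: UDP-encap: ESP\(")
# Assumed "prefer" targets: modp2048 is DH group 14, sha2_256 is Libreswan's SHA-256 name.
WEAK = (("modp1024", "modp1024 (DH group 2, 1024-bit); prefer modp2048 or stronger"),
        ("sha1", "sha1; prefer sha2_256 or stronger"))

def parse_conns(text):
    """Parse ipsec.conf 'conn' sections into {name: {key: value}}; '#' comments are dropped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip().strip('"')
    return conns

def weak_proposals(conn):
    """Flag 1024-bit DH and SHA-1 in ike=/esp=; AWS also accepts larger groups and SHA-2."""
    return [f"{key}= uses {msg}" for key in ("ike", "esp")
            for pat, msg in WEAK if pat in conn.get(key, "")]

def config_diff(a, b, per_peer=("right", "rightid", "rightsubnets")):
    """Keys that differ between two conns, ignoring the fields expected to differ per peer."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b))
            if k not in per_peer and a.get(k) != b.get(k)}

def one_way_sas(status):
    """Child SAs from `ipsec trafficstatus` that have sent but never received: the post's symptom."""
    hits = (STATUS_RE.search(line) for line in status.splitlines())
    return [m[1] for m in hits if m and int(m[3]) > 0 and int(m[2]) == 0]

def esp_direction_counts(dump, local_ip):
    """Count ESP packets leaving vs. arriving at local_ip in tcpdump output."""
    pairs = [(m[1], m[2]) for m in map(ESP_RE.search, dump.splitlines()) if m]
    return {"sent": sum(s == local_ip for s, _ in pairs),
            "received": sum(d == local_ip for _, d in pairs)}

def diagnose(conf=IPSEC_CONF, status=TRAFFICSTATUS, dump=TCPDUMP, local_ip="203.0.113.10"):
    """Run every check and return the findings as plain strings."""
    conns = parse_conns(conf)
    findings = [f"{n}: {w}" for n, c in conns.items() for w in weak_proposals(c)]
    first, second = list(conns)[:2]
    for k, (a, b) in config_diff(conns[first], conns[second]).items():
        findings.append(f"{first} vs {second}: {k}= differs ({a!r} vs {b!r})")
    by_vti = {}
    for n, c in conns.items():
        by_vti.setdefault(c.get("vti-interface"), []).append(n)
    for iface, members in by_vti.items():
        if iface and len(members) > 1:
            common = set.intersection(*(set(conns[n].get("rightsubnets", "").split()) for n in members))
            findings.append(f"{iface} is shared by {members} and both select {sorted(common)}; "
                            "check `ip xfrm policy` to see which SA the kernel picks for those prefixes")
    for conn in one_way_sas(status):
        findings.append(f"{conn}: outBytes > 0 but inBytes == 0 (ESP leaves, nothing returns)")
    c = esp_direction_counts(dump, local_ip)
    if c["sent"] and not c["received"]:
        findings.append(f"tcpdump: {c['sent']} ESP packets sent to the peer, none received")
    return findings

if __name__ == "__main__":
    for finding in diagnose():
        print("-", finding)
```

Run it as-is to see the findings for the constructed sample, or feed it your real `/etc/ipsec.d/*.conf`, `ipsec trafficstatus` and `tcpdump` output via the `diagnose()` arguments. The point of separating the checks is that they isolate layers: a Child SA with bytes out and none in, together with ESP visible on the wire only in one direction, says the tunnel and local routing are working and the missing piece is on the AWS side (route table entry for `192.168.0.0/16` towards the VPN gateway, or a security group that does not allow ICMP from that prefix), which is exactly where the post ends up.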