List: strongswan-users
Subject: [strongSwan] ipsec and amazon vpc
From: Lorin Scraba <lorin () si-bemol ! ro>
Date: 2009-12-22 21:10:46
Message-ID: 6e8605af0912221310v268c7556jd0091ce8ee8905a2 () mail ! gmail ! com
Hello.

I am trying to connect my work network to Amazon's VPC using IPsec in
tunnel mode. My right side is a Debian 5 32-bit Linux box running
stock strongSwan and left is a black box I am not able to control. The
tunnel comes up, I am able to access the right network from left but not
the other way around. Also, from left I am not able to ping the tunnel IP
from the right side.
My topology is:

internet --------left--------------------right----------192.168.0.0/21
              (strongswan)              (blackbox)
ipsec.secrets:

<left> 72.21.209.193: PSK "supersecret"

ipsec.conf:

version 2.0

config setup
    plutostart=yes
    charonstart=no
    strictcrlpolicy=no

conn T1-aws-us-east-1c
    authby=secret
    compress=no
    type=tunnel
    keyexchange=ike
    ike=aes128-sha1-modp1024
    pfs=yes
    left=<left>
    leftsubnet=0.0.0.0/0
    leftnexthop=%defaultroute
    leftsourceip=169.254.255.6/30
    right=72.21.209.193
    rightsubnet=192.168.0.0/21
    #rightsourceip=169.254.255.5/30
    auto=start
After I start the IPsec tunnel with the settings above:

1. I am able to reach from <left> any IP in rightsubnet.
2. I am not able to reach from leftsubnet anything in rightsubnet
   (that's where BGP is required - I have to announce 0.0.0.0 to their
   gateway to make this work - it is a little weird...).
3. I am not able to ping -I leftsourceip rightsourceip.
At this point the security policies look like this:

src 192.168.0.0/21 dst 0.0.0.0/0
        dir in priority 3115
        tmpl src 72.21.209.193 dst <left>
                proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 192.168.0.0/21
        dir out priority 3115
        tmpl src <left> dst 72.21.209.193
                proto esp reqid 16385 mode tunnel
src 192.168.0.0/21 dst 0.0.0.0/0
        dir fwd priority 3115
        tmpl src 72.21.209.193 dst <left>
                proto esp reqid 16385 mode tunnel
Now - and this is what I want to get automagically from IKE, if it's
possible - I manually add the following policies:

# ip xfrm policy add dir out src 169.254.255.6/30 dst 169.254.255.5/30 priority 3115 \
    tmpl mode tunnel reqid 16385 src <left> dst 72.21.209.193 proto esp
# ip xfrm policy add dir in src 169.254.255.5/30 dst 169.254.255.6/30 priority 3115 \
    tmpl mode tunnel reqid 16385 src 72.21.209.193 dst <left> proto esp

and 2 and 3 start working, 2 simply because BGP is able to peer up with right.
They have some configuration examples for Cisco/Juniper/other peers at
http://docs.amazonwebservices.com/AmazonVPC/2009-07-15/NetworkAdminGuide/
but nothing for Linux.

Any ideas?

Thanks!
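An added check, not from the post or from strongSwan, that parses the policy dump quoted above and asks the kernel's question for each of the three cases: is there an SPD entry covering this flow? It shows why the ping between the link addresses (case 3) has no outbound policy until the hand-added entries exist. The poster's <left> is replaced by the documentation placeholder 198.51.100.1.

```python
import ipaddress
import re

# Constructed input: the 'ip xfrm policy' dump from the post, <left> replaced
# by a documentation placeholder (assumption; the real address is not on the page).
LEFT, RIGHT = "198.51.100.1", "72.21.209.193"
TMPL = "\ttmpl src {s} dst {d}\n\t\tproto esp reqid 16385 mode tunnel\n"
OUT, IN = TMPL.format(s=LEFT, d=RIGHT), TMPL.format(s=RIGHT, d=LEFT)

# The three policies IKE installed from the post's ipsec.conf.
IKE_POLICIES = (
    "src 192.168.0.0/21 dst 0.0.0.0/0\n\tdir in priority 3115\n" + IN
    + "src 0.0.0.0/0 dst 192.168.0.0/21\n\tdir out priority 3115\n" + OUT
    + "src 192.168.0.0/21 dst 0.0.0.0/0\n\tdir fwd priority 3115\n" + IN
)
# The two policies the post adds by hand for the 169.254.255.4/30 link addresses.
MANUAL_POLICIES = (
    "src 169.254.255.6/30 dst 169.254.255.5/30\n\tdir out priority 3115\n" + OUT
    + "src 169.254.255.5/30 dst 169.254.255.6/30\n\tdir in priority 3115\n" + IN
)

_SEL = re.compile(r"^src (\S+) dst (\S+)$")
_DIR = re.compile(r"^dir (\w+) priority (\d+)")

def parse_policies(dump):
    """Turn an 'ip xfrm policy' dump into dicts with src, dst, dir and priority.
    Selector lines start with 'src'; the indented 'tmpl src ...' lines do not match."""
    policies = []
    for raw in dump.splitlines():
        line = raw.strip()
        if m := _SEL.match(line):
            # strict=False: the post writes the /30s with host bits set (x.x.x.6/30)
            policies.append({"src": ipaddress.ip_network(m[1], strict=False),
                             "dst": ipaddress.ip_network(m[2], strict=False)})
        elif (m := _DIR.match(line)) and policies:
            policies[-1]["dir"], policies[-1]["priority"] = m[1], int(m[2])
    return policies

def matching_policy(policies, src_ip, dst_ip, direction):
    """Return the best (lowest priority number) policy covering the flow, or None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in policies
            if p["dir"] == direction and src in p["src"] and dst in p["dst"]]
    return min(hits, key=lambda p: p["priority"]) if hits else None

if __name__ == "__main__":
    ike = parse_policies(IKE_POLICIES)
    # Case 3: the ping between link addresses matches no outbound policy...
    print(matching_policy(ike, "169.254.255.6", "169.254.255.5", "out"))
    # ...until the hand-added entries are present.
    both = parse_policies(IKE_POLICIES + MANUAL_POLICIES)
    print(matching_policy(both, "169.254.255.6", "169.254.255.5", "out"))
```

The same check can be fed the live output of `ip xfrm policy` to confirm that a peer's inside tunnel addresses are actually covered by the SPD before blaming routing or BGP.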