
List:       strongswan-users
Subject:    [strongSwan] ipsec and amazon vpc
From:       Lorin Scraba <lorin () si-bemol ! ro>
Date:       2009-12-22 21:10:46
Message-ID: 6e8605af0912221310v268c7556jd0091ce8ee8905a2 () mail ! gmail ! com

Hello.

I am trying to connect my work network to Amazon's VPC using IPsec in
tunnel mode. My right side is a Debian 5 32-bit Linux box running
stock strongSwan, and left is a black box I am not able to control. The
tunnel comes up; I am able to access the right network from the left but not
the other way around. Also, from the left I am not able to ping the tunnel
IP from the right side.

My topology is:
internet --------left--------------------right----------192.168.0.0/21
                        (strongswan)         (blackbox)

ipsec.secrets:
<left> 72.21.209.193: PSK "supersecret"

ipsec.conf:
version 2.0
config setup
        plutostart=yes
        charonstart=no
        strictcrlpolicy=no

conn T1-aws-us-east-1c
        authby=secret
        compress=no
        type=tunnel
        keyexchange=ike
        ike=aes128-sha1-modp1024
        pfs=yes
        left=<left>
        leftsubnet=0.0.0.0/0
        leftnexthop=%defaultroute
        leftsourceip=169.254.255.6/30
        right=72.21.209.193
        rightsubnet=192.168.0.0/21
        #rightsourceip=169.254.255.5/30
        auto=start

After I start the IPsec tunnel with the above settings:
1. I am able to reach from <left> any IP in rightsubnet.
2. I am not able to reach from leftsubnet anything in rightsubnet
(that's where BGP is required; I have to announce 0.0.0.0 to their
gateway to make this work, which is a little weird...).
3. I am not able to ping -I leftsourceip rightsourceip.

At this point the security policies look like this:
src 192.168.0.0/21 dst 0.0.0.0/0
        dir in priority 3115
        tmpl src 72.21.209.193 dst <left>
                proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 192.168.0.0/21
        dir out priority 3115
        tmpl src <left> dst 72.21.209.193
                proto esp reqid 16385 mode tunnel
src 192.168.0.0/21 dst 0.0.0.0/0
        dir fwd priority 3115
        tmpl src 72.21.209.193 dst <left>
                proto esp reqid 16385 mode tunnel


Now, and this is what I want to get automagically from IKE if it's
possible, I manually add the following policies:
# ip xfrm policy add dir out src 169.254.255.6/30 dst 169.254.255.5/30 priority 3115 tmpl mode tunnel reqid 16385 src <left> dst 72.21.209.193 proto esp
# ip xfrm policy add dir in src 169.254.255.5/30 dst 169.254.255.6/30 priority 3115 tmpl mode tunnel reqid 16385 src 72.21.209.193 dst <left> proto esp

and 2 and 3 start working, 2 simply because BGP is able to peer up with right.

They have some configuration examples for Cisco/Juniper/other peers at
http://docs.amazonwebservices.com/AmazonVPC/2009-07-15/NetworkAdminGuide/
but nothing for Linux.
Any ideas?

Thanks!
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
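One way to have IKE install the link-address policies instead of adding them with ip xfrm by hand, given here as an added example and not as anything from the original post or from the strongSwan project: keep the existing conn for the VPC subnet and add a second conn for the two 169.254.255.4/30 link addresses, sharing the IKE peer and authentication settings through conn %default. It assumes that pluto negotiates a separate Quick Mode SA for the second conn and that the Amazon side accepts the narrower 169.254.255.6/32 <-> 169.254.255.5/32 selectors; the post establishes neither. The conn name T1-aws-us-east-1c-link is made up here.

```ini
# Added example (not the original poster's configuration): the shared
# parameters move to %default and a second conn covers the tunnel link
# addresses, so pluto installs the 169.254.255.6 <-> 169.254.255.5 policies
# itself instead of relying on manual "ip xfrm policy add" commands.
version 2.0

config setup
        plutostart=yes
        charonstart=no
        strictcrlpolicy=no

conn %default
        authby=secret
        compress=no
        type=tunnel
        keyexchange=ike
        ike=aes128-sha1-modp1024
        pfs=yes
        left=<left>
        leftnexthop=%defaultroute
        right=72.21.209.193
        auto=start

# Traffic between the left side and the VPC subnet, as in the original conn.
conn T1-aws-us-east-1c
        leftsubnet=0.0.0.0/0
        leftsourceip=169.254.255.6/30
        rightsubnet=192.168.0.0/21

# Assumed second conn (hypothetical name): the BGP session between the two
# link addresses. Unlike the hand-added policies, which reused reqid 16385,
# this negotiates its own IPsec SA with its own reqid.
conn T1-aws-us-east-1c-link
        leftsubnet=169.254.255.6/32
        rightsubnet=169.254.255.5/32
```

After editing, reload with ipsec update (or ipsec restart) and check that ip xfrm policy now shows an out policy for src 169.254.255.6/32 dst 169.254.255.5/32 and the matching in and fwd policies; then repeat the ping -I leftsourceip rightsourceip check from item 3 and confirm in ipsec statusall that the second conn has its own established IPsec SA rather than only the IKE SA. If the Amazon side rejects the /32 selectors in Quick Mode, the log will show the second conn's negotiation failing while the first stays up, which is the signal that the assumption above does not hold for that peer.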