List:       strongswan-users
Subject:    Re: [strongSwan] Strongswan on public Amazon EC2 instance
From:       Eric Germann <ekgermann () semperen ! com>
Date:       2016-08-31 21:33:08
Message-ID: E6C620D9-BEB0-4DFD-AA85-E3901975EC99 () semperen ! com

Are your encaps/decaps increasing for the SA when it's up and you're trying to ping?

We use a number of instances on AWS to connect to about everything under the sun that does IPSec.

Several notes:

- Put the AWS IPSec appliance on a public subnet with an IGW
- Associate an Elastic IP with the appliance instance.
- Make sure the Security Group associated with it permits udp/500 and udp/4500 since they're doing NAT and NAT-T
- on the AWS appliance in ipsec.conf make sure left = is the internal IP of the appliance.  Make sure leftid = the EIP associated with the instance.
- set right = to be the external IP of the Cisco appliance
- leftsubnet = the internal subnet of the VPC (we set it to the supernet associated with the whole VPC)
- rightsubnet = what's behind the Cisco
- make sure your Security Groups allow the remote subnets (from the Cisco side) to connect to things
- add routes to the remote Cisco networks to the routing table(s)
- manually or automatically (leftfirewall, rightfirewall = yes) get the iptables rules updated to forward.
- Forwarding needs to be on in /etc/sysctl.conf
- I usually bump up UDP send/receive buffers

Works for me.

EKG



> On Aug 31, 2016, at 4:40 PM, John Gathm <john.gathm@gmail.com> wrote:
> 
> Hi Strongswan User list
> 
> I am trying to do a fake "site to site" IPSec tunnel to a service provider.
> My instance of Strongswan is hosted on an Amazon EC2 instance, and I am trying to
> reach a service on a server behind a Cisco VPN gateway.
> 
> I am trying to do the following thing (IPs are fake):
> 
> Amazon EC2 instance:
> 123.123.22.22/32 (dummy Linux interface and fake local subnet, only one IP for the
> instance; this is my leftsubnet)
> private EC2 IP:
> 10.0.0.5
> 
> AWS NAT internet gateway EC2 IP:
> 10.0.0.1
> public EC2 IP:
> 81.98.242.23
> 
> Cisco VPN public IP:
> 82.58.243.24
> Cisco private IP:
> 192.168.0.1
> 
> Server to access:
> 192.168.0.5 (rightsubnet = 192.168.0.5/24)
> 
> I manage to get the ipsec tunnel up and running (stable in "ipsec statusall"),
> however I cannot reach 192.168.0.5 from my EC2 instance using interface
> 123.123.22.22.
> 
> First question is:
> 1) is it possible to reach the remote server through the Strongswan IPSEC gateway
> itself?
> 2) does it require special routes & policies not added by Strongswan?
> 3) would you recommend another setup than using a dummy interface?
> 
> thanks for any hints
> 
> best regards
> J.G
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
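The conn section that Eric's checklist amounts to, plus a sanity check for the values most often mixed up on a NAT'd EC2 instance (left vs. leftid, and a leftsubnet that does not cover the gateway's own address, which is why John's dummy-interface setup is awkward), as an added example that is not part of either post. The addresses are John's fake ones; the VPC CIDR 10.0.0.0/16 is an assumption.

```python
import ipaddress

# Constructed addresses: John's fake ones from the thread; the VPC CIDR
# 10.0.0.0/16 is an assumption (Eric uses the VPC supernet as leftsubnet).
AWS_PRIVATE_IP = "10.0.0.5"
AWS_EIP = "81.98.242.23"
VPC_CIDR = "10.0.0.0/16"
CISCO_PUBLIC_IP = "82.58.243.24"
REMOTE_SUBNET = "192.168.0.5/24"

def render_conn(name, left, leftid, leftsubnet, right, rightsubnet):
    """Return an ipsec.conf conn section following Eric's checklist.
    leftfirewall=yes makes the updown script add the iptables FORWARD
    rules; IP forwarding itself must still be enabled via sysctl."""
    return (
        f"conn {name}\n"
        f"    left={left}\n"            # instance's internal VPC address
        f"    leftid={leftid}\n"        # Elastic IP the Cisco peer sees
        f"    leftsubnet={leftsubnet}\n"
        f"    right={right}\n"          # Cisco gateway's external address
        f"    rightsubnet={rightsubnet}\n"
        "    leftfirewall=yes\n"
        "    auto=start\n"
    )

def check_conn(left, leftid, leftsubnet, right, rightsubnet):
    """Return a list of problems (an empty list means the values pass)."""
    l, lid, r = (ipaddress.ip_address(x) for x in (left, leftid, right))
    ls, rs = (ipaddress.ip_network(x, strict=False)
              for x in (leftsubnet, rightsubnet))
    problems = []
    if not l.is_private:
        problems.append("left must be the instance's internal VPC IP, not the EIP")
    if lid.is_private:
        problems.append("leftid must be the public Elastic IP (instance sits behind NAT)")
    if l not in ls:
        problems.append("leftsubnet does not contain left; Eric's VPC supernet does, "
                        "so traffic the gateway itself originates matches the policy")
    if r.is_private:
        problems.append("right must be the Cisco gateway's external IP")
    if ls.overlaps(rs):
        problems.append("leftsubnet and rightsubnet overlap")
    return problems

if __name__ == "__main__":
    args = (AWS_PRIVATE_IP, AWS_EIP, VPC_CIDR, CISCO_PUBLIC_IP, REMOTE_SUBNET)
    print(render_conn("aws-to-cisco", *args))
    print("problems:", check_conn(*args) or "none")
```

Running it against John's values (left set to the public address and leftsubnet to the /32 dummy) flags three of the checklist items at once.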

