<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I'm trying to create a VPN tunnel between 2 AWS regions. The way I'm
trying to do this is by setting up a strongSwan server in one
region, and then a VPC VPN in the other region (the VPC VPN is an
IPsec VPN provided and controlled by Amazon).<br>
The problem is I can't come up with a configuration that works
right.<br>
<br>
AWS provides the following info for setting up the IPsec VPN:<br>
<br>
<font color="#660000"><tt>> #1: Internet Key Exchange
Configuration<br>
> <br>
> Configure the IKE SA as follows<br>
> - Authentication Method : Pre-Shared Key<br>
> - Pre-Shared Key : ***********************<br>
> - Authentication Algorithm : sha1<br>
> - Encryption Algorithm : aes-128-cbc<br>
> - Lifetime : 28800 seconds<br>
> - Phase 1 Negotiation Mode : main<br>
> - Perfect Forward Secrecy : Diffie-Hellman Group 2<br>
> <br>
> #2: IPSec Configuration<br>
> <br>
> Configure the IPSec SA as follows:<br>
> - Protocol : esp<br>
> - Authentication Algorithm : hmac-sha1-96<br>
> - Encryption Algorithm : aes-128-cbc<br>
> - Lifetime : 3600 seconds<br>
> - Mode : tunnel<br>
> - Perfect Forward Secrecy : Diffie-Hellman Group 2<br>
> <br>
> IPSec Dead Peer Detection (DPD) will be enabled on the AWS
Endpoint. We<br>
> recommend configuring DPD on your endpoint as follows:<br>
> - DPD Interval : 10<br>
> - DPD Retries : 3<br>
> <br>
> IPSec ESP (Encapsulating Security Payload) inserts
additional<br>
> headers to transmit packets. These headers require
additional space,<br>
> which reduces the amount of space available to transmit
application data.<br>
> To limit the impact of this behavior, we recommend the
following<br>
> configuration on your Customer Gateway:<br>
> - TCP MSS Adjustment : 1387 bytes<br>
> - Clear Don't Fragment Bit : enabled<br>
> - Fragmentation : Before encryption<br>
> <br>
> #3: Tunnel Interface Configuration<br>
> <br>
> Your Customer Gateway must be configured with a tunnel
interface that is<br>
> associated with the IPSec tunnel. All traffic transmitted
to the tunnel<br>
> interface is encrypted and transmitted to the Virtual
Private Gateway.<br>
> <br>
> <br>
> <br>
> The Customer Gateway and Virtual Private Gateway each have
two addresses that relate<br>
> to this IPSec tunnel. Each contains an outside address,
upon which encrypted<br>
> traffic is exchanged. Each also contains an inside address
associated with<br>
> the tunnel interface.<br>
> <br>
> The Customer Gateway outside IP address was provided when
the Customer Gateway<br>
> was created. Changing the IP address requires the creation
of a new<br>
> Customer Gateway.<br>
> <br>
> The Customer Gateway inside IP address should be configured
on your tunnel<br>
> interface.<br>
> <br>
> Outside IP Addresses:<br>
> - Customer Gateway : 54.241.138.199<br>
> - Virtual Private Gateway : 87.238.85.44<br>
> <br>
> Inside IP Addresses<br>
> - Customer Gateway : 169.254.254.6/30<br>
> - Virtual Private Gateway : 169.254.254.5/30<br>
> <br>
> Configure your tunnel to fragment at the optimal size:<br>
> - Tunnel interface MTU : 1436 bytes<br>
> <br>
> <br>
> #4: Static Routing Configuration:<br>
> <br>
> To route traffic between your internal network and your
VPC,<br>
> you will need a static route added to your router.<br>
> <br>
> Static Route Configuration Options:<br>
> <br>
> - Next hop : 169.254.254.5<br>
> <br>
> You should add static routes towards your internal network
on the VGW.<br>
> The VGW will then send traffic towards your internal
network over<br>
> the tunnels. </tt></font><br>
<br>
<br>
The private subnet on the local strongSwan side is `10.2.0.0/16`. <br>
The private subnet on the remote VPN side is `10.4.0.0/16`.<br>
<br>
With this I tried using a configuration as follows:<br>
<br>
<br>
<font color="#660000"><tt>> conn eu-west-1-1<br>
> left=10.2.0.40<br>
> leftsubnet=10.2.0.0/16<br>
> right=87.238.85.40<br>
> rightsubnet=10.4.0.0/16<br>
> auto=add<br>
> type=tunnel<br>
> keyexchange=ikev1<br>
> authby=secret<br>
> ikelifetime=28800s<br>
> keylife=28800s<br>
> ike=aes128<br>
> esp=aes128</tt></font><br>
<br>
<br>
However, this results in the following error:<br>
<br>
<font color="#660000"><tt>> pluto[1763]: "eu-west-1-1" #12:
cannot respond to IPsec SA request because no connection is
known for
0.0.0.0/0===10.2.0.40[10.2.0.40]...87.238.85.40[87.238.85.40]===0.0.0.0/0</tt></font><br>
<br>
Following one idea I found on the mailing list, I tried putting
`0.0.0.0/0` for the `leftsubnet` and `rightsubnet`, and this does
cause the tunnel to come up (as reported by the AWS web GUI), but I
lose all connectivity to the server (I'm guessing it's creating a
route to 0.0.0.0/0 that blackholes all traffic).<br>
<br>
Can anyone provide any hints on how to adjust the config to get this
working?<br>
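<br>
An added example, not part of the original post: a small Python checker that parses the AWS parameter dump quoted above and the posted conn block, translates the AWS names into strongSwan proposal keywords (aes-128-cbc to aes128, sha1/hmac-sha1-96 to sha1, Diffie-Hellman Group 2 to modp1024), and reports where the conn block differs. It also parses the pluto log line to show which traffic selectors the peer asked for versus which ones the conn block offers. The AWS text, conn block and log line embedded below are constructed from the quotes in the post; the mapping tables are assumptions limited to the algorithm names that appear there.<br>

```python
"""Compare a strongSwan conn block against the parameters AWS hands out.

Added example (not from the original post). Inputs are constructed from the
text quoted in the post; the name mappings are assumptions covering only
the algorithms that appear there.
"""
import re

# Constructed: abbreviated copy of the AWS dump quoted in the post.
AWS_TEXT = """\
#1: Internet Key Exchange Configuration
- Authentication Method : Pre-Shared Key
- Authentication Algorithm : sha1
- Encryption Algorithm : aes-128-cbc
- Lifetime : 28800 seconds
- Phase 1 Negotiation Mode : main
- Perfect Forward Secrecy : Diffie-Hellman Group 2
#2: IPSec Configuration
- Protocol : esp
- Authentication Algorithm : hmac-sha1-96
- Encryption Algorithm : aes-128-cbc
- Lifetime : 3600 seconds
- Mode : tunnel
- Perfect Forward Secrecy : Diffie-Hellman Group 2
"""

# Constructed: the conn block from the post.
CONN_TEXT = """\
conn eu-west-1-1
    left=10.2.0.40
    leftsubnet=10.2.0.0/16
    right=87.238.85.40
    rightsubnet=10.4.0.0/16
    keyexchange=ikev1
    ikelifetime=28800s
    keylife=28800s
    ike=aes128
    esp=aes128
"""

# Constructed: the pluto log line from the post, joined onto one line.
LOG_LINE = ('pluto[1763]: "eu-west-1-1" #12: cannot respond to IPsec SA '
            'request because no connection is known for '
            '0.0.0.0/0===10.2.0.40[10.2.0.40]...87.238.85.40[87.238.85.40]'
            '===0.0.0.0/0')

# AWS names -> strongSwan proposal keywords (assumed, only for names on the page).
ENC = {"aes-128-cbc": "aes128"}
INTEG = {"sha1": "sha1", "hmac-sha1-96": "sha1"}
DH = {"diffie-hellman group 2": "modp1024"}


def parse_aws(text):
    """Return {'ike': {...}, 'esp': {...}} from the '- Key : Value' lines."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith("#1"):
            current = sections.setdefault("ike", {})
        elif line.startswith("#2"):
            current = sections.setdefault("esp", {})
        elif current is not None and line.startswith("- ") and ":" in line:
            key, val = line[2:].split(":", 1)
            current[key.strip().lower()] = val.strip()
    return sections


def proposal(section):
    """Build a strict strongSwan proposal string (trailing '!') from one section."""
    enc = ENC[section["encryption algorithm"].lower()]
    integ = INTEG[section["authentication algorithm"].lower()]
    dh = DH[section["perfect forward secrecy"].lower()]
    return f"{enc}-{integ}-{dh}!"


def lifetime(section):
    """'28800 seconds' -> '28800s', the form used in ipsec.conf."""
    return section["lifetime"].split()[0] + "s"


def parse_conn(text):
    """Collect key=value lines of a conn block into a dict."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(\S+)", line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def log_selectors(line):
    """Extract (local, remote) traffic selectors from the 'no connection is known for' line."""
    if "known for " not in line:
        return None
    parts = line.split("known for ", 1)[1].split("===")
    return (parts[0], parts[-1]) if len(parts) == 3 else None


def check(aws_text, conn_text, log_line=None):
    """Return a list of human-readable mismatches between AWS parameters and the conn."""
    aws, conn, findings = parse_aws(aws_text), parse_conn(conn_text), []
    for key, want in (("ike", proposal(aws["ike"])), ("esp", proposal(aws["esp"])),
                      ("ikelifetime", lifetime(aws["ike"])), ("keylife", lifetime(aws["esp"]))):
        if conn.get(key) != want:
            findings.append(f"{key}: conn has {conn.get(key)!r}, AWS parameters give {want!r}")
    sel = log_selectors(log_line) if log_line else None
    if sel and sel != (conn.get("leftsubnet"), conn.get("rightsubnet")):
        findings.append(f"selectors: peer asked for {sel[0]} <-> {sel[1]}, "
                        f"conn offers {conn.get('leftsubnet')} <-> {conn.get('rightsubnet')}")
    return findings


if __name__ == "__main__":
    for f in check(AWS_TEXT, CONN_TEXT, LOG_LINE):
        print(f)
```

Run against the posted inputs it reports four differences: the ike and esp lines do not pin sha1 and modp1024, keylife is 28800s where AWS lists a 3600 second IPsec lifetime, and the peer asked for 0.0.0.0/0 on both sides while the conn offers 10.2.0.0/16 and 10.4.0.0/16, which is exactly the mismatch the log line complains about and why the 0.0.0.0/0 attempt brought the tunnel up. The checker only reports differences; it does not decide how traffic should be routed once the selectors match.<br>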
<br>
</body>
</html>