<div dir="ltr"><span style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px">You have two choices:</span><br style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px"><br style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px"><span style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px">1) Connect from Strongswan to AWS VPC VPN</span><br style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px"><span style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px">2) Connect from Strongswan to an EC2 instance running Strongswan</span><br style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px"><br style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px"><span style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px">The Strongswan wiki covers #2. For #1 you can look at this tutorial:</span><br style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px"><br style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px"><a class="" href="http://www.mynameistoby.com/" style="color:rgb(153,102,51);text-decoration:none;font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px">http://www.mynameistoby.com/</a><br style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px"><br style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px"><span style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px">However, I did not have success with the config file in the tutorial for several reasons:</span><br style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px"><span style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px">1) It has IKEv2, whereas VPC VPN now only supports IKEv1</span><br style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px"><span style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px">2) It tries to establish two tunnels, which Strongswan can't handle (the kernel routing goes buggy)..although I believe if IKEv2 was allowed it could be possible.</span><br style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px"><br style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px"><span style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px">After much trial and error, the attached config worked for me on a CENTOS6 box running Strongswan 5.3.</span><br style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px"><br style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px"><span style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px">You will be able to ping your internal EC2 instance, but not your AWS tunnel IPs.</span><br style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px"><br style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px"><span style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px">(another tutorial you can look at : </span><a class="" href="http://www.maxmanders.co.uk/2014/05/05/aws-vpn-solutions-with-strongswan.html" style="color:rgb(153,102,51);text-decoration:none;font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px">http://www.maxmanders.co.uk/2014/05/05/aws-vpn-solutions-with-strongswan.html</a><span style="color:rgb(0,0,0);font-family:verdana,arial,sans-serif;font-size:12px;line-height:18px">)</span><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Jan 14, 2016 at 10:09 PM, John A. Sullivan III <span dir="ltr"><<a href="mailto:jsullivan@opensourcedevel.com" target="_blank">jsullivan@opensourcedevel.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
<br>
On Thursday 14 January 2016 10:56:11 pm Josh wrote:<br>
> This <a href="http://bleikertz.com/blog/amazon_vpc_with_linux.html" rel="noreferrer" target="_blank">http://bleikertz.com/blog/amazon_vpc_with_linux.html</a> guide uses<br>
> racoon. Does anyone know how to use strongswan for the same task?<br>
><br>
> Josh.<br>
</span><snip><br>
We have done this successfully with StrongSWAN. Unfortunately, I do not have<br>
my documentation handy but I recall that, even though we wanted to use<br>
transport mode (since we were doing GRE / IPSec), we needed to use tunnel<br>
mode. I do not recall if we had to use the internal address as the<br>
rightnetwork address.<br>
<br>
I have wall to wall meeting tomorrow but I'll see if I can dig out the setup -<br>
John<br>
<div class="HOEnZb"><div class="h5">_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
<a href="https://lists.strongswan.org/mailman/listinfo/users" rel="noreferrer" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br>
</div></div></blockquote></div><br></div>