<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Are your encaps/decaps increasing for the SA when it’s up and you’re trying to ping?<div class=""><br class=""></div><div class="">We use a number of instances on AWS to connect to about everything under the sun that does IPSec.</div><div class=""><br class=""></div><div class="">Several notes:</div><div class=""><br class=""></div><div class="">- Put the AWS IPSec appliance on a public subnet with an IGW</div><div class="">- Associate an Elastic IP with the appliance instance.</div><div class="">- Make sure the Security Group associated with it permits udp/500 and udp/4500 since they’re doing NAT and NAT-T</div><div class="">- on the AWS appliance in ipsec.conf make sure left = is the internal IP of the appliance. Make sure leftid = the EIP associated with the instance.</div><div class="">- set right = to be the external IP of the Cisco appliance </div><div class="">- leftsubnet = the internal subnet of the VPC (we set it to the supernet associated with the whole VPC)</div><div class="">- rightsubnet = what’s behind the Cisco</div><div class="">- make sure your Security Groups allow the remote subnets (from the Cisco side) to connect to things</div><div class="">- add routes to the remote Cisco networks to the routing table(s)</div><div class="">- manually or automatically (leftfirewall, rightfirewall = yes) get the iptables rules updated to forward.</div><div class="">- Forwarding needs to be on in /etc/sysctl.conf</div><div class="">- I usually bump up UDP send/receive buffers</div><div class=""><br class=""></div><div class="">Works for me.</div><div class=""><br class=""></div><div class="">EKG</div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Aug 31, 2016, at 4:40 
PM, John Gathm &lt;<a href="mailto:john.gathm@gmail.com" class="">john.gathm@gmail.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Hi Strongswan User list<div class=""><br class=""></div><div class="">I am trying to do a fake "site to site" IPSec tunnel to a service provider.</div><div class="">My instance of Strongswan is hosted on an Amazon EC2 instance, and I am trying to reach a service on a server behind a Cisco VPN gateway.</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">I am trying to do the following thing (IPs are fake)</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Amazon EC2 instance:</div><div class="">123.123.22.22/32 (dummy Linux interface &amp; fake local subnet, only one IP for the instance; this is my leftsubnet)</div><div class="">private EC2 IP:</div><div class="">10.0.0.5</div><div class=""><br class=""></div><div class="">AWS NAT internet gateway EC2 IP:</div><div class="">10.0.0.1</div><div class="">public EC2 IP:</div><div class="">81.98.242.23</div><div class=""><br class=""></div><div class=""><br class=""></div><div class="">Cisco VPN public IP:</div><div class="">82.58.243.24</div><div class="">Cisco Private IP:</div><div class="">192.168.0.1</div><div class=""><br class=""></div><div class="">Server to access:</div><div class="">192.168.0.5 (rightsubnet = 192.168.0.5/24)</div><div class=""><br class=""></div><div class="">I manage to get the ipsec tunnel up and running (stable in "ipsec statusall"); however, I cannot reach 192.168.0.5 from my EC2 instance using interface 123.123.22.22.</div><div class=""><br class=""></div><div class="">first question is </div><div class="">1) is it possible to reach the remote server through the Strongswan IPSEC gateway itself?</div><div class="">2) does it require special routes &amp; policies not added 
by Strongswan?</div><div class="">3) would you recommend another setup than using a dummy interface?</div><div class=""><br class=""></div><div class="">thanks for any hints</div><div class=""><br class=""></div><div class="">best regards</div><div class="">J.G</div></div>
_______________________________________________<br class="">Users mailing list<br class=""><a href="mailto:Users@lists.strongswan.org" class="">Users@lists.strongswan.org</a><br class="">https://lists.strongswan.org/mailman/listinfo/users</div></blockquote></div><br class=""></div></body></html>
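The checklist in EKG's reply, written out as a strongSwan configuration. This is an added example, not configuration posted by either participant: it reuses the (fake) addresses from John's question, while the VPC CIDR 10.0.0.0/16, the IKEv2 key exchange, pre-shared-key authentication, the connection name and the placeholder secret are assumptions that have to be matched to whatever the Cisco side is actually configured for.

```conf
# /etc/ipsec.conf on the strongSwan EC2 instance (example; addresses come from
# the question, everything else is an assumption to be checked against the Cisco)
config setup
    # keep IKE and kernel-interface messages visible while bringing the tunnel up
    charondebug="ike 1, knl 1, cfg 0"

conn aws-to-cisco
    keyexchange=ikev2            # assumption: use whatever the Cisco side speaks
    authby=secret                # assumption: pre-shared key (see ipsec.secrets)
    type=tunnel

    # --- left = this EC2 instance ---
    left=10.0.0.5                # private address on the instance's interface
    leftid=81.98.242.23          # the Elastic IP: what the Cisco sees as the peer
    leftsubnet=10.0.0.0/16       # assumption: the whole VPC CIDR, as EKG suggests
    leftfirewall=yes             # the updown script inserts the iptables FORWARD rules

    # --- right = the Cisco VPN gateway ---
    right=82.58.243.24           # Cisco public address
    rightid=82.58.243.24
    rightsubnet=192.168.0.0/24   # the /24 that contains 192.168.0.5

    # bring the tunnel up at start and re-establish it if the peer goes away
    auto=start
    dpddelay=30s
    dpdaction=restart
    closeaction=restart

# /etc/ipsec.secrets on the same host (the key is a placeholder)
# 81.98.242.23 82.58.243.24 : PSK "REPLACE-WITH-THE-SHARED-KEY"

# /etc/sysctl.conf on the same host: without this the kernel drops packets that
# arrive from other VPC hosts for 192.168.0.0/24 instead of forwarding them into the SA
# net.ipv4.ip_forward = 1
```

Two things follow from this layout. Because leftsubnet covers the gateway's own address 10.0.0.5, traffic that originates on the gateway (for example `ping -I 10.0.0.5 192.168.0.5`) matches the IPsec policy too, which is what EKG's "supernet for the whole VPC" note buys you without a dummy interface. And EKG's opening question is the right first check: `ipsec statusall` prints bytes_i/bytes_o counters for each CHILD_SA, and a tunnel that is "up" while those counters stay at zero during a ping means the packets are not being selected into the SA on this side (a routing or policy problem here), rather than being dropped by the Cisco. For VPC hosts other than the gateway to use the tunnel, the VPC route table also needs a route for 192.168.0.0/24 pointing at the gateway instance, and the instance's source/destination check must be disabled or AWS will discard the forwarded packets.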