<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
It creates the needed vti interfaces and sets some iptables stuff. Here is mine in its entirety.</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<pre>
#!/bin/bash
# strongSwan updown hook for route-based (VTI) tunnels to AWS.
# charon runs it with PLUTO_VERB, PLUTO_ME, PLUTO_PEER and PLUTO_INTERFACE
# in the environment; the conn's leftupdown= line supplies the options below.

while [[ $# -gt 1 ]]; do
    case ${1} in
        -ln|--link-name)
            TUNNEL_NAME="${2}"
            TUNNEL_PHY_INTERFACE="${PLUTO_INTERFACE}"
            shift
            ;;
        -ll|--link-local)
            TUNNEL_LOCAL_ADDRESS="${2}"
            TUNNEL_LOCAL_ENDPOINT="${PLUTO_ME}"
            shift
            ;;
        -lr|--link-remote)
            TUNNEL_REMOTE_ADDRESS="${2}"
            TUNNEL_REMOTE_ENDPOINT="${PLUTO_PEER}"
            shift
            ;;
        -m|--mark)
            TUNNEL_MARK="${2}"
            shift
            ;;
        -r|--static-route)
            TUNNEL_STATIC_ROUTE="${2}"
            shift
            ;;
        *)
            echo "${0}: Unknown argument \"${1}\"" >&2
            ;;
    esac
    shift
done

command_exists() {
    type "$1" >/dev/null 2>&1
}

create_interface() {
    # The mark doubles as the VTI key, so ESP marked below lands on this interface.
    ip link add "${TUNNEL_NAME}" type vti local "${TUNNEL_LOCAL_ENDPOINT}" remote "${TUNNEL_REMOTE_ENDPOINT}" key "${TUNNEL_MARK}"
    ip addr add "${TUNNEL_LOCAL_ADDRESS}" remote "${TUNNEL_REMOTE_ADDRESS}" dev "${TUNNEL_NAME}"
    ip link set "${TUNNEL_NAME}" up mtu 1419
}

configure_sysctl() {
    sysctl -w net.ipv4.ip_forward=1
    sysctl -w "net.ipv4.conf.${TUNNEL_NAME}.rp_filter=2"
    sysctl -w "net.ipv4.conf.${TUNNEL_NAME}.disable_policy=1"
    sysctl -w "net.ipv4.conf.${TUNNEL_PHY_INTERFACE}.disable_xfrm=1"
    sysctl -w "net.ipv4.conf.${TUNNEL_PHY_INTERFACE}.disable_policy=1"
}

add_route() {
    IFS=',' read -ra route <<< "${TUNNEL_STATIC_ROUTE}"
    for i in "${route[@]}"; do
        ip route add "${i}" dev "${TUNNEL_NAME}" metric "${TUNNEL_MARK}"
    done
    # Clamp TCP MSS to the path MTU so large segments survive the tunnel overhead.
    iptables -t mangle -A FORWARD -o "${TUNNEL_NAME}" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    iptables -t mangle -A INPUT -p esp -s "${TUNNEL_REMOTE_ENDPOINT}" -d "${TUNNEL_LOCAL_ENDPOINT}" -j MARK --set-xmark "${TUNNEL_MARK}"
    ip route flush table 220
}

cleanup() {
    IFS=',' read -ra route <<< "${TUNNEL_STATIC_ROUTE}"
    for i in "${route[@]}"; do
        ip route del "${i}" dev "${TUNNEL_NAME}" metric "${TUNNEL_MARK}"
    done
    iptables -t mangle -D FORWARD -o "${TUNNEL_NAME}" -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    iptables -t mangle -D INPUT -p esp -s "${TUNNEL_REMOTE_ENDPOINT}" -d "${TUNNEL_LOCAL_ENDPOINT}" -j MARK --set-xmark "${TUNNEL_MARK}"
    ip route flush cache
}

delete_interface() {
    ip link set "${TUNNEL_NAME}" down
    ip link del "${TUNNEL_NAME}"
}

# main execution starts here

for cmd in ip iptables sysctl; do
    command_exists "${cmd}" || {
        echo "ERROR: ${cmd} command is required to execute the script, check if you are running as root, mostly to do with path, /sbin/" >&2
        exit 1
    }
done

case "${PLUTO_VERB}" in
    up-client)
        create_interface
        configure_sysctl
        add_route
        ;;
    down-client)
        cleanup
        delete_interface
        ;;
esac
</pre>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div id="Signature">
<div>
<div id="divtagdefaultwrapper" dir="ltr" style="background-color: rgb(255, 255, 255);">
<p class="x_MsoNormal" style="margin: 0in 0in 0.0001pt; color: rgb(33, 33, 33);"><b>Doug Tucker</b><br>
Sr. Director of Networking & Linux Operations</p>
<p class="x_MsoNormal" style="margin: 0in 0in 0.0001pt; font-size: 11pt; font-family: Calibri, sans-serif; color: rgb(33, 33, 33);"><b>o:</b> 817.975.5832 | <b>m:</b> 817.975.5832<br>
<b>e:</b> doug.tucker@navigaglobal.com<br>
<a href="https://navigaglobal.com/" target="_blank" rel="noopener noreferrer">Newscycle Solutions is now Naviga. Learn more.</a></p>
<p style="margin: 0px; color: rgb(136, 136, 136); font-size: 8.5pt; font-family: Arial, sans-serif;">CONFIDENTIALITY NOTICE: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited.</p>
</div>
</div>
</div>
</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Users <users-bounces@lists.strongswan.org> on behalf of Dominik <dr896543@gmail.com><br>
<b>Sent:</b> Thursday, September 17, 2020 9:32 AM<br>
<b>To:</b> users@lists.strongswan.org <users@lists.strongswan.org><br>
<b>Subject:</b> Re: [strongSwan] Connection to AWS-VPC</font>
<div> </div>
</div>
<div>
<p>Thanks Doug,</p>
<p>what does the aws-updown.sh do?</p>
<p>Kind regards</p>
<p>Dominik<br>
</p>
<div class="x_moz-cite-prefix">On 16.09.20 17:28, Doug Tucker wrote:<br>
</div>
<blockquote type="cite">
<div>
<div>
<div>ipsec.conf:</div>
<div><br>
</div>
<div>
<pre>
# ipsec.conf - strongSwan IPsec configuration file
# Site network admin:
# basic configuration

config setup
    # strictcrlpolicy=yes
    uniqueids = no
    # charondebug = "ike 2,chd 3, enc 2"

# Add connections here.

############################################################
## Common configuration
############################################################

conn Tunnel1
    auto=start
    left=%defaultroute
    leftid=1.1.1.1
    right=2.2.2.2
    type=tunnel
    leftauth=psk
    rightauth=psk
    keyexchange=ikev1
    ike=aes256-sha1-modp1024
    ikelifetime=8h
    esp=aes256-sha1-modp1024
    lifetime=1h
    keyingtries=%forever
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    dpddelay=10s
    dpdtimeout=30s
    dpdaction=restart
    mark=100
    leftupdown="/usr/local/etc/aws-updown.sh -ln Tunnel1 -ll 169.254.x.x/30 -lr 169.254.x.x/30 -m 100 -r 10.x.x.0/20"

conn Tunnel2
    auto=start
    left=%defaultroute
    leftid=1.1.1.1
    right=2.2.2.2
    type=tunnel
    leftauth=psk
    rightauth=psk
    keyexchange=ikev1
    ike=aes128-sha1-modp1024
    ikelifetime=8h
    esp=aes128-sha1-modp1024
    lifetime=1h
    keyingtries=%forever
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    dpddelay=10s
    dpdtimeout=30s
    dpdaction=restart
    mark=200
    leftupdown="/usr/local/etc/aws-updown.sh -ln Tunnel2 -ll 169.254.x.x/30 -lr 169.254.x.x/30 -m 200 -r 10.x.x.0/20"
</pre>
<div>Let me know if there is more you would like to see.</div>
</div>
<br>
</div>
</div>
<hr tabindex="-1">
<div id="x_divRplyFwdMsg" dir="ltr"><b>From:</b> Users <a class="x_moz-txt-link-rfc2396E" href="mailto:users-bounces@lists.strongswan.org">
<users-bounces@lists.strongswan.org></a> on behalf of Dominik Reusser <a class="x_moz-txt-link-rfc2396E" href="mailto:dr896543@gmail.com">
<dr896543@gmail.com></a><br>
<b>Sent:</b> Tuesday, September 15, 2020 1:19 AM<br>
<b>To:</b> <a class="x_moz-txt-link-abbreviated" href="mailto:users@lists.strongswan.org">
users@lists.strongswan.org</a> <a class="x_moz-txt-link-rfc2396E" href="mailto:users@lists.strongswan.org">
<users@lists.strongswan.org></a><br>
<b>Subject:</b> [strongSwan] Connection to AWS-VPC
<div> </div>
</div>
<div>
<div>
<div dir="ltr">
<div>Has anyone successfully connected to AWS VPC? My connection is established and ICMP packets are routed through the AWS cloud. However, UDP and TCP packets - while being sent towards the AWS server (from tcpdump on the client side) - do not appear in the logs of the VPC. <br>
</div>
<div><br>
</div>
<div>With a corresponding setup with Openswan I get a working connection. However, I would prefer to use strongSwan.
<br>
</div>
<div><br>
</div>
<div>If you have successfully connected to AWS VPC, could you please share your configuration files?</div>
<div><br>
</div>
<div>Thanks</div>
<div>Kind regards</div>
<div>Dominik<br>
</div>
</div>
</div>
</div>
</blockquote>
</div>
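<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<p>Added example, not code from this thread, from strongSwan or from AWS: a small Python linter for ipsec.conf files of the route-based kind quoted above, where each AWS tunnel is one conn that hands its mark and inside-tunnel /30s to aws-updown.sh. It re-implements the hook's option loop to recover the -m, -ll, -lr and -r values and checks the invariants the script relies on: the conn's mark= equals the hook's -m (the mark is also the VTI key and the route metric, so two conns sharing a mark collide), the inside addresses are /30s in 169.254.0.0/16 (an assumption taken from the 169.254.x.x/30 values in the quoted config), every -r entry parses as a network, both traffic selectors are 0.0.0.0/0, and no parameter line has lost its indentation (ipsec.conf attaches only indented lines to a section). The sample config, its 192.0.2.x and 198.51.100.x endpoints and its 169.254.10.x/11.x addresses are constructed; Tunnel2 deliberately passes -m 100 while its mark= is 200.</p>

```python
"""Consistency check for route-based (VTI) strongSwan conns like the two in the
quoted ipsec.conf. Example code added to this thread, not the poster's own.
The sample config at the bottom is constructed with documentation addresses."""
import ipaddress
import shlex

# Assumption: AWS inside-tunnel /30s are link-local, as the 169.254.x.x/30 values suggest.
AWS_INSIDE = ipaddress.ip_network("169.254.0.0/16")

# Hook option -> field, mirroring the case statement in aws-updown.sh
OPTS = {"-ln": "name", "--link-name": "name",
        "-ll": "local", "--link-local": "local",
        "-lr": "remote", "--link-remote": "remote",
        "-m": "mark", "--mark": "mark",
        "-r": "routes", "--static-route": "routes"}


def parse_updown_args(argv):
    """Replicate the hook's `while [[ $# -gt 1 ]]` loop: a known option consumes
    two words, an unknown option is reported and consumes one."""
    parsed, unknown = {}, []
    i = 0
    while len(argv) - i >= 2:
        field = OPTS.get(argv[i])
        if field is None:
            unknown.append(argv[i])
            i += 1
            continue
        parsed[field] = argv[i + 1]
        i += 2
    return parsed, unknown


def parse_conns(text):
    """Minimal ipsec.conf reader: returns ({conn: {key: value}}, stray_lines).
    A key=value line with no leading whitespace belongs to no section, which is
    how an unindented leftupdown= line gets silently ignored."""
    conns, stray, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[:1].isspace():
            words = line.split()
            if "=" in words[0]:
                stray.append(line.strip())
                continue
            current = conns.setdefault(words[1], {}) if words[0] == "conn" and len(words) == 2 else None
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return conns, stray


def lint(text):
    """Return human-readable findings; an empty list means the config is consistent."""
    conns, stray = parse_conns(text)
    findings = [f"unindented parameter outside any section: {s}" for s in stray]
    marks = {}
    for name, conn in conns.items():
        opts, unknown = parse_updown_args(shlex.split(conn.get("leftupdown", ""))[1:])
        findings.extend(f"{name}: hook would ignore unknown option {u}" for u in unknown)
        mark = opts.get("mark")
        if conn.get("mark") != mark:
            findings.append(f"{name}: mark={conn.get('mark')} but the hook gets -m {mark}")
        if mark in marks:
            findings.append(f"{name}: mark {mark} already used by {marks[mark]} "
                            "(VTI key and route metric would collide)")
        marks.setdefault(mark, name)
        for flag, side in (("-ll", "local"), ("-lr", "remote")):
            value = opts.get(side, "")
            try:
                iface = ipaddress.ip_interface(value)
                ok = iface.network.prefixlen == 30 and iface.ip in AWS_INSIDE
            except ValueError:
                ok = False
            if not ok:
                findings.append(f"{name}: {flag} {value!r} is not a /30 inside {AWS_INSIDE}")
        for cidr in opts.get("routes", "").split(","):
            try:
                ipaddress.ip_network(cidr)
            except ValueError:
                findings.append(f"{name}: -r entry {cidr!r} is not a valid network")
        for sel in ("leftsubnet", "rightsubnet"):
            if conn.get(sel) != "0.0.0.0/0":
                findings.append(f"{name}: {sel} must be 0.0.0.0/0 for a route-based VTI tunnel")
    return findings


# Constructed sample in the shape of the quoted config; Tunnel2's -m is wrong on purpose.
SAMPLE_CONF = """\
config setup
    uniqueids = no

conn Tunnel1
    auto=start
    left=%defaultroute
    leftid=192.0.2.10
    right=198.51.100.20
    type=tunnel
    keyexchange=ikev1
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark=100
    leftupdown="/usr/local/etc/aws-updown.sh -ln Tunnel1 -ll 169.254.10.2/30 -lr 169.254.10.1/30 -m 100 -r 10.20.0.0/20"

conn Tunnel2
    auto=start
    left=%defaultroute
    leftid=192.0.2.10
    right=198.51.100.21
    type=tunnel
    keyexchange=ikev1
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark=200
    leftupdown="/usr/local/etc/aws-updown.sh -ln Tunnel2 -ll 169.254.11.2/30 -lr 169.254.11.1/30 -m 100 -r 10.20.0.0/20"
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

<p>Run as a script it prints two findings, both for Tunnel2: the mark mismatch and the collision with Tunnel1's mark 100. Point lint() at a real ipsec.conf before reloading charon; the checks are cheap and the failure modes they catch (a conn whose ESP is marked for the wrong vti, or a leftupdown= line charon never sees) produce tunnels that come up but carry no traffic.</p>
</div>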
</body>
</html>