[strongSwan] Connecting with AWS VPC VPN

Patrick Hemmer strongswan at stormcloud9.net
Thu Dec 13 04:18:35 CET 2012


I'm trying to create a VPN tunnel between 2 AWS regions. The way I'm 
trying to do this is by setting up a strongSwan server in one region, 
and then a VPC VPN in the other region (the VPC VPN is an IPsec VPN 
provided and controlled by Amazon).
The problem is I can't come up with a configuration that works right.

AWS provides the following info for setting up the IPsec VPN:

 > #1: Internet Key Exchange Configuration
 >
 > Configure the IKE SA as follows
 >   - Authentication Method    : Pre-Shared Key
 >   - Pre-Shared Key           : ***********************
 >   - Authentication Algorithm : sha1
 >   - Encryption Algorithm     : aes-128-cbc
 >   - Lifetime                 : 28800 seconds
 >   - Phase 1 Negotiation Mode : main
 >   - Perfect Forward Secrecy  : Diffie-Hellman Group 2
 >
 > #2: IPSec Configuration
 >
 > Configure the IPSec SA as follows:
 >   - Protocol                 : esp
 >   - Authentication Algorithm : hmac-sha1-96
 >   - Encryption Algorithm     : aes-128-cbc
 >   - Lifetime                 : 3600 seconds
 >   - Mode                     : tunnel
 >   - Perfect Forward Secrecy  : Diffie-Hellman Group 2
 >
 > IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
 > recommend configuring DPD on your endpoint as follows:
 >   - DPD Interval             : 10
 >   - DPD Retries              : 3
 >
 > IPSec ESP (Encapsulating Security Payload) inserts additional
 > headers to transmit packets. These headers require additional space,
 > which reduces the amount of space available to transmit application data.
 > To limit the impact of this behavior, we recommend the following
 > configuration on your Customer Gateway:
 >   - TCP MSS Adjustment       : 1387 bytes
 >   - Clear Don't Fragment Bit : enabled
 >   - Fragmentation            : Before encryption
 >
 > #3: Tunnel Interface Configuration
 >
 > Your Customer Gateway must be configured with a tunnel interface that is
 > associated with the IPSec tunnel. All traffic transmitted to the tunnel
 > interface is encrypted and transmitted to the Virtual Private Gateway.
 >
 >
 >
 > The Customer Gateway and Virtual Private Gateway each have two addresses that relate
 > to this IPSec tunnel. Each contains an outside address, upon which encrypted
 > traffic is exchanged. Each also contain an inside address associated with
 > the tunnel interface.
 >
 > The Customer Gateway outside IP address was provided when the Customer Gateway
 > was created. Changing the IP address requires the creation of a new
 > Customer Gateway.
 >
 > The Customer Gateway inside IP address should be configured on your tunnel
 > interface.
 >
 > Outside IP Addresses:
 >   - Customer Gateway                 : 54.241.138.199
 >   - Virtual Private Gateway            : 87.238.85.44
 >
 > Inside IP Addresses
 >   - Customer Gateway                 : 169.254.254.6/30
 >   - Virtual Private Gateway         : 169.254.254.5/30
 >
 > Configure your tunnel to fragment at the optimal size:
 >   - Tunnel interface MTU     : 1436 bytes
 >
 >
 > #4: Static Routing Configuration:
 >
 > To route traffic between your internal network and your VPC,
 > you will need a static route added to your router.
 >
 > Static Route Configuration Options:
 >
 >   - Next hop       : 169.254.254.5
 >
 > You should add static routes towards your internal network on the VGW.
 > The VGW will then send traffic towards your internal network over
 > the tunnels.


The private subnet on the local strongSwan side is `10.2.0.0/16`.
The private subnet on the remote VPN side is `10.4.0.0/16`.

With this I tried using a configuration as follows:


 > conn eu-west-1-1
 >     left=10.2.0.40
 >     leftsubnet=10.2.0.0/16
 >     right=87.238.85.40
 >     rightsubnet=10.4.0.0/16
 >     auto=add
 >     type=tunnel
 >     keyexchange=ikev1
 >     authby=secret
 >     ikelifetime=28800s
 >     keylife=28800s
 >     ike=aes128
 >     esp=aes128


However this results in the following error:

 > pluto[1763]: "eu-west-1-1" #12: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===10.2.0.40[10.2.0.40]...87.238.85.40[87.238.85.40]===0.0.0.0/0

Following one idea I found on the mailing list, I tried putting 
`0.0.0.0/0` for the `leftsubnet` and `rightsubnet`, and this does cause 
the tunnel to come up (as reported by the AWS web GUI), but I lose all 
connectivity to the server (I'm guessing it's creating a route to 
0.0.0.0/0 that blackholes all traffic).

Can anyone provide any hints on how to adjust the config to get this 
working?
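For reference, here is how the parameters AWS lists above map onto strongSwan `ipsec.conf` syntax. This is an added example, not the poster's configuration and not a verified fix for this thread; it assumes a charon-based strongSwan 5.x (where IKEv1 is handled by charon rather than pluto), a Linux kernel with VTI support, and that `10.2.0.40` is the instance's private address sitting behind the Elastic IP `54.241.138.199` that AWS lists as the Customer Gateway outside address. The connection name, the mark value `100` and the updown script path are hypothetical. Note the VGW outside address in the AWS output is `87.238.85.44`, which is what the example uses.

```ini
# /etc/ipsec.conf (added example, assumptions listed in the lead-in)
conn aws-vpc-tunnel-1
    keyexchange=ikev1
    authby=secret
    type=tunnel
    left=10.2.0.40
    # IKE identity must be the CGW outside address; the host itself is NATed
    leftid=54.241.138.199
    # VGW outside address from the AWS output
    right=87.238.85.44
    # AWS negotiates 0.0.0.0/0 <-> 0.0.0.0/0 selectors (route-based VPN), so the
    # traffic selectors must match that rather than the two private subnets
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    # Phase 1: aes-128-cbc, sha1, Diffie-Hellman group 2 (modp1024); '!' = strict proposal
    ike=aes128-sha1-modp1024!
    ikelifetime=28800s
    # Phase 2: esp, aes-128-cbc, hmac-sha1-96, PFS group 2
    esp=aes128-sha1-modp1024!
    lifetime=3600s
    # DPD interval 10 s with 3 retries -> 30 s timeout
    dpddelay=10s
    dpdtimeout=30s
    dpdaction=restart
    # Mark the SAs so a VTI interface created with the same key carries the traffic
    mark=100
    # Hypothetical script that creates/configures the VTI (commands in the note below)
    leftupdown=/etc/strongswan.d/aws-vti-updown.sh
    auto=start

# /etc/strongswan.conf
# With wildcard selectors charon would otherwise install a 0.0.0.0/0 route through
# the tunnel, which is the blackhole behaviour described above
charon {
    install_routes = no
}
```

The pre-shared key goes in `ipsec.secrets` as `54.241.138.199 87.238.85.44 : PSK "<key from the AWS output>"`. Because the selectors are `0.0.0.0/0`, routing has to be done by an interface rather than by the IPsec policies: the updown script would run `ip link add vti1 type vti local 10.2.0.40 remote 87.238.85.44 key 100`, `ip addr add 169.254.254.6/30 remote 169.254.254.5/30 dev vti1`, `ip link set vti1 up mtu 1436`, `sysctl -w net.ipv4.conf.vti1.disable_policy=1` and `ip route add 10.4.0.0/16 dev vti1`, so that only traffic for the remote VPC subnet enters the tunnel. The MSS and MTU values AWS recommends (1387 and 1436) map to that `mtu` setting plus an `iptables -t mangle -A FORWARD -o vti1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1387` rule on the Customer Gateway. Verifying after `ipsec up aws-vpc-tunnel-1` that `ip xfrm policy` shows the wildcard selectors with `mark 0x64` and that the default route is unchanged is the quick check that the blackhole has been avoided.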
