[strongSwan] Connecting Multiple VPCs using StrongSwan with, VPC VPN connections

Yaron Sheffer yaronf.ietf at gmail.com
Mon Jan 13 12:09:28 CET 2014


Hi Supratik,

I would bet you are missing a "forceencaps" directive, so that you'll 
have ESP-over-UDP. I've seen it with StrongSwan and IKEv2, but I assume 
it works similarly with IKEv1.

Thanks,
	Yaron

>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 13 Jan 2014 09:43:40 +0530
> From: Supratik Goswami <supratiksekhar at gmail.com>
> Subject: [strongSwan] Connecting Multiple VPCs using StrongSwan with
> 	VPC VPN	connections
> To: users at lists.strongswan.org
> Message-ID:
> 	<CANs4eSCrUFLkpfM8sH3wiJODvrasDst-eoXG132XDe1CuCLOdg at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi
>
> I am using multiple AWS accounts for production/test environments; each
> environment is running a VPC. I have configured Amazon VPC VPN connections
> in each of the VPCs. There is another AWS account in which I have
> configured StrongSwan in an EC2 instance.
>
> I am able to create the IPsec tunnels from the StrongSwan instance to the
> other VPC VPN tunnels. When I check the "status" of the tunnels it shows
> all established.
>
> When I try to ping from the EC2 instance (running StrongSwan) to any EC2
> instance running in the other VPC it fails, but when I ping from the other
> end I am able to see the ICMP requests in tcpdump, but the reply is not
> reaching back to those instances.
>
> Below is my ipsec.conf configuration.
>
> conn %default
>   keyexchange=ikev1
>   keyingtries=%forever
>   esp=aes128-sha1-modp1024
>   ike=aes128-sha1-modp1024
>   ikelifetime=8h
>   auto=start
>   authby=secret
>   dpdaction=restart
>   closeaction=restart
>   dpddelay=10s
>   dpdtimeout=30s
>   leftsubnet=0.0.0.0/0
>   installpolicy=no
>
> conn VPC-CUST-GW1
>   left=10.255.0.5
>   right=72.21.209.194
>   rightsubnet=10.21.0.0/16
>   leftfirewall=yes
>
> conn VPC-CUST-GW2
>   left=10.255.0.5
>   right=72.21.209.226
>   rightsubnet=10.21.0.0/16
>   leftfirewall=yes
>
> conn VPC-CUST-GW3
>   left=10.255.0.127
>   right=72.21.209.192
>   rightsubnet=10.30.0.0/16
>   leftfirewall=yes
>
> conn VPC-CUST-GW4
>   left=10.255.0.127
>   right=72.21.209.226
>   rightsubnet=10.30.0.0/16
>   leftfirewall=yes
>
> Can anyone help me to figure out what I am missing here?
>
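The diagnosis above (a missing `forceencaps` directive, so ESP is only UDP-encapsulated when strongSwan detects a NAT) is easy to check mechanically across many conns. The following script is an added example, not code from the thread or from the strongSwan project: it parses the classic `ipsec.conf` `conn` syntax, merges `conn %default` into each connection the way starter does, and reports every conn that does not carry `forceencaps=yes`. It goes one step beyond the reply by also flagging `installpolicy=no`, which tells charon not to install kernel IPsec policies for that conn (the administrator must then install them separately); that second check is my addition. The embedded configuration is constructed to mirror the one quoted in the message.

```python
"""Report ipsec.conf conns that lack UDP encapsulation for ESP.

Added example for the strongSwan users-list thread above; it is not the
poster's or the project's code. It assumes the classic ipsec.conf layout:
'conn NAME' headers followed by indented key=value lines, with 'conn %default'
supplying inherited settings.
"""
from __future__ import annotations

import re

# Constructed sample that mirrors the configuration quoted in the thread.
SAMPLE_CONF = """\
conn %default
  keyexchange=ikev1
  keyingtries=%forever
  esp=aes128-sha1-modp1024
  ike=aes128-sha1-modp1024
  ikelifetime=8h
  auto=start
  authby=secret
  dpdaction=restart
  closeaction=restart
  dpddelay=10s
  dpdtimeout=30s
  leftsubnet=0.0.0.0/0
  installpolicy=no

conn VPC-CUST-GW1
  left=10.255.0.5
  right=72.21.209.194
  rightsubnet=10.21.0.0/16
  leftfirewall=yes

conn VPC-CUST-GW3
  left=10.255.0.127
  right=72.21.209.192
  rightsubnet=10.30.0.0/16
  leftfirewall=yes
"""

_CONN_RE = re.compile(r"^conn\s+(\S+)\s*$")
_SETUP_RE = re.compile(r"^config\s+setup\b")


def parse_ipsec_conf(text: str) -> dict[str, dict[str, str]]:
    """Return {conn_name: {key: value}} with %default merged into every conn.

    A conn's own settings override the inherited ones; 'config setup' is
    skipped and '#' comments are stripped, as starter would.
    """
    sections: dict[str, dict[str, str]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        match = _CONN_RE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, {})
            continue
        if _SETUP_RE.match(line):
            current = None  # settings under 'config setup' are not conn options
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in sections.items()}


def check_conns(conns: dict[str, dict[str, str]]) -> dict[str, list[str]]:
    """Return {conn_name: [findings]} for conns that need attention."""
    findings: dict[str, list[str]] = {}
    for name, opts in conns.items():
        issues: list[str] = []
        if opts.get("forceencaps", "no").lower() != "yes":
            issues.append("forceencaps is not 'yes': ESP is UDP-encapsulated "
                          "only if a NAT is detected during IKE")
        # Added check beyond the thread's diagnosis (see lead-in).
        if opts.get("installpolicy", "yes").lower() == "no":
            issues.append("installpolicy=no: charon installs no kernel IPsec "
                          "policies for this conn; they must be installed separately")
        if issues:
            findings[name] = issues
    return findings


def report(text: str) -> dict[str, list[str]]:
    """Parse an ipsec.conf body and return the per-conn findings."""
    return check_conns(parse_ipsec_conf(text))


if __name__ == "__main__":
    for conn, issues in report(SAMPLE_CONF).items():
        for issue in issues:
            print(f"{conn}: {issue}")
```

Run it against a real `/etc/ipsec.conf` by passing the file contents to `report()`; a conn that sets `forceencaps=yes` (either directly or via `%default`) and leaves `installpolicy` at its default produces no findings.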
