[strongSwan] Connecting to Amazon VPC with Centos/RHEL 6

Andrew Noonan anoonan+strongswan at gmail.com
Wed Sep 3 18:41:57 CEST 2014


Hi all,

Does anyone here have experience connecting to the Amazon VPC VPN with
Centos/RHEL 6 using both connections provided by Amazon?

The Situation:

We'd like to use Amazon's VPN solution for our tunnels, and would also like
to use StrongSwan for the non-AWS endpoints.  Amazon gives two tunnels for
each "VPN", each coming from a different IP.  This is so that they can do
maintenance on one of the devices without taking out customers' connections
for an extended period.  I've been able to set things up so that one tunnel
comes up, but adding a second connection with the same rightsubnet causes
the policies to stomp on each other, resulting in traffic not passing through
either tunnel.  Both tunnels are up OK, just no traffic passes.

OpenVPN Access Server seems to have an approach for this documented here:

https://docs.openvpn.net/how-to-tutorialsguides/administration/extending-vpn-connectivity-to-amazon-aws-vpc-using-aws-vpc-vpn-gateway-service/

but this relies on being able to add a policy in the updown script that
adds a mark.  Unfortunately, the version of iproute frozen by Centos/RHEL 6
is 2.6.32, which is *right* before they added the ability to add policies
with marks.  I'd like to avoid adding a non-standard version of iproute to
the systems if possible, and I really can't nuke the existing systems and
replace them with OpenVPN Access Server appliances.

Does anyone out there have experience with this, or am I just doing this
wrong?

Thanks!
Andrew
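The symptom described in the message (both tunnels up, no traffic, because two conns with the same rightsubnet install the same xfrm policies) can be checked directly in the kernel's policy database. The script below is an added example, not code from the post or from the strongSwan project: it parses `ip xfrm policy show`-style text and reports any selector (src, dst, dir) plus mark that is claimed by more than one tunnel (reqid). The sample policy text is constructed inline from RFC 5737 documentation addresses rather than captured from a real host; the `build_sample(marked=True)` variant assumes each conn has been given a distinct mark (as strongSwan's per-conn `mark=` option would install), which is what keeps the two policy sets apart.

```python
"""Detect xfrm policy collisions between two IPsec tunnels to the same remote subnet.

Parses `ip xfrm policy show`-style text and groups policies by selector
(src, dst, dir) plus mark. Two tunnels whose policies share that key would
"stomp" on each other; distinct marks keep them apart.
"""
import re
from collections import defaultdict

# Constructed addresses (RFC 5737 documentation ranges), not from any real deployment.
LOCAL_SUBNET = "10.10.0.0/16"      # the non-AWS side
REMOTE_SUBNET = "172.31.0.0/16"    # the VPC side (same rightsubnet for both tunnels)
LOCAL_GW = "203.0.113.10"
AWS_PEERS = {1: "198.51.100.1", 2: "198.51.100.2"}   # reqid -> AWS tunnel endpoint


def build_sample(marked):
    """Construct `ip xfrm policy show`-style output for the two tunnels.

    With marked=False both tunnels install identical unmarked policies for
    the same selectors; with marked=True each tunnel's policies carry a
    distinct fwmark (assumed to be what a per-conn mark= setting installs).
    """
    lines = []
    for reqid, peer in AWS_PEERS.items():
        mark = f"\tmark 0x{reqid}/0xffffffff\n" if marked else ""
        lines.append(
            f"src {LOCAL_SUBNET} dst {REMOTE_SUBNET}\n"
            f"\tdir out priority 2883 ptype main\n{mark}"
            f"\ttmpl src {LOCAL_GW} dst {peer}\n"
            f"\t\tproto esp reqid {reqid} mode tunnel\n"
        )
        lines.append(
            f"src {REMOTE_SUBNET} dst {LOCAL_SUBNET}\n"
            f"\tdir in priority 2883 ptype main\n{mark}"
            f"\ttmpl src {peer} dst {LOCAL_GW}\n"
            f"\t\tproto esp reqid {reqid} mode tunnel\n"
        )
    return "".join(lines)


SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"\bdir (\w+)")
MARK_RE = re.compile(r"\bmark (0x[0-9a-fA-F]+)(?:/(0x[0-9a-fA-F]+))?")
REQID_RE = re.compile(r"\breqid (\d+)")


def parse_xfrm_policies(text):
    """Return one dict per policy record: src, dst, dir, mark, reqid."""
    policies = []
    current = None
    for line in text.splitlines():
        m = SELECTOR_RE.match(line)
        if m:   # a new record starts at column 0 with "src ... dst ..."
            current = {"src": m.group(1), "dst": m.group(2),
                       "dir": None, "mark": None, "reqid": None}
            policies.append(current)
            continue
        if current is None:
            continue
        if (m := DIR_RE.search(line)):
            current["dir"] = m.group(1)
        if (m := MARK_RE.search(line)):
            mask = int(m.group(2), 16) if m.group(2) else 0xFFFFFFFF
            current["mark"] = (int(m.group(1), 16), mask)
        if (m := REQID_RE.search(line)):
            current["reqid"] = int(m.group(1))
    return policies


def find_conflicts(text):
    """Selectors (src, dst, dir, mark) claimed by more than one tunnel (reqid)."""
    claims = defaultdict(set)
    for p in parse_xfrm_policies(text):
        claims[(p["src"], p["dst"], p["dir"], p["mark"])].add(p["reqid"])
    return sorted((key, sorted(reqids))
                  for key, reqids in claims.items() if len(reqids) > 1)


if __name__ == "__main__":
    for marked in (False, True):
        conflicts = find_conflicts(build_sample(marked))
        label = "marked" if marked else "unmarked"
        print(f"{label}: {len(conflicts)} conflicting selector(s)")
        for (src, dst, direction, mark), reqids in conflicts:
            print(f"  {direction:3} {src} -> {dst} mark={mark} claimed by reqids {reqids}")
```

On a live host the same check runs over the real output by feeding `ip xfrm policy show` into `find_conflicts` instead of `build_sample`; the unmarked case reports both the out and the in selector as claimed by two reqids, which is the "policies stomp on each other" state, while the marked case reports nothing. The script only reads the policy database and changes nothing.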