[strongSwan] Strongswan in AWS (NATed), connecting to Cisco 72xx, fails
Tormod Macleod
TMacleod at paywizard.com
Wed May 20 11:11:35 CEST 2015
Hi Florin,
We also use Strongswan to connect to our AWS environments. We run it on CentOS6. Whenever we tried CentOS7, we consistently lost around 3% of the packets. I've got a case open with AWS and they've been pretty stumped so far, but are continuing to work with me on it and are being pretty helpful. I just wondered whether you'd noticed any packet loss?
We've confirmed that the packets make it over the VPN connection from our site to AWS and appear to leave the CentOS7 instance (which is also routing) bound for the far-end device within AWS, but they never arrive there. Hopefully this isn't affecting you, but I'd be interested to know if it is.
Cheers,
Tormod
>>> Florin Andrei <florin at andrei.myip.org> 19/05/2015 02:35 >>>
Noel,
That's it. The PSK was wrong. Also, the other side uses IKEv1, whereas
the implicit default with Strongswan is IKEv2. I've explicitly enforced
IKEv1. Works great now.
Other potential issues: The other side is picky about cipher suites, so
I had to add some explicit cipher suite lists. Also, we're running
Strongswan in Amazon, and AWS is doing 1:1 NAT for our instances, so I
added some conf items for that. Key lifetimes were also important to
tweak.
Not sure if all the config lines here are mandatory, but anyway, this is
what works for us now:
########################################
config setup
    nat_traversal=yes

conn %default

conn us2them
    # placeholders below are as posted; substitute real values
    authby=psk
    left=%any
    leftsubnet=our_subnet/netmask
    leftid=private.ip.of.our.VPN.instance
    right=ip.of.their.VPN.gateway
    rightsubnet=their_subnet/netmask
    rightid=ip.of.their.VPN.gateway
    auto=start
    ike=some-list-of-ciphers-that-works
    esp=some-other-list-of-ciphers-that-works
    ikelifetime=some-lifetime-interval
    lifetime=some-other-lifetime-interval
    forceencaps=yes
    keyexchange=ikev1
########################################
Again, this is for Strongswan in the AWS cloud, connecting to Cisco 72xx
with some custom settings.
Thank you.
--
Florin Andrei
http://florin.myip.org/
_______________________________________________
Users mailing list
Users at lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
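The pitfalls Florin's reply describes (strongSwan initiating IKEv2 unless told otherwise, forcing UDP encapsulation behind AWS 1:1 NAT, a peer that rejects the default proposals, and lifetimes that have to match) are all things a small lint over ipsec.conf can catch before the tunnel is brought up. The script below is an added example written for this post; it is not strongSwan code and not Florin's or Tormod's. It parses ipsec.conf sections (including `conn %default` inheritance) and reports which of those settings are still at their defaults. Both configs embedded in it are constructed: `SAMPLE_CONF` keeps Florin's placeholders and adds a `keyingtries` line only to show inheritance, and `BARE_CONF` is a minimal conn with a documentation address. The claim that charon ignores `nat_traversal` applies to strongSwan 5.x.

```python
"""ipsec.conf lint for the thread's pitfalls: IKE version, NAT encapsulation,
peer-specific proposals and lifetimes. Added example, not strongSwan's own code."""
from typing import Dict, List, Optional

Section = Dict[str, str]

# Constructed sample with the poster's placeholders, written with the
# indentation ipsec.conf requires (parameters indented under their section).
SAMPLE_CONF = """\
config setup
    nat_traversal=yes

conn %default
    keyingtries=%forever   # constructed: only here to show %default inheritance

conn us2them
    authby=psk
    left=%any
    leftsubnet=our_subnet/netmask
    leftid=private.ip.of.our.VPN.instance
    right=ip.of.their.VPN.gateway
    rightsubnet=their_subnet/netmask
    rightid=ip.of.their.VPN.gateway
    auto=start
    ike = some-list-of-ciphers-that-works
    esp = some-other-list-of-ciphers-that-works
    ikelifetime = some-lifetime-interval
    lifetime = some-other-lifetime-interval
    forceencaps = yes
    keyexchange=ikev1
"""

# Constructed minimal conn that relies on every default the thread had to override.
BARE_CONF = """\
conn bare
    authby=psk
    left=%any
    right=203.0.113.10
"""


def parse_ipsec_conf(text: str) -> Dict[str, Section]:
    """Return {'config:setup': {...}, 'conn:%default': {...}, 'conn:us2them': {...}}.
    A line at column 0 opens a section; indented key=value lines belong to it."""
    sections: Dict[str, Section] = {}
    current: Optional[Section] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault(f"{kind}:{name.strip()}", {})
            continue
        if current is None:
            raise ValueError(f"parameter before any section: {raw!r}")
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed parameter line: {raw!r}")
        current[key.strip()] = value.strip()  # tolerates 'ike = ...' spacing
    return sections


def effective_conn(sections: Dict[str, Section], name: str) -> Section:
    """Apply 'conn %default' inheritance: the conn's explicit values win."""
    merged = dict(sections.get("conn:%default", {}))
    merged.update(sections.get(f"conn:{name}", {}))
    return merged


def lint_conn(sections: Dict[str, Section], name: str) -> List[str]:
    """Flag the defaults that the thread's Cisco peer behind AWS 1:1 NAT needed overridden."""
    c = effective_conn(sections, name)
    out: List[str] = []
    if c.get("keyexchange", "ike") == "ike":
        out.append("keyexchange unset: strongSwan initiates IKEv2 by default; "
                   "an IKEv1-only peer needs keyexchange=ikev1")
    if c.get("forceencaps", "no") != "yes":
        out.append("forceencaps=yes unset: ESP is UDP-encapsulated only when NAT "
                   "is detected; the poster needed it forced behind 1:1 NAT")
    if c.get("authby") == "psk" and "leftid" not in c:
        out.append("leftid unset with PSK: the local IKE identity defaults to the "
                   "local address, which behind NAT is the private one; set the "
                   "identity the peer expects")
    if "ike" not in c or "esp" not in c:
        out.append("ike/esp proposals unset: built-in defaults are offered; a peer "
                   "that is picky about cipher suites may reject them")
    if "ikelifetime" not in c or "lifetime" not in c:
        out.append("ikelifetime/lifetime unset: defaults (3h/1h) apply and may not "
                   "match what the peer enforces")
    return out


def lint_setup(sections: Dict[str, Section]) -> List[str]:
    setup = sections.get("config:setup", {})
    if "nat_traversal" in setup:
        return ["nat_traversal in 'config setup' is a legacy pluto option; "
                "strongSwan 5 (charon) ignores it and always enables NAT-T"]
    return []


def lint(text: str) -> Dict[str, List[str]]:
    """Lint every non-default conn plus the setup section; returns findings per section."""
    sections = parse_ipsec_conf(text)
    report = {"setup": lint_setup(sections)}
    for key in sections:
        kind, _, name = key.partition(":")
        if kind == "conn" and name != "%default":
            report[name] = lint_conn(sections, name)
    return report


if __name__ == "__main__":
    for conf in (SAMPLE_CONF, BARE_CONF):
        for section, findings in lint(conf).items():
            for finding in findings:
                print(f"[{section}] {finding}")
```

Run against `SAMPLE_CONF` the only finding is the `nat_traversal` line, which is what you would expect from the posted config; `BARE_CONF` trips every check, which is the state a fresh conn is in before the tweaks described in the reply. The parser is deliberately strict about indentation because a parameter left at column 0 is silently treated as a new section by a sloppier reader and the setting is lost.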