[strongSwan] Strongswan on public Amazon EC2 instance

Eric Germann ekgermann at semperen.com
Wed Aug 31 23:33:08 CEST 2016

Are your encaps/decaps increasing for the SA when it’s up and you’re trying to ping?

We use a number of instances on AWS to connect to about everything under the sun that does IPSec.

Several notes:

- Put the AWS IPSec appliance on a public subnet with an IGW
- Associate an Elastic IP with the appliance instance.
- Make sure the Security Group associated with it permits udp/500 and udp/4500 since they’re doing NAT and NAT-T
- On the AWS appliance, in ipsec.conf, make sure left = the internal IP of the appliance. Make sure leftid = the EIP associated with the instance.
- set right = the external IP of the Cisco appliance
- leftsubnet = the internal subnet of the VPC (we set it to the supernet associated with the whole VPC)
- rightsubnet = what’s behind the Cisco
- make sure your Security Groups allow the remote subnets (from the Cisco side) to connect to things
- add routes to the remote Cisco networks to the routing table(s)
- Manually or automatically (leftfirewall, rightfirewall = yes), get the iptables rules updated to forward.
- Forwarding needs to be on in /etc/sysctl.conf
- I usually bump up UDP send/receive buffers

Works for me.


> On Aug 31, 2016, at 4:40 PM, John Gathm <john.gathm at gmail.com> wrote:
> Hi Strongswan User list
> I am trying to do a fake "site to site" IPSec tunnel to a service provider.
> My instance of Strongswan is hosted on an Amazon EC2 instance, and I am trying to reach a service on a server behind a Cisco VPN gateway
> I am trying to do the following thing (IP are fake)
> Amazon EC2 instance:
> <> (dummy linux interface & fake local subnet, only one IP for the instance; this is my leftsubnet)
> private EC2 IP:
> AWS NAT internet gateway EC2 IP
> public EC2 IP
> Cisco VPN public IP:
> Cisco Private IP:
> Server to access
> (rightsubnet = <>)
> I manage to get the IPsec tunnel up and running (stable in "ipsec statusall"); however, I cannot reach from my EC2 instance, using interface
> My questions are:
> 1) is it possible to reach the remote server through the Strongswan IPsec gateway itself?
> 2) does it require special routes & policies not added by Strongswan?
> 3) would you recommend another setup than using a dummy interface?
> thanks for any hints
> best regards
> J.G
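The AWS-side conn block that Eric's notes describe, written out as an added example (this is not code from the list post or from the strongSwan project). `gen_aws_conn` and `lint_aws_conn` are hypothetical helper names, every address is a constructed placeholder, and the authentication settings (certificates or PSK) are left out and must be added before the conn will load.

```sh
#!/bin/sh
# Added example: emit the conn section for a strongSwan instance that sits on a
# public subnet behind AWS 1:1 NAT (Elastic IP), as in the notes above.
# $1 conn name, $2 instance private IP (left), $3 Elastic IP (leftid),
# $4 Cisco public IP (right), $5 VPC CIDR (leftsubnet), $6 remote CIDR (rightsubnet)
gen_aws_conn() {
  cat <<EOF
conn $1
    left=$2
    leftid=$3
    leftsubnet=$5
    leftfirewall=yes
    right=$4
    rightsubnet=$6
    auto=start
EOF
}

# Read a conn block on stdin and print the value of key $1 (first match only).
conf_get() {
  sed -n "s/^[[:space:]]*$1=//p" | head -n 1
}

# Lint a conn block (stdin) for the two NAT pitfalls in the notes: left must be
# the private IP the instance actually owns, so it has to differ from leftid
# (the Elastic IP the Cisco side sees), and leftfirewall=yes is expected unless
# the iptables FORWARD rules are maintained by hand.  One finding per line;
# returns 1 if anything was flagged.
lint_aws_conn() {
  conf=$(cat)
  rc=0
  left=$(printf '%s\n' "$conf" | conf_get left)
  leftid=$(printf '%s\n' "$conf" | conf_get leftid)
  fw=$(printf '%s\n' "$conf" | conf_get leftfirewall)
  if [ -z "$leftid" ] || [ "$left" = "$leftid" ]; then
    echo "leftid must be the Elastic IP and differ from left (the private IP)"
    rc=1
  fi
  if [ "$fw" != "yes" ]; then
    echo "leftfirewall=yes missing: FORWARD rules must then be added by hand"
    rc=1
  fi
  return $rc
}

# Constructed sample: private 10.0.1.10, EIP 203.0.113.5, Cisco 198.51.100.7
gen_aws_conn cisco-site 10.0.1.10 203.0.113.5 198.51.100.7 10.0.0.0/16 192.168.50.0/24 \
  | lint_aws_conn && echo "conn passes NAT checks"
```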
