[strongSwan] Running on AWS behind Elastic IP
Turbo Fredriksson
turbo at bayour.com
Wed Nov 16 13:40:21 CET 2016
On 16 Nov 2016, at 05:27, Mathew Marulla <matt_m at me.com> wrote:
> Although I have read just about every tutorial and similar posting I can find about running StrongSwan on an EC2 instance, I still cannot seem to get it to work.
I’m doing the same thing, but I started “from scratch” (didn’t have any existing
setup so this is the first setup).
My ipsec.conf:
—— s n i p ——
config setup
    uniqueids=no
    strictcrlpolicy=no

# NOTE: The 'leftid' must be present as a "Subject Alternative Name" in the cert!!
# %ETH0% and %DNS% are placeholders, replaced by a script at boot.
conn %default
    left=%ETH0%
    leftid=vpn.domain.tld
    leftcert=hostname.pem
    leftsubnet=<VPC_CIDR>
    leftfirewall=yes
    leftsendcert=always
    leftdns=%DNS%
    rightdns=%DNS%
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=2400s
    fragmentation=yes
    forceencaps=yes
    compress=yes

ca domain
    cacert=domain.tld.pem
    auto=add

conn client
    leftsourceip=%ETH0%
    right=%any
    rightid=%any
    rightsourceip=<VPN_CIDR>
    rightauth=eap-mschapv2
    eap_identity=%identity
    type=tunnel
    auto=add
—— s n i p ——
%ETH0% and %DNS% are changed by a script at boot (by first finding the IP of
‘eth0’ and the ‘nameserver’ entry in resolv.conf) because EC2 instances use DHCP.
So I’m not coding any ‘external’ IP (EIP), just the ‘internal’ (DHCP/private) one.
I’m not, currently, using any (ELB) load balancers in front of strongSwan, but
I might do that in the future. Maybe.
I can authenticate and set up the route etc. I can access the ‘internal’ IP via the
VPN just fine.
I have yet to get access to the other VPCs over the VPN. I can access them
if I first ssh into the VPN server and then ssh to a host in another VPC.
This is done with VPC peering, but I had _assumed_ that that would work
for VPN as well. But it’s not.
I can’t access any other instance in the VPN VPC though.
I’m pretty sure that has something to do with the routing table(s), but I haven’t
had time to look into this. I’m pretty sure the strongSwan setup is working
correctly though; I’m using the exact same setup at home and there everything
works just fine.
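The boot-time placeholder substitution described in the post, written out as an added example (this is not Turbo's script): it fills %ETH0% and %DNS% from the interface address and resolv.conf, and refuses to overwrite the config when either value is missing or malformed, which is what happens if it runs before the DHCP lease is up. The template path, the eth0 interface name and the `render` argument are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's script): render ipsec.conf from a template by
# filling the %ETH0% and %DNS% placeholders at boot, as the post describes.
# Assumptions: the template is /etc/ipsec.conf.template, the interface is eth0,
# and the script is invoked as "ipsec-render.sh render" from a boot unit.
set -eu

TEMPLATE=${TEMPLATE:-/etc/ipsec.conf.template}

# Private (DHCP-assigned) IPv4 address of an interface, without the prefix length.
iface_ip() {
    ip -4 -o addr show dev "$1" | awk '{ sub(/\/.*/, "", $4); print $4; exit }'
}

# First "nameserver" entry of a resolv.conf-style file.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# True if the argument looks like a dotted-quad IPv4 address (rejects empty values).
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Replace the placeholders in a template read from stdin; result goes to stdout.
render_template() {
    sed -e "s/%ETH0%/$1/g" -e "s/%DNS%/$2/g"
}

main() {
    eth0_ip=$(iface_ip eth0)
    dns_ip=$(first_nameserver /etc/resolv.conf)
    # Refuse to write a config with an empty or malformed address (for example
    # when the DHCP lease is not up yet); strongSwan would not bind correctly.
    if ! is_ipv4 "$eth0_ip" || ! is_ipv4 "$dns_ip"; then
        echo "ipsec-render: could not determine eth0 address or nameserver" >&2
        return 1
    fi
    render_template "$eth0_ip" "$dns_ip" < "$TEMPLATE" > /etc/ipsec.conf
}

# Only touch the live config when explicitly asked to.
case "${1:-}" in
    render) main ;;
esac
```

Run it from a unit that is ordered after the network is up, and restart strongSwan afterwards so the rendered left= address is picked up.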