[strongSwan] Fun with AWS, primary connection there but can't route out to remote subnets
whit at transpect.com
Sat Sep 23 21:24:20 CEST 2017
A small bit of evidence on where I'm stuck:
Both ends can ping through the tunnel each other on any of their several
When the non-Amazon end pings addresses behind the AWS instance, those pings
make it to the AWS instance. When the AWS instance pings addresses behind
the non-Amazon end, the pings don't make it that far.
So something's screwed up with the routing out of Amazon. I do have a
routing table set up in AWS to send traffic for the office-side subnets to
the interface ID of the strongSwan instance.
So this route, to an IP on the strongSwan box, works for pings:
# ip ro get 172.17.10.3
172.17.10.3 via 172.18.30.1 dev eth0 src 172.18.30.93
This, to another IP on that same subnet, does not get to 172.17.10.3 as it
# ip ro get 172.17.10.2
172.17.10.2 via 172.18.30.1 dev eth0 src 172.18.30.93
However it routes to the public just fine:
# ip ro get 18.104.22.168
22.214.171.124 via 172.18.30.1 dev eth0 src 172.18.30.93
I don't really know what Amazon has at 172.18.30.1, nor what's required to
clear that in the right way. Perhaps it's not Netfilter at all, but just the
opaque operations of AWS that block me.
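One check worth doing alongside `ip route get`: with policy-based IPsec the route lookup will always point at the default gateway (172.18.30.1 here), so it says nothing about whether the packet gets encrypted; what matters is whether an outbound xfrm policy selector covers the destination. The script below is an added example, not from the post or from strongSwan itself; it parses `ip xfrm policy` output and reports which selector (if any) covers a given source/destination pair. The sample output is constructed from the post's subnets, and the peer address 203.0.113.5 is a placeholder.

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy` output (not captured from the
# original post); subnets follow the post, the peer 203.0.113.5 is a placeholder.
SAMPLE_XFRM_POLICY = """\
src 172.18.30.0/24 dst 172.17.10.0/24
\tdir out priority 375423 ptype main
\ttmpl src 172.18.30.93 dst 203.0.113.5
\t\tproto esp reqid 1 mode tunnel
src 172.17.10.0/24 dst 172.18.30.0/24
\tdir in priority 375423 ptype main
\ttmpl src 203.0.113.5 dst 172.18.30.93
\t\tproto esp reqid 1 mode tunnel
src 172.17.10.0/24 dst 172.18.30.0/24
\tdir fwd priority 375423 ptype main
\ttmpl src 203.0.113.5 dst 172.18.30.93
\t\tproto esp reqid 1 mode tunnel
"""

# Each policy block starts with "src X dst Y" followed by a "dir out|in|fwd" line.
POLICY_RE = re.compile(r"^src (\S+) dst (\S+)\s+dir (\w+)", re.MULTILINE)


def parse_policies(text):
    """Return a list of (src_net, dst_net, direction) from `ip xfrm policy` output."""
    return [(ipaddress.ip_network(s), ipaddress.ip_network(d), direction)
            for s, d, direction in POLICY_RE.findall(text)]


def covering_policy(text, src, dst, direction="out"):
    """Return the (src_net, dst_net) selector that covers src->dst in the given
    direction, or None if no policy matches (i.e. the packet would leave in
    cleartext via the normal routing table)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for s_net, d_net, d in parse_policies(text):
        if d == direction and src_ip in s_net and dst_ip in d_net:
            return (str(s_net), str(d_net))
    return None


if __name__ == "__main__":
    # Source is the strongSwan instance's own address from the post.
    for target in ("172.17.10.3", "172.17.10.2", "18.104.22.168"):
        print(target, "->", covering_policy(SAMPLE_XFRM_POLICY, "172.18.30.93", target))
```

On the instance, pipe the live output in with `ip xfrm policy` instead of the constructed sample; a destination with no covering `out` policy is never handed to IPsec no matter what the routing table says.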