[strongSwan] Fun with AWS, primary connection there but can't route out to remote subnets

Whit Blauvelt whit at transpect.com
Sat Sep 23 21:24:20 CEST 2017

A small bit of evidence on where I'm stuck:

Both ends can ping through the tunnel each other on any of their several

When the non-Amazon end pings addresses behind the AWS instance, those pings
make it to the AWS instance. When the AWS instance pings addresses behind
the non-Amazon end, the pings don't make it that far.

So something's screwed up with the routing out of Amazon. I do have a
routing table set up in AWS to send traffic for the office-side subnets to
the interface ID of the strongSwan instance.

So this route, to an IP on the strongSwan box, works for pings:

# ip ro get via dev eth0  src 

This, to another IP on that same subnet, does not get to as it

# ip ro get via dev eth0  src 

However it routes to the public just fine:

# ip ro get via dev eth0  src 

I don't really know what Amazon has at, nor what's required to
clear that in the right way. Perhaps it's not Netfilter at all, but just the
opaque operations of AWS that block me.