[strongSwan] Site-to-Site vpn setup on AWS EC2
Ismail Yenigul
ismailyenigul at gmail.com
Mon Apr 27 22:52:07 CEST 2020
Hi,
I have an Ubuntu EC2 instance on AWS and I have other instances in the same
VPC and same subnet. This instance has a single network interface (10.0.1.100),
source/destination check disabled and forwarding active:
net.ipv4.ip_forward=1
I configured a site-to-site VPN on this Ubuntu server to a remote Juniper box.
But on the Juniper side, their rightsubnet is just a public IP, not an internal
subnet.
I see that the tunnel connects:
leftsubnet=10.0.0.0/24
rightsubnet=193.x.y.z/32
I have another CentOS instance which has a single network interface
(10.0.1.200) and a public interface enabled in the same VPC.
I added a manual route on this CentOS instance:
# route add 93.x.y.z/32 gw 10.0.1.100
When I try to traceroute from 10.0.1.200 to 193.x.y.z, traffic goes to the internet.
Should I create two interfaces on the Ubuntu instance where strongSwan is installed and
the site-to-site VPN is configured, to avoid direct routing via the VPC internet
gateway?
This is the routing created by the IPsec tunnel:
# ip route show table all
193.201.x.y via 10.0.0.1 dev eth0 table 220 proto static src 10.0.0.100
default via 10.0.0.1 dev eth0 proto dhcp src 10.0.0.100 metric 100
# ipsec statusall
Security Associations (1 up, 0 connecting):
       tosrx[1]: ESTABLISHED 35 minutes ago, 10.0.0.100[18.X.X.X]...Y.Y.Y..Y[Y.Y.Y.Y]
       tosrx[1]: IKEv2 SPIs: 552fc130bbd_i* 3c9b77da964_r, pre-shared key reauthentication in 7 hours
       tosrx[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
       tosrx{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cca011de_i deb94bf2_o
       tosrx{1}:  AES_CBC_256/HMAC_SHA1_96, 360 bytes_i (6 pkts, 1238s ago), 2859 bytes_o (50 pkts, 509s ago), rekeying in 6 minutes
       tosrx{1}:   10.0.0.0/24 === 193.X.Y.Z/32
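As an added illustration (not part of the original post), a small Python model of how Linux selects the route for the peer address: policy-routing order (strongSwan's table 220 is consulted before main) and longest-prefix match within a table. The addresses are constructed stand-ins for the x.y.z placeholders above; it shows that a /32 host route toward the strongSwan instance is chosen only when it actually contains the destination, and that otherwise the default route toward the VPC router wins. The XFRM policy that decides encapsulation on the gateway is outside this model.

```python
from ipaddress import ip_address, ip_network

# Constructed stand-ins for the placeholders in the post (193.x.y.z etc.).
REMOTE_PEER = "198.51.100.7"   # Juniper public IP, rightsubnet=<peer>/32
STRONGSWAN_GW = "10.0.1.100"   # Ubuntu instance running strongSwan
VPC_ROUTER = "10.0.1.1"        # VPC subnet router, i.e. the default gateway
ON_LINK = "on-link"            # marker for directly connected prefixes


def lookup(tables, dst):
    """Emulate the kernel's route selection for dst.

    tables is an ordered list of (name, routes), ordered the way the
    ip rules are consulted (strongSwan's table 220 at priority 220 is
    checked before main at 32766); routes is a list of (prefix, next_hop).
    The first table containing a match wins; inside a table the longest
    matching prefix wins.  Returns (table, prefix, next_hop) or None.
    """
    addr = ip_address(dst)
    for name, routes in tables:
        best = None
        for prefix, next_hop in routes:
            net = ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        if best is not None:
            return name, str(best[0]), best[1]
    return None


MAIN_COMMON = [("0.0.0.0/0", VPC_ROUTER), ("10.0.1.0/24", ON_LINK)]

# CentOS host 10.0.1.200: main table only, plus the manual host route that
# sends the peer's /32 to the strongSwan instance.
CENTOS_WITH_HOST_ROUTE = [("main", MAIN_COMMON + [(REMOTE_PEER + "/32", STRONGSWAN_GW)])]

# Same host, but the manual route was entered for a prefix that does not
# contain the peer address (constructed to show the miss).
CENTOS_ROUTE_MISS = [("main", MAIN_COMMON + [("198.51.100.8/32", STRONGSWAN_GW)])]

# strongSwan gateway: table 220 (installed by the IKE daemon, mainly to fix
# the source address) is consulted first, then main.  Whether the packet
# is encapsulated is decided by the XFRM policy, which this model omits.
GATEWAY = [("220", [(REMOTE_PEER + "/32", VPC_ROUTER)]), ("main", MAIN_COMMON)]

if __name__ == "__main__":
    for label, tables in [("centos ok", CENTOS_WITH_HOST_ROUTE), ("centos miss", CENTOS_ROUTE_MISS), ("gateway", GATEWAY)]:
        print(label, "->", lookup(tables, REMOTE_PEER))
```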