[strongSwan] Site-to-Site vpn setup on AWS EC2

Ismail Yenigul ismailyenigul at gmail.com
Mon Apr 27 22:52:07 CEST 2020


I have an Ubuntu EC2 instance on AWS and I have other instances in the same
VPC and same subnet. This instance has a single network interface (
source check disabled and forwarding active.

I configured a site-to-site VPN on this Ubuntu server to a remote Juniper box.
But on the Juniper side, their rightsubnet is just a public IP, not an internal one.
I see that the tunnel connects.


I have another CentOS instance which has a single network interface
( ) and a public interface enabled in the same VPC.
I added a manual route on this CentOS instance:

# route add 93.x.y.z/32 gw

When I try to traceroute from to 193.x.y.z,
the traffic goes to the internet.

Should I create two interfaces on the Ubuntu instance where strongSwan is installed and
the site-to-site VPN is configured, to avoid direct routing to the internet from the VPC?
This is the routing created by the IPsec tunnel:

# ip route show table all
193.201.x.y via dev eth0 table 220 proto static src
default via dev eth0 proto dhcp src metric 100

# ipsec statusall

Security Associations (1 up, 0 connecting):
       tosrx[1]: ESTABLISHED 35 minutes ago,[18.X.X.X]...
       tosrx[1]: IKEv2 SPIs: 552fc130bbd_i* 3c9b77da964_r, pre-shared key
reauthentication in 7 hours
       tosrx[1]: IKE proposal:
       tosrx{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cca011de_i
       tosrx{1}:  AES_CBC_256/HMAC_SHA1_96, 360 bytes_i (6 pkts, 1238s
ago), 2859 bytes_o (50 pkts, 509s ago), rekeying in 6 minutes
       tosrx{1}: === 193.X.Y.Z/32
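An added example (not from the poster and not strongSwan code) that models the check a gateway operator would run on the Ubuntu instance to see why a forwarded packet leaves in the clear. strongSwan installs a route for the remote traffic selector in routing table 220 (looked up before main via an ip rule of priority 220), but a packet is only encrypted if both its source and destination fall inside an installed CHILD_SA's traffic selectors; a packet forwarded from another VPC instance whose address is outside the local selector (leftsubnet) follows that route unencrypted, and a destination outside the remote selector follows the default route. The `ipsec statusall` and `ip route show table all` outputs below are constructed samples with documentation addresses, and the connection name `tosrx` is reused only as a label; the diagnosis that the local selector may not cover the CentOS instance is a hypothesis, not something the post confirms.

```python
import ipaddress
import re

# Constructed sample of `ipsec statusall` on a strongSwan gateway in a VPC.
# Addresses are documentation ranges made up for this example; only the
# line shapes follow what strongSwan prints. Local selector is the gateway
# itself (10.0.1.10/32), so forwarded traffic from other instances will not match.
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
       tosrx[1]: ESTABLISHED 35 minutes ago, 10.0.1.10[18.0.0.5]...203.0.113.7[203.0.113.7]
       tosrx{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0a8000a_i 0a00010a_o
       tosrx{1}:   10.0.1.10/32 === 198.51.100.9/32
"""

# Constructed sample of `ip route show table all` on the same gateway. The first
# line is the host route strongSwan installs in table 220 for the remote selector.
SAMPLE_ROUTES = """\
198.51.100.9 via 10.0.1.1 dev eth0 table 220 proto static src 10.0.1.10
default via 10.0.1.1 dev eth0 proto dhcp src 10.0.1.10 metric 100
10.0.1.0/24 dev eth0 proto kernel scope link src 10.0.1.10
local 10.0.1.10 dev eth0 table local proto kernel scope host src 10.0.1.10
"""

# CHILD_SA traffic-selector line: 'conn{n}:   local/ts ... === remote/ts ...'
TS_LINE = re.compile(r"^\s*\S+\{\d+\}:\s+(.+?)\s+===\s+(.+?)\s*$")


def installed_selectors(status_text):
    """Return [(local_nets, remote_nets)] for every installed CHILD_SA."""
    pairs = []
    for line in status_text.splitlines():
        m = TS_LINE.match(line)
        if not m:
            continue
        local = [ipaddress.ip_network(t) for t in m.group(1).split()]
        remote = [ipaddress.ip_network(t) for t in m.group(2).split()]
        pairs.append((local, remote))
    return pairs


def parse_routes(route_text):
    """Parse `ip route show table all` into dicts with prefix/via/dev/table.
    Lines whose first token is not a prefix (e.g. 'local ...' entries) are skipped."""
    routes = []
    for line in route_text.splitlines():
        tok = line.split()
        if not tok:
            continue
        try:
            prefix = ipaddress.ip_network("0.0.0.0/0" if tok[0] == "default" else tok[0], strict=False)
        except ValueError:
            continue
        r = {"prefix": prefix, "via": None, "dev": None, "table": "main"}
        for key in ("via", "dev", "table"):
            if key in tok:
                r[key] = tok[tok.index(key) + 1]
        routes.append(r)
    return routes


def route_for(routes, dst):
    """Longest-prefix match, consulting table 220 before main, mirroring the
    priority-220 ip rule strongSwan adds."""
    dst = ipaddress.ip_address(dst)
    for table in ("220", "main"):
        best = None
        for r in routes:
            if r["table"] == table and dst in r["prefix"]:
                if best is None or r["prefix"].prefixlen > best["prefix"].prefixlen:
                    best = r
        if best is not None:
            return best
    return None


def classify(src, dst, status_text=SAMPLE_STATUS, route_text=SAMPLE_ROUTES):
    """Decide whether a src->dst packet seen by the gateway is encrypted by an
    installed CHILD_SA or leaves in the clear, and via which route."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    dst_in_remote = False
    for local, remote in installed_selectors(status_text):
        if any(dst_ip in n for n in remote):
            dst_in_remote = True
            if any(src_ip in n for n in local):
                return {"path": "tunnel", "reason": "src and dst inside installed traffic selectors"}
    route = route_for(parse_routes(route_text), dst)
    if dst_in_remote:
        reason = "source outside the local traffic selector (leftsubnet): packet does not match the IPsec policy"
    else:
        reason = "destination outside every remote traffic selector (rightsubnet)"
    return {
        "path": "clear",
        "reason": reason,
        "via": route["via"] if route else None,
        "table": route["table"] if route else None,
    }


if __name__ == "__main__":
    for src, dst in (("10.0.1.10", "198.51.100.9"), ("10.0.1.25", "198.51.100.9"), ("10.0.1.25", "203.0.113.99")):
        print(src, "->", dst, classify(src, dst))
```

The second case is the one to look at for the symptom in the post: the destination has a table 220 route, so the packet is forwarded towards the VPC gateway, but because the source (another instance) lies outside the local selector it is not matched by the IPsec policy and goes out unencrypted. Widening leftsubnet to the VPC subnet, and adding a VPC route-table entry for the remote address pointing at the gateway's ENI, is the usual fix; an extra interface on the gateway does not change the policy match.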
