Re: [strongSwan] Strongswan on public Amazon EC2 instance

2016-08-31 Thread Eric Germann
Are your encaps/decaps increasing for the SA when it’s up and you’re trying to 
ping?

We use a number of instances on AWS to connect to about everything under the 
sun that does IPSec.

Several notes:

- Put the AWS IPSec appliance on a public subnet with an IGW
- Associate an Elastic IP with the appliance instance.
- Make sure the Security Group associated with it permits udp/500 and udp/4500 since they're doing NAT and NAT-T
- On the AWS appliance in ipsec.conf make sure left = is the internal IP of the appliance. Make sure leftid = the EIP associated with the instance.
- Set right = to be the external IP of the Cisco appliance
- leftsubnet = the internal subnet of the VPC (we set it to the supernet associated with the whole VPC)
- rightsubnet = what's behind the Cisco
- Make sure your Security Groups allow the remote subnets (from the Cisco side) to connect to things
- Add routes to the remote Cisco networks to the routing table(s)
- Manually or automatically (leftfirewall, rightfirewall = yes) get the iptables rules updated to forward.
- Forwarding needs to be on in /etc/sysctl.conf
- I usually bump up UDP send/receive buffers

Works for me.

EKG



> On Aug 31, 2016, at 4:40 PM, John Gathm  wrote:
> 
> Hi Strongswan User list
> 
> I am trying to do a fake "site to site" IPSec tunnel to a service provider.
> My instance of Strongswan is hosted on an Amazon EC2 instance, and I am 
> trying to reach a service on a server behind a Cisco VPN gateway
> 
> 
> I am trying to do the following thing (IP are fake)
> 
> 
> Amazon EC2 instance:
> 123.123.22.22/32 (dummy Linux interface, local subnet, only one IP for the 
> instance; this is my leftsubnet)
> private EC2 IP:
> 10.0.0.5
> 
> AWS NAT internet gateway EC2 IP
> 10.0.0.1
> public EC2 IP
> 81.98.242.23
> 
> 
> Cisco VPN public IP:
> 82.58.243.24
> Cisco Private IP:
> 192.168.0.1
> 
> Server to access
> 192.168.0.5 (rightsubnet = 192.168.0.5/24)
> 
> I manage to get the ipsec tunnel up and running (stable in "ipsec 
> statusall"), however I cannot get to reach 192.168.0.5 from my EC2 instance, 
> using interface 123.123.22.22
> 
> first question is 
> 1) is it possible to reach the remote server through the Strongswan IPSEC 
> gateway itself ?
> 2) does it require special routes & policies not added by Strongswan ?
> 3) would you recommend another setup than using a dummy interface ?
> 
> thanks for any hints
> 
> best regards
> J.G
> ___
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
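As an added check, not code from the thread or from the strongSwan project, the following Python script parses a conn section from ipsec.conf and compares it against the checklist in the reply above: left is the instance's private IP, leftid is the Elastic IP, leftsubnet covers the VPC CIDR, rightsubnet contains the target host, and leftfirewall is yes. The sample conf uses the thread's fake addresses; the 10.0.0.0/16 VPC CIDR is an assumption, and the parser only handles plain indented key=value lines with a single CIDR per subnet (no also= or comma lists).

```python
import ipaddress

# Constructed ipsec.conf following the checklist above, using the thread's fake
# addresses; the /16 VPC CIDR is an assumption (the thread never states it).
SAMPLE_IPSEC_CONF = """\
conn aws-to-cisco
    left=10.0.0.5
    leftid=81.98.242.23
    leftsubnet=10.0.0.0/16
    leftfirewall=yes
    right=82.58.243.24
    rightsubnet=192.168.0.0/24
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section (simple key=value lines only)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments and trailing space
        if not line:
            continue
        if not line[0].isspace():                      # unindented: a section header
            words = line.split()
            current = conns.setdefault(words[1], {}) if words[0] == "conn" and len(words) > 1 else None
        elif current is not None and "=" in line:      # indented: key=value inside the conn
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def check_conn(conn, private_ip, eip, vpc_cidr, remote_host):
    """Compare one conn against the checklist; return the list of findings (empty means OK)."""
    findings = []
    if conn.get("left") != private_ip:
        findings.append(f"left must be the instance's private IP {private_ip}")
    if conn.get("leftid") != eip:
        findings.append(f"leftid must be the Elastic IP {eip}, the address the Cisco actually sees")
    # strict=False accepts host-bit forms such as 192.168.0.5/24, as strongSwan does
    try:
        if not ipaddress.ip_network(vpc_cidr).subnet_of(ipaddress.ip_network(conn["leftsubnet"], strict=False)):
            findings.append("leftsubnet does not cover the VPC CIDR")
    except (KeyError, ValueError):
        findings.append("leftsubnet is missing or not a valid CIDR")
    try:
        if ipaddress.ip_address(remote_host) not in ipaddress.ip_network(conn["rightsubnet"], strict=False):
            findings.append(f"rightsubnet does not contain the target host {remote_host}")
    except (KeyError, ValueError):
        findings.append("rightsubnet is missing or not a valid CIDR")
    if conn.get("leftfirewall") != "yes":
        findings.append("leftfirewall is not yes, so iptables FORWARD rules must be added by hand")
    return findings
```

Run it against a conn whose leftsubnet is a single /32 dummy-interface address and it reports that the VPC is not covered, which is the gap the reply's checklist points at.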




[strongSwan] Strongswan on public Amazon EC2 instance

2016-08-31 Thread John Gathm
Hi Strongswan User list

I am trying to do a fake "site to site" IPSec tunnel to a service provider.
My instance of Strongswan is hosted on an Amazon EC2 instance, and I am
trying to reach a service on a server behind a Cisco VPN gateway


I am trying to do the following thing (IP are fake)


Amazon EC2 instance:
123.123.22.22/32 (dummy Linux interface, local subnet, only one IP for
the instance; this is my leftsubnet)
private EC2 IP:
10.0.0.5

AWS NAT internet gateway EC2 IP
10.0.0.1
public EC2 IP
81.98.242.23


Cisco VPN public IP:
82.58.243.24
Cisco Private IP:
192.168.0.1

Server to access
192.168.0.5 (rightsubnet = 192.168.0.5/24)

I manage to get the ipsec tunnel up and running (stable in "ipsec
statusall"), however I cannot get to reach 192.168.0.5 from my EC2
instance, using interface 123.123.22.22

first question is
1) is it possible to reach the remote server through the Strongswan IPSEC
gateway itself ?
2) does it require special routes & policies not added by Strongswan ?
3) would you recommend another setup than using a dummy interface ?

thanks for any hints

best regards
J.G

Re: [strongSwan] Replay window upper limit

2016-08-31 Thread Tobias Brunner
Hi Kapil,

> What is the upper limit on replay window size ? i didn't find any
> documentation on upper limit. is it dependent on Hardware, if so how to
> find the limit

There is no hard limit.  But since storing the window requires a certain
amount of memory per SA there is definitely some upper limit on any
given system.  Maintaining the window also imposes some overhead
(probably only relevant if the window is huge).

> After a certain limit, i am having some problem with IPsec connection. 

What number are we talking about here?  And what problem are you having?

Regards,
Tobias
