[strongSwan] strongSwan Linux to Amazon VPC

2020-03-06 Thread Edvinas Kairys
Hello, I managed to establish a BGP connection from a strongSwan box to AWS VPC. I can ping internal interfaces from AWS to that Linux box, and the traffic passes through that box successfully encrypted/decrypted. The only thing I can't make work right now is the ping from the strongSwan box to Amazon

[strongSwan] Fwd: strongSwan Linux to Amazon VPC

2020-03-09 Thread Edvinas Kairys
update 2d20h47m ago 10.254.1.182, via p2p1.401 10.254.1.180, via p2p2.400 Seems like the one which goes through vti1 is rejected (no response found). Could you elaborate why this behaviour could be? Thanks -- Forwarded message ----- From: Edvinas Kairys Date: Fri, Mar 6, 202

[strongSwan] connecting Linux Centos Box to Amazon VPC

2021-05-01 Thread Edvinas Kairys
Hello, I've established a BGP connection from my CentOS Linux box to Amazon VPC using this guide: https://www.edge-cloud.net/2019/07/18/aws-site-2-site-vpn-with-strongswan-frrouting/#strongswan-setup The only strange thing is that in the iptables mangle table I don't see any matches on MARK

[strongSwan] Fwd: connecting Linux Centos Box to Amazon VPC

2021-05-01 Thread Edvinas Kairys
ST SYN -m comment --comment "6.5_set_tcp_mss" -m tcpmss --mss 1361:1541 -j TCPMSS --set-mss 1360 -A FORWARD -m comment --comment 007 -j ACCEPT COMMIT # Completed on Sat May 1 20:43:46 2021 On Sat, May 1, 2021 at 1:51 PM Noel Kuntze wrote: > Hi, > > Provide output of ipt

Re: [strongSwan] connecting Linux Centos Box to Amazon VPC

2021-05-01 Thread Edvinas Kairys
update 3: seems changing xmark from the INPUT chain to PREROUTING did not help. Packets are still not matched, but everything works. Maybe newer Linux versions (CentOS Linux release 7.7) already map MARKs automatically? On Sat, May 1, 2021 at 11:06 PM Edvinas Kairys wrote: > as I digged m

Re: [strongSwan] connecting Linux Centos Box to Amazon VPC

2021-05-01 Thread Edvinas Kairys
As I dug more, it could be due to the marking being configured not on the PREROUTING chain but on the INPUT chain. On Monday I will try to change the marking to the PREROUTING chain. Also, it's interesting why the connection works if the INPUT chain marking doesn't... On Sat, May 1, 2021 at 10:39 PM Edvinas Kairys

Re: [strongSwan] connecting Linux Centos Box to Amazon VPC

2021-05-03 Thread Edvinas Kairys
. The more I dig, the more I think it's not needed. I would be grateful if someone would reassure me. Maybe it was needed for some extra features? On Sun, May 2, 2021 at 12:49 AM Edvinas Kairys wrote: > update 3: > > seems changing xmark from INPUT chain to PREROUTING - did not help.

[strongSwan] IPIP virtual interface experiencing discards

2021-10-07 Thread Edvinas Kairys
I've established a route-based IPsec connection via an IPIP tunnel to Amazon (using strongSwan 5.7.2), and in the tunnel statistics I see incrementing discards: inet 169.254.134.26 netmask 255.255.255.252 destination 169.254.134.25 > inet6 fe80::200:5efe:b954:3ce9 prefixlen 64 scopeid