Hello,
I managed to establish a BGP connection from the Strongswan box to the AWS VPC. I can
ping internal interfaces from AWS to that Linux box, and the traffic
passes through that box successfully encrypted/decrypted. The only thing I
can't make work right now is the ping from the Strongswan box to Amazon
update 2d20h47m ago
10.254.1.182, via p2p1.401
10.254.1.180, via p2p2.400
Seems like the one which goes through vti1 is rejected (no response found).
Could you elaborate on why this behaviour could occur?
Thanks
-- Forwarded message -----
From: Edvinas Kairys
Date: Fri, Mar 6, 202
Hello,
I've established a BGP connection from my CentOS Linux box to the Amazon VPC
using this guide:
https://www.edge-cloud.net/2019/07/18/aws-site-2-site-vpn-with-strongswan-frrouting/#strongswan-setup
The only strange thing is that in the iptables mangle table I don't see any
matches on MARK
ST SYN -m comment --comment "6.5_set_tcp_mss" -m tcpmss --mss 1361:1541 -j TCPMSS --set-mss 1360
-A FORWARD -m comment --comment 007 -j ACCEPT
COMMIT
# Completed on Sat May 1 20:43:46 2021
On Sat, May 1, 2021 at 1:51 PM Noel Kuntze
wrote:
> Hi,
>
> Provide output of ipt
update 3:
Seems changing the xmark from the INPUT chain to PREROUTING did not help. Packets
are still not matched, but everything works.
Maybe newer Linux versions (CentOS Linux release 7.7) already map MARKs
automatically?
On Sat, May 1, 2021 at 11:06 PM Edvinas Kairys
wrote:
> as I dug m
As I dug more, it could be due to the marking being configured not on the
PREROUTING chain, but on the INPUT chain. On Monday I will try to change the marking
to the PREROUTING chain.
Also, it's interesting why the connection works if INPUT chain marking
doesn't...
On Sat, May 1, 2021 at 10:39 PM Edvinas Kairys
. The more I dig, the more I think
it's not needed. I would be grateful if someone would reassure me. Maybe
it was needed for some extra features?
On Sun, May 2, 2021 at 12:49 AM Edvinas Kairys
wrote:
> update 3:
>
> Seems changing the xmark from the INPUT chain to PREROUTING did not help.
I've established a route-based IPsec connection via an IPIP tunnel to Amazon
(using strongSwan 5.7.2), and in the tunnel statistics I see incrementing
discards:
inet 169.254.134.26 netmask 255.255.255.252 destination 169.254.134.25
> inet6 fe80::200:5efe:b954:3ce9 prefixlen 64 scopeid