Re: [strongSwan] Connection to AWS-VPC

2020-09-17 Thread Doug Tucker





From: Users  on behalf of Dominik 

Sent: Thursday, September 17, 2020 9:32 AM
To: users@lists.strongswan.org 
Subject: Re: [strongSwan] Connection to AWS-VPC


Thanks Doug,

what does the aws-updown.sh do?

Kind regards

Dominik


Re: [strongSwan] Connection to AWS-VPC

2020-09-17 Thread Dominik

Thanks Doug,

what does the aws-updown.sh do?

Kind regards

Dominik


Re: [strongSwan] Connection to AWS-VPC

2020-09-16 Thread Doug Tucker
ipsec.conf:

# ipsec.conf - strongSwan IPsec configuration file
# Site network admin:
# basic configuration

config setup
        # strictcrlpolicy=yes
        uniqueids = no
        # charondebug = "ike 2,chd 3, enc 2"

# Add connections here.


##      Common configuration


conn Tunnel1
        auto=start
        left=%defaultroute
        leftid=1.1.1.1
        right=2.2.2.2
        type=tunnel
        leftauth=psk
        rightauth=psk
        keyexchange=ikev1
        ike=aes256-sha1-modp1024
        ikelifetime=8h
        esp=aes256-sha1-modp1024
        lifetime=1h
        keyingtries=%forever
        leftsubnet=0.0.0.0/0
        rightsubnet=0.0.0.0/0
        dpddelay=10s
        dpdtimeout=30s
        dpdaction=restart
        mark=100
        leftupdown="/usr/local/etc/aws-updown.sh -ln Tunnel1 -ll 169.254.x.x/30 -lr 169.254.x.x/30 -m 100 -r 10.x.x.0/20"

conn Tunnel2
        auto=start
        left=%defaultroute
        leftid=1.1.1.1
        right=2.2.2.2
        type=tunnel
        leftauth=psk
        rightauth=psk
        keyexchange=ikev1
        ike=aes128-sha1-modp1024
        ikelifetime=8h
        esp=aes128-sha1-modp1024
        lifetime=1h
        keyingtries=%forever
        leftsubnet=0.0.0.0/0
        rightsubnet=0.0.0.0/0
        dpddelay=10s
        dpdtimeout=30s
        dpdaction=restart
        mark=200
        leftupdown="/usr/local/etc/aws-updown.sh -ln Tunnel2 -ll 169.254.x.x/30 -lr 169.254.x.x/30 -m 200 -r 10.x.x.0/20"

Let me know if there is more you would like to see.



Doug Tucker
Sr. Director of Networking & Linux Operations

o: 817.975.5832  |  m: 817.975.5832

e: doug.tuc...@navigaglobal.com




CONFIDENTIALITY NOTICE: The contents of this email message and any attachments 
are intended solely for the addressee(s) and may contain confidential and/or 
privileged information and may be legally protected from disclosure. If you are 
not the intended recipient of this message or their agent, or if this message 
has been addressed to you in error, please immediately alert the sender by 
reply email and then delete this message and any attachments. If you are not 
the intended recipient, you are hereby notified that any use, dissemination, 
copying, or storage of this message or its attachments is strictly prohibited.





From: Users  on behalf of Dominik Reusser 

Sent: Tuesday, September 15, 2020 1:19 AM
To: users@lists.strongswan.org 
Subject: [strongSwan] Connection to AWS-VPC


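Dominik's question earlier in the thread ("what does the aws-updown.sh do?") refers to the script named on the leftupdown= lines of the ipsec.conf above, and the script itself is not included anywhere in the thread. The following is an added example, not Doug's script and not part of strongSwan, of what an updown script wired up with those flags typically does: it creates one VTI interface per tunnel, keyed to the same fwmark as the conn's mark= value, assigns the inside-tunnel /30 address, and points the VPC route at the interface. It assumes the same flag names Doug's command line uses (-ln, -ll, -lr, -m, -r), relies on the PLUTO_VERB, PLUTO_ME and PLUTO_PEER variables that strongSwan exports to updown scripts, and adds a DRY_RUN switch (an assumption for testing without root; unset it on the gateway) that prints the commands instead of running them.

```shell
#!/bin/sh
# Added example of an updown script for a mark-based VTI setup towards AWS.
# This is NOT the aws-updown.sh from the thread (its contents are not on the
# page); it is an assumed implementation of the usual pattern.
#
# strongSwan invokes the script as:
#   PLUTO_VERB=up-client|down-client PLUTO_ME=<our public IP> PLUTO_PEER=<AWS IP>
# and the conn passes:
#   -ln <vti name> -ll <local inside CIDR> -lr <remote inside address>
#   -m <mark, must equal the conn's mark=> -r <VPC CIDR reached via this tunnel>

# DRY_RUN=1 (assumed testing switch) echoes commands instead of executing them.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

parse_args() {
    # Populate globals from the -ln/-ll/-lr/-m/-r flags used in ipsec.conf.
    TUN_NAME=""; LOCAL_INSIDE=""; REMOTE_INSIDE=""; MARK=""; REMOTE_NET=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -ln) TUN_NAME="$2";      shift 2 ;;
            -ll) LOCAL_INSIDE="$2";  shift 2 ;;
            -lr) REMOTE_INSIDE="$2"; shift 2 ;;
            -m)  MARK="$2";          shift 2 ;;
            -r)  REMOTE_NET="$2";    shift 2 ;;
            *)   echo "aws-updown: unknown option $1" >&2; return 1 ;;
        esac
    done
    if [ -z "$TUN_NAME" ] || [ -z "$LOCAL_INSIDE" ] || [ -z "$REMOTE_INSIDE" ] \
       || [ -z "$MARK" ] || [ -z "$REMOTE_NET" ]; then
        echo "aws-updown: missing required option" >&2
        return 1
    fi
    return 0
}

tunnel_up() {
    # The vti key equals the SA mark, so only traffic for this conn's SAs
    # (mark=100 or mark=200 in the ipsec.conf) leaves through this interface,
    # even though both conns use 0.0.0.0/0 <-> 0.0.0.0/0 selectors.
    run ip link add "$TUN_NAME" type vti local "$PLUTO_ME" remote "$PLUTO_PEER" key "$MARK"
    # The xfrm policy has already been matched by the mark; skip the second
    # policy lookup on the vti and use loose reverse-path filtering on it.
    run sysctl -q -w "net.ipv4.conf.${TUN_NAME}.disable_policy=1"
    run sysctl -q -w "net.ipv4.conf.${TUN_NAME}.rp_filter=2"
    run ip addr add "$LOCAL_INSIDE" remote "$REMOTE_INSIDE" dev "$TUN_NAME"
    run ip link set "$TUN_NAME" up
    # Using the mark as the metric (assumed convention) prefers Tunnel1 (100)
    # over Tunnel2 (200) while both are up.
    run ip route add "$REMOTE_NET" dev "$TUN_NAME" metric "$MARK"
}

tunnel_down() {
    run ip route del "$REMOTE_NET" dev "$TUN_NAME" metric "$MARK"
    run ip link del "$TUN_NAME"
}

updown() {
    parse_args "$@" || return 1
    case "${PLUTO_VERB:-}" in
        up-client)   tunnel_up ;;
        down-client) tunnel_down ;;
        *)           ;;   # up-host/down-host etc. are irrelevant for this tunnel-mode setup
    esac
}

# Act only when executed as the installed script, not when sourced for tests.
if [ "${0##*/}" = "aws-updown.sh" ]; then
    updown "$@"
fi
```

Because the routes are owned by the VTI interface rather than by the xfrm policy, charon's own route installation is normally switched off for this pattern (charon.install_routes = no in strongswan.conf); without that, the 0.0.0.0/0 policies would install their own routes alongside the vti routes. The mark= value of each conn must match the key handed to ip link add, otherwise the SA and the interface never meet and traffic is silently dropped.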


Re: [strongSwan] Connection to AWS-VPC

2020-09-15 Thread Noel Kuntze
I did it a couple of times. Not that that specific piece of information would 
help you in any way.

On 15.09.20 at 15:40, Dominik Reusser wrote:


Re: [strongSwan] Connection to AWS-VPC

2020-09-15 Thread Dominik Reusser
The security group settings should be fine. It does work with OpenSwan
with the same credentials.

On Tue, 15 Sept 2020 at 08:47, Aurélien Vallée <
vallee.aurel...@gmail.com> wrote:



Re: [strongSwan] Connection to AWS-VPC

2020-09-15 Thread Aurélien Vallée
We do use strongswan successfully as VPN to connect to AWS gateways in a
VPC.
Did you check the security groups to make sure strongswan traffic can pass
through?

On Tue, Sep 15, 2020 at 2:20 PM Dominik Reusser  wrote:



-- 
Aurélien Vallée
Phone +33 9 77 19 85 61


[strongSwan] Connection to AWS-VPC

2020-09-15 Thread Dominik Reusser
Has anyone successfully connected to AWS VPC? My connection is established
and ICMP packets are routed through the AWS cloud. However, UDP and TCP
packets, while being sent towards the AWS server (as seen in tcpdump on the
client side), do not appear in the logs of the VPC.

With a corresponding setup with OpenSwan I get a working connection.
However, I would prefer to use strongSwan.

If you have successfully connected to AWS VPC, could you please share your
configuration files?

Thanks
Kind regards
Dominik