On Tue, 6 Dec 2016, Brandon Galbraith wrote:
> I'm attempting to create a connection from an AWS EC2 instance (running
> LibreSwan) to a Juniper SRX240. The SRX240 VPN endpoint has a public IP, and
> the subnet I'm attempting to route to over the encrypted VPN connection is a
> public IP. The EC2 instance has a private IP within a VPC, but has an elastic
> IP assigned to it.
>
> Due to limitations on the remote network, RFC1918 network address space can't
> be routed over the IPsec tunnel.
>
> The connection looks like such with `ipsec auto --status`:
>
> 192.168.204.177<192.168.204.177>[xx.xx.xx.xxx (elastic IP in VPC)]...vpn-terminator-public-ip<vpn-terminator-public-ip>==<public host ip>/32
>
> I'm able to successfully establish IPsec SA and ISAKMP SA sessions with the
> destination VPN terminator endpoint, but I'm unable to ping across the
> tunnel; the firewall policy on the other side of the tunnel is restricting
> source packets to be from the elastic IP of the EC2 instance (again, due to
> RFC1918 space being unroutable for VPN tunnel purposes).
You need to configure the elastic IP on your VPS, so that the operating
system can use it as source IP address. This is described at:

https://libreswan.org/wiki/Interoperability#The_elastic_IP_and_the_RFC1918_native_IP_address

(if your VPS is Ubuntu/Debian, you will have to change /etc/network/interfaces
similarly)
I've just clarified the above wiki entry, and also updated the AWS example
config:
https://libreswan.org/wiki/Interoperability#Example_configuration
But basically:

conn tunnel1
    authby=secret
    auto=start
    left=192.168.204.177
    leftid=<elastic ip>
    #leftsubnet=192.168.204.0/22

So change that to leftsubnet=<elastic ip>/32
> Is this type of connection possible from within an AWS VPC?
It is!
Paul
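The setup described above, as an added example that is not part of the thread or of libreswan itself: it renders the conn stanza with leftsubnet set to the elastic IP, prints the command that gives the OS that address, and checks the two things that must hold before the remote firewall will see the elastic IP as source. All addresses except 192.168.204.177 are constructed placeholders, and the `ip` and `ipsec` outputs are constructed samples in the format shown in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the libreswan project). Placeholders:
PRIVATE_IP="192.168.204.177"   # VPC-private address the kernel has on eth0 (from the thread)
ELASTIC_IP="203.0.113.10"      # constructed: EC2 elastic IP
REMOTE_IP="198.51.100.1"       # constructed: SRX240 public endpoint
REMOTE_HOST="198.51.100.50"    # constructed: public host reached via the tunnel

# ipsec.conf fragment: left is the address the kernel owns, leftid and
# leftsubnet are the elastic IP, so only packets sourced from it match the
# IPsec policy and the peer never sees RFC1918 space.
render_conn() {
  cat <<EOF
conn tunnel1
    authby=secret
    auto=start
    left=$1
    leftid=$2
    leftsubnet=$2/32
    right=$3
    rightsubnet=$4/32
EOF
}

# Command that gives the OS the elastic IP as a usable source address
# (persist it in ifcfg-eth0 or /etc/network/interfaces as the wiki says).
add_addr_cmd() { printf 'ip addr add %s/32 dev %s\n' "$1" "$2"; }

# Check 1: is the elastic IP really configured? $1 is the output of
# "ip -o -4 addr show", $2 the elastic IP.
addr_configured() { printf '%s\n' "$1" | grep -Fq "inet $2/"; }

# Check 2: does "ipsec auto --status" show the fixed leftsubnet? $1 is the
# status output, $2 the elastic IP (line format as quoted in the thread).
status_uses_eip() { printf '%s\n' "$1" | grep -Fq "$2/32==="; }

# Constructed sample outputs for a host where the address has been added.
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.168.204.177/22 brd 192.168.207.255 scope global eth0
2: eth0    inet 203.0.113.10/32 scope global eth0'
SAMPLE_STATUS='"tunnel1": 203.0.113.10/32===192.168.204.177<192.168.204.177>[203.0.113.10]...198.51.100.1<198.51.100.1>===198.51.100.50/32;'

render_conn "$PRIVATE_IP" "$ELASTIC_IP" "$REMOTE_IP" "$REMOTE_HOST"
add_addr_cmd "$ELASTIC_IP" eth0
addr_configured "$SAMPLE_ADDR" "$ELASTIC_IP" && echo "elastic IP is a local address"
status_uses_eip "$SAMPLE_STATUS" "$ELASTIC_IP" && echo "leftsubnet is the elastic IP"
```

On a real host, feed `addr_configured` the output of `ip -o -4 addr show` and `status_uses_eip` the output of `ipsec auto --status`; if the first check fails, packets will still leave with the private IP as source and be dropped by the far-side policy.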
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan