Thank you Paul! I've modified my configuration to define the elastic IP as the `leftsubnet` parameter (with `/32` at the end of it) as well as define `%defaultroute` for the `left` parameter, and the tunnel is established, although I'm still unable to ping. When I run `ip xfrm monitor` while pinging (no ping packets returned), no output is returned.
Would you have any suggestions as to how I can debug further?

On Tue, Dec 6, 2016 at 9:43 AM, Paul Wouters <[email protected]> wrote:

> On Tue, 6 Dec 2016, Brandon Galbraith wrote:
>
>> I'm attempting to create a connection from an AWS EC2 instance (running
>> LibreSwan) to a Juniper SRX240. The SRX240 VPN endpoint has a public IP,
>> and the subnet I'm attempting to route to over the encrypted VPN
>> connection is a public IP. The EC2 instance has a private IP within a
>> VPC, but has an elastic IP assigned to it.
>> Due to limitations on the remote network, RFC1918 network address space
>> can't be routed over the IPsec tunnel.
>> The connection looks like such with `ipsec auto --status`:
>>
>> 192.168.204.177<192.168.204.177>[xx.xx.xx.xxx (elastic IP in VPC)]...vpn-terminator-public-ip<vpn-terminator-pubic-ip>==<public host ip>/32
>>
>> I'm able to successfully establish IPsec SA and ISAKMP SA sessions with
>> the destination VPN terminator endpoint, but I'm unable to ping across
>> the tunnel; the firewall policy on the other side of the tunnel is
>> restricting source packets to be from the elastic IP of the EC2 instance
>> (again, due to RFC1918 space being unroutable for VPN tunnel purposes).
>
> You need to configure the elastic IP on your VPS, so that the operating
> system can use it as source IP address. This is described at:
>
> https://libreswan.org/wiki/Interoperability#The_elastic_IP_and_the_RFC1918_native_IP_address
>
> (if your VPS is ubuntu/debian, you will have to change
> /etc/network/interfaces similarly)
>
> I've just clarified the above wiki entry, and also updated the AWS example
> config:
>
> https://libreswan.org/wiki/Interoperability#Example_configuration
>
> But basically:
>
>> conn tunnel1
>>
>> authby=secret
>> auto=start
>> left=192.168.204.177
>> leftid=<elastic ip>
>> #leftsubnet=192.168.204.0/22
>
> So change that to leftsubnet=<elastic ip>/32
>
>> Is this type of connection possible from within an AWS VPC?
>
> It is!
>
> Paul
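A quick way to verify the two conditions Paul's reply depends on (the elastic IP is a local address the kernel can source from, and libreswan installed an outbound policy selecting `<elastic ip>/32`), as an added shell diagnostic that is not part of this thread or of libreswan. The `ip -o -4 address` and `ip xfrm policy` outputs below are constructed samples using documentation addresses; on a real host you would pass the live command output instead.

```shell
#!/bin/sh
# Added diagnostic, not from the thread. Checks that the elastic IP is a
# local address (so the kernel can use it as source) and that an outbound
# xfrm policy with src <elastic ip>/32 exists (leftsubnet=<elastic ip>/32).
# Sample outputs are constructed: elastic IP 203.0.113.10, remote 198.51.100.0/24.

SAMPLE_ADDR='2: eth0    inet 192.168.204.177/22 brd 192.168.207.255 scope global eth0
2: eth0    inet 203.0.113.10/32 scope global eth0'

SAMPLE_POLICY='src 203.0.113.10/32 dst 198.51.100.0/24
        dir out priority 1042407 ptype main
        tmpl src 203.0.113.10 dst 192.0.2.1
                proto esp reqid 16385 mode tunnel
src 198.51.100.0/24 dst 203.0.113.10/32
        dir in priority 1042407 ptype main
        tmpl src 192.0.2.1 dst 203.0.113.10
                proto esp reqid 16385 mode tunnel'

# has_local_addr <ip>  (reads `ip -o -4 address` output on stdin)
has_local_addr() {
    grep -qF "inet $1/"
}

# out_policy_dsts <ip>  (reads `ip xfrm policy` output on stdin)
# Prints the dst selector of every "dir out" policy whose src selector is <ip>/32.
out_policy_dsts() {
    awk -v want="src $1/32" '
        $1 == "src" { src = $1 " " $2; dst = $4 }
        $1 == "dir" && $2 == "out" && src == want { print dst }'
}

# check_tunnel_source <elastic-ip> <addr-output> <policy-output>
# Returns 1 if the IP is not local, 2 if no outbound policy selects it, 0 if both hold.
check_tunnel_source() {
    eip=$1
    if ! printf '%s\n' "$2" | has_local_addr "$eip"; then
        echo "FAIL: $eip is not a local address, so the kernel cannot source packets from it"
        return 1
    fi
    dsts=$(printf '%s\n' "$3" | out_policy_dsts "$eip")
    if [ -z "$dsts" ]; then
        echo "FAIL: no outbound xfrm policy with src $eip/32 (check leftsubnet)"
        return 2
    fi
    echo "OK: outbound policy for $eip/32 towards: $dsts"
    echo "Test with a pinned source address: ping -I $eip <host in $dsts>"
}

check_tunnel_source 203.0.113.10 "$SAMPLE_ADDR" "$SAMPLE_POLICY"
```

If the first check fails, traffic never matches the /32 policy, which is consistent with `ip xfrm monitor` staying silent while you ping.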
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
