When I run "ping -I elasticip remoteip" I receive the following from "ip xfrm monitor":

Async event (0x20) timer expired src 192.168.204.177 dst <remote_ip> reqid 0x4005 protocol esp SPI 0xf6511e90
Async event (0x20) timer expired src 192.168.204.177 dst <remote_ip> reqid 0x4005 protocol esp SPI 0xf6511e90
Async event (0x20) timer expired src 192.168.204.177 dst <remote_ip> reqid 0x4005 protocol esp SPI 0xf6511e90
...ad infinitum...

(with the 192.168.204.177 being the internal IP of the EC2 instance)

On Tue, Dec 6, 2016 at 11:57 AM, Paul Wouters <[email protected]> wrote:
> Try ping -I elasticip remoteip?
>
> If you NAT on that machine, exclude NAT for -s elasticip -d remoteip
>
> Sent from my iPhone
>
> On Dec 6, 2016, at 12:54, Brandon Galbraith <[email protected]> wrote:
>
> Thank you Paul! I've modified my configuration to define the elastic IP as
> the `leftsubnet` parameter (with `/32` at the end of it) as well as define
> `%defaultroute` for the `left` parameter, and the tunnel is established,
> although I'm still unable to ping. When I run `ip xfrm monitor` while
> pinging (no ping packets returned), no output is returned.
>
> Would you have any suggestions as to how I can debug further?
>
> On Tue, Dec 6, 2016 at 9:43 AM, Paul Wouters <[email protected]> wrote:
>
>> On Tue, 6 Dec 2016, Brandon Galbraith wrote:
>>
>>> I'm attempting to create a connection from an AWS EC2 instance (running
>>> LibreSwan) to a Juniper SRX240. The SRX240 VPN endpoint has a public IP,
>>> and the subnet I'm attempting to route to over the encrypted VPN
>>> connection is a public IP. The EC2 instance has a private IP within a
>>> VPC, but has an elastic IP assigned to it.
>>>
>>> Due to limitations on the remote network, RFC1918 network address space
>>> can't be routed over the IPsec tunnel.
>>>
>>> The connection looks like such with `ipsec auto --status`:
>>>
>>> 192.168.204.177<192.168.204.177>[xx.xx.xx.xxx (elastic IP in VPC)]...vpn-terminator-public-ip<vpn-terminator-public-ip>==<public host ip>/32
>>>
>>> I'm able to successfully establish IPsec SA and ISAKMP SA sessions with
>>> the destination VPN terminator endpoint, but I'm unable to ping across
>>> the tunnel; the firewall policy on the other side of the tunnel is
>>> restricting source packets to be from the elastic IP of the EC2 instance
>>> (again, due to RFC1918 space being unroutable for VPN tunnel purposes).
>>
>> You need to configure the elastic IP on your VPS, so that the operating
>> system can use it as source ip address. This is described at:
>>
>> https://libreswan.org/wiki/Interoperability#The_elastic_IP_and_the_RFC1918_native_IP_address
>>
>> (if your VPS is ubuntu/debian, you will have to change
>> /etc/network/interfaces similarly)
>>
>> I've just clarified the above wiki entry, and also updated the AWS
>> example config:
>>
>> https://libreswan.org/wiki/Interoperability#Example_configuration
>>
>> But basically:
>>
>>> conn tunnel1
>>>     authby=secret
>>>     auto=start
>>>     left=192.168.204.177
>>>     leftid=<elastic ip>
>>>     #leftsubnet=192.168.204.0/22
>>
>> So change that to leftsubnet=<elastic ip>/32
>>
>>> Is this type of connection possible from within an AWS VPC?
>>
>> It is!
>>
>> Paul
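A small parser for the `ip xfrm monitor` lines quoted above, added here as an example and not part of the thread: it groups the async events per SA so that the endlessly repeating "timer expired" reports can be attributed to one SA and one direction of the tunnel. The remote address 203.0.113.10 and the second SPI in the sample are constructed placeholders, since the message redacts the real peer as <remote_ip>.

```python
import re
from collections import Counter

# One "Async event" line from "ip xfrm monitor", in the layout quoted in the
# thread. Output copied from a terminal is often wrapped or run together, so
# the parser scans for events rather than splitting on newlines.
EVENT_RE = re.compile(
    r"Async event \((?P<flags>0x[0-9a-fA-F]+)\)\s+(?P<cause>[a-z ]+?)\s+"
    r"src (?P<src>\S+) dst (?P<dst>\S+) reqid (?P<reqid>0x[0-9a-fA-F]+) "
    r"protocol (?P<proto>\S+) SPI (?P<spi>0x[0-9a-fA-F]+)"
)

# Constructed sample: three timer-expiry reports for the outbound SA (as in the
# thread, with 203.0.113.10 standing in for the redacted peer) plus one replay
# update for a different, made-up inbound SPI, all run together on one line.
SAMPLE = (
    "Async event (0x20) timer expired src 192.168.204.177 dst 203.0.113.10 "
    "reqid 0x4005 protocol esp SPI 0xf6511e90 "
    "Async event (0x20) timer expired src 192.168.204.177 dst 203.0.113.10 "
    "reqid 0x4005 protocol esp SPI 0xf6511e90 "
    "Async event (0x10) replay update src 203.0.113.10 dst 192.168.204.177 "
    "reqid 0x4005 protocol esp SPI 0x0a1b2c3d "
    "Async event (0x20) timer expired src 192.168.204.177 dst 203.0.113.10 "
    "reqid 0x4005 protocol esp SPI 0xf6511e90"
)

def parse_xfrm_events(text):
    """Extract every async event as a dict of its fields."""
    return [m.groupdict() for m in EVENT_RE.finditer(text)]

def events_per_sa(events, cause="timer expired"):
    """Count events with the given cause per SA, keyed by (src, dst, proto, spi)."""
    return Counter(
        (e["src"], e["dst"], e["proto"], e["spi"])
        for e in events if e["cause"] == cause
    )

def repeating_sas(events, threshold=3):
    """SAs whose timer-expiry event fired at least `threshold` times: the
    'ad infinitum' pattern from the thread, reported per SA so the outbound
    and inbound directions can be told apart."""
    counts = events_per_sa(events)
    return sorted((sa, n) for sa, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    for (src, dst, proto, spi), n in repeating_sas(parse_xfrm_events(SAMPLE)):
        print(f"{proto} SPI {spi} {src} -> {dst}: timer expired {n} times")
```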
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
