I'm trying to create a VPN tunnel between 2 AWS regions. The way I'm trying to do this is by setting up a strongSwan server in one region, and then a VPC VPN in the other region (the VPC VPN is an IPsec VPN provided and controlled by Amazon).
The problem is I can't come up with a configuration that works right.

AWS provides the following info for setting up the IPsec VPN:

> #1: Internet Key Exchange Configuration
>
> Configure the IKE SA as follows
>   - Authentication Method    : Pre-Shared Key
>   - Pre-Shared Key           : ***********************
>   - Authentication Algorithm : sha1
>   - Encryption Algorithm     : aes-128-cbc
>   - Lifetime                 : 28800 seconds
>   - Phase 1 Negotiation Mode : main
>   - Perfect Forward Secrecy  : Diffie-Hellman Group 2
>
> #2: IPSec Configuration
>
> Configure the IPSec SA as follows:
>   - Protocol                 : esp
>   - Authentication Algorithm : hmac-sha1-96
>   - Encryption Algorithm     : aes-128-cbc
>   - Lifetime                 : 3600 seconds
>   - Mode                     : tunnel
>   - Perfect Forward Secrecy  : Diffie-Hellman Group 2
>
> IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
> recommend configuring DPD on your endpoint as follows:
>   - DPD Interval             : 10
>   - DPD Retries              : 3
>
> IPSec ESP (Encapsulating Security Payload) inserts additional
> headers to transmit packets. These headers require additional space,
> which reduces the amount of space available to transmit application data.
> To limit the impact of this behavior, we recommend the following
> configuration on your Customer Gateway:
>   - TCP MSS Adjustment       : 1387 bytes
>   - Clear Don't Fragment Bit : enabled
>   - Fragmentation            : Before encryption
>
> #3: Tunnel Interface Configuration
>
> Your Customer Gateway must be configured with a tunnel interface that is
> associated with the IPSec tunnel. All traffic transmitted to the tunnel
> interface is encrypted and transmitted to the Virtual Private Gateway.
>
> The Customer Gateway and Virtual Private Gateway each have two addresses that relate
> to this IPSec tunnel. Each contains an outside address, upon which encrypted
> traffic is exchanged. Each also contains an inside address associated with
> the tunnel interface.
>
> The Customer Gateway outside IP address was provided when the Customer Gateway
> was created. Changing the IP address requires the creation of a new
> Customer Gateway.
>
> The Customer Gateway inside IP address should be configured on your tunnel
> interface.
>
> Outside IP Addresses:
>   - Customer Gateway                 : 54.241.138.199
>   - Virtual Private Gateway            : 87.238.85.44
>
> Inside IP Addresses
>   - Customer Gateway                 : 169.254.254.6/30
>   - Virtual Private Gateway         : 169.254.254.5/30
>
> Configure your tunnel to fragment at the optimal size:
>   - Tunnel interface MTU     : 1436 bytes
>
>
> #4: Static Routing Configuration:
>
> To route traffic between your internal network and your VPC,
> you will need a static route added to your router.
>
> Static Route Configuration Options:
>
>   - Next hop       : 169.254.254.5
>
> You should add static routes towards your internal network on the VGW.
> The VGW will then send traffic towards your internal network over
> the tunnels.


The private subnet on the local strongSwan side is `10.2.0.0/16`.
The private subnet on the remote VPN side is `10.4.0.0/16`.

With this I tried using a configuration as follows:


> conn eu-west-1-1
>     left=10.2.0.40
>     leftsubnet=10.2.0.0/16
>     right=87.238.85.40
>     rightsubnet=10.4.0.0/16
>     auto=add
>     type=tunnel
>     keyexchange=ikev1
>     authby=secret
>     ikelifetime=28800s
>     keylife=28800s
>     ike=aes128
>     esp=aes128


However, this results in the following error:

> pluto[1763]: "eu-west-1-1" #12: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===10.2.0.40[10.2.0.40]...87.238.85.40[87.238.85.40]===0.0.0.0/0

Following one idea I found on the mailing list, I tried putting `0.0.0.0/0` for the `leftsubnet` and `rightsubnet`, and this does cause the tunnel to come up (as reported by the AWS web GUI), but I lose all connectivity to the server (I'm guessing it's creating a route to 0.0.0.0/0 that blackholes all traffic).

Can anyone provide any hints on how to adjust the config to get this working?

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
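As an added example (not from the original post, not from strongSwan, not from AWS): a small Python helper that parses the AWS-provided sheet quoted above and renders a route-based strongSwan conn plus the commands for a VTI interface. The pluto log line shows that the VGW proposes 0.0.0.0/0 on both sides, so the conn accepts those selectors, tags its SAs and policies with a mark so unmarked traffic is unaffected, and an ordinary kernel route for 10.4.0.0/16 into a VTI device decides what gets encrypted, instead of a 0.0.0.0/0 route in table 220 that swallows all traffic. Assumptions: strongSwan 5.x (charon, ipsec.conf syntax) rather than pluto, a Linux kernel with VTI support, `install_routes = no` in the `charon` section of strongswan.conf, the local private address 10.2.0.40 from the conn above, and mark 100, interface name vti1 and the function names as arbitrary, hypothetical choices. The sample sheet is a constructed, trimmed copy with a placeholder PSK.

```python
import re

# Constructed sample: the AWS sheet quoted above, trimmed, with a placeholder PSK.
AWS_CONFIG_TEXT = """\
#1: Internet Key Exchange Configuration
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
#2: IPSec Configuration
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
  - DPD Interval             : 10
  - DPD Retries              : 3
  - TCP MSS Adjustment       : 1387 bytes
#3: Tunnel Interface Configuration
Outside IP Addresses:
  - Customer Gateway         : 54.241.138.199
  - Virtual Private Gateway  : 87.238.85.44
Inside IP Addresses
  - Customer Gateway         : 169.254.254.6/30
  - Tunnel interface MTU     : 1436 bytes
"""

SECTION_RE = re.compile(r"^#(\d+):")
ITEM_RE = re.compile(r"^\s*-\s*(.+?)\s*:\s*(.+?)\s*$")
# AWS sheet names -> strongSwan proposal tokens (only the values on the sheet).
ENC = {"aes-128-cbc": "aes128"}
AUTH = {"sha1": "sha1", "hmac-sha1-96": "sha1"}
DH = {"Diffie-Hellman Group 2": "modp1024"}

def parse_aws_config(text):
    """{section: {key: value}}; sections '1'..'4', plus the two IP address lists."""
    params, section = {}, None
    for line in text.splitlines():
        sec, item = SECTION_RE.match(line), ITEM_RE.match(line)
        if sec:
            section = sec.group(1)
        elif line.strip().startswith(("Outside IP", "Inside IP")):
            section = line.strip().rstrip(":")   # keeps CGW outside/inside apart
        elif item and section is not None:
            params.setdefault(section, {})[item.group(1)] = item.group(2)
    return params

def lookup(params, key, section=None):
    """Value of key in section, or in the first section that has it."""
    for s in ([section] if section else params):
        if key in params.get(s, {}):
            return params[s][key]
    raise KeyError(key)

def leading_int(value):
    return int(value.split()[0])   # '28800 seconds' -> 28800, '10' -> 10

def proposal(params, section):
    """'enc-integ-dh' token for the IKE (section '1') or ESP (section '2') SA."""
    return "-".join([ENC[lookup(params, "Encryption Algorithm", section)],
                     AUTH[lookup(params, "Authentication Algorithm", section)],
                     DH[lookup(params, "Perfect Forward Secrecy", section)]])

def render_conn(params, name, local_ip, mark=100):
    """ipsec.conf conn; local_ip is the host's own (private) address on EC2."""
    dpd = leading_int(lookup(params, "DPD Interval"))
    return "\n".join([
        f"conn {name}",
        f"    left={local_ip}",
        # the VGW identifies us by the outside (elastic) address, not the private one
        f"    leftid={lookup(params, 'Customer Gateway', 'Outside IP Addresses')}",
        f"    right={lookup(params, 'Virtual Private Gateway', 'Outside IP Addresses')}",
        "    leftsubnet=0.0.0.0/0",   # accept the selectors the VGW proposes;
        "    rightsubnet=0.0.0.0/0",  # what enters the tunnel is decided by the VTI route
        "    keyexchange=ikev1",
        "    authby=secret",
        f"    ike={proposal(params, '1')}!",   # '!' pins the exact proposal
        f"    esp={proposal(params, '2')}!",
        f"    ikelifetime={leading_int(lookup(params, 'Lifetime', '1'))}s",
        f"    lifetime={leading_int(lookup(params, 'Lifetime', '2'))}s",
        f"    dpddelay={dpd}s",
        f"    dpdtimeout={dpd * int(lookup(params, 'DPD Retries'))}s",
        "    dpdaction=restart",
        f"    mark={mark}",   # SAs and policies only match packets carrying this mark
        "    auto=start",
    ])

def render_vti_commands(params, local_ip, remote_subnet, iface="vti1", mark=100):
    """Commands that build the VTI device and route the remote VPC into it."""
    vgw = lookup(params, "Virtual Private Gateway", "Outside IP Addresses")
    inside = lookup(params, "Customer Gateway", "Inside IP Addresses")
    mtu = leading_int(lookup(params, "Tunnel interface MTU"))
    mss = leading_int(lookup(params, "TCP MSS Adjustment"))
    return [
        f"ip tunnel add {iface} mode vti local {local_ip} remote {vgw} key {mark}",
        f"ip addr add {inside} dev {iface}",
        f"ip link set {iface} up mtu {mtu}",
        f"sysctl -w net.ipv4.conf.{iface}.disable_policy=1",  # mark already selected the SA
        f"ip route add {remote_subnet} dev {iface}",          # plain route, no 0.0.0.0/0
        f"iptables -t mangle -A FORWARD -o {iface} -p tcp --tcp-flags SYN,RST SYN "
        f"-j TCPMSS --set-mss {mss}",
    ]
```

Usage: `render_conn(parse_aws_config(AWS_CONFIG_TEXT), "eu-west-1-1", "10.2.0.40")` prints the conn block, and `render_vti_commands(..., "10.2.0.40", "10.4.0.0/16")` the commands to run before `ipsec up`. The pre-shared key still goes into ipsec.secrets as `54.241.138.199 87.238.85.44 : PSK "..."`. Once the tunnel is up, `ipsec statusall` should show the child SA with the 0.0.0.0/0 selectors while `ip route` shows only the 10.4.0.0/16 route via vti1, so the host keeps its normal connectivity.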
