Are your encaps/decaps increasing for the SA when it’s up and you’re trying to ping?
We use a number of instances on AWS to connect to about everything under the sun that does IPSec. Several notes:

- Put the AWS IPSec appliance on a public subnet with an IGW
- Associate an Elastic IP with the appliance instance.
- Make sure the Security Group associated with it permits udp/500 and udp/4500 since they're doing NAT and NAT-T
- On the AWS appliance in ipsec.conf make sure left = is the internal IP of the appliance. Make sure leftid = the EIP associated with the instance.
- Set right = to be the external IP of the Cisco appliance
- leftsubnet = the internal subnet of the VPC (we set it to the supernet associated with the whole VPC)
- rightsubnet = what's behind the Cisco
- Make sure your Security Groups allow the remote subnets (from the Cisco side) to connect to things
- Add routes to the remote Cisco networks to the routing table(s)
- Manually or automatically (leftfirewall, rightfirewall = yes) get the iptables rules updated to forward.
- Forwarding needs to be on in /etc/sysctl.conf
- I usually bump up UDP send/receive buffers

Works for me.

EKG

> On Aug 31, 2016, at 4:40 PM, John Gathm <john.ga...@gmail.com> wrote:
>
> Hi Strongswan User list
>
> I am trying to do a fake "site to site" IPSec tunnel to a service provider.
> My instance of Strongswan is hosted on an Amazon EC2 instance, and I am
> trying to reach a service on a server behind a Cisco VPN gateway
>
> I am trying to do the following thing (IPs are fake)
>
> Amazon EC2 instance:
> 123.123.22.22/32 (dummy linux interface & fake local subnet, only one IP for the instance, this is my leftsubnet)
> private EC2 IP:
> 10.0.0.5
>
> AWS NAT internet gateway EC2 IP
> 10.0.0.1
> public EC2 IP
> 81.98.242.23
>
> Cisco VPN public IP:
> 82.58.243.24
> Cisco Private IP:
> 192.168.0.1
>
> Server to access
> 192.168.0.5 (rightsubnet = 192.168.0.5/24)
>
> I manage to get the ipsec tunnel up and running (stable in "ipsec statusall"),
> however I cannot reach 192.168.0.5 from my EC2 instance, using interface 123.123.22.22
>
> first question is
> 1) is it possible to reach the remote server through the Strongswan IPSEC gateway itself ?
> 2) does it require special routes & policies not added by Strongswan ?
> 3) would you recommend another setup than using a dummy interface ?
>
> thanks for any hints
>
> best regards
> J.G
> _______________________________________________
> Users mailing list
> Users@lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
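The checklist in EKG's reply, written out as a strongSwan ipsec.conf conn section using the fake addresses from John's question. This is an added example, not configuration from either poster; the IKE version, PSK authentication and the VPC CIDR 10.0.0.0/16 are assumptions and must be matched to the Cisco side.

```ini
# Added example (not from the mailing-list posts): EC2 instance behind a
# 1:1 NAT (Elastic IP) building a tunnel to a Cisco gateway.
# Assumptions: IKEv2, pre-shared key, VPC CIDR 10.0.0.0/16.

conn aws-to-cisco
    keyexchange=ikev2          # assumption: the Cisco end is configured for IKEv2
    leftauth=psk               # assumption: PSK kept in ipsec.secrets
    rightauth=psk

    # Local side. The instance only knows its private address, so the
    # IKE socket binds to it (left=). Without leftid= strongSwan would
    # send 10.0.0.5 as its identity, which the Cisco, configured with the
    # EIP as peer, would reject. leftid= sends the address the peer sees.
    left=10.0.0.5
    leftid=81.98.242.23

    # EKG's advice: cover the VPC supernet rather than a /32 on a dummy
    # interface, so any instance in the VPC can be routed into the tunnel.
    leftsubnet=10.0.0.0/16     # assumption: VPC CIDR

    # Let the updown script insert the iptables FORWARD rules for the
    # tunnelled subnets instead of maintaining them by hand.
    leftfirewall=yes

    # Remote side: Cisco public address and the network behind it.
    # 192.168.0.5/24 from the question is written here in network form.
    right=82.58.243.24
    rightsubnet=192.168.0.0/24

    dpdaction=restart          # detect a dead peer and re-establish
    auto=start
```

The instance still needs net.ipv4.ip_forward=1 in /etc/sysctl.conf, a Security Group admitting udp/500 and udp/4500 inbound from 82.58.243.24, and VPC route-table entries sending 192.168.0.0/24 to the appliance's ENI, exactly as the reply lists. Check the result with `ipsec statusall` and confirm the SA's byte counters move when you ping 192.168.0.5.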