I have been trying to get a strongswan tunnel working from one AWS VPC to another VPC where a site-to-site (s2s) VPN is configured for the last two days, and ping doesn't work. No connectivity at all between the instances in the two VPCs. The tunnel is up and the strongswan log says it sent packets to the outside public IP of the s2s VPN and receives them as well. But ping from the EC2 in VPC1 to the EC2 in VPC2 doesn't work. My setup is below.
VPC1(call it as AWS VPC)
- Created private subnet 10.10.1.0/24 and no public subnet in this VPC.
- Created the s2s VPN setup.
- Created a virtual gateway (VGW) and attached it to VPC1.
- Created a customer gateway with the public IP of the EC2 instance that is running strongswan in VPC2.
- Added a static route to the s2s VPN connection for the private subnet (10.20.0.0/24) of VPC2. The VGW propagates this route to the VPC1 route table with the VGW as destination.
- Associated the VPC1 private subnet with the VPC route table.
- Created an EC2 in the VPC1 private subnet (vpc server) with IP 10.10.1.140.
- Security group allows all traffic inbound and outbound.
VPC2(call it as on-premise) in Another AWS account
- Created a public subnet 10.20.1.0/24 and a private subnet 10.20.2.0/24.
- Created an EC2 with IP 10.20.1.73 and an Elastic IP 52.x.x.x, and installed strongswan on it.
- Added net.ipv4.ip_forward = 1 to /etc/sysctl.conf of the strongswan EC2 and ran sysctl -p /etc/sysctl.conf.
- Security group allows all traffic inbound and outbound in VPC2.
- Created another EC2 instance (on-premise server) in the private subnet with IP 10.20.2.132.
- Updated the private route table so that all traffic to 10.10.1.0/24 is forwarded to the ENI of the strongswan EC2.
strongswan config
$ cat /etc/strongswan/ipsec.conf
config setup
    uniqueids = no

conn Tunnel1
    auto=start
    left=%defaultroute
    leftid=52.x.x.x    # Elastic IP of my strongswan EC2
    right=52.y.y.y     # Outside IP address of my s2s VPN Tunnel1
    type=tunnel
    leftauth=psk
    rightauth=psk
    keyexchange=ikev1
    ike=aes128-sha1-modp1024
    ikelifetime=8h
    esp=aes128-sha1-modp1024
    lifetime=1h
    keyingtries=%forever
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    dpddelay=10s
    dpdtimeout=30s
    dpdaction=restart
    mark=100

$ cat /etc/strongswan/ipsec.secrets
52.y.y.y : PSK "<pre shared key of tunnel1>"
The strongswan service is running with no errors. When I check the status I see:

$ strongswan status
Security Associations (1 up, 0 connecting):
     Tunnel1[1]: ESTABLISHED 23 minutes ago, 10.20.1.73[52.x.x.x]...52.y.y.y[52.y.y.y]
     Tunnel1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c9970cfa_i ce7ad76d_o
     Tunnel1{1}:   0.0.0.0/0 === 0.0.0.0/0
I did all this, but I cannot ping the on-premise server from the vpc server or the other way round. What else do I need to do? Do I need any iptables rules on the strongswan instance?
Any help is really appreciated. Please let me know if you need more details.
Thanks, Manoj
Explained above. The ping should be working.
Without seeing a screenshot of your route tables, I cannot rule out a routing issue. However, one thing which you did not mention setting, and which by default causes issues, is the EC2 "Source/Dest. Check" feature. It has to be disabled on EC2 instances running StrongSwan.
Please see this post for more details including screenshots: https://stackoverflow.com/a/52223611/4806599
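A verification script for the checklist this thread arrives at: ip_forward from the question, Source/Dest. Check from the answer, whether a CHILD_SA is actually installed, and the mark= setting in the posted config (with mark set, strongSwan's policies only match packets carrying that fwmark, so something has to mark the traffic). This is an added example, not code from the question or the answer; it assumes the AWS CLI, IMDSv2 and strongSwan are available on the instance when run with "live", and the instance id is fetched at run time.

```bash
#!/usr/bin/env bash
# Added checklist for the strongSwan EC2 on the "on-premise" side of an AWS
# site-to-site VPN. Not part of the original post. Every check is a function
# taking command output as $1, so it can be exercised offline on constructed
# input; run_checks (needs the AWS CLI and IMDSv2) gathers live data when the
# script is invoked with the argument "live".

# 1. Kernel forwarding, which the question enables via sysctl.
#    $1: contents of /proc/sys/net/ipv4/ip_forward
ip_forward_ok() {
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# 2. EC2 Source/Dest. Check must be disabled (the answer's point).
#    $1: JSON from aws ec2 describe-instance-attribute --attribute sourceDestCheck
source_dest_check_disabled() {
  printf '%s' "$1" | tr -d ' \n\t' | grep -q '"Value":false'
}

# 3. A CHILD_SA is installed, not just an IKE_SA. $1: output of `strongswan status`
child_sa_installed() {
  printf '%s\n' "$1" | grep -q 'INSTALLED, TUNNEL'
}

# 4. The posted config sets mark=100: strongSwan then installs policies that match
#    only packets carrying that fwmark, so a VTI keyed with it or an iptables
#    mangle MARK rule has to exist. Prints the mark value, empty when unset.
#    $1: text of ipsec.conf
conf_mark() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*mark[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' | head -n1
}

run_checks() {
  local tok id mark
  tok="$(curl -sf -X PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 60' http://169.254.169.254/latest/api/token)"
  id="$(curl -sf -H "X-aws-ec2-metadata-token: $tok" http://169.254.169.254/latest/meta-data/instance-id)"
  ip_forward_ok "$(cat /proc/sys/net/ipv4/ip_forward)" && echo "ok: ip_forward=1" || echo "FAIL: ip_forward is 0"
  source_dest_check_disabled "$(aws ec2 describe-instance-attribute --instance-id "$id" --attribute sourceDestCheck)" \
    && echo "ok: Source/Dest. Check disabled" \
    || echo "FAIL: run: aws ec2 modify-instance-attribute --instance-id $id --no-source-dest-check"
  child_sa_installed "$(strongswan status)" && echo "ok: CHILD_SA installed" || echo "FAIL: no CHILD_SA installed"
  mark="$(conf_mark "$(cat /etc/strongswan/ipsec.conf)")"
  [ -z "$mark" ] || echo "NOTE: mark=$mark set; confirm a VTI with key $mark or a mangle MARK rule exists"
}

if [ "${1:-}" = "live" ]; then run_checks; fi
```

Run it as `bash check_vpn.sh live` on the strongSwan instance; without the argument it only defines the functions, so they can be sourced and fed saved command output.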