First, THANK YOU Tom for making Shorewall and the rest of the team for 
supporting!  I’ve used it for over 10 years and have been very happy.

I’ve looked for weeks for an answer to this with no success.  I suspect I’m at 
risk of getting flamed for being off-topic or missing an article, but I’m not 
sure where to go.  I’m trying to set up a site-to-site VPN using AWS, ipsec and 
Shorewall.  I realize that some of my questions may be more AWS than 
Shorewall, but I’m honestly unclear on where the delineation exists.  I would 
be glad to write up a How-To once I get this figured out.

Situation:

I have successfully set up a VPN connection using StrongSwan between my local 
network (Customer Gateway) and AWS (Virtual Private Gateway) using this 
article:  
https://aravindkrishnaswamy.wordpress.com/2014/11/26/site-to-site-vpn-between-openvpn-and-aws/.
It shows that the VPN connection is “UP”.  The VPN connection and public IP 
all run over my “eth1” interface.  “eth0” is my internal subnet.

I have Shorewall set up on my Customer Gateway box with standard rules for my 
network.  I augmented these by following this article:  
https://danielpocock.com/practical-linux-vpns-with-strongswan-shorewall-and-openwrt,
without it making any apparent difference.

When I attempt to ping the Customer Gateway (on 192.168.90.0/24) from an AWS 
EC2 instance (10.0.0.0/16) it tells me “From 192.168.90.1 icmp_seq=1 
Destination Host Unreachable”.  This tells me that the gateway on my local 
network is responding.

This falls into the “local-gateway-to-remote-gateway” configuration and I have 
read all of the related articles (VPNBasics, IPSec) with no clear use-case that 
maps to mine.

My questions:

I do not have specific VPN interfaces like “vti0” associated with the VPN.  
StrongSwan has simply established a VPN tunnel over UDP to the Remote Gateway 
at AWS.  Should I somehow create these, and what is the proper way?  If not, 
what is the correct way for Shorewall to recognize that I have both local 
traffic going to the internet AND traffic destined for the remote network going 
over the tunnel, all on the same “eth1” interface?

I recognized that at least part of my problem is setting up routing properly.  
AWS provides a config file that references the “Inside IP addresses”, which is 
a /30 CIDR block, and the next hop address.  I’ve tried creating routes on the 
Customer Gateway doing stuff like “ip route add 169.254.24.1/32 via 
18.111.233.123 dev eth1” but none work.  Most say “invalid argument” or 
“network unreachable”.  Should Shorewall be configured to somehow manage 
routing?  Should I be configuring this elsewhere, with a way for Shorewall to 
recognize that it exists?

Any ideas on how to troubleshoot, or on what my overall Shorewall and/or network 
configuration should be, are much appreciated.

john
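As an added illustration (not from John's post, the linked articles, or the Shorewall project), here is a minimal Shorewall layout for a policy-based IPsec tunnel that has no vti interface: the remote AWS network is placed in an ipsec-type zone on the same eth1 that carries Internet traffic, and the IKE/ESP traffic that keeps the tunnel up is admitted to the firewall itself. The 192.168.90.0/24 and 10.0.0.0/16 networks and the eth0/eth1 roles are taken from the post; the zone name vpn, the zone order, the policy choices and the 203.0.113.10 endpoint placeholder are assumptions.

```text
# /etc/shorewall/zones -- assumed zone names; vpn is listed before net so that
# packets protected by an IPsec SA on eth1 match vpn before the plain net zone
#ZONE   TYPE
fw      firewall
vpn     ipsec
net     ipv4
loc     ipv4

# /etc/shorewall/interfaces -- eth1 carries both Internet and tunnel traffic
#ZONE   INTERFACE   OPTIONS
net     eth1        tcpflags,nosmurfs
loc     eth0        tcpflags,nosmurfs

# /etc/shorewall/hosts -- the AWS VPC (10.0.0.0/16) is reached through eth1;
# an ipsec-type zone only claims packets that arrived inside an IPsec SA
#ZONE   HOSTS
vpn     eth1:10.0.0.0/16

# /etc/shorewall/policy
#SOURCE DEST    POLICY  LOG
loc     vpn     ACCEPT
vpn     loc     ACCEPT
loc     net     ACCEPT
$FW     all     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules -- IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP proto 50)
# from the AWS tunnel endpoint must reach the firewall itself; 203.0.113.10 is a
# documentation-range placeholder for that endpoint, not a real address
#ACTION SOURCE              DEST    PROTO   DPORT
ACCEPT  net:203.0.113.10    $FW     udp     500,4500
ACCEPT  net:203.0.113.10    $FW     50

# /etc/shorewall/masq -- if the LAN is masqueraded on eth1, exclude the VPC so
# packets keep their 192.168.90.0/24 source and still match the IPsec policy
#INTERFACE          SOURCE
eth1:!10.0.0.0/16   192.168.90.0/24
```

This layout adds no routes of its own: a policy-based tunnel only needs the kernel to have some route towards 10.0.0.0/16 (the default route via eth1 suffices) so that the IPsec policy can then capture and encrypt those packets.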

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
