On 10/03/2018 03:12 PM, John Peak via Shorewall-users wrote: > First, THANK YOU Tom for making Shorewall and the rest of the team for > supporting! I’ve used it for over 10 years and have been very happy. > > > > I’ve looked for weeks for an answer to this with no success. I suspect > I’m at risk of getting flamed for being off-topic or missing an article > but I’m not sure where to go. I’m trying to setup a site-to-site VPN > using AWS, ipsec and Shorewall. I realized that some of my questions > may be more AWS than Shorewall, but I’m honestly unclear on where the > delineation exists. I would be glad to write-up a How-To once I get > this figured out. > > > > Situation: > > * I have successfully setup a VPN connection using StrongSwan between > my local network (Customer Gateway) and AWS (Virtual Private > Gateway) using this article: > > https://aravindkrishnaswamy.wordpress.com/2014/11/26/site-to-site-vpn-between-openvpn-and-aws/. > > It shows that the VPN connection is “UP”. The VPN connection and > public IP all run over my “eth1” interface. “eth0” is my internal > subnet. > * I have Shorewall setup on my Customer Gateway box with standard > rules for my network. I augmented these by following this article: > > https://danielpocock.com/practical-linux-vpns-with-strongswan-shorewall-and-openwrt, > without it making any apparent difference. > * When I attempt to ping the Customer Gateway (on 192.168.90.0/24) > from an AWS EC2 instance (10.0.0.0/16) it tells me “From > 192.168.90.1 icmp_seq=1 Destination Host Unreachable”. This tells > me that the gateway on my local network is responding.
No, it doesn't. > * This falls into the “local-gateway-to-remote-gateway” configuration > and I have read all of the related articles (VPNBasics, IPSec) with > no clear use-case that maps to mine. > > > > My questions: > > * I do not have specific VPN interfaces like “vti0” associated with > the VPN. StrongSwan has simply established a VPN tunnel over UDP to > the Remote Gateway at AWS. Should I somehow create these and what > is the proper way? No -- Since kernel 2.6, there is no special interface created by IPSEC. > If not, what is the correct way for Shorewall to > recognize that I have both local traffic going to the internet AND > traffic destined for the remote network going over the tunnel all on > the same “eth1” interface? The IPSEC-2.6 article (http://www.shorewall.org/IPSEC-2.6.html) covers this configuration. See the answer to your next question for additional clarification. > * I recognized that at least part of my problem is setting up routing > properly. That is unlikely. IPSEC is parallel to routing. Traffic to be handled by IPSEC is initially routed via the standard routing tables, which usually means that it will be routed out of your eth1 interface. The IP stack, however, understands that this traffic is going to be handled by IPSEC, and Shorewall generates rules using the IPSEC 'policy' match to apply rules that apply to traffic that is being sent to the appropriate 'ipsec' zone. Rather than sending the traffic directly out of eth1, the IP stack consults the IPSEC Security Policy Database (SPD) and Security Association Database (SAD) and encrypts/encapsulates the traffic and sends it to the appropriate remote gateway. > AWS provides a config file that references the “Inside IP > addresses”, which is a /30 CIDR block and the next hop address. > I’ve tried creating routes on the Customer Gateway doing stuff like > “ip route add 169.254.24.1/32 via 18.111.233.123 dev eth1” but none > work. Most say “invalid argument” or “network unreachable”. Should > Shorewall be configured to somehow manage routing? Should I be > configuring this elsewhere with a way for Shorewall to recognized > that it exists? > > Any ideas on how to troubleshoot or what my overall Shorewall and/or > network configuration are much appreciated. > My advice is to first get IPSEC working without Shorewall, such that traffic between AWS and your local network is flowing. THEN add Shorewall. If you do it that way, then any problems that arise when adding Shorewall represent Shorewall configuration issues. If you reach that point and things stop working, then please submit a Shorewall dump as described at http://www.shorewall.org/support.htm#Guidelines -Tom -- Tom Eastep \ Q: What do you get when you cross a mobster with Shoreline, \ an international standard? Washington, USA \ A: Someone who makes you an offer you can't http://shorewall.org \ understand \_______________________________________________
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Shorewall-users mailing list Shorewall-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/shorewall-users
