I have just set up a site-to-site VPN between a Strongswan instance and an AWS VPN Gateway, as follows:
1.1.1.1 <-----> Strongswan (2.2.2.2) <---> AWS (VPC 172.0.0.0/8)
From AWS, I can ping IPs in 1.1.1.1. From the Strongswan instance I can also ping EC2 instances on my VPC. The problem is that if I try to establish a connection from an EC2 instance to the Strongswan instance, the connection always fails.
The routes on 2.2.2.2:
172.0.0.0/16 dev Tunnel1 scope link metric 100
172.0.0.0/16 dev Tunnel2 scope link metric 200
iptables mangle rules:
Chain INPUT (policy ACCEPT)
target prot opt source destination
MARK esp -- <aws-endpoint> 2.2.2.2 MARK set 0x64
MARK esp -- <aws-endpoint> 2.2.2.2 MARK set 0xc8
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
Checking with tshark on 2.2.2.2, I noticed that the SYN/ACK isn't reaching the EC2 instance, causing retransmissions and eventual failure.
Any idea why the SYN/ACK isn't reaching the EC2 instance, which initiated the connection?
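With two tunnel routes of different metrics, the first thing to check on the Strongswan host is whether each SYN that came in over one tunnel gets its SYN/ACK sent back over the same tunnel. The following added helper (not from the question) pairs SYNs with SYN/ACKs from a tshark field export per interface; it assumes a hypothetical capture of the form `tshark -i Tunnel1 -i Tunnel2 -T fields -e frame.interface_name -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack` and runs here on constructed sample lines.

```python
"""Pair TCP SYNs with SYN/ACKs per tunnel interface from tshark -T fields output.

Assumed (hypothetical) capture command on the Strongswan host:
  tshark -i Tunnel1 -i Tunnel2 -T fields -e frame.interface_name \
         -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport \
         -e tcp.flags.syn -e tcp.flags.ack
Each line is tab-separated: iface, src, dst, sport, dport, syn, ack.
"""

# Constructed sample: one handshake that stays on Tunnel1, one whose SYN came
# in over Tunnel2 but whose SYN/ACK left over Tunnel1, and one never answered.
SAMPLE = """\
Tunnel1\t172.0.1.10\t2.2.2.2\t50001\t22\t1\t0
Tunnel1\t2.2.2.2\t172.0.1.10\t22\t50001\t1\t1
Tunnel2\t172.0.1.11\t2.2.2.2\t50002\t22\t1\t0
Tunnel1\t2.2.2.2\t172.0.1.11\t22\t50002\t1\t1
Tunnel2\t172.0.1.12\t2.2.2.2\t50003\t22\t1\t0
"""


def _flag(value: str) -> bool:
    # Older tshark prints booleans as 1/0, newer releases as True/False.
    return value in ("1", "True")


def analyse(capture: str) -> dict:
    """Return {flow: verdict}, flow keyed as (client, cport, server, sport)."""
    syn_iface, synack_iface = {}, {}
    for line in capture.splitlines():
        if not line.strip():
            continue
        iface, src, dst, sport, dport, syn, ack = line.split("\t")
        if not _flag(syn):
            continue  # only handshake packets matter for this check
        if not _flag(ack):
            syn_iface[(src, sport, dst, dport)] = iface          # inbound SYN
        else:
            synack_iface[(dst, dport, src, sport)] = iface       # our SYN/ACK
    verdicts = {}
    for flow, in_if in syn_iface.items():
        out_if = synack_iface.get(flow)
        if out_if is None:
            verdicts[flow] = "no SYN/ACK captured (host never answered)"
        elif out_if != in_if:
            verdicts[flow] = f"asymmetric: SYN in via {in_if}, SYN/ACK out via {out_if}"
        else:
            verdicts[flow] = f"symmetric via {in_if}"
    return verdicts


if __name__ == "__main__":
    for flow, verdict in analyse(SAMPLE).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: {verdict}")
```

An "asymmetric" verdict means the reply is leaving over a tunnel the remote side did not use for the request, so the return path, not the mangle marks on ESP, is the place to look next.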