unable to ping across strongswan site-to-site vpn in aws

Question

We have two Ubuntu-20.04 servers in aws, different VPC, both installed StrongSwan and have configuration as below (ipsec.conf):

# basic configuration
config setup
# Add connections here.
conn %default
 ikelifetime=28800s
 lifetime=3600s
#rekeymargin= You choose; must match other side
 keyingtries=%forever
 keyexchange=ikev2
 authby=secret
 mobike=no

conn remote-side
# private ip
 left=10.0.0.7

# vpc cidr
 leftsubnet=10.0.0.0/24

# elastic ip
 leftid=xxx.xxx.xxx.xxx

# private ip
 leftsourceip=10.0.0.7

# elastic ip
 right=xxx.xxx.xxx.xxx

# vpc cidr
 rightsubnet=172.31.0.0/16

 auto=start
 type=tunnel
 ike=aes256-sha1-modp1024!
 esp=aes256-sha1!
 dpddelay=30s
 dpdtimeout=120s
 dpdaction=restart

Left & right are switch on server 2, other config are identical

Pre shared key (ipsec.secrets) as below:

Server-1-IP Server-2-IP : PSK "AAABBBCCCDDD"

Also the two IPs are switched on server 2

IP forwarding:

net.ipv4.ip_forward = 1 
net.ipv6.conf.all.forwarding = 1 
net.ipv4.conf.all.accept_redirects = 0 
net.ipv4.conf.all.send_redirects = 0

After run "sudo ipsec restart" the tunnel seems to build successfully.

#sudo ipsec status

Security Associations (1 up, 0 connecting):
 remote-side[1]: ESTABLISHED 6 minutes ago, 10.0.0.7[xxx.xxx.xxx.xxx]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]

#sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.2, Linux 5.4.0-1028-aws, x86_64):
  uptime: 7 minutes, since May 26 01:47:35 2021
  malloc: sbrk 2580480, mmap 0, used 620272, free 1960208
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
  10.0.0.7
Connections:
 remote-side:  10.0.0.7...xxx.xxx.xxx.xxx  IKEv2, dpddelay=30s
 remote-side:   local:  [xxx.xxx.xxx.xxx] uses pre-shared key authentication
 remote-side:   remote: [xxx.xxx.xxx.xxx] uses pre-shared key authentication
 remote-side:   child:  10.0.0.0/24 === 172.31.0.0/16 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
 remote-side[1]: ESTABLISHED 7 minutes ago, 10.0.0.7[xxx.xxx.xxx.xxx]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
 remote-side[1]: IKEv2 SPIs: d32eda951e3c567e_i* 6b2ae87360a4a4dc_r, pre-shared key reauthentication in 7 hours
 remote-side[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

UFW is inactive, aws security group is set to accept all TCP & UDP from anywhere (I know it's unsafe).

Both instances disabled source/destination check

However from either server I could not ping the other server by private ip address.

Any help is appreciated.

score 0 · Answer 1 · answered May 26 '21 at 14:19

0

OK, I'm new to this, didn't know after all the steps above, I was supposed to run

sudo ipsec up conn_name

Here conn_name is whatever name in the conn line defined in ipsec.conf

After that it started to work and I am able to ping across.

answered May 26 '21 at 14:19

Cal

189
1
2
7

unable to ping across strongswan site-to-site vpn in aws

1 Answers1