I want to establish a site-to-site IPsec VPN connection between an AWS EKS Kubernetes cluster and a server from a different provider using AWS Site-to-Site VPN. Pings get through the VPN, but TCP traffic does not.

The server on the other end runs Ubuntu 20.04 and uses libreswan. The configuration file from AWS for the VPN for openswan has been altered in two ways (that I think should not matter):

  • auth=esp has been commented out as libreswan would not start otherwise (libreswan 3.29)
  • The VPN has been configured to use VTI.

When sending an HTTP request from the AWS side: tcpdump on the libreswan side shows the SYN arriving and a SYN-ACK being sent back, while tcpdump on the EC2 instance (and in a pod as well) only registers the SYN.

All incoming traffic has been allowed in security groups and ACLs etc.

Talinx

1 Answer

Did you have any luck figuring this out?

I set up two AWS accounts with strongSwan installed on both sides (I even tried a strongSwan and libreswan combination).

I am able to ping, but unable to see any TCP packet getting passed.

Thanks.

Update: I found my issue, it was related to UFW.

When I disabled ufw on the strongSwan instance, it allowed the TCP traffic.

How I figured it out: I ran `tail -f /var/log/syslog` on the strongSwan instance and triggered a `telnet X.X.X.X 80` from my private instance.

I saw the following UFW BLOCK log entry:

[UFW BLOCK] IN=ens5 OUT=ens5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=Y.Y.Y.Y DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=54490 DF PROTO=TCP SPT=50814 DPT=80 WINDOW=62727 RES=0x00 SYN URGP=0

I am not sure why the traffic was blocked even though ufw allows port 80 on IPv4 and IPv6 from anywhere.

karmendra
  • No, I haven't had any luck. Thank you for describing your issue, but it must be a different problem for me. – Talinx Jan 23 '23 at 19:50
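The blocked entry quoted in the answer has both IN= and OUT= set, which is how the kernel logs a packet in the FORWARD chain (routed through the host, as VPN-to-LAN traffic is) rather than the INPUT chain that `ufw allow 80` governs; forwarded traffic needs a `ufw route allow` rule instead. The script below is an added example, not part of the original post: it classifies constructed UFW BLOCK lines (modelled on the one in the answer, with made-up addresses) by chain and says which kind of rule would cover each.

```shell
#!/bin/sh
# Classify "[UFW BLOCK]" syslog lines by the netfilter chain that logged them.
# The kernel LOG target fills IN= for the arrival interface and OUT= for the
# departure interface, so:
#   IN set,   OUT set   -> FORWARD (routed through this host, e.g. VPN -> LAN)
#   IN set,   OUT empty -> INPUT   (destined for this host)
#   IN empty, OUT set   -> OUTPUT  (originated by this host)
# "ufw allow <port>" creates INPUT rules only; forwarded traffic needs
# "ufw route allow ..." (and DEFAULT_FORWARD_POLICY not set to DROP).

# Constructed sample log: first line mirrors the forwarded SYN from the answer,
# second line is a blocked SSH SYN addressed to the VPN host itself.
SAMPLE_LOG='Jan 23 19:50:01 vpn kernel: [UFW BLOCK] IN=ens5 OUT=ens5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=10.1.2.3 DST=10.9.8.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=54490 DF PROTO=TCP SPT=50814 DPT=80 WINDOW=62727 RES=0x00 SYN URGP=0
Jan 23 19:50:02 vpn kernel: [UFW BLOCK] IN=ens5 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=10.1.2.3 DST=10.9.8.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=54491 DF PROTO=TCP SPT=50815 DPT=22 WINDOW=62727 RES=0x00 SYN URGP=0'

# ufw_field LINE NAME -> value of "NAME=" in LINE (empty string if unset)
ufw_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ufw_chain LINE -> INPUT | FORWARD | OUTPUT, derived from IN=/OUT=
ufw_chain() {
    in_if=$(ufw_field "$1" IN)
    out_if=$(ufw_field "$1" OUT)
    if [ -n "$in_if" ] && [ -n "$out_if" ]; then echo FORWARD
    elif [ -n "$in_if" ]; then echo INPUT
    else echo OUTPUT
    fi
}

# ufw_explain LINE -> which ufw rule family would have admitted the packet
ufw_explain() {
    chain=$(ufw_chain "$1")
    proto=$(ufw_field "$1" PROTO | tr 'A-Z' 'a-z')
    dpt=$(ufw_field "$1" DPT)
    case "$chain" in
        FORWARD) echo "FORWARD $proto/$dpt: not covered by 'ufw allow'; needs 'ufw route allow proto $proto to any port $dpt'" ;;
        *)       echo "$chain $proto/$dpt: covered by 'ufw allow $dpt/$proto'" ;;
    esac
}

# Walk the sample log and print a verdict per blocked packet.
printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
    ufw_explain "$line"
done
```

Running it against a real host's syslog is just `grep 'UFW BLOCK' /var/log/syslog | while IFS= read -r line; do ufw_explain "$line"; done` after sourcing the functions.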