
Hi, I have two AWS accounts and I created 2 EC2 instances with Ubuntu 20.04 in each account. In each account one machine is set up as StrongSwan and the other is a private instance.

I have completed all the configuration of the tunnel, security groups and AWS route tables; note that I have configured a policy-based VPN. Also, security groups are completely open as of now, and I updated the source/destination check on the StrongSwan instance.

Currently the tunnel shows established and I am able to ping from the private instance IP in one AWS account to the private instance in the other account and vice versa.

I set up an nginx server hosting a page on one private instance, and from the local network it returns a response when I do telnet ip 80, but when I telnet from the private IP in the other AWS account I see no response.

UFW allows port 80.

I used tcpdump and found that the packets from the source private IP do reach the source StrongSwan, but for some reason they are not leaving the source StrongSwan. I don't see any packet being sent in ipsec statusall from this source StrongSwan (when I ping I do see the packet counter increment).

Not sure what I am missing; ping works but HTTP traffic is not sent. Please help.

karmendra

1 Answer


OK, finally figured it out. It was UFW.

When I disabled ufw on the StrongSwan instance, it allowed the TCP traffic.

How I figured it out: I ran tail -f /var/log/syslog on the StrongSwan instance and triggered a telnet X.X.X.X 80 from my private instance.

I saw the following UFW BLOCK log entry:

[UFW BLOCK] IN=ens5 OUT=ens5 MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=Y.Y.Y.Y DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=54490 DF PROTO=TCP SPT=50814 DPT=80 WINDOW=62727 RES=0x00 SYN URGP=0

I am not sure why traffic was blocked even though ufw allows 80 on IPv4 and IPv6 everywhere.

karmendra
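An added example (not code from the question or the answer) that parses the UFW BLOCK line above. The kernel log fills both IN= and OUT= for a packet the gateway is forwarding and leaves OUT= empty for a packet addressed to the host itself; a plain ufw allow only opens the INPUT chain, so forwarded traffic through a StrongSwan gateway needs a ufw route allow rule instead. The syslog prefix and the second, INPUT-chain log line are constructed for contrast.

```python
"""Classify UFW BLOCK syslog entries as INPUT or FORWARD drops and
suggest the matching ufw rule.

Added example, not from the original post. Assumes the KEY=VALUE
kernel log format ufw emits on Ubuntu 20.04, where OUT= is empty for
packets destined to the host and non-empty for forwarded packets.
"""
import re

FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"DF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}  # bare tokens, no '='

# The line from the post (X.X.X.X / Y.Y.Y.Y are the poster's placeholders),
# with a constructed syslog prefix in front of it.
SAMPLE_FORWARD = (
    "Jun  1 10:00:00 ip-10-0-0-5 kernel: [ 1234.567] [UFW BLOCK] IN=ens5 OUT=ens5 "
    "MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=Y.Y.Y.Y DST=X.X.X.X LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=63 ID=54490 DF PROTO=TCP SPT=50814 DPT=80 WINDOW=62727 "
    "RES=0x00 SYN URGP=0"
)
# Constructed contrast: OUT= is empty, so this packet was for the gateway itself.
SAMPLE_INPUT = (
    "Jun  1 10:00:01 ip-10-0-0-5 kernel: [ 1235.000] [UFW BLOCK] IN=ens5 OUT= "
    "MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=Z.Z.Z.Z DST=10.0.0.5 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=100 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 "
    "RES=0x00 SYN URGP=0"
)


def parse_ufw_block(line: str) -> dict:
    """Return the KEY=VALUE fields after '[UFW BLOCK]' plus the bare TCP flag tokens."""
    if "[UFW BLOCK]" not in line:
        raise ValueError("not a UFW BLOCK entry")
    body = line.split("[UFW BLOCK]", 1)[1]
    fields = dict(FIELD_RE.findall(body))
    fields["FLAGS"] = sorted(tok for tok in body.split() if tok in TCP_FLAGS)
    return fields


def classify(fields: dict) -> str:
    """'FORWARD' when the packet entered on IN and was to leave on OUT (the same
    interface on a single-NIC VPN gateway), 'INPUT' when OUT is empty."""
    return "FORWARD" if fields.get("IN") and fields.get("OUT") else "INPUT"


def suggested_rule(fields: dict) -> str:
    """Plain 'ufw allow' only covers INPUT; forwarded flows need 'ufw route allow'."""
    proto, dpt = fields.get("PROTO", "any").lower(), fields.get("DPT")
    if classify(fields) == "FORWARD":
        return f"ufw route allow proto {proto} to {fields['DST']} port {dpt}"
    return f"ufw allow {dpt}/{proto}"


if __name__ == "__main__":
    for line in (SAMPLE_FORWARD, SAMPLE_INPUT):
        f = parse_ufw_block(line)
        print(classify(f), f["SRC"], "->", f["DST"], f["DPT"], "|", suggested_rule(f))
```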