beapit asked:

OpenSwan site to site vpn routing issue

Hello experts,

I have two linux servers with openswan installed. One is in amazon (we'll call it "aws") and the other one is in the corporate network (we'll call it "corp"). Aws has a private IP with a mapped public IP. Corp is in a DMZ and has a public IP (no NAT'ing).

OpenSwan is able to establish a connection between the two servers. From aws, I can ping all the way through the tunnel to private subnets. But, from corp I cannot ping back to aws. I get "Destination Host Unreachable".

I've seen that several openswan tutorials include iptables commands, like this one: http://www.systmbx.com/tutorials/tools-utilities/openswan/328-configuring-site-to-site-ipsec-vpn-with-openswan

I don't know what those commands are doing and for my situation, I don't know if I should be adding them to aws or corp, or both.


This is the corp config
config setup
        # private ranges a NAT'd peer is allowed to claim it sits behind
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        nat_traversal=yes          # IKE/ESP over UDP 4500 when a NAT is detected
        protostack=netkey          # kernel's native IPsec (XFRM) stack
        oe=no                      # no opportunistic encryption

conn vpn_to_aws
        type=tunnel
        authby=secret              # pre-shared key from ipsec.secrets
        auth=esp
        pfs=no                     # no fresh DH exchange for phase 2 SAs; both sides must agree
        rekey=yes
        auto=start                 # bring the tunnel up when pluto starts

        leftid=168.x.x.x           # corp's public IP, not NAT'd
        left=168.x.x.x
        leftsubnets={[various subnets]}
        leftsourceip=168.x.x.x     # source address for packets corp itself sends into the tunnel

        rightid=10.x.x.5           # aws identifies itself by its private IP (behind the 1:1 NAT)
        right=50.x.x.x             # untrust interface: aws's mapped public IP
        rightsubnets={[various subnets]}


And the config for aws
config setup
        # same private ranges, with the local 10.111.0.0/16 excluded so it is never treated as a remote NAT'd client range
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.111.0.0/16
        nat_traversal=yes
        protostack=netkey
        oe=no
        nhelpers=0                 # no separate crypto helper processes; pluto does the work itself

conn vpn_to_corp
        type=tunnel
        authby=secret
        auth=esp
        pfs=no
        rekey=yes
        auto=start

        leftid=10.x.x.5            # aws's private (interface) address, used as its IKE ID
        left=50.x.x.x              # aws's mapped public IP
        leftsubnets={[various subnets]}
        leftsourceip=10.x.x.5      # source address for packets aws itself sends into the tunnel

        rightid=168.x.x.x          # corp's public IP, used both as address and ID
        right=168.x.x.x
        rightsubnets={[various subnets]}


Thank you
Tags: Linux Networking, VPN, Networking Protocols, AWS
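The two things the question leaves open are what the tutorials' iptables rules do and whether a locally originated ping from a gateway actually has a path into the tunnel. The POSIX shell script below is an added illustration, not the poster's configuration or the linked tutorial's script: it checks whether a given source address falls inside the subnets a side lists in leftsubnets (the selectors NETKEY installs as xfrm policies), and it prints the NAT-exemption rules the tutorials add, with their purpose. Every address, subnet and the interface name eth0 in it are constructed placeholders standing in for the redacted values.

```shell
#!/bin/sh
# Added example, not from the original post. Two checks for a NETKEY
# site-to-site tunnel. All addresses and subnets below are constructed
# placeholders standing in for the redacted values in the question.

# ip_to_int 10.1.2.3 -> 167838211 (pure POSIX arithmetic, no external tools)
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_cidr ADDR NET/BITS -> exit 0 when ADDR lies inside NET/BITS
in_cidr() {
    addr=$(ip_to_int "$1")
    case $2 in
        */*) bits=${2#*/} ;;
        *)   bits=32 ;;            # a bare address is a /32
    esac
    net=$(ip_to_int "${2%/*}")
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# tunnel_covers SRC SUBNET... -> exit 0 when SRC is inside one of the subnets
# this side lists in leftsubnets=. NETKEY installs an xfrm policy only for
# the listed left/right subnet pairs, so a packet the gateway itself sources
# from an address outside them matches no policy and never enters the
# tunnel; it follows the default route instead and the far side never sees it.
tunnel_covers() {
    src=$1; shift
    for cidr in "$@"; do
        if in_cidr "$src" "$cidr"; then return 0; fi
    done
    return 1
}

# nat_rules LAN WAN_IF -> print the sysctls and iptables rules the linked
# tutorials add. The NAT rules matter only on a gateway that also
# MASQUERADEs its LAN to the internet: traffic that already has an outbound
# IPsec policy must be exempted from NAT first, otherwise its source is
# rewritten to the public IP, no longer matches the tunnel selector, and
# does not reach the remote subnet through the tunnel.
nat_rules() {
    lan=$1; wan=$2
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.accept_redirects=0
sysctl -w net.ipv4.conf.all.send_redirects=0
iptables -t nat -A POSTROUTING -s $lan -m policy --pol ipsec --dir out -j ACCEPT
iptables -t nat -A POSTROUTING -s $lan -o $wan -j MASQUERADE
EOF
}

# Constructed sample values (hypothetical; substitute the real config).
AWS_SRC=10.200.0.5                  # aws leftsourceip: its private address
AWS_SUBNETS="10.200.0.0/16"
CORP_SRC=168.0.0.1                  # corp leftsourceip: its public address
CORP_SUBNETS="192.168.10.0/24 192.168.20.0/24"

if tunnel_covers "$AWS_SRC" $AWS_SUBNETS; then
    echo "aws: $AWS_SRC is inside leftsubnets; local pings use the tunnel"
fi
if ! tunnel_covers "$CORP_SRC" $CORP_SUBNETS; then
    echo "corp: $CORP_SRC is outside leftsubnets; local pings never enter the tunnel"
fi
nat_rules 192.168.10.0/24 eth0
```

On a real gateway, `ip xfrm policy` lists the src/dst selector pairs NETKEY installed from leftsubnets and rightsubnets, and `ping -I <address>` from an address inside one of the src selectors is the quickest way to separate a policy problem from a firewall problem. The NAT exemption belongs only on a gateway that masquerades its own LAN; a 1:1 mapped public address like the aws side's is carried by nat_traversal=yes (UDP 4500 encapsulation) and needs no iptables rule for the tunnel itself.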

Last comment: beapit, 8/22/2022 (Mon)
Steven Vona

Here is a good how-to explaining openswan point to point VPN.

http://www.putorius.net/2012/08/creating-end-to-end-ipsec-tunnel.html
beapit (asker)
Thanks but I've already got the tunnel initiating. I don't see anything in that tutorial that isn't already configured in what I posted.
ASKER CERTIFIED SOLUTION
beapit

beapit (asker)
My solution is the right answer and actually explains what the problem and solution is.