IPSEC tunnel from AWS to DO Help Please

April 11, 2018
VPN Ubuntu 16.04

We are running Ubuntu 16.04, a clean install with the latest strongSwan. We are creating an IPsec tunnel between AWS and the droplet. The tunnel is up, however we cannot connect to any ports on any AWS servers from the DO droplet.

We verified there are no firewall rules on the AWS side and no firewall or ufw enabled on the DO side. This same scenario with AWS on one side and hardware VPNs on the other is working, so it seems to be something specific to either the strongSwan config or the DO infrastructure.

Here is the VPN status:

Security Associations (1 up, 0 connecting):
Tunnel1[1]: ESTABLISHED 26 seconds ago, 162.243.5.4[162.243.5.4]...52.72.253.197[52.72.253.197]
Tunnel1{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c849a6e6i d4644947o
Tunnel1{1}: 0.0.0.0/0 === 0.0.0.0/0

VPN Config:

config setup
    # strictcrlpolicy=yes
    uniqueids = no

conn Tunnel1
    auto=start
    left=%defaultroute
    leftid=162.243.5.4
    right=52.72.253.197
    type=tunnel
    leftauth=psk
    rightauth=psk
    keyexchange=ikev1
    ike=aes128-sha1-modp1024
    ikelifetime=8h
    esp=aes128-sha1-modp1024
    lifetime=1h
    keyingtries=%forever
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    dpddelay=10s
    dpdtimeout=30s
    dpdaction=restart
    mark=100

We have gone down so many paths to try to determine what is going on, from the CIDR being too close to the DO private IP to outdated strongSwan files. Any help is greatly appreciated. There must be something incredibly obvious we missed, even though we have had 4 pairs of eyes on it for two days.

2 Answers

Is it a known issue that DO to AWS IPsec tunnels cannot work? I have not found a single example of someone being successful at this using strongSwan or any other soft VPN based in DigitalOcean. Any insight at all? Thank you.

Hi. While this is not my area of expertise, I shared your question on our internal Slack here at DO and one of our infrastructure engineers had some suggestions to share:

We'd first need to know what traffic they are trying to pass through the tunnel. If they are trying to do a simple host-to-host VPN then I'd guess that the `leftsubnet` and `rightsubnet` declarations are incorrect.

It was also recommended to review the examples:

https://wiki.strongswan.org/projects/strongswan/wiki/IKEv2Examples and https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1Examples
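As an added example (not from the question or the DigitalOcean reply), a small Python checker that parses the CHILD_SA traffic-selector line from `ipsec status` and the conn options from ipsec.conf, then reports whether a given source/destination pair would be handled by the installed SA. It flags the any-to-any selectors the engineer questioned and also the `mark=` setting, since a marked SA only matches packets that already carry that fwmark (typically set by a VTI interface); the sample input is constructed from the lines in the question, and the destination address is made up.

```python
import ipaddress
import re

# Constructed sample input: the selector line and config keys quoted in the question.
STATUS = """\
Tunnel1{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c849a6e6i d4644947o
Tunnel1{1}: 0.0.0.0/0 === 0.0.0.0/0
"""
CONF = """\
conn Tunnel1
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
mark=100
"""
ANY = ipaddress.ip_network("0.0.0.0/0")
TS_LINE = re.compile(r"^(\S+)\{\d+\}:\s+(.+?)\s+===\s+(.+?)\s*$")  # "conn{n}: local === remote"

def child_selectors(status):
    """conn name -> ([local nets], [remote nets]) for each CHILD_SA in `ipsec status` output."""
    sel = {}
    for m in filter(None, map(TS_LINE.match, status.splitlines())):
        sel[m.group(1)] = ([ipaddress.ip_network(n) for n in m.group(2).split()],
                           [ipaddress.ip_network(n) for n in m.group(3).split()])
    return sel

def conn_options(conf):
    """conn name -> {option: value} from ipsec.conf text (indentation ignored)."""
    conns, cur = {}, None
    for line in (ln.strip() for ln in conf.splitlines()):
        if line.startswith("conn "):
            cur = line[5:].strip()
            conns[cur] = {}
        elif cur and "=" in line and not line.startswith("#"):
            k, v = line.split("=", 1)
            conns[cur][k.strip()] = v.strip()
    return conns

def diagnose(status, conf, src, dst):
    """Findings about whether plaintext traffic src -> dst would be handled by an installed CHILD_SA."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    findings, opts = [], conn_options(conf)
    for name, (local, remote) in child_selectors(status).items():
        if not (any(src in n for n in local) and any(dst in n for n in remote)):
            findings.append(f"{name}: traffic selectors do not cover {src} -> {dst}")
            continue
        if local == [ANY] and remote == [ANY]:
            findings.append(f"{name}: any-to-any selectors; check leftsubnet/rightsubnet match the real prefixes")
        if "mark" in opts.get(name, {}):
            findings.append(f"{name}: mark={opts[name]['mark']} set; only packets carrying that fwmark (e.g. via a VTI) match this SA")
    return findings
```

Feed it the real `ipsec statusall` output and ipsec.conf, with the droplet address as source and an AWS instance address as destination, to see which of the two conditions applies.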
