<div dir="ltr">I forgot to include the output of <b>"ipsec auto --status"</b>, which should be useful:<div><br></div><div><div><b><font face="monospace, monospace">000</font></b></div><div><b><font face="monospace, monospace">000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}</font></b></div><div><b><font face="monospace, monospace">000</font></b></div><div><b><font face="monospace, monospace">000 "amos-spoke-c-amos-hub-1": <a href="http://10.20.50.0/24===10.20.50.15[52.4.101.228]...52.7.165.219">10.20.50.0/24===10.20.50.15[52.4.101.228]...52.7.165.219</a><52.7.165.219>===<a href="http://10.20.30.0/24">10.20.30.0/24</a>; erouted; eroute owner: #10</font></b></div><div><b><font face="monospace, monospace">000 "amos-spoke-c-amos-hub-1": myip=unset; hisip=unset;</font></b></div><div><b><font face="monospace, monospace">000 "amos-spoke-c-amos-hub-1": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0</font></b></div><div><b><font face="monospace, monospace">000 "amos-spoke-c-amos-hub-1": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth0;</font></b></div><div><b><font face="monospace, monospace">000 "amos-spoke-c-amos-hub-1": newest ISAKMP SA: #12; newest IPsec SA: #10;</font></b></div><div><b><font face="monospace, monospace">000 "amos-spoke-c-amos-hub-1": IKE algorithm newest: AES_CBC_128-SHA1-MODP2048</font></b></div><div><b><font face="monospace, monospace">000 "amos-spoke-c-amos-hub-2": <a href="http://10.20.50.0/24===10.20.50.15[52.4.101.228]---169.254.44.209...54.173.211.136">10.20.50.0/24===10.20.50.15[52.4.101.228]---169.254.44.209...54.173.211.136</a><54.173.211.136>===<a href="http://10.20.30.0/24">10.20.30.0/24</a>; unrouted; eroute owner: #0</font></b></div><div><b><font face="monospace, monospace">000 "amos-spoke-c-amos-hub-2": myip=169.254.44.210; hisip=unset;</font></b></div><div><b><font face="monospace, monospace">000 "amos-spoke-c-amos-hub-2": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0</font></b></div><div><b><font face="monospace, monospace">000 "amos-spoke-c-amos-hub-2": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth0;</font></b></div><div><b><font face="monospace, monospace">000 "amos-spoke-c-amos-hub-2": newest ISAKMP SA: #11; newest IPsec SA: #0;</font></b></div><div><b><font face="monospace, monospace">000 "amos-spoke-c-amos-hub-2": IKE algorithm newest: AES_CBC_128-SHA1-MODP2048</font></b></div><div><b><font face="monospace, monospace">000</font></b></div><div><b><font face="monospace, monospace">000 #12: "amos-spoke-c-amos-hub-1":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2393s; newest ISAKMP; lastdpd=0s(seq in:0 out:0); idle; import:admin initiate</font></b></div><div><b><font face="monospace, monospace">000 #10: "amos-spoke-c-amos-hub-1":4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 820s; newest IPSEC; eroute owner; isakmp#9; idle; import:admin initiate</font></b></div><div><b><font face="monospace, monospace">000 #10: "amos-spoke-c-amos-hub-1" <a href="mailto:esp.481523e2@52.7.165.219">esp.481523e2@52.7.165.219</a> <a href="mailto:esp.fdb3b3d8@10.20.50.15">esp.fdb3b3d8@10.20.50.15</a> <a href="mailto:tun.0@52.7.165.219">tun.0@52.7.165.219</a> <a href="mailto:tun.0@10.20.50.15">tun.0@10.20.50.15</a> ref=0 refhim=4294901761</font></b></div><div><b><font face="monospace, monospace">000 #9: "amos-spoke-c-amos-hub-1":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 454s; lastdpd=151s(seq in:0 out:0); idle; import:admin initiate</font></b></div><div><b><font face="monospace, monospace">000 #11: "amos-spoke-c-amos-hub-2":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2162s; newest ISAKMP; lastdpd=730s(seq in:0 out:0); idle; import:admin initiate</font></b></div><div><b><font face="monospace, monospace">000 #8: "amos-spoke-c-amos-hub-2":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 3s; lastdpd=3587s(seq in:0 out:0); idle; import:admin initiate</font></b></div></div><div><b><font face="monospace, monospace"><br></font></b></div><div><font face="arial, helvetica, sans-serif">I notice that the first tunnel (the one which comes up) has </font><b style="font-family:monospace,monospace">"myip=unset; hisip=unset;"</b><font face="arial, helvetica, sans-serif"> is this significant? The other tunnel probably has "myip" set because I set leftsourceip as part of my experiments.</font></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 19 February 2016 at 12:58, Amos Shapira <span dir="ltr"><<a href="mailto:amos.shapira@gmail.com" target="_blank">amos.shapira@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hello,<div><br></div><div>I got OpenSwan talking to AWS Virtual Gateway just fine, and can now route directly between two VPC's using static routes.</div><div>But I have to switch to BGP routing in order to do smarter routing (e.g. have a Virtual Gateway act as a hub between multiple VPC's and non-VPC networks).</div><div><br></div><div>I tried configuring bgpd from Quagga but it fails to initiate the connection, and I suspect that it might be related to the IPSec tunnel not having routable end-points(?)</div><div>(I might be talking rubbish here, I'm a noob when it comes to ipsec).</div><div><br></div><div>Here is the configuration I have in a test network. It's a VPC running OpenSwan on Ubuntu 14.04 on EC2 with a subnet of 10.20.50/24 and connecting to a Virtual GW in another VPC (the test "Hub") which has a subnet of 10.20.30/24).</div><div><br></div><div><div><b><font face="monospace, monospace">version 2.0</font></b></div><div><b><font face="monospace, monospace">config setup</font></b></div><div><b><font face="monospace, monospace"><span style="white-space:pre-wrap"> </span>dumpdir=/var/run/pluto/</font></b></div><div><b><font face="monospace, monospace"><span style="white-space:pre-wrap"> </span>nat_traversal=yes</font></b></div><div><b><font face="monospace, monospace"><span style="white-space:pre-wrap"> </span>virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.20.50.0/24" target="_blank">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!10.20.50.0/24</a></font></b></div><div><b><font face="monospace, monospace"><span style="white-space:pre-wrap"> </span>oe=off</font></b></div><div><b><font face="monospace, monospace"><span style="white-space:pre-wrap"> </span>protostack=netkey</font></b></div><div><b><font face="monospace, monospace"><span style="white-space:pre-wrap"> </span>interfaces=%defaultroute</font></b></div><div><b><font face="monospace, monospace">include /etc/ipsec.d/*.conf</font></b></div></div><div><div><b><font face="monospace, monospace">conn amos-spoke-c-amos-hub-1</font></b></div><div><b><font face="monospace, monospace"> type=tunnel</font></b></div><div><b><font face="monospace, monospace"> authby=secret</font></b></div><div><b><font face="monospace, monospace"> forceencaps=yes</font></b></div><div><b><font face="monospace, monospace"> auto=start</font></b></div><div><b><font face="monospace, monospace"> left=%defaultroute</font></b></div><div><b><font face="monospace, monospace"> leftid=52.4.101.228</font></b></div><div><b><font face="monospace, monospace"> leftnexthop=%defaultroute</font></b></div><div><b><font face="monospace, monospace"> leftsubnet=<a href="http://10.20.50.0/24" target="_blank">10.20.50.0/24</a></font></b></div><div><b><font face="monospace, monospace"> right=52.7.165.219</font></b></div><div><b><font face="monospace, monospace"> rightid=52.7.165.219</font></b></div><div><b><font face="monospace, monospace"> rightsubnet=<a href="http://10.20.30.0/24" target="_blank">10.20.30.0/24</a></font></b></div></div><div><br></div><div><br></div><div>bgpd.conf:</div><div><br></div><div><div><b><font face="monospace, monospace">!</font></b></div><div><b><font face="monospace, monospace">! Zebra configuration saved from vty</font></b></div><div><b><font face="monospace, monospace">! 2016/02/18 05:51:54</font></b></div><div><b><font face="monospace, monospace">!</font></b></div><div><b><font face="monospace, monospace">hostname ip-10-20-50-15</font></b></div><div><b><font face="monospace, monospace">password zebra</font></b></div><div><b><font face="monospace, monospace">log stdout</font></b></div><div><b><font face="monospace, monospace">!</font></b></div><div><b><font face="monospace, monospace">debug bgp events</font></b></div><div><b><font face="monospace, monospace">debug bgp keepalives</font></b></div><div><b><font face="monospace, monospace">debug bgp updates</font></b></div><div><b><font face="monospace, monospace">debug bgp fsm</font></b></div><div><b><font face="monospace, monospace">debug bgp filters</font></b></div><div><b><font face="monospace, monospace">!</font></b></div><div><b><font face="monospace, monospace">router bgp 65102</font></b></div><div><b><font face="monospace, monospace"> bgp router-id 0.0.0.0</font></b></div><div><b><font face="monospace, monospace"> neighbor 169.254.44.121 remote-as 7224</font></b></div><div><b><font face="monospace, monospace"> neighbor 169.254.44.121 timers 10 30</font></b></div><div><b><font face="monospace, monospace"> neighbor 169.254.44.121 timers connect 30</font></b></div><div><b><font face="monospace, monospace"> neighbor 169.254.44.121 soft-reconfiguration inbound</font></b></div><div><b><font face="monospace, monospace">!</font></b></div><div><b><font face="monospace, monospace">line vty</font></b></div><div><b><font face="monospace, monospace">!</font></b></div></div><div><b><font face="monospace, monospace"><br></font></b></div><div>The VirtualGateway configuration in generic format is below (I tried to keep only relevant parts). I suspect that the issue boils down to that my configuration doesn't mention any of the "<b><font face="monospace, monospace">Inside IP Addresses</font></b>" from that file, but I don't know how am I supposed to do that.</div><div><br></div><div>Could you please explain to me what should I change?</div><div><br></div><div>Thanks.</div><div><br></div><div><div><b><font face="monospace, monospace">Amazon Web Services</font></b></div><div><b><font face="monospace, monospace">Virtual Private Cloud</font></b></div><div><b><font face="monospace, monospace"><br></font></b></div><div><b><font face="monospace, monospace">IPSec Tunnel #1</font></b><br></div><div><b><font face="monospace, monospace">================================================================================</font></b></div><div><b><font face="monospace, monospace">#1: Internet Key Exchange Configuration</font></b></div><div><span style="white-space:pre-wrap"><b><font face="monospace, monospace"> </font></b></span></div><div><b><font face="monospace, monospace">...</font></b></div><div><b><font face="monospace, monospace">The Customer Gateway and Virtual Private Gateway each have two addresses that relate</font></b><br></div><div><b><font face="monospace, monospace">to this IPSec tunnel. Each contains an outside address, upon which encrypted</font></b></div><div><b><font face="monospace, monospace">traffic is exchanged. Each also contain an inside address associated with</font></b></div><div><b><font face="monospace, monospace">the tunnel interface.</font></b></div><div><b><font face="monospace, monospace"> </font></b></div><div><b><font face="monospace, monospace">The Customer Gateway outside IP address was provided when the Customer Gateway</font></b></div><div><b><font face="monospace, monospace">was created. Changing the IP address requires the creation of a new</font></b></div><div><b><font face="monospace, monospace">Customer Gateway.</font></b></div><div><b><font face="monospace, monospace"><br></font></b></div><div><b><font face="monospace, monospace">The Customer Gateway inside IP address should be configured on your tunnel</font></b></div><div><b><font face="monospace, monospace">interface. </font></b></div><div><b><font face="monospace, monospace"><br></font></b></div><div><b><font face="monospace, monospace">Outside IP Addresses:</font></b></div><div><b><font face="monospace, monospace"> - Customer Gateway <span style="white-space:pre-wrap"> </span> : 52.4.101.228 </font></b></div><div><b><font face="monospace, monospace"> - Virtual Private Gateway<span style="white-space:pre-wrap"> </span> : 52.7.165.219</font></b></div><div><span style="white-space:pre-wrap"><b><font face="monospace, monospace"> </font></b></span></div><div><b><font face="monospace, monospace">Inside IP Addresses</font></b></div><div><b><font face="monospace, monospace"> - Customer Gateway <span style="white-space:pre-wrap"> </span>: <a href="http://169.254.44.122/30" target="_blank">169.254.44.122/30</a></font></b></div><div><b><font face="monospace, monospace"> - Virtual Private Gateway : <a href="http://169.254.44.121/30" target="_blank">169.254.44.121/30</a></font></b></div><div><b><font face="monospace, monospace"><br></font></b></div><div><b><font face="monospace, monospace">Configure your tunnel to fragment at the optimal size:</font></b></div><div><b><font face="monospace, monospace"> - Tunnel interface MTU : 1436 bytes</font></b></div><div><b><font face="monospace, monospace"> </font></b></div><div><b><font face="monospace, monospace">#4: Border Gateway Protocol (BGP) Configuration:</font></b></div><div><b><font face="monospace, monospace"><br></font></b></div><div><b><font face="monospace, monospace">The Border Gateway Protocol (BGPv4) is used within the tunnel, between the inside</font></b></div><div><b><font face="monospace, monospace">IP addresses, to exchange routes from the VPC to your home network. Each</font></b></div><div><b><font face="monospace, monospace">BGP router has an Autonomous System Number (ASN). Your ASN was provided </font></b></div><div><b><font face="monospace, monospace">to AWS when the Customer Gateway was created.</font></b></div><div><b><font face="monospace, monospace"><br></font></b></div><div><b><font face="monospace, monospace">BGP Configuration Options:</font></b></div><div><b><font face="monospace, monospace"> - Customer Gateway ASN<span style="white-space:pre-wrap"> </span> : 65102 </font></b></div><div><b><font face="monospace, monospace"> - Virtual Private Gateway ASN : 7224</font></b></div><div><b><font face="monospace, monospace"> - Neighbor IP Address <span style="white-space:pre-wrap"> </span> : 169.254.44.121</font></b></div><div><b><font face="monospace, monospace"> - Neighbor Hold Time : 30</font></b></div><div><b><font face="monospace, monospace"><br></font></b></div><div><b><font face="monospace, monospace">Configure BGP to announce routes to the Virtual Private Gateway. The gateway</font></b></div><div><b><font face="monospace, monospace">will announce prefixes to your customer gateway based upon the prefix you </font></b></div><div><b><font face="monospace, monospace">assigned to the VPC at creation time.</font></b></div><div><b><font face="monospace, monospace"><br></font></b></div><div><b><font face="monospace, monospace">...</font></b></div><div><b><font face="monospace, monospace">(Tunnel 2 configuration removed)</font></b></div><div><br></div></div><div><div><br></div>
</div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><a href="http://au.linkedin.com/in/gliderflyer" target="_blank"><img src="https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png"></a><br></div></div>
</div>