[Openswan Users] EC2 to Client Route Configuration
James Nelson
james.nelson.ii at gmail.com
Wed Sep 14 11:48:40 EDT 2011
I believe that Openswan is configured correctly, but I have a few simpler
networking questions that I seem to be still confused with. I have an
Ubuntu server running Openswan on EC2 attempting to NAT-T to a client. The
EC2 instance has its local IP, an elastic IP, and 10.5.5.5 as an encrypted
domain. The ipsec.conf is listed below:
config setup
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    virtual_private=%v4:<CLIENT CHECKPOINT>,%v4:10.5.5.5/32
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. netkey,klips,mast,auto or none
    protostack=netkey

conn ec2check
    connaddrfamily=ipv4
    type=tunnel
    authby=secret
    ike=3des-md5
    ikelifetime=86400s
    phase2=esp
    phase2alg=3des-md5
    lifetime=28800s
    forceencaps=yes
    pfs=no
    left=<EC2 INSTANCE IP>
    leftid=<EC2 ELASTIC IP>
    leftnexthop=%defaultroute
    leftsubnet=10.5.5.5/32
    leftsourceip=10.5.5.5
    right=<CLIENT GATEWAY IP>
    rightid=<CLIENT GATEWAY IP>
    rightsubnet=<CLIENT DOMAIN>
    auto=add
The secrets file contains the client gateway, the elastic ip, and the local
ec2 ip and the handshake configures properly between the two sites.
1) If the handshake occurs between the elastic ip and the client gateway,
does the client see the traffic coming from the elastic IP or the 10.5.5.5
encrypted domain?
2) If the latter, is it possible to make it so that the traffic looks like
it's coming from the elastic IP?
3) I have created in ifconfig ethX to be the encrypted domain. Do I have to
add a change to the routing table to ensure traffic flows properly to the
client?
Thanks for all of your help,
-James
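The questions above come down to which address is selected into the tunnel (leftsubnet/leftsourceip) versus which address only names the IKE peer (leftid). The following is an added example, not code from the post or from the Openswan project: a small linter that parses a copy of the posted ipsec.conf and checks the points a reviewer would look at first. The config is reproduced as originally posted, including the capitalised Ikelifetime, and the poster's placeholders are replaced with RFC 5737 documentation addresses, which are assumptions, not the real EC2, elastic or client addresses.

```python
"""Consistency checks for an Openswan-style ipsec.conf (added example, not from the post)."""
import ipaddress
import re

# Constructed copy of the posted configuration. Placeholders are replaced with
# RFC 5737 documentation addresses (assumed values, not the poster's real ones).
SAMPLE_CONF = """\
config setup
    nat_traversal=yes
    virtual_private=%v4:192.0.2.0/24,%v4:10.5.5.5/32
    oe=off
    protostack=netkey

conn ec2check
    connaddrfamily=ipv4
    type=tunnel
    authby=secret
    ike=3des-md5
    Ikelifetime=86400s
    phase2=esp
    phase2alg=3des-md5
    lifetime=28800s
    forceencaps=yes
    pfs=no
    left=203.0.113.10
    leftid=198.51.100.7
    leftnexthop=%defaultroute
    leftsubnet=10.5.5.5/32
    leftsourceip=10.5.5.5
    right=198.51.100.200
    rightid=198.51.100.200
    rightsubnet=192.0.2.0/24
    auto=add
"""

# Algorithms a defender should flag: 3DES and MD5 are deprecated for IKE/ESP.
WEAK_ALGS = ("3des", "md5")


def parse_ipsec_conf(text):
    """Parse ipsec.conf into {section: {key: value}}.

    Sections begin with an unindented 'config <name>' or 'conn <name>' line;
    '#' starts a comment, and key=value lines belong to the current section.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"^(config|conn)\s+(\S+)\s*$", line)
        if header:
            current = header.group(2)
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a section: {raw!r}")
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def lint_conn(conn):
    """Return human-readable findings for one conn section."""
    findings = []
    for key in conn:
        # ipsec.conf keywords are documented in lowercase; a capitalised key
        # such as 'Ikelifetime' is a typo that does not map to ikelifetime.
        if key != key.lower():
            findings.append(f"keyword {key!r} is not lowercase (did you mean {key.lower()!r}?)")
    for param in ("ike", "phase2alg"):
        algs = conn.get(param, "").lower()
        for weak in WEAK_ALGS:
            if weak in algs:
                findings.append(f"{param}={conn[param]} uses deprecated algorithm {weak}")
    src, lsub, rsub = conn.get("leftsourceip"), conn.get("leftsubnet"), conn.get("rightsubnet")
    if src and lsub:
        # Traffic is only tunnelled if its source falls inside leftsubnet.
        if ipaddress.ip_address(src) not in ipaddress.ip_network(lsub, strict=False):
            findings.append(f"leftsourceip {src} is outside leftsubnet {lsub}; it will not match the tunnel policy")
    if lsub and rsub:
        if ipaddress.ip_network(lsub, strict=False).overlaps(ipaddress.ip_network(rsub, strict=False)):
            findings.append(f"leftsubnet {lsub} overlaps rightsubnet {rsub}")
    return findings


def peer_sees_source(conn):
    """Source address the remote side sees on tunnelled packets from this host.

    leftid only names the IKE identity; the traffic selector is leftsubnet.
    With leftsourceip set, locally generated packets use that address, so the
    peer sees it (10.5.5.5 in the posted config), not the elastic IP. None
    means the kernel's route-selected source address is used instead.
    """
    return conn.get("leftsourceip")


if __name__ == "__main__":
    conn = parse_ipsec_conf(SAMPLE_CONF)["ec2check"]
    for finding in lint_conn(conn):
        print("finding:", finding)
    print("peer sees tunnelled traffic from:", peer_sees_source(conn))
```

For question 3, note that leftsourceip is also what Openswan's _updown script uses as the source when it installs the route towards rightsubnet, so the route is normally added when the connection comes up rather than by hand; `ip route get <client address>` after `ipsec auto --up ec2check` is the quick way to confirm that the chosen source is 10.5.5.5.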