[Openswan Users] EC2 to Client Route Configuration

James Nelson james.nelson.ii at gmail.com
Wed Sep 14 11:48:40 EDT 2011


I believe that Openswan is configured correctly, but I have a few simpler
networking questions that I seem to be still confused with.  I have an
Ubuntu server running Openswan on EC2 attempting to NAT-T to a client.  The
EC2 instance has its local IP, an elastic IP, and 10.5.5.5 as an encrypted
domain.  The ipsec.conf is listed below:

config setup
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:<CLIENT CHECKPOINT>,%v4:10.5.5.5/32
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. netkey,klips,mast,auto or none
        protostack=netkey

conn ec2check
        connaddrfamily=ipv4
        type=tunnel
        authby=secret
        ike=3des-md5
        ikelifetime=86400s
        phase2=esp
        phase2alg=3des-md5
        lifetime=28800s
        forceencaps=yes
        pfs=no
        left=<EC2 INSTANCE IP>
        leftid=<EC2 ELASTIC IP>
        leftnexthop=%defaultroute
        leftsubnet=10.5.5.5/32
        leftsourceip=10.5.5.5
        right=<CLIENT GATEWAY IP>
        rightid=<CLIENT GATEWAY IP>
        rightsubnet=<CLIENT DOMAIN>
        auto=add

The secrets file contains the client gateway, the elastic ip, and the local
ec2 ip and the handshake configures properly between the two sites.

1) If the handshake occurs between the elastic ip and the client gateway,
does the client see the traffic coming from the elastic IP or the 10.5.5.5
encrypted domain?
2) If the latter, is it possible to make it so that the traffic looks like
it's coming from the elastic IP?
3) I have created in ifconfig ethX to be the encrypted domain.  Do I have to
add a change to the routing table to ensure traffic flows properly to the
client?

Thanks for all of your help,

-James