[Openswan Users] EC2 to Client Route Configuration

Paul Wouters paul at xelerance.com
Wed Sep 14 12:09:38 EDT 2011


On Wed, 14 Sep 2011, James Nelson wrote:

> 1) If the handshake occurs between the elastic ip and the client gateway,
> does the client see the traffic coming from the elastic IP or the
> 10.5.5.5 encrypted domain?

The remote endpoint sees a UDP 4500 packet from the elastic IP (assuming
the right end is outside the Amazon cloud, else it sees the local IP),
containing an IPsec packet that after decryption results in a packet
with source 10.5.5.5 and destination whatever the IP is in the remote subnet.

> 2) If the latter, is it possible to make it so that the traffic looks
> like it's coming from the elastic IP?

You'd need to build a tunnel where you use left=elasticip instead
of left=10.5.5.5. You'd probably need to do some NAT to actually make
that happen too, and ensure the NAT rules don't bite IPsec.

> 3) I have created in ifconfig ethX to be the encrypted domain.  Do I have
> to add a change to the routing table to ensure traffic flows properly to
> the client?

You should never need to manually add/remove routes. IPsec policies will
enforce src/dst on the packets, so routing random things into ipsec will
never work.

Paul
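As an added example (not from the thread or the Openswan project), the setup answers 1 and 3 describe for an EC2 instance: the conn stanza with the 10.5.5.0/24 encrypted domain behind the elastic IP's 1:1 NAT, the NAT exemption from answer 2, and a policy check instead of a manual route. All addresses and the `ec2-to-client` name are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Openswan conn for an EC2 instance whose
# encrypted domain is 10.5.5.0/24 on ethX, reachable from outside through an
# elastic IP that Amazon maps 1:1 onto the instance's private address.
# All addresses below are constructed placeholders.
ELASTIC_IP="203.0.113.10"     # assumed elastic IP (public side of Amazon's NAT)
LOCAL_NET="10.5.5.0/24"       # the encrypted domain configured on ethX
REMOTE_GW="198.51.100.20"     # assumed client gateway
REMOTE_NET="192.168.50.0/24"  # assumed subnet behind the client gateway

# conn stanza. left=%defaultroute resolves to the private address, the only
# one the kernel has; leftid carries the elastic IP so the peer's ID check
# matches the source it sees on the UDP 4500 packets. Needs nat_traversal=yes
# in "config setup" and a matching PSK line in ipsec.secrets.
render_conn() {
  cat <<EOF
conn ec2-to-client
    left=%defaultroute
    leftid=$ELASTIC_IP
    leftsubnet=$LOCAL_NET
    right=$REMOTE_GW
    rightsubnet=$REMOTE_NET
    authby=secret
    auto=start
EOF
}

# NAT rules in the order they must be installed: packets that will be
# IPsec-protected are exempted first, so the later MASQUERADE cannot rewrite
# their 10.5.5.x source before the policy lookup ("NAT rules don't bite IPsec").
render_nat_rules() {
  cat <<EOF
iptables -t nat -A POSTROUTING -s $LOCAL_NET -d $REMOTE_NET -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s $LOCAL_NET -j MASQUERADE
EOF
}

# Install both (run as root on the instance), then check the kernel policy
# rather than the routing table: the SPD entry, not a route, carries traffic.
apply_config() {
  render_conn > /etc/ipsec.d/ec2-to-client.conf
  render_nat_rules | sh
  ipsec auto --add ec2-to-client && ipsec auto --up ec2-to-client
  ip xfrm policy list | grep -q "dst $REMOTE_NET" && echo "policy installed"
}
```

`apply_config` is the only function that touches the system; the render functions just emit the text so it can be reviewed first.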
