[Openswan Users] EC2 to Client Route Configuration

James Nelson james.nelson.ii at gmail.com
Wed Sep 14 17:23:02 EDT 2011


>
> You'd probably need to do some NAT to actually make
> that happen too, and ensure the NAT rules don't bite IPsec.


Besides enabling nat_traversal, is there any additional configuration that
I have to perform to get NAT-T working?  Is there any way to test whether or
not NAT is up and running?

-James

On Wed, Sep 14, 2011 at 11:09 AM, Paul Wouters <paul at xelerance.com> wrote:

> On Wed, 14 Sep 2011, James Nelson wrote:
>
>  1) If the handshake occurs between the elastic ip and the client gateway,
>> does the client see the traffic coming from the elastic IP or the
>> 10.5.5.5 encrypted domain?
>>
>
> The remote endpoint sees a UDP 4500 packet from the elastic ip (assuming
> the right end is outside the amazon cloud, else it sees the local ip),
> containing an IPsec packet that after decryption results in a packet
> with source 10.5.5.5 and destination whatever the IP in the remote subnet.
>
>
>  2) If the latter, is it possible to make it so that the traffic looks
>> like its coming from the elastic ip?
>>
>
> You'd need to build a tunnel where you use left=elasticip instead
> of left=10.5.5.5. You'd probably need to do some NAT to actually make
> that happen too, and ensure the NAT rules don't bite IPsec.
>
>
>  3) I have created in ifconfig ethX to be the encrypted domain.  Do I have
>> to add a change to the routing table to ensure traffic flows properly to
>> the client?
>>
>
> You should never need to manually add/remove routes. IPsec policies will
> enforce src/dst on the packets, so routing random things into ipsec will
> never work.
>
> Paul
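An added example, not part of this thread and not Openswan's own code, of the two checks a practitioner would run on the EC2 instance to answer the "is NAT-T actually up" question. Both are driven here by constructed sample output (addresses, SPIs and keys are made up) so the script runs offline; on a live host you would feed them `ip xfrm state` and `tcpdump -ni eth0 udp port 4500` instead.

```shell
#!/bin/sh
# Added example, not code from this thread or from Openswan. Two offline checks
# for whether NAT-T is actually in use on a running Openswan host, driven by
# constructed sample output so the script runs without root or a live tunnel.
#
# 1. `ip xfrm state`: when NAT-T was negotiated, the kernel installs the ESP SAs
#    with UDP encapsulation and prints "encap type espinudp sport 4500 dport 4500".
#    A plain ESP SA has no encap line at all.
# 2. `tcpdump -ni eth0 udp port 4500`: NAT-T ESP is decoded as "UDP-encap: ESP(...)"
#    instead of bare "ESP(...)" carried on IP protocol 50.

# natt_sas TEXT: print every SA in `ip xfrm state` output that uses espinudp
# encapsulation; exit 0 if at least one was found, else 1.
natt_sas() {
    printf '%s\n' "$1" | awk '
        /^src /               { sa = $0 }
        /encap type espinudp/ { found++; print "NAT-T SA: " sa }
        END                   { exit (found ? 0 : 1) }
    '
}

# natt_packets TEXT: count tcpdump lines carrying UDP-encapsulated ESP;
# exit 0 if any were seen, else 1. (|| true keeps a zero count from
# tripping `set -e`, since grep -c exits 1 when nothing matches.)
natt_packets() {
    n=$(printf '%s\n' "$1" | grep -c 'UDP-encap: ESP' || true)
    echo "UDP-encap ESP packets: $n"
    [ "$n" -gt 0 ]
}

# Constructed sample: the SA pair of a tunnel that negotiated NAT-T. The
# instance's private address is 10.5.5.5 (as in the thread); the peer is
# 198.51.100.20. Keys and SPIs are dummies.
SAMPLE_XFRM_NATT='src 10.5.5.5 dst 198.51.100.20
    proto esp spi 0x0a1b2c3d reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x00112233445566778899aabbccddeeff00112233 96
    enc cbc(aes) 0x000102030405060708090a0b0c0d0e0f
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 198.51.100.20 dst 10.5.5.5
    proto esp spi 0x4e5f6071 reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x33221100ffeeddccbbaa99887766554433221100 96
    enc cbc(aes) 0x0f0e0d0c0b0a09080706050403020100
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0'

# Constructed sample: the same tunnel without NAT-T (plain ESP, no encap line).
SAMPLE_XFRM_PLAIN='src 10.5.5.5 dst 198.51.100.20
    proto esp spi 0x0a1b2c3d reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x00112233445566778899aabbccddeeff00112233 96
    enc cbc(aes) 0x000102030405060708090a0b0c0d0e0f'

# Constructed sample of `tcpdump -ni eth0 udp port 4500` on the same host.
SAMPLE_TCPDUMP='17:23:02.100001 IP 10.5.5.5.4500 > 198.51.100.20.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 132
17:23:02.100512 IP 198.51.100.20.4500 > 10.5.5.5.4500: UDP-encap: ESP(spi=0x4e5f6071,seq=0x1), length 132'

# Stand-alone run over the samples.
if natt_sas "$SAMPLE_XFRM_NATT"; then echo "xfrm (NAT-T sample): NAT-T in use"; fi
if natt_sas "$SAMPLE_XFRM_PLAIN"; then echo "xfrm (plain sample): NAT-T in use"; else echo "xfrm (plain sample): no NAT-T SA"; fi
natt_packets "$SAMPLE_TCPDUMP" || echo "no UDP-encapsulated ESP on the wire"
```

On a live host, `ipsec verify` reports whether the kernel has NAT-T support before any tunnel is brought up; the two checks above then confirm a negotiated tunnel is really using it. For Paul's point about NAT rules not biting IPsec: a MASQUERADE rule in the nat POSTROUTING chain must not rewrite packets that are about to be IPsec-encapsulated, and the usual way to exempt them is an `iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT` rule placed ahead of the MASQUERADE rule, so the source address seen inside the tunnel is still the one the IPsec policy expects.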