[Openswan Users] Connecting to AWS with BGP routing

Amos Shapira amos.shapira at gmail.com
Thu Feb 18 20:58:33 EST 2016


I got OpenSwan talking to AWS Virtual Gateway just fine, and can now route
directly between two VPCs using static routes.
But I have to switch to BGP routing in order to do smarter routing (e.g.
have a Virtual Gateway act as a hub between multiple VPCs and non-VPC

I tried configuring bgpd from Quagga but it fails to initiate the
connection, and I suspect that it might be related to the IPSec tunnel not
having routable end-points(?)
(I might be talking rubbish here, I'm a noob when it comes to ipsec).

Here is the configuration I have in a test network. It's a VPC running
OpenSwan on Ubuntu 14.04 on EC2 with a subnet of 10.20.50/24 and connecting
to a Virtual GW in another VPC (the test "Hub") which has a subnet of

version 2.0
config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    oe=off
    protostack=netkey
    interfaces=%defaultroute
include /etc/ipsec.d/*.conf
conn amos-spoke-c-amos-hub-1
    type=tunnel
    authby=secret
    forceencaps=yes
    auto=start
    left=%defaultroute
    leftid=
    leftnexthop=%defaultroute
    leftsubnet= <>
    right=
    rightid=
    rightsubnet= <>


! Zebra configuration saved from vty
!   2016/02/18 05:51:54
hostname ip-10-20-50-15
password zebra
log stdout
debug bgp events
debug bgp keepalives
debug bgp updates
debug bgp fsm
debug bgp filters
router bgp 65102
 bgp router-id
 neighbor remote-as 7224
 neighbor timers 10 30
 neighbor timers connect 30
 neighbor soft-reconfiguration inbound
line vty

The VirtualGateway configuration in generic format is below (I tried to
keep only relevant parts). I suspect that the issue boils down to my
configuration not mentioning any of the "Inside IP Addresses" from that
file, but I don't know how I am supposed to do that.

Could you please explain to me what I should change?


Amazon Web Services
Virtual Private Cloud

IPSec Tunnel #1
#1: Internet Key Exchange Configuration
The Customer Gateway and Virtual Private Gateway each have two addresses
that relate to this IPSec tunnel. Each contains an outside address, upon
which traffic is exchanged. Each also contains an inside address associated
with the tunnel interface.

The Customer Gateway outside IP address was provided when the Customer
Gateway was created. Changing the IP address requires the creation of a new
Customer Gateway.

The Customer Gateway inside IP address should be configured on your tunnel
interface.

Outside IP Addresses:
  - Customer Gateway        :
  - Virtual Private Gateway :
Inside IP Addresses:
  - Customer Gateway        :
  - Virtual Private Gateway :

Configure your tunnel to fragment at the optimal size:
  - Tunnel interface MTU    : 1436 bytes

#4: Border Gateway Protocol (BGP) Configuration:

The Border Gateway Protocol (BGPv4) is used within the tunnel, between the
inside IP addresses, to exchange routes from the VPC to your home network.
Each BGP router has an Autonomous System Number (ASN). Your ASN was provided
to AWS when the Customer Gateway was created.

BGP Configuration Options:
  - Customer Gateway ASN        : 65102
  - Virtual Private Gateway ASN : 7224
  - Neighbor IP Address         :
  - Neighbor Hold Time          : 30

Configure BGP to announce routes to the Virtual Private Gateway. The Virtual
Private Gateway will announce prefixes to your customer gateway based upon
the prefix you assigned to the VPC at creation time.

*(Tunnel 2 configuration removed)*
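An added example, not part of the original post and not code from AWS, Openswan or Quagga: a small Python script that reads the fields out of a generic configuration file in the layout quoted above and writes the inside addresses into an Openswan conn for the BGP session and into a Quagga bgpd.conf. It assumes that the inside addresses are a 169.254.0.0/16 link-local /30 pair as AWS issues them, that the CGW inside address is placed on the local interface with Openswan's leftsourceip (netkey has no tunnel interface to carry it), and that IPsec policies for the prefixes later learned over BGP are handled separately. The sample configuration text and every address in it are constructed placeholders (RFC 5737 ranges for the outside addresses), not the values from the post.

```python
import ipaddress
import re

# Constructed sample in the layout of the AWS generic configuration file; the
# addresses are placeholders (RFC 5737 outside, a 169.254/16 inside /30).
SAMPLE_GENERIC_CONFIG = """\
Outside IP Addresses:
  - Customer Gateway        : 203.0.113.10
  - Virtual Private Gateway        : 198.51.100.20
Inside IP Addresses
  - Customer Gateway         : 169.254.46.1/30
  - Virtual Private Gateway             : 169.254.46.2/30
BGP Configuration Options:
  - Customer Gateway ASN          : 65102
  - Virtual Private  Gateway ASN          : 7224
  - Neighbor IP Address      : 169.254.46.2
  - Neighbor Hold Time       : 30
"""

FIELD_RE = re.compile(r"^\s*-\s*(?P<key>[A-Za-z ]+?)\s*:\s*(?P<val>\S+)")

def parse_generic_config(text):
    """Return the fields that matter for the IPsec and BGP setup."""
    section, cfg = None, {}
    for line in text.splitlines():
        head = line.strip()
        if head.startswith("Outside IP Addresses"):
            section = "outside"
        elif head.startswith("Inside IP Addresses"):
            section = "inside"
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = " ".join(m.group("key").split()), m.group("val")
        if key in ("Customer Gateway", "Virtual Private Gateway"):
            side = "cgw" if key.startswith("Customer") else "vgw"
            cfg[f"{side}_{section}"] = val   # cgw_outside, vgw_inside, ...
        elif key == "Customer Gateway ASN":
            cfg["cgw_asn"] = int(val)
        elif key == "Virtual Private Gateway ASN":
            cfg["vgw_asn"] = int(val)
        elif key == "Neighbor IP Address":
            cfg["neighbor_ip"] = val
        elif key == "Neighbor Hold Time":
            cfg["hold_time"] = int(val)
    return cfg

def inside_pair(cfg):
    """(cgw, vgw) inside addresses; a bare address is taken as /30 (AWS's form)."""
    iface = lambda a: ipaddress.ip_interface(a if "/" in a else a + "/30")
    return iface(cfg["cgw_inside"]), iface(cfg["vgw_inside"])

def addressing_problems(cfg):
    """Empty list when consistent: the BGP session runs between the inside
    addresses, so both must share one /30 and the neighbor must be the VGW
    inside address, not its outside one."""
    cgw, vgw = inside_pair(cfg)
    problems = []
    if cgw.network != vgw.network:
        problems.append(f"inside addresses not in one /30: {cgw} vs {vgw}")
    if str(vgw.ip) != cfg["neighbor_ip"]:
        problems.append(f"neighbor {cfg['neighbor_ip']} is not the VGW inside address")
    return problems

def openswan_bgp_conn(name, cfg):
    """Conn covering only the inside pair, i.e. the BGP session. netkey has no
    tunnel interface, so leftsourceip makes Openswan's _updown put the CGW
    inside address on the local interface for bgpd to bind to. Policies for
    the prefixes learned over BGP are a separate matter, not covered here."""
    if addressing_problems(cfg):
        raise ValueError("; ".join(addressing_problems(cfg)))
    cgw, vgw = inside_pair(cfg)
    return "\n".join([
        f"conn {name}-bgp",
        "    type=tunnel", "    authby=secret", "    auto=start",
        "    left=%defaultroute",
        f"    leftid={cfg['cgw_outside']}",
        f"    leftsubnet={cgw.ip}/32",
        f"    leftsourceip={cgw.ip}",
        f"    right={cfg['vgw_outside']}",
        f"    rightid={cfg['vgw_outside']}",
        f"    rightsubnet={vgw.ip}/32", ""])

def bgpd_conf(cfg, local_prefixes):
    """bgpd.conf peering from the CGW inside address to the VGW inside address.
    Keepalive is hold/3, so AWS's hold time of 30 gives 'timers 10 30'."""
    if addressing_problems(cfg):
        raise ValueError("; ".join(addressing_problems(cfg)))
    cgw, vgw = inside_pair(cfg)
    hold = cfg["hold_time"]
    return "\n".join([
        f"router bgp {cfg['cgw_asn']}",
        f" bgp router-id {cgw.ip}",
        *[f" network {p}" for p in local_prefixes],
        f" neighbor {vgw.ip} remote-as {cfg['vgw_asn']}",
        f" neighbor {vgw.ip} update-source {cgw.ip}",
        f" neighbor {vgw.ip} timers {hold // 3} {hold}",
        f" neighbor {vgw.ip} soft-reconfiguration inbound",
        "!", "line vty", ""])
```

Feed parse_generic_config() the text of the downloaded file and print openswan_bgp_conn() and bgpd_conf() to get the two fragments. The conn only covers the inside /32 pair, so the BGP session gets its own policy, and bgpd peers with the VGW inside address with update-source set to the CGW inside address; addressing_problems() refuses a neighbor that is the VGW outside address or an inside pair that is not in one /30, which is the mismatch the post's redacted configuration seems to be missing.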
