[Openswan Users] Connectivity between multiple sites
FUBU
fubu666 at gmail.com
Fri Mar 10 06:54:16 EST 2017
Hello,
I'm trying to set up multiple site-to-site connections with Openswan as the
central point. I'm trying to connect 2 AWS regions and 1 Azure region. I'm
using AWS VPN Gateway in one of AWS regions (AWS-US), VPN Gateway in Azure,
and Openswan in the main AWS region (AWS-EU). I can successfully connect
between AWS regions and main AWS and Azure. So currently I have:
AWS-US<---->AWS-EU<----->Azure
But I'd like to achieve also connectivity between AWS-US and Azure via
AWS-EU:
AWS-US<-------(AWS-EU)--------->Azure
From the cloud configuration side, all routing is propagated properly.
CIDR block of networks:
AWS-US: 10.4.0.0/16
AWS-EU: 10.3.0.0/16
Azure: 10.111.0.0/16
So no cidr overlapping.
I tried various configurations but always ended up with one region not able
to communicate with another.
My current setup (OS:Amazon Linux, openswan 2.6.49.1):
config setup
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.3.0.0/16,%v4:10.4.0.0/16,%v4:10.111.0.0/16
    oe=off
    plutodebug="control parsing"
    plutostderrlog=/var/log/openswan.log

include /etc/ipsec.d/*.conf

conn awsvpn
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=Openswan.Public.IP
    leftnexthop=%defaultroute
    leftsubnets={10.3.0.0/16,10.111.0.0/16}
    right=AWS-US.VPN.Gateway.IP
    rightsubnets={10.4.0.0/16}
    phase2=esp
    phase2alg=aes128-sha1
    ike=aes128-sha1
    ikelifetime=28800s
    salifetime=3600s
    pfs=yes
    auto=start
    rekey=yes
    keyingtries=%forever
    dpddelay=10
    dpdtimeout=60
    dpdaction=restart_by_peer

conn azure
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=Openswan.Public.IP
    leftnexthop=%defaultroute
    leftsubnets={10.3.0.0/16,10.4.0.0/16}
    right=Azure.VPN.Gateway.Public.IP
    rightsubnets={10.111.0.0/16}
    auto=start
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
    pfs=no
with this setup I have following connectivity working:
AWS-EU<------>Azure
Azure<--------->AWS-EU
Azure<------->AWS-US
AWS-US<----------->Azure
So I'm lacking connectivity between AWS-EU and AWS-US despite the tunnel being
up and the other cross connectivity working.
ipsec look shows me all the routes I expected to see
iptables on the Openswan instance has no rules applied, and traffic is allowed
in the security groups.
Any ideas what might be the issue or how to debug?
Thank you in advance.
Barry
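With leftsubnets/rightsubnets, Openswan negotiates one child SA (and one pair of kernel policies) per left x right subnet combination, and a spoke-to-spoke pair such as 10.4.0.0/16 <-> 10.111.0.0/16 has to be installed by both spoke connections for the hub to forward between them. A quick way to see which promised pairs never made it into the kernel is to expand the config and diff it against `ip xfrm policy`. The script below does that; it is an added example written for this thread, not the poster's tooling or part of Openswan. The ipsec.conf fragment and the `ip xfrm policy` dump are constructed by hand (the peer addresses 198.51.100.7 and 203.0.113.9 and the reqids are made up), with the 10.3.0.0/16 <-> 10.4.0.0/16 pair deliberately left out of the dump so the report shows what a missing child SA looks like. It does not diagnose why a pair is missing; for that you still need the pluto log.

```python
"""Compare the subnet pairs an ipsec.conf promises against the IPsec
policies the kernel actually holds (output of `ip xfrm policy`).

Added example for the hub-and-spoke question in this thread; not the
poster's tooling. All sample input below is constructed so it runs offline.
"""
import ipaddress
import itertools
import re

# Constructed ipsec.conf fragment using the subnets from the post.
IPSEC_CONF = """\
conn awsvpn
    leftsubnets={10.3.0.0/16,10.111.0.0/16}
    rightsubnets={10.4.0.0/16}

conn azure
    leftsubnets={10.3.0.0/16,10.4.0.0/16}
    rightsubnets={10.111.0.0/16}
"""

# Constructed `ip xfrm policy` dump (peer IPs and reqids are invented).
# The 10.3/16 <-> 10.4/16 pair of the awsvpn conn is missing on purpose.
XFRM_POLICY = """\
src 10.111.0.0/16 dst 10.4.0.0/16
    dir out priority 2344 ptype main
    tmpl src 10.3.0.10 dst 198.51.100.7
        proto esp reqid 16389 mode tunnel
src 10.4.0.0/16 dst 10.111.0.0/16
    dir in priority 2344 ptype main
    tmpl src 198.51.100.7 dst 10.3.0.10
        proto esp reqid 16389 mode tunnel
src 10.3.0.0/16 dst 10.111.0.0/16
    dir out priority 2344 ptype main
    tmpl src 10.3.0.10 dst 203.0.113.9
        proto esp reqid 16393 mode tunnel
src 10.111.0.0/16 dst 10.3.0.0/16
    dir in priority 2344 ptype main
    tmpl src 203.0.113.9 dst 10.3.0.10
        proto esp reqid 16393 mode tunnel
src 10.4.0.0/16 dst 10.111.0.0/16
    dir out priority 2344 ptype main
    tmpl src 10.3.0.10 dst 203.0.113.9
        proto esp reqid 16393 mode tunnel
src 10.111.0.0/16 dst 10.4.0.0/16
    dir in priority 2344 ptype main
    tmpl src 203.0.113.9 dst 10.3.0.10
        proto esp reqid 16393 mode tunnel
"""


def parse_conns(conf):
    """Return {conn_name: {'left': [networks], 'right': [networks]}}.

    A line starting in column 0 opens a section; indented key=value lines
    belong to it. Both leftsubnet and leftsubnets={a,b} forms are accepted.
    """
    conns, current = {}, None
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split()
            current = parts[1] if parts[0] == 'conn' and len(parts) > 1 else None
            if current:
                conns[current] = {'left': [], 'right': []}
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition('=')
        key, value = key.strip(), value.strip().strip('{}')
        nets = [ipaddress.ip_network(v) for v in re.split(r'[,\s]+', value) if v]
        if key in ('leftsubnet', 'leftsubnets'):
            conns[current]['left'].extend(nets)
        elif key in ('rightsubnet', 'rightsubnets'):
            conns[current]['right'].extend(nets)
    return conns


def expected_policies(conns):
    """Every left x right combination needs an out and an in policy."""
    exp = set()
    for name, sides in conns.items():
        for l, r in itertools.product(sides['left'], sides['right']):
            exp.add((name, str(l), str(r), 'out'))  # src=left  dst=right
            exp.add((name, str(l), str(r), 'in'))   # src=right dst=left
    return exp


# "src A dst B" followed by an indented "dir out|in|fwd" line.
POLICY_RE = re.compile(r'^src (\S+) dst (\S+)[ \t]*\n[ \t]+dir (\w+)', re.MULTILINE)


def parse_xfrm_policy(dump):
    """Return the set of (src, dst, direction) selectors in the kernel."""
    return set(POLICY_RE.findall(dump))


def missing_policies(conf, dump):
    """List (conn, left, right, direction) pairs with no kernel policy."""
    installed = parse_xfrm_policy(dump)
    missing = []
    for name, l, r, d in sorted(expected_policies(parse_conns(conf))):
        selector = (l, r, d) if d == 'out' else (r, l, d)
        if selector not in installed:
            missing.append((name, l, r, d))
    return missing


if __name__ == '__main__':
    for name, l, r, d in missing_policies(IPSEC_CONF, XFRM_POLICY):
        print(f'{name}: no {d} policy for {l} <-> {r}')
```

On the hub, feed it the real files (`ip xfrm policy > /tmp/xfrm.txt` and /etc/ipsec.conf plus anything included from /etc/ipsec.d). The check only covers the out and in policies; tunnel mode also installs a fwd policy per pair, which the regex already matches if you want to add it. A pair that is missing here but shows as "up" in `ipsec auto --status` usually means the peer rejected that particular traffic selector during phase 2, which is where the pluto log for that conn is worth reading.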