Iptables – IPSec Tunnel to Amazon EC2 – Netkey, NAT, and routing issue

Tags: amazon-ec2, ipsec, iptables, nat, vpn

I'm working on getting an IPSec VPN working between Amazon EC2 and my on-premises network. The goal is to be able to safely administer stuff, up/download data, etc. over that tunnel.

I have gotten the tunnel up in openswan between a Fedora 12 instance with an elastic IP and a Cisco router that's also NATted. I think the ipsec part is OK, but I'm having trouble figuring out how to route traffic that way; there's no "ipsec0" virtual interface because on Amazon you have to use netkey and not KLIPS for the vpn. I hear iptables may be required and I'm an iptables noob.

On the left (Amazon), I have a 10. network.
Box 1 is privately 10.254.110.A, publicly 184.73.168.B.
Netkey tunnel is up.
Box 2 is publicly 130.164.26.C, privately 130.164.0.D.

And my .conf is:

conn ni
        type=           tunnel
        authby=         secret
        left=           10.254.110.A
        leftid=         184.73.168.B
        leftnexthop=    %defaultroute
        leftsubnet=     10.254.0.0/32
        right=          130.164.26.C
        rightid=        130.164.0.D
        rightnexthop=   %defaultroute
        rightsubnet=    130.164.0.0/18
        keyexchange=    ike
        pfs=            no
        auto=           start
        keyingtries=    3
        disablearrivalcheck=no
        ikelifetime=    240m
        auth=           esp
        compress=       no
        keylife=        60m
        forceencaps=    yes
        esp=            3des-md5

I added a route to box 1 (130.164.0.0/18 via 10.254.110.A dev eth0) but that doesn't do it, for predictable reasons: when I traceroute, the traffic's still going "around" and not through the vpn.

Routing table:

10.254.110.0/23 dev eth0  proto kernel  scope link  src 10.254.110.A
130.164.0.0/18 via 10.254.110.178 dev eth0  src 10.254.110.A
169.254.0.0/16 dev eth0  scope link  metric 1002

Anyone know how to do the routing with a netkey ipsec tunnel where both sides are NATted?

Thanks…
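With netkey there is no ipsec0 interface to point a route at: a packet follows the normal route and the kernel then matches it against its XFRM policies (`ip xfrm policy`); only a flow covered by a `dir out` selector is ESP-encapsulated, everything else leaves in the clear. The following is an added example, not from the original post, that parses a constructed `ip xfrm policy` output shaped like the conn above (10.254.110.10 and 130.164.26.20 are placeholders for the ...A and ...C hosts) and reports whether a given source/destination pair would be encrypted rather than routed around the tunnel:

```python
import ipaddress

# Constructed sample of `ip xfrm policy` output shaped like the page's conn
# (10.254.110.10 and 130.164.26.20 are placeholders for the ...A / ...C hosts).
SAMPLE_XFRM_POLICY = """\
src 10.254.0.0/32 dst 130.164.0.0/18
	dir out priority 2344 ptype main
	tmpl src 10.254.110.10 dst 130.164.26.20
		proto esp reqid 16385 mode tunnel
src 130.164.0.0/18 dst 10.254.0.0/32
	dir in priority 2344 ptype main
	tmpl src 130.164.26.20 dst 10.254.110.10
		proto esp reqid 16385 mode tunnel
"""

def parse_xfrm_policies(text):
    """Parse `ip xfrm policy` output: the unindented line is the traffic selector,
    the indented lines carry the direction and the ESP template (mode)."""
    policies, cur = [], None
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if not line[0].isspace():  # new policy; socket policies have no selector
            cur = None
            if tok[0] == "src" and len(tok) >= 4:
                cur = {"src": ipaddress.ip_network(tok[1], strict=False),
                       "dst": ipaddress.ip_network(tok[3], strict=False),
                       "dir": None, "mode": None}
                policies.append(cur)
        elif cur is not None and tok[0] == "dir":
            cur["dir"] = tok[1]
        elif cur is not None and "mode" in tok:
            cur["mode"] = tok[tok.index("mode") + 1]
    return policies

def outbound_policy_for(text, src_ip, dst_ip):
    """Return the `dir out` policy whose selector covers src_ip -> dst_ip, else None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in parse_xfrm_policies(text):
        if p["dir"] == "out" and src in p["src"] and dst in p["dst"]:
            return p
    return None

def tunnel_covers(text, src_ip, dst_ip):
    """True if src_ip -> dst_ip would leave ESP-encapsulated under these policies."""
    p = outbound_policy_for(text, src_ip, dst_ip)
    return p is not None and p["mode"] == "tunnel"
```

Feeding the real `ip xfrm policy` output from box 1 to `outbound_policy_for` with the traceroute's source and destination shows which selector, if any, that traffic falls into; a selector as narrow as a /32 covers exactly one source address.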

Best Answer

You know about Amazon Virtual Private Cloud, right?

I spent weeks working on a scheme of OpenVPN and fancy routing to accomplish the same thing, after which Amazon released this service and obsoleted my work.