ClearFoundation Tracker - ClearOS
View Issue Details
Issue ID: 0017091
Project: ClearOS
Category: app-static-vpn-basic - Static VPN for Home
View Status: public
Date Submitted: 2017-09-13 14:18
Last Update: 2021-11-09 07:01
Reporter: NickH
Priority: normal
Severity: feature
Reproducibility: always
Status: closed
Resolution: won't fix
Product Version: 7.3.1
0017091: Add support for IPsec VPNs on AWS to app-static-vpn
Setting up IPsec tunnels to AWS requires a very specific setup which the business interface cannot cope with. As a reference document use https://libreswan.org/wiki/Interoperability#Amazon_AWS_VPN.

It looks like on the AWS instance we need to:
1 - add a virtual lo interface configured with the elastic IP, once per machine (and probably not once per tunnel as you'd end up with multiple interfaces with the same IP which *may* give issues). You could possibly take this IP from the leftid which becomes mandatory
2 - allow the use of multiple left/rightsubnets (see bug 15951). This is because one subnet will be needed to access the AWS machine's LAN and another subnet to access the AWS instance itself
3 - Add the option to force ESP encapsulation in UDP which would add "encapsulation=yes" to the conn. This is required for IPsec between two AWS instances but won't harm if only one end is on AWS
4 - Possibly add a custom firewall to exclude packets from being NATed. This is documented in the link but I don't think it is needed as our POSTROUTING rule already covers it.
5 - Add an option to open the incoming firewall to open udp:4500
6 - We may need to be able to add the identifier 0.0.0.0 for left in the ipsec.secrets file. The documentation is confusing here because I believe %any overrides anything anyway. I would have thought we could do without the %any.

There is a bit more info in ticket #555759.

Unfortunately AWS is too big to ignore!
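An added check for the AWS-side conn requirements listed in items 1 to 3 above (this is example code written for this page, not code from the report, ClearOS or libreswan): a small parser for libreswan's ipsec.conf section/key=value layout, and a function that reports which of the settings (leftid equal to the elastic IP, more than one entry in leftsubnets, encapsulation=yes) a named conn is missing. The conn names and all addresses are constructed sample values.

```python
import re

def parse_ipsec_conf(text):
    """Parse ipsec.conf text into {"conn NAME": {key: value}} (headers in column 0, settings indented)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()            # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                        # "conn aws" / "config setup"
            kind, _, name = line.partition(" ")
            current = sections.setdefault(f"{kind} {name.strip()}", {})
            continue
        key, _, value = line.strip().partition("=")      # split on the first '=' only
        if current is not None and key:
            current[key.strip()] = value.strip()
    return sections

def subnet_list(value):
    """'{10.0.0.0/16 203.0.113.5/32}' or '10.0.0.0/16' -> list of CIDR strings."""
    return re.findall(r"[0-9a-fA-F:.]+/\d+", value)

def check_aws_conn(text, conn, elastic_ip):
    """Return the AWS-side requirements from the report that `conn` does not meet."""
    sec = parse_ipsec_conf(text).get(f"conn {conn}")
    if sec is None:
        return [f"conn {conn} not found"]
    findings = []
    if sec.get("leftid") != elastic_ip:                  # item 1: identity is the elastic IP
        findings.append(f"leftid must be the elastic IP {elastic_ip}")
    subnets = subnet_list(sec.get("leftsubnets", sec.get("leftsubnet", "")))
    if len(subnets) < 2:                                 # item 2: VPC LAN plus the instance itself
        findings.append("leftsubnets must list the VPC subnet and the instance")
    if sec.get("encapsulation", "").lower() != "yes":    # item 3: force ESP in UDP
        findings.append("encapsulation=yes is missing")
    return findings

# Constructed sample: a conn as the generic business form would write it today (made-up addresses).
SAMPLE_BEFORE = """
conn office
    left=172.31.5.7
    leftsubnet=172.31.0.0/16
    right=198.51.100.10
    rightsubnet=192.168.1.0/24
    authby=secret
"""

if __name__ == "__main__":
    for finding in check_aws_conn(SAMPLE_BEFORE, "office", "203.0.113.5"):
        print("missing:", finding)
```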
No tags attached.
Issue History
2017-09-13 14:18  NickH  New Issue
2017-09-25 08:51  user2  Status: new => acknowledged
2021-11-09 07:01  NickH  Status: acknowledged => closed
2021-11-09 07:01  NickH  Resolution: open => won't fix

There are no notes attached to this issue.