ClearOS Bug Tracker


View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0017091ClearOSapp-static-vpn-basic - Static VPN for Homepublic2017-09-13 14:182017-09-13 14:18
ReporterNickH 
Assigned To 
PrioritynormalSeverityfeatureReproducibilityalways
StatusnewResolutionopen 
PlatformOSOS Version
Product Version7.3.1 
Target VersionFixed in Version 
Summary0017091: Add support for IPsec VPN's on AWS to app-static-vpn
DescriptionSetting up IPsec tunnels to AWS requires a very specific set up which the business interface cannot cope with. As a reference document use https://libreswan.org/wiki/Interoperability#Amazon_AWS_VPN. [^]

It looks like on the AWS instance we need to:
1 - add a virtual lo interface configured with the elastic IP, once per machine (and probably not once per tunnel as you'd end up with multiple interfaces with the same IP which *may* give issues). You could possibly take this IP from the leftid which becomes mandatory
2 - allow the use of multiple left/rightsubnets (see bug 15951). This is because one subnet will be needed to access the AWS machine's LAN and another subnet to access the AWS instance itself
3 - Add the option to force ESP encapsulation in UDP which would add "encapsulation=yes" to the conn. This is required for IPsec between two AWS instances but won't harm if only one end is on AWS
4 - Possibly add a custom firewall to exclude packets from being NAT's. This is documented in the link but I don't thing it is needed as our POSTROUTING rule already covers it.
5 - Add an option to open the incoming firewall to open udp:4500
6 - We may need to be able to add the identifier 0.0.0.0 for left in the ipsec.secrets file. The documentation is confusing here because I believe %any overrides anything anyway. I would have thought we could do without the %any.

There is a bit more info in ticket #555759.

Unfortunately AWS is too big to ignore!
TagsNo tags attached.
Attached Files

- Relationships

-  Notes
There are no notes attached to this issue.

- Issue History
Date Modified Username Field Change
2017-09-13 14:18 NickH New Issue