AWS IPsec links: Difference between revisions
Jump to navigation
Jump to search
| (2 intermediate revisions by the same user not shown) | |||
| Line 74: | Line 74: | ||
== Sydney AWS VPN (OpenVPN) list == | == Sydney AWS VPN (OpenVPN) list == | ||
Notes: | |||
* Although strongSwan will re-establish a connection that has dropped due to, say, a disconnected network cable, the desired traffic may not resume flowing because the connected needs to be rekeyed. The script <code>/etc/strongswan/aws1tunnel-poll.sh</code> will regularly ping a known host on the AWS VPC/subnetwork and will force a rekey if the host does not reply. Of course, this host must be one which you are sure will remain up otherwise rekeying will keep happening uselessly. | |||
** See <code>/etc/strongswan/aws1tunnel1-updown.sh</code>, which is run by strongSwan to bring up and down connections and which runs the above script. | |||
** See also <code>/etc/strongswan/ipsec.conf</code> | |||
== aws-ipsec-to-k17 == | == aws-ipsec-to-k17 == | ||
Not in use. Never completed. | |||
== aws1 == | == aws1 == | ||
Latest revision as of 17:53, 1 August 2022
Sydney VPC list
| VPC name | VPC ID | IPv4 CIDR | Description | Notable hosts |
|---|---|---|---|---|
| nw-sydney | vpc-0e6039446916e2d4e | 10.197.84.0/22 | CSE production | nw-syd-cfengine-hub |
| nw-sydney2 | vpc-0d909b2f0f3cab97a | 10.197.92.0/24 | Network experiments | experimental-networking-nw-sydney2 (54.253.107.94) |
| csgproduction | vpc-081c8a619f02801f6 | 172.17.254.0/24 | CSG production | techdocs, cfplaypen |
| aws1 | vpc-044951ecd1f85d3a2 | 172.16.254.0/24 | Non-CSG production | comp6443, cs1511-request-tracker, zzen9212-pen-testing-server1, zzen9212-pen-testing-server2 |
Sydney AWS VPN (IPsec) list
| AWS region | VPN name | VPN ID | Description | Customer gateway | Remote CIDR | Type | Tunnel 1 | Tunnel 2 | Comments | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| Sydney | aws-ipsec-to-k17 | vpn-0329f8fc12afa0c09 | cserouter1 | 129.94.39.21 cserouter1 |
0.0.0.0/0 | ipsec.1 | 52.63.191.33 169.254.187.12/30 |
52.64.121.168 169.254.38.88/30 |
All tunnel options set to defaults at AWS end | Not in use |
| Sydney | aws1 | vpn-0640a3802b05574e5 | vmfarm endpoint for testing | 129.94.242.18 centos7 |
172.16.254.0/24 (csgproduction) |
ipsec.1 | 13.238.86.95 169.254.52.236/30 |
54.79.34.39 169.254.176.252/30 |
All tunnel options set to defaults at AWS end | Operating. Use as exemplar |
Sydney AWS VPN (OpenVPN) list
Notes:
- Although strongSwan will re-establish a connection that has dropped due to, say, a disconnected network cable, the desired traffic may not resume flowing because the connected needs to be rekeyed. The script
/etc/strongswan/aws1tunnel-poll.shwill regularly ping a known host on the AWS VPC/subnetwork and will force a rekey if the host does not reply. Of course, this host must be one which you are sure will remain up otherwise rekeying will keep happening uselessly.- See
/etc/strongswan/aws1tunnel1-updown.sh, which is run by strongSwan to bring up and down connections and which runs the above script. - See also
/etc/strongswan/ipsec.conf
- See
aws-ipsec-to-k17
Not in use. Never completed.
aws1
- Connect to CSE endpoint:
root@vmfram1 # ssh -l root -A centos7 - Start strongSwan:
root@centos7 # systemctl start strongswan - Display strongSwan status:
[root@centos7 system]# strongswan status Security Associations (2 up, 0 connecting): aws1tunnel2[2]: ESTABLISHED 11 minutes ago, 129.94.242.18[129.94.242.18]...54.79.34.39[54.79.34.39] aws1tunnel2{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: f82804db_i c110cd07_o aws1tunnel2{2}: 0.0.0.0/0 === 172.16.254.0/24 aws1tunnel1[1]: ESTABLISHED 11 minutes ago, 129.94.242.18[129.94.242.18]...13.238.86.95[13.238.86.95] aws1tunnel1{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: f0acb0c7_i c29fc1ef_o aws1tunnel1{1}: 0.0.0.0/0 === 172.16.254.0/24 [root@centos7 system]#