What VPN configuration do I need to connect an AWS VPC to a VPN using strongSWAN?

I need to connect the system I’m helping develop that’s deployed on AWS to another system through a VPN. Looking at the remote system’s VPN configuration I saw that it is based on a Linux machine running strongSWAN. The authentication is done through pre-shared keys.
Both systems need to exchange information but I don’t know exactly at which rate.

Given this scenario, would it make sense to use the AWS VPN managed solution? Unless I missed something, it seems I should be able to connect the two of them through static routing.
But according to the AWS documentation, the communication needs to be started from the other system, as the VPG cannot open the connection by itself. That leaves me to implement a ping mechanism that would always depend on the other system starting a new connection whenever the previous one is broken. And I don’t have access to the other system, so I cannot create this mechanism.

Would it make more sense in this case to go the same route as the other system and just deploy a software VPN on an EC2 instance (or on many for high availability), strongSWAN or another?

Author: Juan Vega

l2tp/ipsec unable to connect on linux

I’m trying to connect to a Cisco L2TP/IPsec VPN with PSK and IKEv1 username/password.

According to this article, I’ve found that the server supports the following authentication methods:

SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)

I’m using networkmanager-l2tp package. Tried both openswan and libreswan (manually built with USE_DH2=true as described in this patchnote).

My .nmconnection file looks like this:

[connection]
id=etis
uuid=70147d0a-5d7f-467a-80ee-9048601960e1
type=vpn
permissions=user:***:;

[vpn]
gateway=vpn.psu.ru
ipsec-enabled=yes
ipsec-esp=aes128-sha1,3des-md5
ipsec-ike=aes128-sha1-modp1024,3des-sha1-modp1024
ipsec-psk=***
password-flags=1
user=***
service-type=org.freedesktop.NetworkManager.l2tp

When I’m trying to connect I’m getting the following log:

log using strongswan

log using libreswan with USE_DH2=true

From what I see, it seems like in both cases the IPsec connection is being established successfully, but then this happens:

xl2tpd[106869]: Listening on IP address 0.0.0.0, port 1701
xl2tpd[106869]: Connecting to host 212.192.80.206, port 1701
xl2tpd[106869]: death_handler: Fatal signal 15 received

The strongSwan log also has this suspicious message in between the above:

charon[78694]: 01[NET] received packet: from 212.192.80.206[4500] to 192.168.5.28[4500] (164 bytes)
charon[78694]: 01[IKE] received retransmit of response with ID 1610789051, but next request already sent

At this point I’ve depleted my google skills. If anybody could tell me where to go next, or at least tell me if this problem is connected with the IPsec or the L2TP part of the equation, I would greatly appreciate that.

Author: Denis Sheremet
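One quick check a practitioner would run on the second question is whether the IKE proposals in the .nmconnection file actually overlap with what the server advertises. The script below is an added example, not code from either poster; it assumes the quoted SA=(...) lines are in ike-scan's output format and compares them against the ipsec-ike= value from the question (the ESP list cannot be validated from a phase-1 scan, so it is left out).

```python
import re

# Constructed copy of the scan output quoted in the question above.
SCAN_OUTPUT = """\
SA=(Enc=3DES Hash=MD5 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=128 Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
SA=(Enc=AES KeyLength=256 Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800)
"""

# The ipsec-ike= value from the .nmconnection file in the question.
CONFIGURED_IKE = "aes128-sha1-modp1024,3des-sha1-modp1024"

_SA_RE = re.compile(r"SA=\((?P<body>[^)]*)\)")


def parse_scan(text):
    """Return the IKE (phase 1) proposals advertised by the server as
    strongSwan/NetworkManager-style strings, e.g. 'aes128-sha1-modp1024'."""
    proposals = set()
    for m in _SA_RE.finditer(text):
        attrs = dict(kv.split("=", 1) for kv in m.group("body").split())
        enc = attrs["Enc"].lower()
        if "KeyLength" in attrs:          # AES reports its key size separately
            enc += attrs["KeyLength"]     # 'aes' + '128' -> 'aes128'
        hash_ = attrs["Hash"].lower()
        group = attrs["Group"].split(":")[-1]   # '2:modp1024' -> 'modp1024'
        proposals.add(f"{enc}-{hash_}-{group}")
    return proposals


def parse_nm_proposals(value):
    """Split a comma-separated ipsec-ike value into individual proposals."""
    return {p.strip() for p in value.split(",") if p.strip()}


def check_ike_overlap(scan_text, configured):
    """Report which configured proposals the server accepts and which it
    never offered (those can only ever fail phase 1)."""
    offered = parse_scan(scan_text)
    wanted = parse_nm_proposals(configured)
    return {"matched": sorted(offered & wanted),
            "unusable": sorted(wanted - offered)}


if __name__ == "__main__":
    print(check_ike_overlap(SCAN_OUTPUT, CONFIGURED_IKE))
```

For the configuration in the question both proposals match, which agrees with the log showing the IPsec SA coming up; an empty "matched" list would point at the IKE side instead of xl2tpd.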