IPSEC between an EC2 instance and another server with a public IP
I've been able to set up IPSEC successfully between two Hetzner machines, both of which had only public IP addresses. However, I've been unsuccessful in configuring IPSEC between an EC2 instance and a Hetzner machine, because the EC2 instance has a private IP which goes through some form of NAT-ing to get a public IP.
I'm using ipsec-tools + racoon and trying to follow these docs:
- https://www.mad-hacking.net/documentation/linux/networking/ipsec/nat-vpn.xml
- https://www.netbsd.org/docs/network/ipsec/#sample_vpn
To make things simpler, I've tried taking racoon out of the picture and hard-coded the encryption keys.
How do I get this to work? And probably, more importantly, how do I peek under the hood and see what's going on? Where exactly is the "connection breaking"?
/etc/ipsec-tools.conf on EC2 instance:
flush;
spdflush;
# ec2 -> het
spdadd Ec2PvtIP HetznerIP any -P out ipsec esp/tunnel/Ec2PubIP-HetznerIP/require;
# het -> ec2
spdadd HetznerIP Ec2PvtIP any -P in ipsec esp/tunnel/HetznerIP-Ec2PubIP/require;
## Using EC2 Public IP
add Ec2PubIP HetznerIP esp 0x74fce30b -E aes-cbc 0xf46c3187e253e5b25b8f8525da056080 -A hmac-sha256 0x9e7c6f6c7a1ccdd7634bb0a9eeaea5a8ed7bdfed89fd3f7dc86b2e8a522ae6e8 ;
add HetznerIP Ec2PubIP esp 0x74fce30b -E aes-cbc 0xf46c3187e253e5b25b8f8525da056080 -A hmac-sha256 0x9e7c6f6c7a1ccdd7634bb0a9eeaea5a8ed7bdfed89fd3f7dc86b2e8a522ae6e8 ;
## Using EC2 Private IP
# ec2 -> het
add Ec2PvtIP HetznerIP esp 0x74fce30b -E aes-cbc 0xf46c3187e253e5b25b8f8525da056080 -A hmac-sha256 0x9e7c6f6c7a1ccdd7634bb0a9eeaea5a8ed7bdfed89fd3f7dc86b2e8a522ae6e8 ;
# het -> ec2
add HetznerIP Ec2PvtIP esp 0x74fce30b -E aes-cbc 0xf46c3187e253e5b25b8f8525da056080 -A hmac-sha256 0x9e7c6f6c7a1ccdd7634bb0a9eeaea5a8ed7bdfed89fd3f7dc86b2e8a522ae6e8 ;
/etc/ipsec-tools.conf on Hetzner machine:
flush;
spdflush;
# het -> ec2
spdadd HetznerIP Ec2PvtIP any -P out ipsec esp/tunnel/HetznerIP-Ec2PubIP/require;
# ec2 -> het
spdadd Ec2PvtIP HetznerIP any -P in ipsec esp/transport/Ec2PubIP-HetznerIP/require;
### Using EC2 Public IP
add HetznerIP Ec2PubIP esp 0x74fce30b -E aes-cbc 0xf46c3187e253e5b25b8f8525da056080 -A hmac-sha256 0x9e7c6f6c7a1ccdd7634bb0a9eeaea5a8ed7bdfed89fd3f7dc86b2e8a522ae6e8 ;
add Ec2PubIP HetznerIP esp 0x74fce30b -E aes-cbc 0xf46c3187e253e5b25b8f8525da056080 -A hmac-sha256 0x9e7c6f6c7a1ccdd7634bb0a9eeaea5a8ed7bdfed89fd3f7dc86b2e8a522ae6e8 ;
### Using EC2 Private IP
# het -> ec2
add HetznerIP Ec2PvtIP esp 0x74fce30b -E aes-cbc 0xf46c3187e253e5b25b8f8525da056080 -A hmac-sha256 0x9e7c6f6c7a1ccdd7634bb0a9eeaea5a8ed7bdfed89fd3f7dc86b2e8a522ae6e8 ;
# ec2 -> het
add Ec2PvtIP HetznerIP esp 0x74fce30b -E aes-cbc 0xf46c3187e253e5b25b8f8525da056080 -A hmac-sha256 0x9e7c6f6c7a1ccdd7634bb0a9eeaea5a8ed7bdfed89fd3f7dc86b2e8a522ae6e8 ;
amazon-web-services amazon-ec2 nat ipsec
Is there any reason you're not using an AWS Virtual Private Gateway? That connects your whole AWS network to the VPN. If your AWS instance is behind a NAT with no public IP then you can't connect to it, NAT is for outgoing connections. In AWS you can use VPC Flow Logs to try to diagnose network issues.
– Tim
5 hours ago
asked 14 hours ago by Saurabh Nanda
edited 6 hours ago by MLu
1 Answer
As long as your Security Group and the local firewall on your Linux machine permit access for protocol ESP it should work.
One problem I see in your setup is with the SPDs. The EC2 doesn't know about its Public IP and Hetzner doesn't know about its private IP. Also you've got transport in the second SPD on Hetzner. You'll have to get the mix right.
On EC2
# EC2 only knows its private IP - the tunnel must reflect that
spdadd Ec2PvtIP HetznerIP any -P out ipsec esp/tunnel/Ec2PvtIP-HetznerIP/require;
spdadd HetznerIP Ec2PvtIP any -P in ipsec esp/tunnel/HetznerIP-Ec2PvtIP/require;
On Hetzner
# ESP is between the Public IPs, SPD uses the EC2 Private IP
spdadd HetznerIP Ec2PvtIP any -P out ipsec esp/tunnel/HetznerIP-Ec2PubIP/require;
# This must be tunnel too, not transport
spdadd Ec2PvtIP HetznerIP any -P in ipsec esp/tunnel/Ec2PubIP-HetznerIP/require;
On Hetzner you'll then have to add a route to Ec2PvtIP via Ec2PubIP.
Also I find it easier and less confusing if the tunnel internal addresses are completely independent from the endpoint addresses. E.g. I would create dummy0 = 10.0.1.1/32 on EC2 and dummy0 = 10.0.1.2/32 on Hetzner and configure the tunnels appropriately:
spdadd 10.0.1.1 10.0.1.2 any -P out ipsec esp/tunnel/Ec2PvtIP-HetznerIP/require;
...
Routing is then more explicit too:
root@ec2 ~ # ip route add 10.0.1.2 via HetznerIP src 10.0.1.1
Alternatively use LibreSwan / OpenSwan rather than ipsec-tools where a simple config like this should work on an EC2 instance with a public IP, including key exchange and route management:
# On EC2
conn hetzner
left=%defaultroute
leftsubnet=10.0.1.1/32
right=HetznerIP
rightsubnet=10.0.1.2/32
authby=secret
auto=start
After years of using ipsec-tools I have now switched to LibreSwan and found it much easier to work with.
Hope that helps :)
answered 6 hours ago by MLu
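As an added example (not code from the question or from MLu's answer), here is a small Python linter for setkey policy files that mechanically checks the two mistakes the answer points out (a host naming an address it does not own as its own tunnel endpoint, and transport mode where the selector addresses differ from the ESP endpoints), plus whether every tunnel endpoint pair has a manual SA and whether one key is reused across SAs. The tokens Ec2PvtIP, Ec2PubIP and HetznerIP are the page's placeholders; the keys are constructed.

```python
import re
from typing import List, Set, Tuple

# setkey grammar subset: spdadd SEL_SRC SEL_DST PROTO -P DIR ipsec esp/MODE/OUTER_SRC-OUTER_DST/LEVEL ;
SPD_RE = re.compile(r"^spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
                    r"(?:esp|ah)/(tunnel|transport)/([^-\s]+)-([^/\s]+)/\w+\s*;")
# add OUTER_SRC OUTER_DST esp SPI -E ENC_ALG ENC_KEY ...
SAD_RE = re.compile(r"^add\s+(\S+)\s+(\S+)\s+esp\s+(0x[0-9a-fA-F]+)\s+-E\s+\S+\s+(0x[0-9a-fA-F]+)")


def parse(config: str) -> Tuple[List[tuple], List[tuple]]:
    """Return (spd_entries, sad_entries); comments, flush lines and blanks are skipped."""
    spds, sads = [], []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := SPD_RE.match(line):
            spds.append(m.groups())
        elif m := SAD_RE.match(line):
            sads.append(m.groups())
    return spds, sads


def lint(config: str, own: Set[str], peer: Set[str]) -> List[str]:
    """Findings for one host. own = addresses configured on this host's interfaces
    (on EC2 only the private IP); peer = addresses the peer is reachable at on the wire."""
    spds, sads = parse(config)
    sa_pairs = {(s, d) for s, d, _, _ in sads}
    out: List[str] = []
    for sel_src, sel_dst, direction, mode, o_src, o_dst in spds:
        # Outer addresses are in packet order: the host is the source of 'out' and the destination of 'in'.
        local, remote = (o_src, o_dst) if direction == "out" else (o_dst, o_src)
        if local not in own:
            out.append(f"{direction}: local tunnel endpoint {local} is not an address this host owns")
        if remote not in peer:
            out.append(f"{direction}: remote tunnel endpoint {remote} is not a reachable peer address")
        if mode == "transport" and (sel_src, sel_dst) != (o_src, o_dst):
            out.append(f"{direction}: transport mode cannot carry {sel_src}->{sel_dst} inside "
                       f"{o_src}->{o_dst}; use tunnel")
        if (o_src, o_dst) not in sa_pairs:
            out.append(f"{direction}: no manual SA for {o_src}->{o_dst}")
    keys = [k for _, _, _, k in sads]
    if len(keys) != len(set(keys)):  # manual keying: each SA (direction) should get its own key
        out.append("same ESP key reused across SAs; give each direction its own key")
    return out


# Constructed placeholder keys (not the asker's); the SPI is the one from the question.
KEY_A, KEY_B, AUTH = "0x" + "11" * 16, "0x" + "22" * 16, "0x" + "33" * 32


def sa(src: str, dst: str, key: str) -> str:
    return f"add {src} {dst} esp 0x74fce30b -E aes-cbc {key} -A hmac-sha256 {AUTH} ;"


# The asker's EC2 and Hetzner files reduced to the lines that matter.
EC2_ORIGINAL = "\n".join([
    "spdadd Ec2PvtIP HetznerIP any -P out ipsec esp/tunnel/Ec2PubIP-HetznerIP/require;",
    "spdadd HetznerIP Ec2PvtIP any -P in ipsec esp/tunnel/HetznerIP-Ec2PubIP/require;",
    sa("Ec2PubIP", "HetznerIP", KEY_A), sa("HetznerIP", "Ec2PubIP", KEY_A)])
HETZNER_ORIGINAL = "\n".join([
    "spdadd HetznerIP Ec2PvtIP any -P out ipsec esp/tunnel/HetznerIP-Ec2PubIP/require;",
    "spdadd Ec2PvtIP HetznerIP any -P in ipsec esp/transport/Ec2PubIP-HetznerIP/require;",
    sa("HetznerIP", "Ec2PubIP", KEY_A), sa("Ec2PubIP", "HetznerIP", KEY_A)])
# The answer's corrected SPDs, with one key per direction (same key on both ends of each SA).
EC2_FIXED = "\n".join([
    "spdadd Ec2PvtIP HetznerIP any -P out ipsec esp/tunnel/Ec2PvtIP-HetznerIP/require;",
    "spdadd HetznerIP Ec2PvtIP any -P in ipsec esp/tunnel/HetznerIP-Ec2PvtIP/require;",
    sa("Ec2PvtIP", "HetznerIP", KEY_A), sa("HetznerIP", "Ec2PvtIP", KEY_B)])
HETZNER_FIXED = "\n".join([
    "spdadd HetznerIP Ec2PvtIP any -P out ipsec esp/tunnel/HetznerIP-Ec2PubIP/require;",
    "spdadd Ec2PvtIP HetznerIP any -P in ipsec esp/tunnel/Ec2PubIP-HetznerIP/require;",
    sa("HetznerIP", "Ec2PubIP", KEY_B), sa("Ec2PubIP", "HetznerIP", KEY_A)])

if __name__ == "__main__":
    for name, cfg, own, peer in [("EC2 original", EC2_ORIGINAL, {"Ec2PvtIP"}, {"HetznerIP"}),
                                 ("Hetzner original", HETZNER_ORIGINAL, {"HetznerIP"}, {"Ec2PubIP"}),
                                 ("EC2 fixed", EC2_FIXED, {"Ec2PvtIP"}, {"HetznerIP"}),
                                 ("Hetzner fixed", HETZNER_FIXED, {"HetznerIP"}, {"Ec2PubIP"})]:
        print(name, lint(cfg, own, peer) or ["OK"])
```

Run against a real /etc/ipsec-tools.conf, pass the host's own interface addresses as own and the peer's public address as peer; the original EC2 file yields the two "not an address this host owns" findings and the original Hetzner file the transport-mode finding, while the answer's corrected policies pass clean.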