Bringing up Cross Region Openswan Tunnels in AWS
During a recent project, Openswan (the fork of FreeS/WAN) tunnels weren't coming up for me.
I really couldn't figure out why, and the documentation around this was scarce.
Config
According to a few different sources:
"You can use the identical configuration file on both left and right hosts."
I found this not to be the case, and eventually got the following working, with left set to the instance's own details and right to the details of the target instance. (Openswan works out which side of the connection it is by looking for the left or right address on a local interface, and an EC2 instance never holds its public Elastic IP on an interface, which is most likely why a shared file doesn't orient itself here.)
Below is an example of a tunnel I had in /etc/ipsec.conf:
auto=ignore in this case means that the connection isn't even loaded when the ipsec service starts, so after the instance/server restarts you have to add and bring up the ipsec tunnel by hand before traffic will flow.
You can set it to auto=start so that the tunnel is loaded and brought up when the ipsec service starts.
This isn't always ideal... especially if your project is to make a highly-available cross-region VPN with tunnel failover. More on that in future posts...
Then, in /etc/ipsec.secrets I had something like:
Add before up
So I had my config all added in, and the ipsec service had been started.
I noticed that sometimes my tunnels wouldn't come up when I told them to, even when I set auto=start.
I eventually found out that the tunnels must be "added" on each VPN endpoint before an ipsec tunnel can be brought "up":
Again, this needs to be run on both endpoints before you can run:
If it's successful, you'll get output like this from the --up command:
And don't forget...
AWS instances need to have Source/Destination Checks disabled if they are going to forward traffic whose source or destination IP address isn't their own; with the check left on, EC2 drops those packets before they reach the instance.
This can be done by right-clicking the instance in the console, hovering over Networking, pressing Change Source/Dest. Check, and then pressing Yes, Disable.
This isn't everything you need for a proper site-to-site VPN to let traffic flow through the VPN endpoints, though; there is one last step.
In /etc/sysctl.conf, make sure the following are set like so:
and then apply these updates with the command:
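To make the mirroring of left and right concrete, here is an added example, not the post's own configuration (which is not reproduced above) and not Openswan project code. It is a POSIX shell script that renders the conn stanza, the ipsec.secrets entry and the sysctl settings for each endpoint, and carries out the steps in the order the post describes: config, sysctl, source/dest check, add, then up. Everything in it is assumed or constructed: the addresses (from the documentation ranges), subnets, connection name, instance id and PSK are placeholders; left= as the instance's private IP with leftid= as its Elastic IP is the layout that fits EC2's NAT (and a config setup section with nat_traversal=yes is assumed to exist already); and the sysctl lines are the standard ones Openswan's ipsec verify checks, since the post doesn't list its own.

```shell
#!/bin/sh
# Added example, not code from the original post. Renders the mirrored
# Openswan configuration for one endpoint of a cross-region tunnel and
# shows the bring-up order the post describes (add, then up). Every
# address, subnet, connection name, instance id and PSK below is a
# constructed placeholder from the documentation ranges.

# One "conn" stanza for THIS instance: left is always the local side and
# right the peer, so each endpoint gets a mirror image of the other's file.
# Assumption: an EC2 instance only holds its private IP on its interface,
# so left= is the private address and leftid= the Elastic IP the peer sees.
render_conn() {
    _name=$1 _local_priv=$2 _local_eip=$3 _local_net=$4
    _remote_eip=$5 _remote_net=$6 _auto=${7:-add}
    cat <<EOF
conn $_name
    type=tunnel
    authby=secret
    left=$_local_priv
    leftid=$_local_eip
    leftsubnet=$_local_net
    right=$_remote_eip
    rightid=$_remote_eip
    rightsubnet=$_remote_net
    auto=$_auto
EOF
}

# The matching /etc/ipsec.secrets entry, keyed on both IDs; it is the same
# on both endpoints. Keep the file root-only (mode 600).
render_secret() {
    printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# Kernel settings for /etc/sysctl.conf. ip_forward is what lets transit
# traffic cross the endpoint; redirects are disabled because Openswan's
# "ipsec verify" reports them as a misconfiguration (assumed standard set).
render_sysctl() {
    cat <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
EOF
}

# Install the rendered pieces on a running endpoint and bring the tunnel
# up. Needs root, Openswan and the AWS CLI; only runs when asked for.
apply_endpoint() {
    _name=$1 _instance_id=$2 _conn=$3 _secret=$4
    printf '%s\n' "$_conn" >> /etc/ipsec.conf
    printf '%s\n' "$_secret" >> /etc/ipsec.secrets
    chmod 600 /etc/ipsec.secrets
    render_sysctl >> /etc/sysctl.conf
    sysctl -p
    # With the source/dest check on, EC2 drops the forwarded packets.
    aws ec2 modify-instance-attribute --instance-id "$_instance_id" \
        --no-source-dest-check
    # The connection must be added before --up can succeed.
    ipsec auto --add "$_name" && ipsec auto --up "$_name"
}

# Demonstration: endpoint A in one region, endpoint B in another.
A_PRIV=10.0.1.5;  A_EIP=203.0.113.10;  A_NET=10.0.0.0/16
B_PRIV=10.1.1.5;  B_EIP=198.51.100.20; B_NET=10.1.0.0/16
PSK='replace-with-a-long-random-shared-secret'

case "${1:-render}" in
    render)
        echo "# ---- endpoint A ----"
        render_conn a-to-b "$A_PRIV" "$A_EIP" "$A_NET" "$B_EIP" "$B_NET" start
        render_secret "$A_EIP" "$B_EIP" "$PSK"
        echo "# ---- endpoint B ----"
        render_conn a-to-b "$B_PRIV" "$B_EIP" "$B_NET" "$A_EIP" "$A_NET" start
        render_secret "$A_EIP" "$B_EIP" "$PSK"
        ;;
    apply-a)
        apply_endpoint a-to-b i-0123456789abcdef0 \
            "$(render_conn a-to-b "$A_PRIV" "$A_EIP" "$A_NET" "$B_EIP" "$B_NET" start)" \
            "$(render_secret "$A_EIP" "$B_EIP" "$PSK")"
        ;;
esac
```

Run it with no arguments to see the two files side by side: endpoint A's rightid and rightsubnet are endpoint B's leftid and leftsubnet, and vice versa, while the secrets line is identical on both. The apply-a branch is the sequence you would run on a real endpoint; it appends to the files rather than replacing them, so run it once per connection.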