I have been trying to set up a site-to-site VPN connection between aws and my on-prem network. We have a dedicated strongswan VPN gateway in our on-prem network and an aws managed VPN gateway on the aws side. Whatever I do I am unable to set up the tunnel. Here is my strongswan config.
conn Tunnel1
    type=tunnel
    auto=add
    keyexchange=ikev2
    authby=psk
    leftid=<Outside-tunnel-ip>
    leftsubnet=<AWS CIDR>
    right=<Outside-tunnel-ip>
    rightsubnet=<ON-PREM CIDR>
    aggressive=no
    ikelifetime=28800s
    lifetime=3600s
    margintime=270s
    rekey=yes
    rekeyfuzz=100%
    fragmentation=yes
    replay_window=1024
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    keyingtries=%forever
    mark=100
    leftupdown="/etc/ipsec.d/aws-updown.sh -ln Tunnel1 -ll <tunnel inside ip> -lr <tunnel outside ip> -m 100 -r <aws_vpc_id>"
I have made sure the configuration I have on the aws side matches the configuration on the strongswan side. But I still can't establish the tunnel.
Logs from the strongswan daemon:
ipsec[164912]: Starting strongSwan 5.9.5 IPsec [starter]...
charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-1004-aws, x86_64)
charon: 00[LIB] providers loaded by OpenSSL: legacy default
charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
charon: 00[CFG] loaded IKE secret for <outside tunnel ip left> <outside tunnel ip right>
charon: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
charon: 00[JOB] spawning 16 worker threads
ipsec[164912]: charon (164916) started after 20 ms
charon: 05[CFG] received stroke: add connection 'Tunnel1'
charon: 05[CFG] added configuration 'Tunnel1'
You now have the full strongswan and openswan configuration available via the download configuration button in the aws console.
It will help you to understand what you are missing.
If you are behind a NAT, make sure you have defined the local IP in the local_addrs (legacy left) parameter so strongswan/libreswan will set up the IKE properly. Second important point: the local_ts (legacy leftsubnet) and remote_ts (legacy rightsubnet) parameters must match what you have defined on the site2site config, otherwise the child SA will be rejected.
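As an added check (not code from the original post, nor from strongSwan or AWS), the script below parses one ipsec.conf conn block and compares the subnet orientation and outside addresses against the values taken from the AWS downloaded configuration. All addresses and CIDRs are constructed placeholders, and the sample conn deliberately reproduces the poster's layout, where leftsubnet holds the AWS CIDR and rightsubnet the on-prem CIDR.

```python
"""Check a strongSwan ipsec.conf conn block against AWS Site-to-Site VPN values."""
import ipaddress
import re

# Constructed sample in the shape of the poster's config (placeholder values).
SAMPLE_IPSEC_CONF = """
conn Tunnel1
    type=tunnel
    keyexchange=ikev2
    authby=psk
    leftid=203.0.113.10
    leftsubnet=10.20.0.0/16
    right=198.51.100.5
    rightsubnet=192.168.50.0/24
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
"""

# Values as they would appear in the AWS "Download configuration" (constructed).
AWS_SIDE = {
    "vpc_cidr": "10.20.0.0/16",        # AWS VPC CIDR: belongs in rightsubnet (remote_ts)
    "onprem_cidr": "192.168.50.0/24",  # customer side CIDR: belongs in leftsubnet (local_ts)
    "aws_outside_ip": "198.51.100.5",  # virtual private gateway outside address
    "cgw_outside_ip": "203.0.113.10",  # customer gateway public address (leftid behind NAT)
}

def parse_conn(text, name):
    """Return the key=value settings of the conn section called `name`."""
    settings, inside = {}, False
    for line in text.splitlines():
        if re.match(r"^conn\s+", line):
            inside = line.split(None, 1)[1].strip() == name
            continue
        if inside and "=" in line and line[:1].isspace():
            key, value = line.strip().split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def check_tunnel(settings, aws):
    """Return a list of mismatches; an empty list means the conn agrees with AWS."""
    problems = []
    same = lambda a, b: ipaddress.ip_network(a) == ipaddress.ip_network(b)
    if not same(settings.get("rightsubnet", "0.0.0.0/32"), aws["vpc_cidr"]):
        problems.append("rightsubnet (remote_ts) must be the AWS VPC CIDR")
    if not same(settings.get("leftsubnet", "0.0.0.0/32"), aws["onprem_cidr"]):
        problems.append("leftsubnet (local_ts) must be the on-prem CIDR")
    if settings.get("right") != aws["aws_outside_ip"]:
        problems.append("right must be the AWS tunnel outside IP")
    if settings.get("leftid", settings.get("left")) != aws["cgw_outside_ip"]:
        problems.append("leftid must be the customer gateway public IP")
    if settings.get("keyexchange") != "ikev2":
        problems.append("keyexchange should be ikev2 for AWS Site-to-Site VPN")
    return problems
```

Run against the sample, the check reports the two subnet mismatches that would make AWS reject the child SA; swapping leftsubnet and rightsubnet clears them.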