I'm working on getting an IPsec VPN working between Amazon EC2 and my on-premises network. The goal is to be able to safely administer stuff, up/download data, etc. over that tunnel.
I have gotten the tunnel up in openswan between a Fedora 12 instance with an elastic IP and a Cisco router that's also NATted. I think the IPsec part is OK, but I'm having trouble figuring out how to route traffic that way; there's no "ipsec0" virtual interface because on Amazon you have to use netkey and not KLIPS for the VPN. I hear iptables may be required and I'm an iptables noob.
On the left (Amazon), I have a 10. network. Box 1 is privately 10.254.110.A, publicly 184.73.168.B. Netkey tunnel is up. Box 2 is publicly 130.164.26.C, privately 130.164.0.D.
And my .conf is:
    conn ni
        type=tunnel
        authby=secret
        left=10.254.110.A
        leftid=184.73.168.B
        leftnexthop=%defaultroute
        # NB: a /32 selects the single address 10.254.0.0, not the 10.254.110.0/23
        # network eth0 sits on, so traffic sourced from 10.254.110.A matches no policy
        leftsubnet=10.254.0.0/32
        right=130.164.26.C
        rightid=130.164.0.D
        rightnexthop=%defaultroute
        rightsubnet=130.164.0.0/18
        keyexchange=ike
        pfs=no
        auto=start
        keyingtries=3
        disablearrivalcheck=no
        ikelifetime=240m
        auth=esp
        compress=no
        keylife=60m
        forceencaps=yes
        esp=3des-md5
I added a route on box 1 (130.164.0.0/18 via 10.254.110.A dev eth0) but that doesn't do it, for predictable reasons: when I traceroute, the traffic's still going "around" and not through the VPN.
Routing table:
    10.254.110.0/23 dev eth0 proto kernel scope link src 10.254.110.A
    130.164.0.0/18 via 10.254.110.178 dev eth0 src 10.254.110.A
    169.254.0.0/16 dev eth0 scope link metric 1002
Anyone know how to do the routing with a netkey ipsec tunnel where both sides are NATted?
Thanks...
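Added example (editor's note, not part of the question or either answer): with netkey there is no ipsec0 to route into. The kernel routes the packet normally, then consults the Security Policy Database, which is what `ip xfrm policy` prints; a packet whose source/destination pair matches no `dir out` tunnel policy leaves in the clear over the ordinary route, which is exactly the "going around" symptom. The script below parses a policy dump and reports which flows would be encapsulated. The dump is constructed to mirror the posted config (leftsubnet=10.254.0.0/32, rightsubnet=130.164.0.0/18); the host addresses 10.254.110.10 and 130.164.26.20 are placeholders for the A and C of the question, and `FIXED_XFRM_POLICY` is an assumption of what the SPD would look like with leftsubnet set to the 10.254.110.0/23 prefix shown in the routing table.

```python
"""Check which flows a netkey (XFRM) IPsec policy set will actually catch."""
import ipaddress
import re

# Constructed `ip xfrm policy` output in iproute2's layout (selector line,
# then "dir ... priority", then "tmpl", then "proto ... mode").  The two
# "socket" entries are the per-socket bypass policies every host shows.
SAMPLE_XFRM_POLICY = """\
src 10.254.0.0/32 dst 130.164.0.0/18 
	dir out priority 2344 ptype main 
	tmpl src 10.254.110.10 dst 130.164.26.20
		proto esp reqid 16385 mode tunnel
src 130.164.0.0/18 dst 10.254.0.0/32 
	dir fwd priority 2344 ptype main 
	tmpl src 130.164.26.20 dst 10.254.110.10
		proto esp reqid 16385 mode tunnel
src 130.164.0.0/18 dst 10.254.0.0/32 
	dir in priority 2344 ptype main 
	tmpl src 130.164.26.20 dst 10.254.110.10
		proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
"""

# Assumption: the same SPD after changing leftsubnet to the eth0 prefix.
FIXED_XFRM_POLICY = SAMPLE_XFRM_POLICY.replace("10.254.0.0/32", "10.254.110.0/23")

SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s+dir (\S+) priority (\d+)")
MODE_RE = re.compile(r"\bmode (\S+)")


def parse_xfrm_policies(text):
    """Turn `ip xfrm policy` output into dicts: src, dst, dir, priority, mode.

    Socket bypass policies carry no "dir" line and are dropped: they never
    encapsulate anything.
    """
    policies, current = [], None
    for line in text.splitlines():
        m = SELECTOR_RE.match(line)
        if m:
            current = {"src": ipaddress.ip_network(m.group(1)),
                       "dst": ipaddress.ip_network(m.group(2)),
                       "dir": None, "priority": None, "mode": None}
            policies.append(current)
            continue
        if current is None:
            continue
        m = DIR_RE.match(line)
        if m:
            current["dir"], current["priority"] = m.group(1), int(m.group(2))
            continue
        m = MODE_RE.search(line)
        if m:
            current["mode"] = m.group(1)
    return [p for p in policies if p["dir"] is not None]


def matching_policy(policies, src_ip, dst_ip, direction="out"):
    """Return the policy the kernel would apply to src_ip -> dst_ip, or None.

    Both selector prefixes must contain the addresses; among several matches
    the kernel takes the lowest priority number, so do the same here.
    """
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    candidates = [p for p in policies
                  if p["dir"] == direction and src_ip in p["src"] and dst_ip in p["dst"]]
    return min(candidates, key=lambda p: p["priority"]) if candidates else None


def explain_flow(policies, src_ip, dst_ip):
    """Describe what happens to an outgoing packet from src_ip to dst_ip."""
    p = matching_policy(policies, src_ip, dst_ip, "out")
    if p is None:
        return (f"{src_ip} -> {dst_ip}: no 'dir out' policy matches; "
                "sent in the clear over the normal route")
    if p["mode"] != "tunnel":
        return f"{src_ip} -> {dst_ip}: matches a {p['mode']}-mode policy, not the tunnel"
    return (f"{src_ip} -> {dst_ip}: encapsulated in ESP "
            f"(selector {p['src']} -> {p['dst']})")


if __name__ == "__main__":
    for label, dump in (("posted config", SAMPLE_XFRM_POLICY),
                        ("leftsubnet=10.254.110.0/23", FIXED_XFRM_POLICY)):
        print(f"== {label}")
        print(explain_flow(parse_xfrm_policies(dump), "10.254.110.10", "130.164.0.1"))
```

On the live box the same check is `ip xfrm policy` (selectors) and `ip xfrm state` (whether SAs actually came up); `ip route get 130.164.0.1` should just show the ordinary eth0/default-gateway route, since with netkey the static route added in the question is not needed: the remote prefix only has to be reachable by some route so the packet enters the output path, where the policy lookup encapsulates it. If box 1 also MASQUERADEs, put an ACCEPT for 10.254.110.0/23 -> 130.164.0.0/18 ahead of the MASQUERADE rule in the nat POSTROUTING chain, because nat runs before the XFRM lookup and a rewritten source address no longer matches the out selector.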
You know about Amazon Virtual Private Cloud, right?
I spent weeks working on a scheme of OpenVPN and fancy routing to accomplish the same thing, after which Amazon released this service and obsoleted my work.
May I suggest you have a look at vCider? It allows you to create secure, virtual networks even across provider boundaries (in case you want to expand beyond EC2). You can create your own provider-independent VPC. It also lets you 'cloak' your cloud network: basically, you can make your cloud nodes disappear from the public network, but you can specify exceptions for individual nodes. It offers specific features to connect your enterprise network to the cloud portion of the network.
Disclaimer: I work for vCider. But please don't let this stop you from having a look at it. You can create virtual private networks for up to 8 hosts for free.