I am trying to set up an IPsec VPN client on a Debian 10 AWS instance.
Unfortunately, I do not have access to the VPN server as it is configured by another party, so all I know is that they told me it is configured for my my-aws-public-ip.
I am using strongSwan (Linux strongSwan U5.7.2/K4.19.0-16-cloud-amd64).
Here is my conf file:
config setup
    uniqueids=no
    charondebug="all"

conn vpn
    type=tunnel
    keyexchange=ikev2
    aggressive=no
    authby=secret
    auto=add
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    ikelifetime=28800s
    left=my-aws-internal-ip
    leftid=my-aws-public-ip
    leftsubnet=192.168.140.120/29
    leftsourceip=192.168.140.121
    right=another-party-peer-ip
    rightsubnet=another-party-tunnel-network/mask
    dpddelay=300s
    dpdtimeout=120s
    dpdaction=restart
    rekey=yes
    reauth=yes
    keylife=3600s
    closeaction=restart
    # 'encap' is a swanctl.conf keyword, not an ipsec.conf one;
    # in ipsec.conf UDP encapsulation is forced with forceencaps
    forceencaps=yes
    installpolicy=yes
When I run sudo systemctl restart strongswan, I get an active service. However, it seems I am not part of the VPN as I cannot ping any of the another-party-tunnel-network IP addresses.
Using an elastic IP on AWS, I presume I am behind a NAT. Is that a problem for transferring packets through the IPsec tunnel?
Do you see something wrong with my conf file?
Last but not least, when I was told by the other party that they have configured the VPN for my-aws-public-ip, I received a file with information about the network, like the IKE version, authentication mode, pre-shared key, etc. I have inserted the pre-shared key in /etc/ipsec.secrets using the following syntax: `: PSK "my-preshared-key"`
Additionally, in the file with network information, it is said that they have configured VPN Tunnel Access List Information for the network 192.168.140.120/29, and firewall security rules for 192.168.140.121, hence I added leftsubnet and leftsourceip in the config file. This is not my AWS subnet. Is that an issue? I have added an interface with sudo ip address add 192.168.140.121/29 dev ens5, and I see it with ip a.
Any help will be greatly appreciated.
Thanks
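The questions above (is the tunnel actually up, and is NAT traversal in play?) can be answered from `ipsec statusall` rather than by pinging. The script below is an added example, not part of the original post and not strongSwan's own tooling: it parses that output for a named conn and reports whether an IKE_SA is ESTABLISHED, whether a CHILD_SA is INSTALLED, and whether ESP is running inside UDP (which is what strongSwan does when NAT is detected or forceencaps is set). It assumes the conn name `vpn` from the post and the line layout of strongSwan 5.x `ipsec statusall`; the two status dumps embedded here are constructed samples with documentation addresses, not output captured from the poster's host.

```shell
#!/bin/sh
# Added example: tunnel health check driven by `ipsec statusall` output.
# Usage on a real host:  check_tunnel vpn "$(ipsec statusall)"

# Constructed sample: what statusall looks like when the tunnel is up and
# ESP is UDP-encapsulated (NAT traversal in use). Addresses are RFC 5737 examples.
SAMPLE_UP='Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-16-cloud-amd64, x86_64):
  uptime: 2 minutes, since Jan 01 00:00:00 2021
Listening IP addresses:
  10.0.1.5
Connections:
         vpn:  10.0.1.5...203.0.113.10  IKEv2, dpddelay=300s
         vpn:   local:  [198.51.100.7] uses pre-shared key authentication
         vpn:   remote: [203.0.113.10] uses pre-shared key authentication
         vpn:   child:  192.168.140.120/29 === 10.10.0.0/16 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
         vpn[1]: ESTABLISHED 2 minutes ago, 10.0.1.5[198.51.100.7]...203.0.113.10[203.0.113.10]
         vpn[1]: IKEv2 SPIs: 1111111111111111_i* 2222222222222222_r, pre-shared key reauthentication in 7 hours
         vpn[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
         vpn{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1234567_i c7654321_o
         vpn{1}:   192.168.140.120/29 === 10.10.0.0/16'

# Constructed sample: conn loaded (auto=add) but never brought up, so no SAs.
SAMPLE_DOWN='Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-16-cloud-amd64, x86_64):
  uptime: 2 minutes, since Jan 01 00:00:00 2021
Connections:
         vpn:  10.0.1.5...203.0.113.10  IKEv2, dpddelay=300s
         vpn:   child:  192.168.140.120/29 === 10.10.0.0/16 TUNNEL, dpdaction=restart
Security Associations (0 up, 0 connecting):
  none'

# ike_state CONN STATUS -> prints "established" or "not-established"
ike_state() {
    if printf '%s\n' "$2" | grep -Eq "^ *$1\[[0-9]+\]: ESTABLISHED"; then
        echo established
    else
        echo not-established
    fi
}

# child_state CONN STATUS -> prints "installed" or "not-installed"
child_state() {
    if printf '%s\n' "$2" | grep -Eq "^ *$1\{[0-9]+\}: +INSTALLED"; then
        echo installed
    else
        echo not-installed
    fi
}

# nat_t CONN STATUS -> prints "udp-encap" when the CHILD_SA carries ESP in UDP
# (NAT-T negotiated or forceencaps=yes), "plain-esp" otherwise
nat_t() {
    if printf '%s\n' "$2" | grep -Eq "^ *$1\{[0-9]+\}: +INSTALLED.*ESP in UDP"; then
        echo udp-encap
    else
        echo plain-esp
    fi
}

# check_tunnel CONN STATUS -> prints a summary; exit 0 only when both SAs are up.
# A CHILD_SA that is not INSTALLED means no xfrm policy exists for leftsubnet,
# so pings to the remote network never enter the tunnel.
check_tunnel() {
    ike=$(ike_state "$1" "$2")
    child=$(child_state "$1" "$2")
    encap=$(nat_t "$1" "$2")
    echo "conn=$1 ike_sa=$ike child_sa=$child esp=$encap"
    [ "$ike" = established ] && [ "$child" = installed ]
}

# Stand-alone demonstration against the constructed samples.
check_tunnel vpn "$SAMPLE_UP"
check_tunnel vpn "$SAMPLE_DOWN" || echo "tunnel is down: check 'ipsec up vpn' and charon logs"
```

With `auto=add` the conn is only loaded, not initiated, so a freshly restarted service shows exactly the `SAMPLE_DOWN` shape until `ipsec up vpn` (or `auto=start`) is used; the script makes that distinction visible without touching the peer.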