It creates the VTI interface for each tunnel, sets the sysctls a route-based IPsec setup needs (forwarding, loose rp_filter, XFRM policy checks off on the VTI and the physical interface), adds the static routes into the tunnel, and installs two iptables rules: an MSS clamp on traffic forwarded into the tunnel and a MARK rule on inbound ESP from the peer so it lands on the matching VTI. Here is mine in its entirety.
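#!/bin/bash
#
# aws-updown.sh - strongSwan leftupdown script for a route-based (VTI)
# tunnel, e.g. to an AWS VPN endpoint.
#
# charon invokes this script with PLUTO_VERB set to up-client / down-client
# and exports PLUTO_ME / PLUTO_PEER / PLUTO_INTERFACE for the SA that just
# came up or went down.  Everything else is passed on the "leftupdown="
# line in ipsec.conf:
#
#   -ln|--link-name    NAME   name of the vti interface to create
#   -ll|--link-local   CIDR   inside (link-local) address on our side
#   -lr|--link-remote  CIDR   inside (link-local) address on the peer side
#   -m |--mark         N      fwmark / vti key; must equal "mark=" in ipsec.conf
#   -r |--static-route CIDRs  comma-separated prefixes routed into the tunnel
#
# Needs root (ip / iptables / sysctl).  charon runs it with its own PATH, so
# /sbin and /usr/sbin must be reachable from there.
#
# Invoked with no PLUTO_VERB (e.g. by hand) the script parses its arguments
# and does nothing else.

TUNNEL_NAME=""
TUNNEL_PHY_INTERFACE=""
TUNNEL_LOCAL_ADDRESS=""
TUNNEL_LOCAL_ENDPOINT=""
TUNNEL_REMOTE_ADDRESS=""
TUNNEL_REMOTE_ENDPOINT=""
TUNNEL_MARK=""
TUNNEL_STATIC_ROUTE=""

#######################################
# Parse the leftupdown= options into the TUNNEL_* globals.
# The outer endpoints and the physical interface are snapshotted from
# charon's PLUTO_* environment when the matching option is seen.
# Unknown words are reported on stderr and skipped.
# Arguments: the script's "$@"
#######################################
parse_args() {
  while (( $# > 1 )); do
    case "$1" in
      -ln|--link-name)
        TUNNEL_NAME="$2"
        TUNNEL_PHY_INTERFACE="${PLUTO_INTERFACE:-}"
        shift
        ;;
      -ll|--link-local)
        TUNNEL_LOCAL_ADDRESS="$2"
        TUNNEL_LOCAL_ENDPOINT="${PLUTO_ME:-}"
        shift
        ;;
      -lr|--link-remote)
        TUNNEL_REMOTE_ADDRESS="$2"
        TUNNEL_REMOTE_ENDPOINT="${PLUTO_PEER:-}"
        shift
        ;;
      -m|--mark)
        TUNNEL_MARK="$2"
        shift
        ;;
      -r|--static-route)
        TUNNEL_STATIC_ROUTE="$2"
        shift
        ;;
      *)
        printf '%s: Unknown argument "%s"\n' "$0" "$1" >&2
        ;;
    esac
    shift
  done
}

#######################################
# True if $1 resolves to a runnable command.  Output is suppressed; the
# original "type ... >&2 2>&2" leaked the lookup result to stderr.
#######################################
command_exists() {
  command -v "$1" >/dev/null 2>&1
}

#######################################
# Verify the external tools this script shells out to are reachable.
# Returns non-zero after reporting every missing tool on stderr.
#######################################
require_tools() {
  local tool missing=0
  for tool in ip iptables sysctl; do
    if ! command_exists "$tool"; then
      printf 'ERROR: %s command is required to execute the script, check if you are running as root, mostly to do with path, /sbin/\n' "$tool" >&2
      missing=1
    fi
  done
  return "$missing"
}

#######################################
# Reject argument sets that would turn into malformed or surprising
# ip / iptables / sysctl commands instead of half-installing a tunnel.
#   - the interface name is limited to 15 chars of [A-Za-z0-9_-]; a '.' in
#     the name would also split the net.ipv4.conf.<name>.* sysctl keys
#   - the mark must be a decimal or 0x-hex number (used as vti key,
#     iptables --set-xmark value and route metric)
#   - both outer endpoints must be known, otherwise the ESP MARK rule
#     would match far more than this peer
# Returns non-zero with all problems reported on stderr.
#######################################
validate_config() {
  local bad=0
  if [[ ! "$TUNNEL_NAME" =~ ^[A-Za-z0-9_-]{1,15}$ ]]; then
    printf 'ERROR: --link-name "%s" must be 1-15 chars of [A-Za-z0-9_-]\n' "$TUNNEL_NAME" >&2
    bad=1
  fi
  if [[ ! "$TUNNEL_MARK" =~ ^(0x[0-9a-fA-F]+|[0-9]+)$ ]]; then
    printf 'ERROR: --mark "%s" must be a decimal or 0x-hex number\n' "$TUNNEL_MARK" >&2
    bad=1
  fi
  if [[ -z "$TUNNEL_LOCAL_ENDPOINT" || -z "$TUNNEL_REMOTE_ENDPOINT" ]]; then
    printf 'ERROR: outer endpoints unknown (PLUTO_ME/PLUTO_PEER not set or -ll/-lr missing)\n' >&2
    bad=1
  fi
  return "$bad"
}

#######################################
# Create the vti interface keyed to the tunnel mark, assign the inside
# addresses and bring it up.  Creation is skipped if the link already
# exists (e.g. left over after a charon restart) so the rest of the setup
# still runs; individual failures are reported on stderr.
#######################################
create_interface() {
  if ! ip link show "$TUNNEL_NAME" >/dev/null 2>&1; then
    ip link add "$TUNNEL_NAME" type vti \
      local "$TUNNEL_LOCAL_ENDPOINT" remote "$TUNNEL_REMOTE_ENDPOINT" \
      key "$TUNNEL_MARK" \
      || printf 'WARNING: could not create %s\n' "$TUNNEL_NAME" >&2
  fi
  ip addr add "$TUNNEL_LOCAL_ADDRESS" remote "$TUNNEL_REMOTE_ADDRESS" dev "$TUNNEL_NAME" \
    || printf 'WARNING: could not assign %s to %s\n' "$TUNNEL_LOCAL_ADDRESS" "$TUNNEL_NAME" >&2
  # MTU leaves room for the ESP/UDP overhead of the outer packet.
  ip link set "$TUNNEL_NAME" up mtu 1419 \
    || printf 'WARNING: could not bring up %s\n' "$TUNNEL_NAME" >&2
}

#######################################
# Kernel knobs for route-based IPsec.  disable_policy / disable_xfrm switch
# the XFRM policy check off on the vti and on the physical interface: that
# is what lets traffic be steered by routes instead of the SPD, but it also
# means the routes, the vti key and the MARK rule below are the only things
# deciding what enters and leaves the tunnel.  rp_filter=2 (loose) is
# needed because replies arrive on the vti, not the interface the source
# would normally be reached through.
#######################################
configure_sysctl() {
  sysctl -w net.ipv4.ip_forward=1
  sysctl -w "net.ipv4.conf.${TUNNEL_NAME}.rp_filter=2"
  sysctl -w "net.ipv4.conf.${TUNNEL_NAME}.disable_policy=1"
  sysctl -w "net.ipv4.conf.${TUNNEL_PHY_INTERFACE}.disable_xfrm=1"
  sysctl -w "net.ipv4.conf.${TUNNEL_PHY_INTERFACE}.disable_policy=1"
}

#######################################
# Split the comma-separated --static-route value into the array named by
# $1 (a nameref).  An empty value yields an empty array.
#######################################
static_routes() {
  local -n _out=$1
  IFS=',' read -ra _out <<< "$TUNNEL_STATIC_ROUTE"
}

#######################################
# Route the static prefixes into the vti (metric = mark, so the two AWS
# tunnels get distinct metrics), clamp MSS on traffic forwarded into the
# tunnel, and mark inbound ESP from this peer with the tunnel mark so the
# SA configured with the same mark= in ipsec.conf is the one that decrypts
# into this vti.  Finally drop the routes charon installed in its own
# table 220 for the 0.0.0.0/0 traffic selectors, so only the static routes
# above steer traffic (setting charon.install_routes = no is presumably
# the cleaner way to get the same effect - verify before relying on it).
#######################################
add_route() {
  local prefix routes=()
  static_routes routes
  for prefix in "${routes[@]}"; do
    ip route add "$prefix" dev "$TUNNEL_NAME" metric "$TUNNEL_MARK" \
      || printf 'WARNING: could not add route %s via %s\n' "$prefix" "$TUNNEL_NAME" >&2
  done
  iptables -t mangle -A FORWARD -o "$TUNNEL_NAME" -p tcp --tcp-flags SYN,RST SYN \
    -j TCPMSS --clamp-mss-to-pmtu
  iptables -t mangle -A INPUT -p esp -s "$TUNNEL_REMOTE_ENDPOINT" -d "$TUNNEL_LOCAL_ENDPOINT" \
    -j MARK --set-xmark "$TUNNEL_MARK"
  ip route flush table 220
}

#######################################
# Undo add_route: remove the static routes and the two mangle rules, then
# flush the route cache.  Best effort - a missing route or rule is not an
# error during teardown.
#######################################
cleanup() {
  local prefix routes=()
  static_routes routes
  for prefix in "${routes[@]}"; do
    ip route del "$prefix" dev "$TUNNEL_NAME" metric "$TUNNEL_MARK"
  done
  iptables -t mangle -D FORWARD -o "$TUNNEL_NAME" -p tcp --tcp-flags SYN,RST SYN \
    -j TCPMSS --clamp-mss-to-pmtu
  iptables -t mangle -D INPUT -p esp -s "$TUNNEL_REMOTE_ENDPOINT" -d "$TUNNEL_LOCAL_ENDPOINT" \
    -j MARK --set-xmark "$TUNNEL_MARK"
  ip route flush cache
}

#######################################
# Bring the vti down and delete it.
#######################################
delete_interface() {
  ip link set "$TUNNEL_NAME" down
  ip link del "$TUNNEL_NAME"
}

#######################################
# Entry point.  Only up-client / down-client do anything; the tool and
# argument checks are fatal (exit 1) there rather than letting every
# following command fail individually as the original did.
#######################################
main() {
  parse_args "$@"
  case "${PLUTO_VERB:-}" in
    up-client)
      require_tools && validate_config || exit 1
      create_interface
      configure_sysctl
      add_route
      ;;
    down-client)
      require_tools && validate_config || exit 1
      cleanup
      delete_interface
      ;;
  esac
}

main "$@"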
________________________________ From: Users <users-boun...@lists.strongswan.org> on behalf of Dominik <dr896...@gmail.com> Sent: Thursday, September 17, 2020 9:32 AM To: users@lists.strongswan.org <users@lists.strongswan.org> Subject: Re: [strongSwan] Connection to AWS-VPC Thanks Doug, what does the aws-updown.sh do? Kind regards Dominik On 16.09.20 17:28, Doug Tucker wrote: ipsec.conf: # ipsec.conf - strongSwan IPsec configuration file # Site network admin: # basic configuration config setup # strictcrlpolicy=yes uniqueids = no # charondebug = "ike 2,chd 3, enc 2" # Add connections here. ############################################################ ## Common configuration ############################################################ conn Tunnel1 auto=start left=%defaultroute leftid=1.1.1.1 right=2.2.2.2 type=tunnel leftauth=psk rightauth=psk keyexchange=ikev1 ike=aes256-sha1-modp1024 ikelifetime=8h esp=aes256-sha1-modp1024 lifetime=1h keyingtries=%forever leftsubnet=0.0.0.0/0 rightsubnet=0.0.0.0/0 dpddelay=10s dpdtimeout=30s dpdaction=restart mark=100 leftupdown="/usr/local/etc/aws-updown.sh -ln Tunnel1 -ll 169.254.x.x/30 -lr 169.254.x.x/30 -m 100 -r 10.x.x.0/20" conn Tunnel2 auto=start left=%defaultroute leftid=1.1.1.1 right=2.2.2.2 type=tunnel leftauth=psk rightauth=psk keyexchange=ikev1 ike=aes128-sha1-modp1024 ikelifetime=8h esp=aes128-sha1-modp1024 lifetime=1h keyingtries=%forever leftsubnet=0.0.0.0/0 rightsubnet=0.0.0.0/0 dpddelay=10s dpdtimeout=30s dpdaction=restart mark=200 leftupdown="/usr/local/etc/aws-updown.sh -ln Tunnel2 -ll 169.254.x.x/30 -lr 169.254.x.x/30 -m 200 -r 10.x.x.0/20" Let me know if there is more you would like to see. Doug Tucker Sr. 
Director of Networking & Linux Operations o: 817.975.5832 | m: 817.975.5832 e: doug.tuc...@navigaglobal.com [cid:image001.png@01D4FEC7.F32F3010]<https://navigaglobal.com/> [cid:image002.png@01D4FEC7.F32F3010]<https://www.facebook.com/navigaglobal> [cid:image003.png@01D4FEC7.F32F3010] <https://twitter.com/navigaglobal> [cid:image004.png@01D4FEC7.F32F3010] <https://www.linkedin.com/company/navigaglobal/about/> Newscycle Solutions is now Naviga. Learn more.<https://navigaglobal.com/> CONFIDENTIALITY NOTICE: The contents of this email message and any attachments are intended solely for the addressee(s) and may contain confidential and/or privileged information and may be legally protected from disclosure. If you are not the intended recipient of this message or their agent, or if this message has been addressed to you in error, please immediately alert the sender by reply email and then delete this message and any attachments. If you are not the intended recipient, you are hereby notified that any use, dissemination, copying, or storage of this message or its attachments is strictly prohibited. ________________________________ From: Users <users-boun...@lists.strongswan.org><mailto:users-boun...@lists.strongswan.org> on behalf of Dominik Reusser <dr896...@gmail.com><mailto:dr896...@gmail.com> Sent: Tuesday, September 15, 2020 1:19 AM To: users@lists.strongswan.org<mailto:users@lists.strongswan.org> <users@lists.strongswan.org><mailto:users@lists.strongswan.org> Subject: [strongSwan] Connection to AWS-VPC NCS WARNING: External email. Please verify sender before opening attachments or clicking on links. Has anyone successfully connected to AWS VPC? My connection is established and ICMP-Pakets are routed through the AWS cloud. However, UDP and TCP packets - while being sent towards the AWS server (from tcp dump on the client side) - do not appear in the logs of the VPC. With a corresponding setup with OpenSwan I get a working connection. 
However, I would prefer to use strong Swan. If you have successfully connected to AWS VPC, could you please share your configuration files? Thanks Kind regards Dominik