Notes about IPSec.D and AWS
It’s been a while since I wrote. My boss quit and I’ve been on my own. I have found this to be something that happens to me a lot: the person who hires me quits after a couple of months, and now I am the one holding the team together(?). What is funny is that the team is just me.
A couple of months ago, probably four, I wrote about IPSec.d and MTU clamping and the problem I had with MTU negotiation between multiple AWS Regions. Don’t want to scroll? HERE.
First, my opinion on this is that AWS should really support region-to-region VPNs within their product. The fact that you have to do this yourself, either by (a) building it on your own instances or (b) using the AWS Marketplace, is stupid. Really stupid. I hate it. It is such an oversight on their part.
Second, the documentation on how to set up IPSec.D is pretty straightforward, but it only covers the application (Openswan, strongSwan) and how to bring up the VPN tunnel. There are some things that do not exist in that documentation that I would like to point out.
Now, I am learning all of this with no guidance, so some of you readers will go “duh”. I mean, I said “duh” too, after I banged my head against a brick wall, but it is something I overlooked.
The first and most important thing is to use DNS names for your tunnel endpoints. This will make swapping out VPN nodes down the road easier.
Routes do NOT get automagically populated. This is something I could not figure out because I took AWS for granted. Routes need to be managed in the VPC route tables and pointed at the VPN node.
TL;DR - VPC routes for the remote region’s prefixes need to be assigned to the VPN node that is establishing the connection.
Add the remote IP ranges to the Routes (in the Route Tables); the Target should be the NIC (network interface) assigned to the VPN node.
Check that the routes got populated for the other nodes in the same region, i.e. that their route table carries the remote prefixes via that NIC.
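That last check is the one I kept skipping, so here is a small audit script, added as an example and not part of the original post or of any AWS tooling. It assumes the route table JSON has the shape that `aws ec2 describe-route-tables` returns, with every ID (`rtb-EXAMPLE`, `eni-VPNNODE`, and so on) being a constructed placeholder, and it classifies each remote-region prefix as routed correctly, missing, pointed at the wrong interface, or blackholed (the state you get after terminating the old VPN node).

```python
# Added example: audit a VPC route table for the remote-region prefixes that
# must point at the VPN node's network interface. Sample JSON constructed in the
# shape of `aws ec2 describe-route-tables` output; all IDs are placeholders.
import json

SAMPLE_ROUTE_TABLE = json.loads("""
{"RouteTableId": "rtb-EXAMPLE",
 "Routes": [
   {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
   {"DestinationCidrBlock": "10.1.0.0/16", "NetworkInterfaceId": "eni-VPNNODE", "State": "active"},
   {"DestinationCidrBlock": "10.2.0.0/16", "NetworkInterfaceId": "eni-OTHER", "State": "active"},
   {"DestinationCidrBlock": "10.4.0.0/16", "NetworkInterfaceId": "eni-OLDVPN", "State": "blackhole"}
 ]}
""")

def audit_vpn_routes(route_table, remote_cidrs, vpn_eni):
    """Classify each remote CIDR as 'ok', 'missing', 'wrong-target' or 'blackhole'."""
    by_dest = {r.get("DestinationCidrBlock"): r for r in route_table["Routes"]}
    audit = {}
    for cidr in remote_cidrs:
        route = by_dest.get(cidr)
        if route is None:
            audit[cidr] = "missing"            # nothing sends this prefix anywhere
        elif route.get("State") != "active":
            audit[cidr] = "blackhole"          # target ENI is gone, e.g. old VPN node terminated
        elif route.get("NetworkInterfaceId") != vpn_eni:
            audit[cidr] = "wrong-target"       # route exists but does not go via the VPN node
        else:
            audit[cidr] = "ok"
    return audit

def fix_commands(audit, route_table_id, vpn_eni):
    """Build the AWS CLI commands that would repair each non-ok entry."""
    cmds = []
    for cidr, status in sorted(audit.items()):
        if status == "ok":
            continue
        verb = "create-route" if status == "missing" else "replace-route"
        cmds.append(f"aws ec2 {verb} --route-table-id {route_table_id} "
                    f"--destination-cidr-block {cidr} --network-interface-id {vpn_eni}")
    return cmds

if __name__ == "__main__":
    remote = ["10.1.0.0/16", "10.2.0.0/16", "10.3.0.0/16", "10.4.0.0/16"]
    report = audit_vpn_routes(SAMPLE_ROUTE_TABLE, remote, "eni-VPNNODE")
    for cidr, status in report.items():
        print(f"{cidr:15} {status}")
    for cmd in fix_commands(report, SAMPLE_ROUTE_TABLE["RouteTableId"], "eni-VPNNODE"):
        print(cmd)
```

Run it against the real output of `describe-route-tables` for each route table in the region, and the printed commands are exactly the route changes the VPC still needs.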
Look - you are probably reading this going DUH. I got so comfortable with AWS magically handling everything that this was a dumb venture for me.
I am bringing awareness to dumbness.
UNTIL NEXT TIME!