strongSwan IPsec server with AWS EC2 VPC VPN client

I'm trying to create a VPN tunnel between 2 AWS regions. The way I'm trying to do this is by setting up an IPsec server in Linux with strongSwan in one region, and then a VPC VPN in the other region.
The problem is I can't come up with a configuration that works right.

AWS provides the following info for setting up the IPsec VPN:

#1: Internet Key Exchange Configuration

Configure the IKE SA as follows
  - Authentication Method    : Pre-Shared Key 
  - Pre-Shared Key           : ***********************
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

#2: IPSec Configuration

Configure the IPSec SA as follows:
  - Protocol                 : esp
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Mode                     : tunnel
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
recommend configuring DPD on your endpoint as follows:
  - DPD Interval             : 10
  - DPD Retries              : 3

IPSec ESP (Encapsulating Security Payload) inserts additional
headers to transmit packets. These headers require additional space, 
which reduces the amount of space available to transmit application data.
To limit the impact of this behavior, we recommend the following 
configuration on your Customer Gateway:
  - TCP MSS Adjustment       : 1387 bytes
  - Clear Don't Fragment Bit : enabled
  - Fragmentation            : Before encryption

#3: Tunnel Interface Configuration

Your Customer Gateway must be configured with a tunnel interface that is
associated with the IPSec tunnel. All traffic transmitted to the tunnel
interface is encrypted and transmitted to the Virtual Private Gateway.

The Customer Gateway and Virtual Private Gateway each have two addresses that relate
to this IPSec tunnel. Each contains an outside address, upon which encrypted
traffic is exchanged. Each also contains an inside address associated with
the tunnel interface.

The Customer Gateway outside IP address was provided when the Customer Gateway
was created. Changing the IP address requires the creation of a new
Customer Gateway.

The Customer Gateway inside IP address should be configured on your tunnel
interface. 

Outside IP Addresses:
  - Customer Gateway                : 54.241.138.199 
  - Virtual Private Gateway         : 87.238.85.44

Inside IP Addresses
  - Customer Gateway                : 169.254.254.6/30
  - Virtual Private Gateway         : 169.254.254.5/30

Configure your tunnel to fragment at the optimal size:
  - Tunnel interface MTU     : 1436 bytes

#4: Static Routing Configuration:

To route traffic between your internal network and your VPC, 
you will need a static route added to your router.

Static Route Configuration Options:

  - Next hop       : 169.254.254.5

You should add static routes towards your internal network on the VGW.
The VGW will then send traffic towards your internal network over 
the tunnels.  

The private subnet on the local strongSwan side is 10.2.0.0/16.
The private subnet on the remote VPN side is 10.4.0.0/16.

With this I tried using a configuration as follows:

conn eu-west-1-1
        left=10.2.0.40
        leftsubnet=0.0.0.0/0
        right=87.238.85.40
        rightsubnet=10.4.0.0/16
        auto=add
        type=tunnel
        keyexchange=ikev1
        authby=secret
        ikelifetime=28800s
        keylife=28800s
        ike=aes128
        esp=aes128

However this results in the following error:

pluto[1763]: "eu-west-1-1" #12: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===10.2.0.40[10.2.0.40]...87.238.85.40[87.238.85.40]===0.0.0.0/0

Following one idea I found on the strongSwan mailing list, I tried putting 0.0.0.0/0 for the leftsubnet and rightsubnet, and this does cause the tunnel to come up (as reported by the AWS web GUI), but I lose all connectivity to the server (I'm guessing it's creating a route to 0.0.0.0/0 that blackholes all traffic).

Can anyone provide any hints on how to adjust the config to get this working?

Yes, I know I can just use strongSwan, OpenVPN, or other software VPNs on both ends, but by using AWS's VPN functionality, I only have to worry about maintaining one end of the VPN instead of both.


I know it's been a while since you posted this, but I have done what you describe, here is a sample connection block using your values:

conn vpc1
        type=tunnel
        compress=no
        keyexchange=ikev1
        ike=aes128-sha1-modp1024!
        auth=esp
        authby=psk
        left=54.241.138.199
        leftid=54.241.138.199
        leftsubnet=169.254.254.6/32,10.2.0.0/16
        rightsubnet=169.254.254.5/32,10.4.0.0/16
        right=87.238.85.44
        rightid=87.238.85.44
        esp=aes128-sha1-modp1024!
        auto=route

Then you can do ipsec up vpc1 ; ipsec route vpc1.

Left is your local side, right is the Amazon VPC VPN side. Hopefully I've gotten the IPs right.

The problem is that ipsec has to create the correct ip xfrm policy in the kernel; without the proper settings it will not know how to do the tunnel. That, and the encryption settings have to be perfect.

It took me many attempts and finally working with strongswan devs to figure this one out. Caveats: This connection is not doing DPD properly, and sometimes drops. It also doesn't start+route when service ipsec start is called.

Good luck!
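Pulling the question's AWS parameter sheet and the answer's conn block together, here is an added shell example (not code from either poster) that renders the conn block, the matching ipsec.secrets line and the AWS-recommended TCP MSS clamp from the sheet's values, and then checks an `ip xfrm policy` dump for the four outbound policies strongSwan installs for the 2x2 subnet pairs (the kernel policy the answer says has to be right). The PSK is a placeholder, the DPD settings (dpddelay/dpdtimeout/dpdaction) are my mapping of the sheet's 10 s interval and 3 retries, and SAMPLE_XFRM is a constructed dump in the layout `ip xfrm policy` uses, not captured output.

```shell
#!/bin/sh
# Added example, not code from the question or the answer: render the
# strongSwan config from the AWS sheet values and check an `ip xfrm policy`
# dump for the outbound policies that must exist for the tunnel to carry traffic.
# The PSK is a placeholder; the DPD mapping (10 s x 3 retries = 30 s) is assumed.

CGW_OUTSIDE=54.241.138.199      # Customer Gateway outside address (from the sheet)
VGW_OUTSIDE=87.238.85.44        # Virtual Private Gateway outside address
CGW_INSIDE=169.254.254.6        # tunnel interface addresses (the /30 link in the sheet)
VGW_INSIDE=169.254.254.5
LOCAL_NET=10.2.0.0/16           # strongSwan side
REMOTE_NET=10.4.0.0/16          # VPC side
PSK_PLACEHOLDER='REPLACE_WITH_PSK_FROM_AWS_CONSOLE'

# ipsec.conf conn block. Algorithms follow the sheet: AES-128-CBC, SHA-1 and
# DH group 2 (modp1024) in both phases; the trailing '!' makes strongSwan
# propose exactly that. Lifetimes are the sheet's 28800 s (IKE) and 3600 s (IPsec).
render_conn() {
    cat <<EOF
conn $1
        type=tunnel
        keyexchange=ikev1
        authby=psk
        ike=aes128-sha1-modp1024!
        esp=aes128-sha1-modp1024!
        ikelifetime=28800s
        keylife=3600s
        left=$CGW_OUTSIDE
        leftid=$CGW_OUTSIDE
        leftsubnet=$CGW_INSIDE/32,$LOCAL_NET
        right=$VGW_OUTSIDE
        rightid=$VGW_OUTSIDE
        rightsubnet=$VGW_INSIDE/32,$REMOTE_NET
        dpddelay=10s
        dpdtimeout=30s
        dpdaction=restart
        auto=route
EOF
}

# ipsec.secrets line pairing the two outside addresses with the PSK.
render_secrets() {
    printf '%s %s : PSK "%s"\n' "$CGW_OUTSIDE" "$VGW_OUTSIDE" "$PSK_PLACEHOLDER"
}

# TCP MSS clamp for traffic forwarded into the tunnel, per the sheet's 1387 bytes.
render_mss_rule() {
    printf 'iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -d %s -j TCPMSS --set-mss 1387\n' "$REMOTE_NET"
}

# Read an `ip xfrm policy` dump on stdin and report every expected outbound
# src/dst pair (2 left x 2 right subnets = 4 policies) that is absent.
# Assumes selectors are printed with their prefix length, as in SAMPLE_XFRM.
check_out_policies() {
    dump=$(cat)
    rc=0
    for src in "$CGW_INSIDE/32" "$LOCAL_NET"; do
        for dst in "$VGW_INSIDE/32" "$REMOTE_NET"; do
            # the selector line is followed by the "dir out ..." line
            if ! printf '%s\n' "$dump" | grep -A1 "^src $src dst $dst" | grep -q 'dir out'; then
                echo "missing outbound policy $src -> $dst"
                rc=1
            fi
        done
    done
    return $rc
}

# Constructed sample dump (not real output) in the layout `ip xfrm policy` uses.
SAMPLE_XFRM='src 10.2.0.0/16 dst 10.4.0.0/16
    dir out priority 2819 ptype main
    tmpl src 54.241.138.199 dst 87.238.85.44
        proto esp reqid 1 mode tunnel
src 10.2.0.0/16 dst 169.254.254.5/32
    dir out priority 3731 ptype main
    tmpl src 54.241.138.199 dst 87.238.85.44
        proto esp reqid 2 mode tunnel
src 169.254.254.6/32 dst 10.4.0.0/16
    dir out priority 3731 ptype main
    tmpl src 54.241.138.199 dst 87.238.85.44
        proto esp reqid 3 mode tunnel
src 169.254.254.6/32 dst 169.254.254.5/32
    dir out priority 4643 ptype main
    tmpl src 54.241.138.199 dst 87.238.85.44
        proto esp reqid 4 mode tunnel
src 10.4.0.0/16 dst 10.2.0.0/16
    dir in priority 2819 ptype main
    tmpl src 87.238.85.44 dst 54.241.138.199
        proto esp reqid 1 mode tunnel'

# Example run: print the generated config and check the sample dump.
render_conn vpc1
render_secrets
render_mss_rule
printf '%s\n' "$SAMPLE_XFRM" | check_out_policies && echo "all outbound policies present"
```

Everything is written to stdout, so redirect render_conn into /etc/ipsec.conf and render_secrets into /etc/ipsec.secrets yourself; after `ipsec up vpc1` and `ipsec route vpc1`, pipe the real `ip xfrm policy` output through check_out_policies and compare with `ipsec statusall` to see which of the four subnet pairs negotiated.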