Generally, running strongSwan on a cloud platform is relatively painless,
because only the hardware is virtualized. The kernel- and userspace is untouched.
General Warnings And Problems¶
Generally, in a cloud environment, the underlying network checks the source IP address
of the sent IP packets. You need to be able to deactivate this check in order
to use strongSwan as a VPN gateway, either in a roadwarrior or a site-to-site scenario, except
if you masquerade the source address of all packets that are transmitted over the network.
It is advisable to avoid NAT though at any cost, because it prevents you from
adressing remote endpoints.
This only applies to the outermost IP packet though, so it does not pertain
the inner IP packet of any tunneling protocol.
As an alternative, the packets from and to the VPN gateway can be transported to
the hosts on the local network using other means than directly on top of Ethernet,
like by using IPsec in tunnel mode, GRE, IPinIP or other protocols.
Container virtualized environments often do not offer a working IPsec stack to
software in the container. Therefore, kernel-libipsec has to be used instead.
To use kernel-libipsec, tun devices have to be available. Keep in mind that using
kernel-libipsec has drawbacks and is generally discouraged. Change to a hardware
virtualized virtual machine, if possible.
OpenVZ uses container virtualization.
Virtuozzo can also be a container. With Virtuozzo, it depends on the VM type.
If charon complains about not being able to find a usable IPsec stack, then it's very likely container virtualized.
strongSwan in a docker container works with kernel a kernel IPsec, if the host operating system has a working IPsec
stack and if the docker container, as well as strongSwan have the necessary privileges to access it (
You do not have to enable host networking.
- Generally Linux namespaces
On AWS, the source check of a machine can be disabled in the EC2 management menu.
Disabling it is required if the host running strongSwan is supposed to make the whole Internet available to the hosts in the VPC. Otherwise, add the routes to the remote network in the VPC's route settings.
This is not required if you protect the traffic between the other hosts and the "central gateway" in the VPC (not the AWS provided Internet Gateway) using IPsed in tunnel mode.
Generally, the source check only has to be disabled if the routing table of the VPC disagrees with the direction the traffic goes into and comes from (the return path check fails). That is the same mechanism as the rp_filter on Linux.
Google Cloud Engine¶
No specialties about GCE are known at this point.
On DigitalOcean, the source check can not be disabled.