[184864] in North American Network Operators' Group
Re: VPS in DC/VA on L3?
Date: Fri, 23 Oct 2015 12:03:14 -0400 (EDT)
From: Jay Ashworth <jra@baylink.com>
To: NANOG <nanog@nanog.org>
----- Original Message -----
> From: "Christopher Morrow" <morrowc.lists@gmail.com>
> On Fri, Oct 23, 2015 at 11:02 AM, Jay Ashworth <jra@baylink.com>
> wrote:
> > We need to do host-mode IPSEC out of AWS to a company in the DC/VA area that
> > is on L3; AWS apparently will only do network mode IPSEC, and they won't take
> > that, so we'll need to hop.
>
> 'will only do network mode' ... because the VM you run in AWS can't
> do IPsec to your PIX?
Pick your problem:

AWS's productized IPSEC VPC gateway won't do host mode, or so I am told, and

our customer won't do network mode, and

our customer also won't accept IPSEC traffic that's been NATted, so we can't do
it from an AWS host because EIPs are NATted; there is, TTBOMK, *no* way to get a
non-NATted IP on an EC2/VPC host.
Cheers,
-- jra
--
Jay R. Ashworth Baylink jra@baylink.com
Designer The Things I Think RFC 2100
Ashworth & Associates http://www.bcp38.info 2000 Land Rover DII
St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274