<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><div style="margin: 0px; line-height: normal;" class="">First some background…</div><div style="margin: 0px; line-height: normal; min-height: 14px;" class=""><br class=""></div><div style="margin: 0px; line-height: normal;" class="">Our current installation is using ipsec-tools/racoon running on a CentOS server at Rackspace to establish two VPN tunnels to hardware routers at remote installations. 146.x.x.x is a Cisco 2500 and 2.x.x.x is a Comtrend VG-8050. Both remote locations have several servers in subnets that talk over the VPN (10.2.2.x in one location and 10.2.3.x in the other), but they only need to talk to the local server that is running the VPN, so no local subnet, just one server (184.x.x.x). We’ve been running this successfully for several years.</div><div style="margin: 0px; line-height: normal; min-height: 14px;" class=""><br class=""></div><div style="margin: 0px; line-height: normal;" class="">We are now moving the local installation to AWS and updating lots of infrastructure. The local server is now running Ubuntu 14.04 and StrongSwan 5.5.1. It is behind an elastic IP (52.x.x.x). The remote installations and hardware have not changed, other than adding the new VPNs to the 52.x.x.x server. 
We still don’t need to have a local subnet, but you will see one in the config below - I’ve tried almost everything.</div><div style="margin: 0px; line-height: normal; min-height: 14px;" class=""><br class=""></div><div style="margin: 0px; line-height: normal;" class="">Although I have read just about every tutorial and similar posting I can find about running StrongSwan on an EC2 instance, I still cannot seem to get it to work.</div><div style="margin: 0px; line-height: normal; min-height: 14px;" class=""><br class=""></div><div style="margin: 0px; line-height: normal;" class="">Here are the config files (private info and public IPs edited out):</div><div style="margin: 0px; line-height: normal; min-height: 14px;" class=""><br class=""></div><div style="margin: 0px; line-height: normal;" class=""><span style="text-decoration: underline" class="">strongswan.conf</span></div><div style="margin: 0px; line-height: normal; min-height: 14px;" class=""><br class=""></div><div style="margin: 0px; line-height: normal;" class=""></div><blockquote type="cite" class=""><div style="margin: 0px; line-height: normal;" class="">charon {</div><div style="margin: 0px; line-height: normal;" class=""><span class="Apple-tab-span" style="white-space:pre"> </span>load_modular = yes</div><div style="margin: 0px; line-height: normal;" class=""><span class="Apple-tab-span" style="white-space:pre"> </span>plugins {</div><div style="margin: 0px; line-height: normal;" class=""><span class="Apple-tab-span" style="white-space:pre"> </span>include strongswan.d/charon/*.conf</div><div style="margin: 0px; line-height: normal;" class=""><span class="Apple-tab-span" style="white-space:pre"> </span>}</div><div style="margin: 0px; line-height: normal;" class="">}</div><div style="margin: 0px; line-height: normal; min-height: 14px;" class=""><br class=""></div><div style="margin: 0px; line-height: normal;" class="">include strongswan.d/*.conf</div></blockquote><div style="margin: 0px; line-height: 
normal; min-height: 14px;" class=""><br class=""></div><div style="margin: 0px; line-height: normal;" class=""><span style="text-decoration: underline" class="">ipsec.conf</span></div><div style="margin: 0px; line-height: normal; min-height: 14px;" class=""><br class=""></div><div style="margin: 0px; line-height: normal;" class=""></div><blockquote type="cite" class=""><div style="margin: 0px; line-height: normal;" class="">config setup</div><div style="margin: 0px; line-height: normal;" class=""> strictcrlpolicy=no</div><div style="margin: 0px; line-height: normal;" class=""> charondebug=all</div><div style="margin: 0px; line-height: normal; min-height: 14px;" class=""><br class=""></div><div style="margin: 0px; line-height: normal;" class="">conn %default</div><div style="margin: 0px; line-height: normal;" class=""> ikelifetime=1h</div><div style="margin: 0px; line-height: normal;" class=""> lifetime=1h</div><div style="margin: 0px; line-height: normal;" class=""> authby=psk</div><div style="margin: 0px; line-height: normal;" class=""> auto=start</div><div style="margin: 0px; line-height: normal; min-height: 14px;" class=""><br class=""></div><div style="margin: 0px; line-height: normal;" class="">conn xxxxx</div><div style="margin: 0px; line-height: normal;" class=""> left=172.30.0.9</div><div style="margin: 0px; line-height: normal;" class=""> leftid=52.x.x.x</div><div style="margin: 0px; line-height: normal;" class=""> leftsubnet=172.30.0.0/16</div><div style="margin: 0px; line-height: normal;" class=""> leftauth=psk</div><div style="margin: 0px; line-height: normal;" class=""> right=2.x.x.x</div><div style="margin: 0px; line-height: normal;" class=""> rightsubnet=10.2.2.0/24</div><div style="margin: 0px; line-height: normal;" class=""> rightauth=psk</div><div style="margin: 0px; line-height: normal;" class=""> ike=aes128-sha1-modp1024!</div><div style="margin: 0px; line-height: normal;" class=""> esp=aes128-sha1-modp1024!</div><div style="margin: 0px; 
line-height: normal;" class=""> aggressive=no</div></blockquote><div style="margin: 0px; line-height: normal; min-height: 14px;" class=""><br class=""></div><div style="margin: 0px; line-height: normal;" class="">When I try to run ipsec, I get this:</div><div style="margin: 0px; line-height: normal; min-height: 14px;" class=""><br class=""></div><div style="margin: 0px; line-height: normal;" class=""></div><blockquote type="cite" class=""><div style="margin: 0px; line-height: normal;" class="">Starting strongSwan 5.5.1 IPsec [starter]...</div><div style="margin: 0px; line-height: normal;" class="">00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 3.13.0-74-generic, x86_64)</div><div style="margin: 0px; line-height: normal;" class="">00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'</div><div style="margin: 0px; line-height: normal;" class="">00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'</div><div style="margin: 0px; line-height: normal;" class="">00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'</div><div style="margin: 0px; line-height: normal;" class="">00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'</div><div style="margin: 0px; line-height: normal;" class="">00[CFG] loading crls from '/etc/ipsec.d/crls'</div><div style="margin: 0px; line-height: normal;" class="">00[CFG] loading secrets from '/etc/ipsec.secrets'</div><div style="margin: 0px; line-height: normal;" class="">00[CFG] loaded IKE secret for 2.x.x.x</div><div style="margin: 0px; line-height: normal;" class="">00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic</div><div style="margin: 0px; line-height: normal;" class="">00[JOB] spawning 16 worker threads</div><div style="margin: 0px; line-height: normal;" class="">charon (4321) 
started after 20 ms</div><div style="margin: 0px; line-height: normal;" class="">08[CFG] received stroke: add connection 'xxxxx'</div><div style="margin: 0px; line-height: normal;" class="">08[CFG] added configuration 'xxxxx'</div><div style="margin: 0px; line-height: normal;" class="">11[CFG] received stroke: initiate 'xxxxx'</div><div style="margin: 0px; line-height: normal;" class="">11[IKE] initiating IKE_SA xxxxx[1] to 2.x.x.x</div><div style="margin: 0px; line-height: normal;" class="">11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]</div><div style="margin: 0px; line-height: normal;" class="">11[NET] sending packet: from 172.30.0.9[500] to 2.x.x.x[500] (336 bytes)</div><div style="margin: 0px; line-height: normal;" class="">15[IKE] retransmit 1 of request with message ID 0</div><div style="margin: 0px; line-height: normal;" class="">15[NET] sending packet: from 172.30.0.9[500] to 2.x.x.x[500] (336 bytes)</div><div style="margin: 0px; line-height: normal;" class="">15[IKE] retransmit 2 of request with message ID 0</div><div style="margin: 0px; line-height: normal;" class="">etc…</div></blockquote><div style="margin: 0px; line-height: normal; min-height: 14px;" class=""><br class=""></div><div style="margin: 0px; line-height: normal;" class="">I believe it is not connecting because the remote router is seeing a non-routable IP, that is, the private IP of the local server (172.30.0.9). I was under the impression that the leftid parameter would be sent so the remote router would see the elastic IP. That does not seem to be happening.</div><div style="margin: 0px; line-height: normal; min-height: 14px;" class=""><br class=""></div><div style="margin: 0px; line-height: normal;" class="">Of course, if I put the elastic IP in the left parameter, I get nothing but socket errors since the EC2 instance doesn’t know about it. 
I even put the elastic IP in at localhost in its /etc/hosts file, but no difference.</div><div style="margin: 0px; line-height: normal; min-height: 14px;" class=""><br class=""></div><div style="margin: 0px; line-height: normal;" class="">Other info:</div><div style="margin: 0px; line-height: normal; min-height: 14px;" class=""><br class=""></div><div style="margin: 0px; line-height: normal;" class="">Ports 500 and 4500 are open to the remote routers in the EC2 security group.</div><div style="margin: 0px; line-height: normal;" class="">net.ipv4.ip_forward is set on.</div><div style="margin: 0px; line-height: normal;" class="">iptables is not running.</div><div style="margin: 0px; line-height: normal;" class="">Source/Dest check for this instance is set off in AWS.</div><div style="margin: 0px; line-height: normal; min-height: 14px;" class=""><br class=""></div><div style="margin: 0px; line-height: normal;" class="">Any ideas? ‘Cause I’m almost out!</div><div style="margin: 0px; line-height: normal; min-height: 14px;" class=""><br class=""></div><div style="margin: 0px; line-height: normal;" class="">- Matt</div><div class=""><br class=""></div></body></html>
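The following is an added example, not part of Matt's message or of strongSwan itself. It is a small Python helper that reads an ipsec.conf and a charon log excerpt shaped like the ones in the message and reports what they actually show. Two facts it relies on: `leftid` only sets the identity carried inside IKE (the IDi payload) and has no effect on the source address of the UDP packet, and charon's `generating IKE_SA_INIT request` line means it is initiating IKEv2 (an IKEv1 main-mode initiation is logged as `generating ID_PROT request`), which matters because ipsec-tools/racoon, the previous setup, speaks only IKEv1. The sample config and log are constructed for the example, with TEST-NET placeholder addresses in place of the 52.x.x.x elastic IP and the 2.x.x.x peer; the connection name `site-a` and the function names are the example's own.

```python
"""Added diagnostic helper (example code, not from the original post or strongSwan):
parse an ipsec.conf plus a charon log excerpt and report what the log shows."""
import ipaddress
import re


def parse_ipsec_conf(text):
    """Minimal ipsec.conf parser: returns {conn_name: {key: value}} with the
    settings of 'conn %default' merged into every other conn (as charon does)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header: "conn NAME" / "config setup"
            kind, _, name = line.strip().partition(' ')
            current = name if kind == 'conn' else None
            if current is not None:
                sections.setdefault(current, {})
            continue
        if current is None:                       # inside "config setup"; ignored here
            continue
        key, _, value = line.strip().partition('=')
        sections[current][key.strip()] = value.strip()
    default = sections.pop('%default', {})
    return {name: {**default, **settings} for name, settings in sections.items()}


def check_conn(conn):
    """Return human-readable findings for one parsed conn."""
    findings = []
    left = conn.get('left', '%any')
    leftid = conn.get('leftid')
    try:
        if ipaddress.ip_address(left).is_private and leftid:
            findings.append("left=%s is private; leftid=%s only sets the IKE identity (IDi payload) "
                            "and does not change the packet source address" % (left, leftid))
    except ValueError:                            # left=%any, %defaultroute or a hostname
        pass
    kx = conn.get('keyexchange', 'ike')           # strongSwan 5.x default 'ike' initiates IKEv2
    if kx in ('ike', 'ikev2'):
        findings.append("keyexchange=%s: charon initiates IKEv2; an IKEv1-only peer "
                        "(such as one previously served by racoon) will not answer" % kx)
    for key in ('ike', 'esp'):
        if 'modp1024' in conn.get(key, ''):
            findings.append("%s uses modp1024 (1024-bit DH group 2), weak by current standards" % key)
    if conn.get('aggressive') == 'yes':
        findings.append("aggressive=yes with PSK exposes the PSK hash to offline cracking")
    return findings


IKEV2_INIT = re.compile(r'generating IKE_SA_INIT request')
IKEV1_INIT = re.compile(r'generating (?:ID_PROT|AGGRESSIVE) request')
RETRANSMIT = re.compile(r'retransmit (\d+) of request')
RECEIVED = re.compile(r'\[NET\] received packet')


def diagnose_log(lines):
    """Classify a charon log excerpt: IKE version initiated, packets received
    from the peer, highest retransmit count, and a one-phrase verdict."""
    version, received, retransmits = None, 0, 0
    for line in lines:
        if IKEV2_INIT.search(line):
            version = 'IKEv2'
        elif IKEV1_INIT.search(line):
            version = 'IKEv1'
        if RECEIVED.search(line):
            received += 1
        m = RETRANSMIT.search(line)
        if m:
            retransmits = max(retransmits, int(m.group(1)))
    if received == 0 and retransmits > 0:
        verdict = 'no reply from peer'               # dropped en route, or peer ignores it
    elif received:
        verdict = 'peer replied'
    else:
        verdict = 'inconclusive'
    return {'version': version, 'received': received,
            'retransmits': retransmits, 'verdict': verdict}


# Constructed sample input: placeholder addresses, shaped like the post's config and log.
SAMPLE_CONF = """\
config setup
    strictcrlpolicy=no

conn %default
    ikelifetime=1h
    lifetime=1h
    authby=psk
    auto=start

conn site-a
    left=172.30.0.9
    leftid=203.0.113.5
    leftsubnet=172.30.0.0/16
    right=198.51.100.7
    rightsubnet=10.2.2.0/24
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1-modp1024!
    aggressive=no
"""

SAMPLE_LOG = """\
11[IKE] initiating IKE_SA site-a[1] to 198.51.100.7
11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
11[NET] sending packet: from 172.30.0.9[500] to 198.51.100.7[500] (336 bytes)
15[IKE] retransmit 1 of request with message ID 0
15[NET] sending packet: from 172.30.0.9[500] to 198.51.100.7[500] (336 bytes)
15[IKE] retransmit 2 of request with message ID 0
""".splitlines()

if __name__ == '__main__':
    for name, conn in parse_ipsec_conf(SAMPLE_CONF).items():
        print(name)
        for finding in check_conn(conn):
            print('  -', finding)
    print(diagnose_log(SAMPLE_LOG))
```

On the sample log the verdict is "no reply from peer": the initiator never sees a `[NET] received packet` line, so the question is why the router stays silent, not what identity charon sends. The IKE version check is the first thing to rule out, since the peer had been talking IKEv1 to racoon; a packet capture on the peer side (or on the instance, for inbound UDP/500) separates "never arrived" from "arrived and ignored".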