[strongSwan] Running on AWS behind Elastic IP

Mathew Marulla matt_m at me.com
Wed Nov 16 06:27:46 CET 2016 

First some background…

Our current installation is using ipsec-tools/racoon running on a CentOS server at Rackspace to establish two VPN tunnels to hardware routers at remote installations.  146.x.x.x is a Cisco 2500 and 2.x.x.x is a Comtrend VG-8050.  Both remote locations have several servers in subnets that talk over the VPN (10.2.2.x in one location and 10.2.3.x in the other), but they only need to talk to the local server that is running the VPN, so no local subnet, just one server (184.x.x.x).  We’ve been running this successfully for several years.

We are now moving the local installation to AWS and updating lots of infrastructure.  The local server is now running Ubunutu 14.04 and StrongSwan 5.5.1.  It is behind an elastic IP (52.x.x.x).  The remote installations and hardware have not changed, other than adding the new VPNs to the 52.x.x.x server.  We still don’t need to have a local subnet, but you will see one in the config below - i’ve tried almost everything.

Although I have read just about every tutorial and similar posting I can find about running StrongSwan on an EC2 instance, I still can not seem to get it to work.

Here’s the config files (private info and public IPs edited out):

strongswan.conf

> charon {
> 	load_modular = yes
> 	plugins {
> 		include strongswan.d/charon/*.conf
> 	}
> }
> 
> include strongswan.d/*.conf

ipsec.conf

> config setup
>   strictcrlpolicy=no
>   charondebug=all
> 
> conn %default
>   ikelifetime=1h
>   lifetime=1h
>   authby=psk
>   auto=start
> 
> conn xxxxx
>   left=172.30.0.9
>   leftid=52.x.x.x
>   leftsubnet=172.30.0.0/16
>   leftauth=psk
>   right=2.x.x.x
>   rightsubnet=10.2.2.0/24
>   rightauth=psk
>   ike=aes128-sha1-modp1024!
>   esp=aes128-sha1-modp1024!
>   aggressive=no

When I try to run ipsec, I get this:

> Starting strongSwan 5.5.1 IPsec [starter]...
> 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 3.13.0-74-generic, x86_64)
> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
> 00[CFG] loading crls from '/etc/ipsec.d/crls'
> 00[CFG] loading secrets from '/etc/ipsec.secrets'
> 00[CFG]   loaded IKE secret for 2.x.x.x
> 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
> 00[JOB] spawning 16 worker threads
> charon (4321) started after 20 ms
> 08[CFG] received stroke: add connection ‘xxxxx’
> 08[CFG] added configuration ‘xxxxx’
> 11[CFG] received stroke: initiate ‘xxxxx’
> 11[IKE] initiating IKE_SA xxxxx[1] to 2.x.x.x
> 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
> 11[NET] sending packet: from 172.30.0.9[500] to 2.x.x.x[500] (336 bytes)
> 15[IKE] retransmit 1 of request with message ID 0
> 15[NET] sending packet: from 172.30.0.9[500] to 2.x.x.x[500] (336 bytes)
> 15[IKE] retransmit 2 of request with message ID 0
> etc…

I believe it is not connecting because the remote router is seeing a non-routable IP, that is, the private IP of the local server (172.30.0.9).  I was under the impression that the lefdid parameter would be sent so the remote router would see the elastic IP.  That does not seem to be happening.

Of course, if I put the elastic IP in the left parameter, I get nothing but socket errors since the EC2 instance doesn’t know about it.  I even put the elastic IP in at localhost in it’s /etc/hosts file, but no difference.

Other info:

Ports 500 and 4500 are open to the remote routers in the EC2 security group.
net.ipv4.ip_forward is set on.
IPTables is not running.
Source/Dest check for this instance is set off in AWS.

Any ideas? ‘Cause I’m almost out!

- Matt

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20161116/d1858b81/attachment.html>

More information about the Users mailing list