[strongSwan] Running on AWS behind Elastic IP

Mathew Marulla matt_m at me.com
Wed Nov 16 18:56:27 CET 2016


I know the leftid parameter relates to certificates, which I am not using, but does it also relate to sending the right identity to the remote router?  I assumed so based on this passage in the docs:

how the left|right participant should be identified for authentication;

But after re-reading, it seems to just be for identifying the cert.

If I am reading your reply correctly, it seems you are getting this to work by not using an elastic IP, but just the public IP of your instance.  Then using a script to update it as needed.  Maybe that’s the only way…

I will try removing the elastic IP and seeing if the instance is aware of its own public IP, i.e., by looking in ifconfig, because the elastic IP certainly does not show up there.

- Matt

> On Nov 16, 2016, at 7:40 AM, Turbo Fredriksson <turbo at bayour.com> wrote:
> 
> On 16 Nov 2016, at 05:27, Mathew Marulla <matt_m at me.com> wrote:
> 
>> Although I have read just about every tutorial and similar posting I can find about running StrongSwan on an EC2 instance, I still can not seem to get it to work.
> 
> I’m doing the same thing, but I started “from scratch” (didn’t have any existing
> setup so this is the first setup).
> 
> My ipsec.conf:
> 
> —— s n i p ——
> config setup
>        uniqueids=no
>        strictcrlpolicy=no
> 
> # NOTE: The 'leftid' must be present as a "Subject Alternative Name" in the cert!!
> conn %default
>        left=%ETH0%
>        leftid=vpn.domain.tld
>        leftcert=hostname.pem
>        leftsubnet=<VPC_CIDR>
>        leftfirewall=yes
>        leftsendcert=always
>        leftdns=%DNS%
> 
>        rightdns=%DNS%
> 
>        keyexchange=ikev2
>        dpdaction=clear
>        dpddelay=2400s
>        fragmentation=yes
>        forceencaps=yes
>        compress=yes
> 
> ca domain
>        cacert=domain.tld.pem
>        auto=add
> 
> conn client
>        leftsourceip=%ETH0%
> 
>        right=%any
>        rightid=%any
>        rightsourceip=<VPN_CIDR>
>        rightauth=eap-mschapv2
> 
>        eap_identity=%identity
>        type=tunnel
>        auto=add
> —— s n i p ——
> 
> %ETH0% and %DNS% are changed by a script at boot (by first finding the IP of
> ‘eth0’ and the ’nameserver’ entry in resolv.conf) because EC2 instances use DHCP.
> So I’m not coding any ‘external’ IP (EIP), just the ‘internal’ (DHCP/private) one.
> 
> I’m not, currently, using any (ELB) load balancers in front of StrongSWAN, but
> I might do that in the future. Maybe.
> 
> 
> I can authenticate and setup the route etc - I can access the ‘internal’ IP via the
> VPN just fine.
> 
> I have yet to get access to the other VPCs over the VPN. I can access them
> if I first ssh into the VPN server and then ssh to a host in another VPC.
> 
> This is done with VPC peering, but I had _assumed_ that that would work
> for VPN as well. But it’s not.
> 
> I can’t access any other instance in the VPN VPC though.
> 
> I’m pretty sure that has something to do with the routing table(s), but I haven’t
> had time to look into this. I’m pretty sure the StrongSWAN setup is working
> correctly though, I’m using the exact same setup at home and there everything
> works just fine.
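A boot-time rendering script of the kind Turbo describes, given here as an added example that is not code from the thread or from the strongSwan project. It fills the %ETH0% and %DNS% placeholders from the quoted ipsec.conf and adds a third placeholder, %EIP%, which is my addition: leftid is the IKE identity strongSwan sends to the peer in IKE_AUTH (it also has to match the certificate's subject or SAN when certificates are used), so on an EC2 instance behind an Elastic IP the private address goes into left= and the public address (or an FQDN) into leftid=. Assumptions that are mine and not from the page: the template path /etc/ipsec.conf.in, the %EIP% placeholder, reading the public address from the EC2 instance metadata endpoint (http://169.254.169.254/latest/meta-data/public-ipv4, which returns the EIP when one is attached), and applying the result with `ipsec reload`.

```shell
#!/bin/sh
# Added example (not from the thread or strongSwan): render /etc/ipsec.conf from a
# template at boot on an EC2 instance. Assumed: template path, the %EIP% placeholder,
# the metadata lookup and "ipsec reload"; %ETH0%/%DNS% follow the quoted ipsec.conf.
set -eu

TEMPLATE=${TEMPLATE:-/etc/ipsec.conf.in}   # assumed path
OUTPUT=${OUTPUT:-/etc/ipsec.conf}

# First "nameserver" entry of a resolv.conf-style file.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Primary IPv4 address on an interface (iproute2), without the prefix length.
iface_ipv4() {
    ip -4 -o addr show dev "$1" | awk '{ print $4 }' | cut -d/ -f1 | head -n 1
}

# Public IPv4 from the EC2 instance metadata service. With an Elastic IP attached
# this returns the EIP, which never shows up in ifconfig/ip inside the guest
# because AWS applies it as 1:1 NAT outside the instance.
public_ipv4() {
    curl -sf --max-time 2 http://169.254.169.254/latest/meta-data/public-ipv4
}

# Substitute placeholders: $1 template, $2 eth0 address, $3 nameserver, $4 public IP.
# left= gets the private address (what the kernel can actually bind), leftid= the
# public one, so the IKE identity sent to the peer is the address the peer sees.
render_template() {
    sed -e "s|%ETH0%|$2|g" -e "s|%DNS%|$3|g" -e "s|%EIP%|$4|g" "$1"
}

main() {
    eth0=$(iface_ipv4 eth0 || true)
    dns=$(first_nameserver /etc/resolv.conf || true)
    eip=$(public_ipv4 || true)
    if [ -z "$eth0" ] || [ -z "$dns" ] || [ -z "$eip" ]; then
        echo "could not determine eth0 address, nameserver or public IP" >&2
        exit 1
    fi
    # Write atomically so a half-rendered config is never loaded.
    render_template "$TEMPLATE" "$eth0" "$dns" "$eip" > "$OUTPUT.tmp"
    mv "$OUTPUT.tmp" "$OUTPUT"
    ipsec reload
}

# Only touch the live system when explicitly asked (e.g. from a boot unit).
if [ "${RENDER_AT_BOOT:-0}" = 1 ]; then
    main
fi
```

Run it as `RENDER_AT_BOOT=1 ./render-ipsec.sh` from whatever runs after networking is up; the template carries lines such as `left=%ETH0%`, `leftid=%EIP%` and `leftdns=%DNS%`. Because the EIP survives reboots while the DHCP address may not, this keeps the IKE identity stable without hard-coding either address in ipsec.conf.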
