[strongSwan] Running on AWS behind Elastic IP
matt_m at me.com
Wed Nov 16 18:56:27 CET 2016
I know the leftid parameter relates to certificates, which I am not using, but does it also relate to sending the right identity to the remote router? I assumed so based on this passage in the docs:
how the left|right participant should be identified for authentication;
But after re-reading, it seems to just be for identifying the cert.
If I am reading your reply correctly, it seems you are getting this to work by not using an elastic IP, but just the public IP of your instance. Then using a script to update it as needed. Maybe that’s the only way…
I will try removing the elastic IP and seeing if the instance is aware of its own public IP, i.e., by looking in ifconfig. Because the elastic IP certainly does not show up there.
> On Nov 16, 2016, at 7:40 AM, Turbo Fredriksson <turbo at bayour.com> wrote:
> On 16 Nov 2016, at 05:27, Mathew Marulla <matt_m at me.com> wrote:
>> Although I have read just about every tutorial and similar posting I can find about running StrongSwan on an EC2 instance, I still cannot seem to get it to work.
> I’m doing the same thing, but I started “from scratch” (didn’t have any existing
> setup so this is the first setup).
> My ipsec.conf:
> —— s n i p ——
> config setup
> # NOTE: The 'leftid' must be present as a "Subject Alternative Name" in the cert!!
> conn %default
> ca domain
> conn client
> —— s n i p ——
> %ETH0% and %DNS% are changed by a script at boot (by first finding the IP of
> ‘eth0’ and the ‘nameserver’ entry in resolv.conf) because EC2 instances use DHCP.
> So I’m not coding any ‘external’ IP (EIP), just the ‘internal’ (DHCP/private) one..
> I’m not, currently, using any (ELB) load balancers in front of StrongSWAN, but
> I might do that in the future. Maybe.
> I can authenticate and setup the route etc - I can access the ‘internal’ IP via the
> VPN just fine.
> I have yet to get access to the other VPCs over the VPN. I can access them
> if I first ssh into the VPN server and then ssh to a host in another VPC.
> This is done with VPC peering, but I had _assumed_ that that would work
> for VPN as well. But it’s not..
> I can’t access any other instance in the VPN VPC though.
> I’m pretty sure that has something to do with the routing table(s), but I haven’t
> had time to look into this. I’m pretty sure the StrongSWAN setup is working
> correctly though, I’m using the exact same setup at home and there everything
> works just fine.
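The boot-time substitution Turbo describes, written out as an added example (this is not his script and not part of strongSwan): it fills the %ETH0% and %DNS% placeholders from the thread, plus an assumed %EIP% placeholder that is looked up from the EC2 instance metadata service, because the elastic IP is a NAT mapping that never appears on eth0. strongSwan's leftid is the identity sent to the peer in the IKE ID payload, so writing the EIP into a `leftid=%EIP%` template line lets the instance present the address the remote router sees while `left=` keeps the DHCP-assigned private address. The template path /etc/ipsec.conf.template, the RENDER_AT_BOOT guard and the IMDSv2 lookup are assumptions of this example; the metadata endpoint only answers on an EC2 instance, so that function is kept out of the offline-testable path.

```shell
#!/bin/sh
# Added example, not the script from the thread: render ipsec.conf from a
# template at boot, filling in the placeholders the reply describes
# (%ETH0%, %DNS%) plus an assumed %EIP% placeholder for the elastic IP.
set -eu

# Primary IPv4 address of an interface (needs iproute2's `ip`).
iface_ipv4() {
  ip -4 -o addr show dev "$1" | awk '{print $4}' | cut -d/ -f1 | head -n 1
}

# First "nameserver" entry of a resolv.conf-style file given as $1.
first_nameserver() {
  awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# Public IPv4 of this instance from the EC2 metadata service (IMDSv2).
# Only reachable when run on an EC2 instance; this is the address the
# elastic IP maps to, which is why it never shows up in ifconfig.
ec2_public_ipv4() {
  token=$(curl -sS -X PUT "http://169.254.169.254/latest/api/token" \
            -H "X-aws-ec2-metadata-token-ttl-seconds: 60")
  curl -sS -H "X-aws-ec2-metadata-token: $token" \
       "http://169.254.169.254/latest/meta-data/public-ipv4"
}

# Substitute the placeholders in template $1 and write the result to $2.
# $3 = eth0 address, $4 = nameserver, $5 = elastic/public IP.
render_ipsec_conf() {
  sed -e "s|%ETH0%|$3|g" -e "s|%DNS%|$4|g" -e "s|%EIP%|$5|g" "$1" > "$2"
}

# Install rendered file $1 over live file $2 only when the content differs,
# so a reboot that keeps the same DHCP lease does not trigger a reload and
# tear down established SAs. Returns 0 if installed, 1 if unchanged.
install_if_changed() {
  if ! cmp -s "$1" "$2"; then
    cp "$1" "$2"
    chmod 600 "$2"      # ipsec.conf may reference secrets; keep it root-only
    return 0
  fi
  return 1
}

# Boot-time entry point (assumed layout): only runs when RENDER_AT_BOOT=1 so
# the functions above can be sourced and exercised without touching the
# live configuration. /etc/ipsec.conf.template is assumed to contain lines
# such as "left=%ETH0%", "leftid=%EIP%" and "rightdns=%DNS%".
if [ "${RENDER_AT_BOOT:-0}" = "1" ]; then
  tmp=$(mktemp)
  render_ipsec_conf /etc/ipsec.conf.template "$tmp" \
    "$(iface_ipv4 eth0)" \
    "$(first_nameserver /etc/resolv.conf)" \
    "$(ec2_public_ipv4)"
  if install_if_changed "$tmp" /etc/ipsec.conf; then
    ipsec reload        # re-read ipsec.conf without restarting the daemon
  fi
  rm -f "$tmp"
fi
```

Run it from a boot unit with `RENDER_AT_BOOT=1`; without that variable the file only defines the functions, which is what makes the rendering logic testable against a constructed template and resolv.conf. The change check matters on a VPN gateway: an unconditional `ipsec reload` on every boot is harmless, but a script that rewrites and restarts on a timer would drop tunnels each time it ran.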