[strongSwan] Running on AWS behind Elastic IP

Bruce Ferrell bferrell at baywinds.org
Thu Nov 17 06:46:44 CET 2016


Sorry Matthew,  typo.  I meant natting host.

https://wiki.strongswan.org/projects/strongswan/wiki/NatTraversal

http://serverfault.com/questions/575815/strongswan-setup-where-both-sides-are-behind-nat

I think from these you can extrapolate

On 11/16/2016 09:48 AM, Mathew Marulla wrote:
> Bruce - 
>
> Not sure what you mean by “netting host”.  Can you be more specific or point me to a link?
>
> - Matt
>
>
>> On Nov 16, 2016, at 12:34 AM, Bruce Ferrell <bferrell at baywinds.org> wrote:
>>
>>
>> Try setting it up as if the AWS instance is a netting host
>>
>> On 11/15/2016 09:27 PM, Mathew Marulla wrote:
>>> First some background…
>>>
>>> Our current installation is using ipsec-tools/racoon running on a CentOS server at Rackspace to establish two VPN tunnels to hardware routers at remote installations.  146.x.x.x
>>> is a Cisco 2500 and 2.x.x.x is a Comtrend VG-8050.  Both remote locations have several servers in subnets that talk over the VPN (10.2.2.x in one location and 10.2.3.x in the
>>> other), but they only need to talk to the local server that is running the VPN, so no local subnet, just one server (184.x.x.x).  We’ve been running this successfully for several
>>> years.
>>>
>>> We are now moving the local installation to AWS and updating lots of infrastructure.  The local server is now running Ubunutu 14.04 and StrongSwan 5.5.1.  It is behind an elastic
>>> IP (52.x.x.x).  The remote installations and hardware have not changed, other than adding the new VPNs to the 52.x.x.x server.  We still don’t need to have a local subnet, but
>>> you will see one in the config below - i’ve tried almost everything.
>>>
>>> Although I have read just about every tutorial and similar posting I can find about running StrongSwan on an EC2 instance, I still can not seem to get it to work.
>>>
>>> Here’s the config files (private info and public IPs edited out):
>>>
>>> strongswan.conf
>>>
>>>> charon {
>>>> load_modular = yes
>>>> plugins {
>>>> include strongswan.d/charon/*.conf
>>>> }
>>>> }
>>>>
>>>> include strongswan.d/*.conf
>>> ipsec.conf
>>>
>>>> config setup
>>>>  strictcrlpolicy=no
>>>>  charondebug=all
>>>>
>>>> conn %default
>>>>  ikelifetime=1h
>>>>  lifetime=1h
>>>>  authby=psk
>>>>  auto=start
>>>>
>>>> conn xxxxx
>>>>  left=172.30.0.9
>>>>  leftid=52.x.x.x
>>>>  leftsubnet=172.30.0.0/16
>>>>  leftauth=psk
>>>>  right=2.x.x.x
>>>>  rightsubnet=10.2.2.0/24
>>>>  rightauth=psk
>>>>  ike=aes128-sha1-modp1024!
>>>>  esp=aes128-sha1-modp1024!
>>>>  aggressive=no
>>> When I try to run ipsec, I get this:
>>>
>>>> Starting strongSwan 5.5.1 IPsec [starter]...
>>>> 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 3.13.0-74-generic, x86_64)
>>>> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>>>> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
>>>> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
>>>> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
>>>> 00[CFG] loading crls from '/etc/ipsec.d/crls'
>>>> 00[CFG] loading secrets from '/etc/ipsec.secrets'
>>>> 00[CFG]   loaded IKE secret for 2.x.x.x
>>>> 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac
>>>> hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
>>>> 00[JOB] spawning 16 worker threads
>>>> charon (4321) started after 20 ms
>>>> 08[CFG] received stroke: add connection ‘xxxxx’
>>>> 08[CFG] added configuration ‘xxxxx’
>>>> 11[CFG] received stroke: initiate ‘xxxxx’
>>>> 11[IKE] initiating IKE_SA xxxxx[1] to 2.x.x.x
>>>> 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>>>> 11[NET] sending packet: from 172.30.0.9[500] to 2.x.x.x[500] (336 bytes)
>>>> 15[IKE] retransmit 1 of request with message ID 0
>>>> 15[NET] sending packet: from 172.30.0.9[500] to 2.x.x.x[500] (336 bytes)
>>>> 15[IKE] retransmit 2 of request with message ID 0
>>>> etc…
>>> I believe it is not connecting because the remote router is seeing a non-routable IP, that is, the private IP of the local server (172.30.0.9).  I was under the impression that
>>> the lefdid parameter would be sent so the remote router would see the elastic IP.  That does not seem to be happening.
>>>
>>> Of course, if I put the elastic IP in the left parameter, I get nothing but socket errors since the EC2 instance doesn’t know about it.  I even put the elastic IP in at localhost
>>> in it’s /etc/hosts file, but no difference.
>>>
>>> Other info:
>>>
>>> Ports 500 and 4500 are open to the remote routers in the EC2 security group.
>>> net.ipv4.ip_forward is set on.
>>> IPTables is not running.
>>> Source/Dest check for this instance is set off in AWS.
>>>
>>> Any ideas? ‘Cause I’m almost out!
>>>
>>> - Matt
>>>
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.strongswan.org
>>> https://lists.strongswan.org/mailman/listinfo/users
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>



More information about the Users mailing list