[strongSwan] Is there a complete recipe about for using an AWS instance as one end?
Whit Blauvelt
whit at transpect.com
Mon Sep 11 05:09:39 CEST 2017
Sorry! Got my swan lists mixed together. Sigh.
On Sun, Sep 10, 2017 at 04:13:12PM -0400, Whit Blauvelt wrote:
> Hi,
>
> I'm sure I'm missing something obvious. But I can't find it documented
> anywhere obvious. I've used various *swans for years, from Linux to Ciscos.
> Now I'm trying to use Libreswan on both ends between an instance on a VPC on
> AWS and an Ubuntu box serving as a firewall in our office.
>
> My config's based on the one here:
> https://libreswan.org/wiki/Interoperability.
>
> I've got UDP ports 4500 and 500 open on each end to the other's IP (by Group
> Policy on AWS, by FireHOL/iptables on the office box).
>
> I've got "ipsec verify" giving [OK] on everything on both ends.
>
> I've added the elastic IP to lo on the AWS instance.
>
> I've disabled the Source/Destination check on the AWS instance.
>
> On the aws side it gets as far as:
>
> 000
> 000 Total IPsec connections: loaded 2, active 0
> 000
> 000 State Information: DDoS cookies not required, Accepting new IKE connections
> 000 IKE SAs: total(1), half-open(1), open(0), authenticated(0), anonymous(0)
> 000 IPsec SAs: total(0), authenticated(0), anonymous(0)
> 000
> 000 #20: "amazonwest/0x2":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_v1_RETRANSMIT in 2s; nodpd; idle; import:admin initiate
> 20: pending Phase 2 for "amazonwest/0x1" replacing #0
> 20: pending Phase 2 for "amazonwest/0x2" replacing #0
> 000
> 000 Bare Shunt list:
> 000
>
> On the office side it gets as far as:
>
> 000 Total IPsec connections: loaded 4, active 0
> 000
> 000 State Information: DDoS cookies not required, Accepting new IKE connections
> 000 IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0)
> 000 IPsec SAs: total(0), authenticated(0), anonymous(0)
> 000
> 000 Bare Shunt list:
> 000
>
> I'm not seeing anything from from the AWS side log as dropped by iptables on
> the office side.
>
> I'm sure this is something people have set up many times. Has someone posted
> complete notes somewhere I should reference?
>
> Thanks,
> Whit
More information about the Users
mailing list