[strongSwan] Trying to work out why connection not being established from AWS

Whit Blauvelt whit at transpect.com
Fri Sep 22 16:03:03 CEST 2017


On Thu, Sep 21, 2017 at 11:50:43PM +0200, Noel Kuntze wrote:
> 1. Always provide all the information that is listed on the HelpRequests[1] page when you want something solved

Thanks for the reference. Hadn't seen that page.

> 2. Read your damn logs, they tell you what's wrong.

Did, and they don't. Perhaps I have to set a log level higher somewhere?

> 3.
> > Listening IP addresses:
> >   172.18.30.93
> >   172.18.14.157
> >   10.60.30.1
> > Connections:
> >        ny2or:  ela.sti.cip.245...pub.lic.ip.108  IKEv2
> [...]
> > Security Associations (0 up, 1 connecting):
> >        ny2or[1]: CONNECTING, ela.sti.cip.245[%any]...pub.lic.ip.108[%any]
> 
> No ela.sti.cip.245 IP on this host, so you obviously can't send any
> packets from that IP address. charon likely logs error -22 when trying to
> send the packets. Do not set left. charon can figure out the right IP by
> itself.

First I tried setting that to the LAN IP which connects to the elastic IP,
but that didn't work either; failed in just the same way. Also, the elastic
IP set does exist on the VM, as it's been assigned as an alias to lo (a
trick the libreswan people recommend).

> In any case, do not use tutorials from other sites. Always use the ones on
> the wiki. They are actually maintained, "good" and you have someone to
> complain about the quality and errors. You can even fix them yourself, if
> you have a wiki account (or register for one).

That's just wrong. The wiki was the first place I looked. See
https://wiki.strongswan.org/projects/strongswan/wiki/AwsVpc, which says "DO
NOT USE - ANCIENT ARTICLE." Since this is the first thing found by Google on
putting in pertinent terms, if there's another article on the site which is
current, please point me towards it, and I'll add a cross-reference on that
wiki page.

Best,
Whit
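As an added illustration of the mismatch Noel points at (this is not code from the thread or from the strongSwan project): the script below parses the `ipsec statusall` excerpt quoted above (the sample text is constructed from that excerpt) and flags every connection whose configured local endpoint is not one of the addresses charon reports it is listening on. `%any` and other `%` selectors are left to charon to resolve and are not flagged.

```python
import re

# Constructed sample: the statusall excerpt quoted in this thread, verbatim.
SAMPLE_STATUS = """\
Listening IP addresses:
  172.18.30.93
  172.18.14.157
  10.60.30.1
Connections:
       ny2or:  ela.sti.cip.245...pub.lic.ip.108  IKEv2
Security Associations (0 up, 1 connecting):
       ny2or[1]: CONNECTING, ela.sti.cip.245[%any]...pub.lic.ip.108[%any]
"""

# "<name>:  <local>...<remote>  IKEv2" lines in the Connections section.
CONN_RE = re.compile(r"\s*(\S+):\s+(\S+)\.\.\.(\S+)")


def parse_status(text):
    """Return (listening addresses, {conn name: local endpoint}) from statusall output."""
    listening, conns = [], {}
    section = None
    for line in text.splitlines():
        if line.startswith("Listening IP addresses:"):
            section = "listen"
            continue
        if line.startswith("Connections:"):
            section = "conns"
            continue
        if line.startswith("Security Associations"):
            section = "sas"
            continue
        if section == "listen" and line.strip():
            listening.append(line.strip())
        elif section == "conns":
            m = CONN_RE.match(line)
            if m:
                conns[m.group(1)] = m.group(2)
    return listening, conns


def unbound_local_endpoints(text):
    """Connections whose 'left' is a literal address charon does not listen on.

    Such a connection cannot source IKE packets from that address, which is
    the condition the reply above describes. '%' selectors are skipped."""
    listening, conns = parse_status(text)
    return sorted(name for name, local in conns.items()
                  if not local.startswith("%") and local not in listening)


if __name__ == "__main__":
    print(unbound_local_endpoints(SAMPLE_STATUS))  # ['ny2or']
```

In the quoted output the elastic IP is absent from the listening list even though the reply says it is aliased onto lo, which is exactly what this check surfaces; rerunning it after dropping `left` (or setting it to `%any`) should return an empty list.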
