[strongSwan] Trying to work out why connection not being established from AWS

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Fri Sep 22 16:49:20 CEST 2017



On 22.09.2017 16:03, Whit Blauvelt wrote:
> On Thu, Sep 21, 2017 at 11:50:43PM +0200, Noel Kuntze wrote:
>> 1. Always provide all the information that is listed on the HelpRequests[1] page when you want something solved
> 
> Thanks for the reference. Hadn't seen that page.
> 
>> 2. Read your damn logs, they tell you what's wrong.
> 
> Did, and they don't. Perhaps I have to set a log level higher somewhere?

The HelpRequests[1] article contains a good logger configuration you can use.

> 
>> 3.
>>> Listening IP addresses:
>>>   172.18.30.93
>>>   172.18.14.157
>>>   10.60.30.1
>>> Connections:
>>>        ny2or:  ela.sti.cip.245...pub.lic.ip.108  IKEv2
>> [...]
>>> Security Associations (0 up, 1 connecting):
>>>        ny2or[1]: CONNECTING, ela.sti.cip.245[%any]...pub.lic.ip.108[%any]
>>
>> No ela.sti.cip.245 IP on this host, so you obviously can't send any
>> packets from that IP address. charon likely logs error -22 when trying to
>> send the packets. Do not set left. charon can figure out the right IP by
>> itself.
> 
> First I tried setting that to the LAN IP which connects to the elastic IP,
> but that didn't work either; failed in just the same way. Also, the elastic
> IP set does exist on the VM, as it's been assigned as an alias to lo (a
> trick the libreswan people recommend).

Linux aliases are a deprecated concept. Bind the IP to any local interface. Preferably one that cannot go down.
You can just add it. Anyway, charon needs to listen on the IP to be able to send packets from it.

> 
>> In any case, do not use tutorials from other sites. Always use the ones on
>> the wiki. They are actually maintained, "good" and you have someone to
>> complain about the quality and errors. You can even fix them yourself, if
>> you have a wiki account (or register for one).
> 
> That's just wrong. The wiki was the first place I looked. See
> https://wiki.strongswan.org/projects/strongswan/wiki/AwsVpc, which says "DO
> NOT USE - ANCIENT ARTICLE." Since this is the first thing found by Google on
> putting in pertinent terms, if there's another article on the site which is
> current, please point me towards it, and I'll add a cross-reference on that
> wiki page.

Good configurations are in this[2] article.

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
[2] https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples
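The mismatch Noel reads out of the status output above (a connection whose local address is not among charon's listening addresses) can be checked mechanically. The following is an added example, not code from the thread or from the strongSwan project; it parses the `ipsec statusall` excerpt quoted above (kept as constructed sample input, with the redacted placeholder addresses left as they appear) and reports connections whose configured `left` address charon is not listening on.

```python
import re

# Constructed sample: the `ipsec statusall` excerpt quoted in the thread,
# with the redacted placeholder addresses kept exactly as posted.
SAMPLE_STATUS = """\
Listening IP addresses:
  172.18.30.93
  172.18.14.157
  10.60.30.1
Connections:
       ny2or:  ela.sti.cip.245...pub.lic.ip.108  IKEv2
Security Associations (0 up, 1 connecting):
       ny2or[1]: CONNECTING, ela.sti.cip.245[%any]...pub.lic.ip.108[%any]
"""

# Matches the "<name>:  <left>...<right>  IKEvN" line of the Connections section.
CONN_RE = re.compile(r"^\s*(?P<name>[\w.-]+):\s+(?P<left>\S+?)\.\.\.(?P<right>\S+?)\s")


def parse_status(text):
    """Return (listening_ips, {connection_name: left_address}) from statusall text."""
    listening, conns = set(), {}
    section = None
    for line in text.splitlines():
        if line.startswith("Listening IP addresses:"):
            section = "listen"
            continue
        if line.startswith("Connections:"):
            section = "conns"
            continue
        if line.startswith("Security Associations"):
            section = "sas"
            continue
        if section == "listen" and line.strip():
            listening.add(line.strip())
        elif section == "conns":
            m = CONN_RE.match(line)
            if m:
                conns[m.group("name")] = m.group("left")
    return listening, conns


def unbound_local_addresses(text):
    """Names of connections whose left address is set but not a listening address.

    A connection listed here will sit in CONNECTING: charon cannot send IKE
    packets from an address it does not own. Leaving left unset (%any) is fine.
    """
    listening, conns = parse_status(text)
    return sorted(n for n, left in conns.items()
                  if left != "%any" and left not in listening)
```

Run against the sample it returns `["ny2or"]`; after binding the address to a local interface (so it shows up under "Listening IP addresses") the list is empty.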
