[strongSwan] Trying to work out why connection not being established from AWS

Eric Germann ekgermann at semperen.com
Fri Sep 22 17:08:02 CEST 2017


Not sure what your config is, but in our AWS deployments of Strongswan, we set

left = the IP address of the instance within the VPC (the address assigned to the interface)
leftid = the Elastic IP

Make sure your Security Groups reflect UDP 500 and 4500 from the remote IP as it will try and use NAT-T (or should).

Works like a champ.

EKG


> On Sep 22, 2017, at 10:03 AM, Whit Blauvelt <whit at transpect.com> wrote:
> 
> On Thu, Sep 21, 2017 at 11:50:43PM +0200, Noel Kuntze wrote:
>> 1. Always provide all the information that is listed on the HelpRequests[1] page when you want something solved
> 
> Thanks for the reference. Hadn't seen that page.
> 
>> 2. Read your damn logs, they tell you what's wrong.
> 
> Did, and they don't. Perhaps I have to set a log level higher somewhere?
> 
>> 3.
>>> Listening IP addresses:
>>>  172.18.30.93
>>>  172.18.14.157
>>>  10.60.30.1
>>> Connections:
>>>       ny2or:  ela.sti.cip.245...pub.lic.ip.108  IKEv2
>> [...]
>>> Security Associations (0 up, 1 connecting):
>>>       ny2or[1]: CONNECTING, ela.sti.cip.245[%any]...pub.lic.ip.108[%any]
>> 
>> No ela.sti.cip.245 IP on this host, so you obviously can't send any
>> packets from that IP address. charon likely logs error -22 when trying to
>> send the packets. Do not set left. charon can figure out the right IP by
>> itself.
> 
> First I tried setting that to the LAN IP which connects to the elastic IP,
> but that didn't work either; failed in just the same way. Also, the elastic
> IP set does exist on the VM, as it's been assigned as an alias to lo (a
> trick the libreswan people recommend). 
> 
>> In any case, do not use tutorials from other sites. Always use the ones on
>> the wiki. They are actually maintained, "good" and you have someone to
>> complain about the quality and errors. You can even fix them yourself, if
>> you have a wiki account (or register for one).
> 
> That's just wrong. The wiki was the first place I looked. See
> https://wiki.strongswan.org/projects/strongswan/wiki/AwsVpc, which says "DO
> NOT USE - ANCIENT ARTICLE." Since this is the first thing found by Google on
> putting in pertinent terms, if there's another article on the site which is
> current, please point me towards it, and I'll add a cross-reference on that
> wiki page.
> 
> Best,
> Whit
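A check for the AWS layout Eric describes above (left = the instance's VPC address, leftid = the Elastic IP, security group open for UDP 500 and 4500 from the peer) and for the mis-set left that Noel diagnosed, added here as an example and not code from the thread or from the strongSwan project. It assumes a constructed ipsec.conf fragment, a constructed set of local interface addresses and security-group rules, and RFC 5737 documentation addresses in place of the thread's redacted ones.

```python
import ipaddress
# Constructed ipsec.conf fragment in the layout from the post: left = the instance's
# VPC address, leftid = the Elastic IP (RFC 5737 documentation addresses stand in here).
SAMPLE_CONF = """
conn ny2or
    keyexchange=ikev2
    left=172.18.30.93
    leftid=203.0.113.45
    right=198.51.100.108
"""
# Assumed addresses on the instance's interfaces, as `ip addr` would list them.
LOCAL_ADDRS = {"172.18.30.93", "172.18.14.157", "10.60.30.1"}
# Constructed inbound security-group rules: (protocol, port, source CIDR).
SG_RULES = [("udp", 500, "198.51.100.108/32"), ("udp", 4500, "198.51.100.108/32")]
# VPC CIDRs are normally RFC 1918 space (assumption), so a leftid in these ranges is not an EIP.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_conn(conf, name):
    """Minimal ipsec.conf reader: the key=value settings of one conn section."""
    settings, in_conn = {}, False
    for line in (raw.strip() for raw in conf.splitlines()):
        if line.startswith("conn "):
            in_conn = line[5:].strip() == name
        elif in_conn and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def as_ip(value):
    """ip_address for a literal IP; None for %any, hostnames, DNs or unset values."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def check_aws_conn(conf, name, local_addrs, sg_rules):
    """Return findings for one conn; an empty list means it matches the AWS layout."""
    conn, findings = parse_conn(conf, name), []
    left, leftid, right = (as_ip(conn.get(k, "")) for k in ("left", "leftid", "right"))
    # left must be locally assigned; the EIP is not on the instance, so charon cannot bind (error -22 case).
    if left and str(left) not in local_addrs:
        findings.append(f"left={left} is not assigned to any local interface")
    # The peer sees the 1:1-NATed Elastic IP, so the identity should be the EIP.
    if leftid and any(leftid in net for net in RFC1918):
        findings.append(f"leftid={leftid} is a private VPC address; expected the Elastic IP")
    # IKE (udp/500) and NAT-T (udp/4500) must be allowed inbound from the peer.
    for port in (500, 4500):
        if right and not any(p == "udp" and pt == port and right in ipaddress.ip_network(c)
                             for p, pt, c in sg_rules):
            findings.append(f"security group does not allow udp/{port} from {right}")
    return findings
```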
