> Hi,
>
> Trying to connect an AWS instance (and its VPC) to a Linux firewall in our
> office, I'm sure I'm missing something obvious. But I can't find it
> documented anywhere obvious. I've used various *swans for years, from Linux
> to Ciscos. Now I'm trying to use Libreswan on both ends between an instance
> on a VPC on AWS and an Ubuntu box serving as a firewall in our office.
> We're running an AWS instance to Cisco IPSec tunnel without issues.
>
> My config's based on the one here:
> https://libreswan.org/wiki/Interoperability.
>
> I've got UDP ports 4500 and 500 open on each end to the other's IP (by Group
> Policy on AWS, by FireHOL/iptables on the office box). Also added the
> office-side subnets to the Group Policy for AWS.
>
> I've got "ipsec verify" giving [OK] on everything on both ends.
>
> I've added the elastic IP to lo on the AWS instance.

To confirm this: you have bound the (public) elastic IP to the lo interface of the AWS instance? I have never heard of this requirement; it is certainly not required, and in fact might well be a contributing factor to the problem.

> I've disabled the Source/Destination check on the AWS instance.
>
> Now I see with ipsec barf:
>
> First pluto complaining multiply:
>
> We cannot identify ourselves with either end of this connection. 172.17.10.3 or xx.yy.zz.108 are not usable
>
> This is with xx.yy.zz.108 plainly available as an IP on a WAN interface. The
> other IP, on another interface, has no reference in the config.
>
> Then pluto advises:
>
> packet from aa.bb.cc.245:500: initial Main Mode message received on xx.yy.zz.108:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
>
> Note that's saying the message has been received on the IP which is "not
> usable." I assume the connection has not been "authorized" because it was
> previously rejected as "unusable"?
>
> What are the criteria for "usable"?
>
> Thanks,
> Whit

One of our AWS end configs (sanitised) below:

conn ipsec-tunnel-00
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=<elastic IP of instance NOT bound anywhere on instance>
    leftnexthop=%defaultroute
    leftsubnet=<instance subnet>
    leftsourceip=<instance eth0 ipv4 addr>
    right=<remote target public IP addr>
    rightsubnets=<target subnet>
    ....

Good luck.

Regards,
Duncan.
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
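The pattern Duncan's sanitised fragment relies on, written out for both ends as an added example (this is editorial illustration, not Whit's or Duncan's configuration and not a Libreswan project sample). The addresses are assumed RFC 5737 placeholders: 203.0.113.10 is the instance's elastic IP, 172.31.16.5 its private eth0 address inside a 172.31.0.0/16 VPC, 198.51.100.20 the office WAN address bound on the Ubuntu firewall, and 10.10.0.0/24 the office LAN. The point it shows is the one behind "elastic IP NOT bound anywhere on instance": the instance sits behind AWS 1:1 NAT, so `left` is resolved from the default route (the private address) while `leftid` carries the public address the peer actually sees, and the office side's `right`/`rightid` must match that public address exactly. Without `leftid`, the AWS end would identify itself by its private address and the office end, expecting the elastic IP, would refuse the main-mode exchange.

```conf
# /etc/ipsec.conf on the AWS instance.
# The elastic IP 203.0.113.10 is NOT configured on any interface
# (not on lo, not on eth0); eth0 carries only 172.31.16.5. (assumed addresses)
conn office
    type=tunnel
    authby=secret
    ikev2=no                     # the thread's log shows IKEv1 main mode (PSK+IKEV1_ALLOW)
    ike=aes256-sha2_256;modp2048
    esp=aes256-sha2_256
    left=%defaultroute           # resolves to the private eth0 address
    leftid=203.0.113.10          # the elastic IP: what the peer sees after NAT
    leftsubnet=172.31.0.0/16     # VPC CIDR (assumed)
    leftsourceip=172.31.16.5     # instance's own eth0 address (assumed)
    right=198.51.100.20          # office WAN address (assumed)
    rightid=198.51.100.20
    rightsubnet=10.10.0.0/24     # office LAN (assumed)
    auto=start                   # the NATed side initiates

# /etc/ipsec.secrets on the AWS instance (root-owned, mode 0600).
# Indexed by the two IDs above; placeholder secret, generate a real one.
203.0.113.10 198.51.100.20 : PSK "replace-with-a-long-random-secret"

# /etc/ipsec.conf on the office firewall.
# 198.51.100.20 is genuinely bound on its WAN interface. (assumed addresses)
conn aws
    type=tunnel
    authby=secret
    ikev2=no
    ike=aes256-sha2_256;modp2048
    esp=aes256-sha2_256
    left=198.51.100.20
    leftid=198.51.100.20
    leftsubnet=10.10.0.0/24
    right=203.0.113.10           # the elastic IP; IKE packets arrive from it
    rightid=203.0.113.10         # must equal the AWS side's leftid
    rightsubnet=172.31.0.0/16
    auto=add                     # load and wait for the AWS side to initiate

# /etc/ipsec.secrets on the office firewall (same PSK, same ID pair).
198.51.100.20 203.0.113.10 : PSK "replace-with-a-long-random-secret"
```

Load the conns with `ipsec auto --add office` / `ipsec auto --add aws` (or restart pluto) and bring the tunnel up from the AWS side with `ipsec auto --up office`. Pluto detects the NAT in front of the instance from the IKEv1 NAT-D payloads and both ends float to UDP 4500, which is why 4500 must be open in both directions alongside 500. Pluto also enumerates the local addresses it can use when it starts; `ipsec status` lists them as `interface` lines, and an address added to an interface after startup is not picked up until `ipsec whack --listen` or a restart, so if a configured `left` address is reported as "not usable", check that it appears there. Two things the Security Group does not do: it does not route, so the VPC route table still needs a route for 10.10.0.0/24 pointing at the instance (hence the disabled source/destination check), and it does not authenticate, so keep the PSK long, random, per peer pair, and readable only by root. When both ends run Libreswan there is no reason to stay on IKEv1; `ikev2=insist` on both sides is the better default, and aggressive mode, which exposes the PSK to offline cracking, should stay off as it is here.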
