On Tue, 12 Sep 2017, Duncan Stokes wrote:
> I've added the elastic IP to lo on the AWS instance.
To confirm this: you have bound the (public) elastic IP to the lo interface of
the AWS instance? I have never heard of this requirement; it is certainly not
required, and in fact might well be a contributing factor to the problem.
How else are you going to send packets with that source IP?
The alternative is to use the pre-NAT IP, but the remote end
might not like it, have conflicts, etc. By doing the
elastic IP on loopback, the NAT is really just a NAT between
the machines, and no pre-NAT IPs are visible anywhere.
One of our AWS end configs (sanitised) below:

conn ipsec-tunnel-00
        type=tunnel
        authby=secret
        left=%defaultroute
        leftid=<elastic IP of instance NOT bound anywhere on instance>
        leftnexthop=%defaultroute
        leftsubnet=<instance subnet>
        leftsourceip=<instance eth0 ipv4 addr>
        right=<remote target public IP addr>
        rightsubnets=<target subnet>
        ....
Ahh, you are building a site-to-site tunnel that does not involve the
elastic IP itself. Yes, binding the elastic IP is only needed if you
build a tunnel from outside of AWS with destination ONLY the elastic IP.
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
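The two cases discussed in the thread, as an added example that is not part of the original messages or of the Libreswan project: a helper that renders the AWS-side conn from the sanitised config above (left=%defaultroute with leftid carrying the 1:1 NATed elastic IP), and a check that reports whether the elastic IP is bound on a local interface and whether that matters for the tunnel type (site-to-site with a remote subnet: binding not needed; host-only tunnel whose destination is just the elastic IP: binding required). All addresses, conn names and the captured `ip -4 -o addr` lines are constructed placeholders, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from Libreswan. Addresses are
# documentation-range placeholders, not real deployments.

# Render the AWS-side conn for an instance behind a 1:1 NAT (elastic IP).
# left stays %defaultroute (the private eth0 address); leftid carries the
# elastic IP so the remote peer sees the public identity, without the
# elastic IP being bound on any interface of the instance.
render_aws_conn() {
  name=$1; elastic_ip=$2; eth0_ip=$3; left_subnet=$4; right_ip=$5; right_subnet=$6
  cat <<EOF
conn $name
        type=tunnel
        authby=secret
        left=%defaultroute
        leftid=$elastic_ip
        leftnexthop=%defaultroute
        leftsubnet=$left_subnet
        leftsourceip=$eth0_ip
        right=$right_ip
        rightsubnets=$right_subnet
        auto=start
EOF
}

# Report whether the elastic IP is bound locally and whether that is right
# for the tunnel type. Arguments: elastic IP, remote subnet ("" for a
# host-only tunnel whose destination is just the elastic IP), and the
# output of `ip -4 -o addr` (passed in so a captured sample can be checked).
elastic_ip_binding_check() {
  elastic_ip=$1; right_subnet=$2; addr_output=$3
  if printf '%s\n' "$addr_output" | grep -qF -- "inet $elastic_ip/"; then
    bound=yes
  else
    bound=no
  fi
  case "$right_subnet:$bound" in
    ?*:yes) echo "warn: elastic IP bound locally; not needed for a site-to-site tunnel" ;;
    ?*:no)  echo "ok: elastic IP not bound; leftid carries it for the site-to-site tunnel" ;;
    :yes)   echo "ok: elastic IP bound; required for a host-only tunnel to the elastic IP" ;;
    :no)    echo "missing: host-only tunnel to the elastic IP needs it bound (e.g. on lo)" ;;
  esac
}

# Constructed sample of `ip -4 -o addr` on an instance that has NOT bound
# its elastic IP (203.0.113.10): only loopback and the private eth0 address.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.1.23/24 brd 10.0.1.255 scope global dynamic eth0\       valid_lft 3126sec preferred_lft 3126sec'

# Stand-alone run: render the site-to-site conn and check the binding state.
render_aws_conn ipsec-tunnel-00 203.0.113.10 10.0.1.23 10.0.1.0/24 198.51.100.20 192.168.50.0/24
elastic_ip_binding_check 203.0.113.10 192.168.50.0/24 "$SAMPLE_IP_ADDR"
```

On a live instance the third argument would be `"$(ip -4 -o addr)"`; the sample keeps the check reproducible offline. The rendered conn is the shape from the thread, not a complete tunnel definition (no IKE/ESP proposals or secrets).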