On Tue, 24 Mar 2020, Mattias Mattsson wrote:
Thanks to Nick for your response, I had missed that part of the libreswan wiki.
I have been reading through the Amazon EIP section
https://libreswan.org/wiki/Interoperability#The_elastic_IP_and_the_RFC1918_native_IP_address
and tried to follow the instructions there but I'm not able to make this work.
It is not clear to me from the wiki configuration examples how to map the
public and private addresses for the client PC and the AWS instance to IPsec
configuration.
I added the EIP to my AWS instance's lo interface using the provided command:
ip addr add a.b.c.d/32 dev lo:elastic
and added the EIP to the subnet, but I think I don't have the correct ipsec.conf
setup.
If my addresses are:
Client private address = 10.0.2.15
Client public address = 1.1.1.100
Server public address = 2.2.2.100
Server private address = 172.31.16.205
And I use left for the client and right for the server, I have the following
configuration files:
Note that it depends on what you _want_ to do. For example, usually the
client private address is dynamic if the host is behind NAT. Also, the
server private IP address could be dynamic-ish or static. The most
stable solution is to use the server public IP address and a statically
assigned (by you) client private address. So in my example, I will
use 100.64.64.64/32 as the IP address we give the client, so we will
be building an IPsec tunnel from 100.64.64.64/32 to 2.2.2.100/32.
Client
0.0.0.0 %any : PSK "abcdefghijklmnopqrstuvwxyz0123456789"
config setup
protostack=netkey
conn ipsec_aws
authby=secret
encapsulation=yes
right=2.2.2.100
left=10.0.2.15
ikev2=no
I recommend ikev2=yes. Also encapsulation=auto should work fine as AWS
does NAT, so let the autodetect handle all of that.
Now for left you want to use left=%defaultroute, so whatever IP you are
assigned by DHCP will just work. leftsubnet becomes 100.64.64.64/32, so
you end up on the client with:
right=2.2.2.100
rightid=2.2.2.100
rightsubnet=2.2.2.100/32
left=%defaultroute
leftid=@client
leftsubnet=100.64.64.64/32
We use a leftid=@client to give it the IKE ID string of "client" to
prevent it from picking up the IP address as ID, since then it would
use the dynamic pre-NAT IP and you don't want to configure that on the
server.
Server
conn ipsec_aws
authby=secret
encapsulation=yes
right=%defaultroute
rightid=2.2.2.100
rightsubnet=2.2.2.100/32
left=1.1.1.100
leftid=10.0.2.15
ikev2=no
The same for the ikev2/encapsulation options as on the client.
You are using right for the local server part, so your settings
there are correct. For the server you end up with:
right=%defaultroute
rightid=2.2.2.100
rightsubnet=2.2.2.100/32
left=%any
leftid=@client
leftsubnet=100.64.64.64/32
Then on the client you would also configure 100.64.64.64 on the
loopback, just like on the server you configure 2.2.2.100 on the
loopback.
Paul
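An added consistency check, not from this thread or from libreswan, that reads both ends' "conn ipsec_aws" from ipsec.conf text and reports the pitfalls discussed above: leftid/leftsubnet/rightid/rightsubnet values that differ between client and server, a server left that is not %any, an IP address used as leftid for the NATed end, and ikev2=no. The sample configs are the pairs from the question and the reply; the parser is a minimal constructed one, not libreswan's own.

```python
import re

IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def parse_conn(text, name):
    """Minimal ipsec.conf reader: return key=value pairs of 'conn <name>'.
    Constructed for this check; it is not libreswan's own parser."""
    conf, in_conn = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(("conn ", "config ")):
            in_conn = line == "conn " + name
        elif in_conn and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def check_pair(client, server):
    """Both ends describe the same tunnel with left=client, right=server,
    so id/subnet values must agree; a NATed left end must not be keyed by IP."""
    problems = []
    for key in ("leftid", "leftsubnet", "rightid", "rightsubnet"):
        if client.get(key) != server.get(key):
            problems.append(f"{key} differs: client={client.get(key)} server={server.get(key)}")
    if server.get("left") != "%any":
        problems.append("server: left should be %any so the NATed client can connect from anywhere")
    for end, conf in (("client", client), ("server", server)):
        if IPV4.fullmatch(conf.get("leftid", "")):
            problems.append(f"{end}: leftid is an IP; use leftid=@client so the pre-NAT address is not the ID")
        if conf.get("ikev2") == "no":
            problems.append(f"{end}: ikev2=no (IKEv2 is recommended)")
    return problems

# Constructed samples: the pair from the question, then the pair from the reply.
BROKEN_CLIENT = "config setup\n  protostack=netkey\nconn ipsec_aws\n  authby=secret\n  encapsulation=yes\n  right=2.2.2.100\n  left=10.0.2.15\n  ikev2=no\n"
BROKEN_SERVER = "conn ipsec_aws\n  authby=secret\n  encapsulation=yes\n  right=%defaultroute\n  rightid=2.2.2.100\n  rightsubnet=2.2.2.100/32\n  left=1.1.1.100\n  leftid=10.0.2.15\n  ikev2=no\n"
FIXED_CLIENT = "conn ipsec_aws\n  authby=secret\n  encapsulation=auto\n  ikev2=yes\n  right=2.2.2.100\n  rightid=2.2.2.100\n  rightsubnet=2.2.2.100/32\n  left=%defaultroute\n  leftid=@client\n  leftsubnet=100.64.64.64/32\n"
FIXED_SERVER = "conn ipsec_aws\n  authby=secret\n  encapsulation=auto\n  ikev2=yes\n  right=%defaultroute\n  rightid=2.2.2.100\n  rightsubnet=2.2.2.100/32\n  left=%any\n  leftid=@client\n  leftsubnet=100.64.64.64/32\n"

def audit(client_text, server_text):
    """Parse both ends' ipsec_aws conn and return the list of problems found."""
    return check_pair(parse_conn(client_text, "ipsec_aws"), parse_conn(server_text, "ipsec_aws"))

if __name__ == "__main__":
    for label, pair in (("question", (BROKEN_CLIENT, BROKEN_SERVER)), ("reply", (FIXED_CLIENT, FIXED_SERVER))):
        print(label, audit(*pair) or "OK")
```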
_______________________________________________
Swan mailing list
https://lists.libreswan.org/mailman/listinfo/swan