Paul,

Thank you very much for the detailed information. This worked like a charm, I would not have gotten over this hurdle without your input.

Regards / Mattias

On Tuesday, March 24, 2020, 07:47:36 PM PDT, Paul Wouters <[email protected]> wrote:

On Tue, 24 Mar 2020, Mattias Mattsson wrote:

> Thanks to Nick for your response, I had missed that part of the libreswan
> wiki. I have been reading through the Amazon EIP section
> https://libreswan.org/wiki/Interoperability#The_elastic_IP_and_the_RFC1918_native_IP_address
> and tried to follow the instructions there but I'm not able to make this
> work. It is not clear to me from the wiki configuration examples how to map
> the public and private addresses for the client PC and the AWS instance to
> IPsec configuration.
>
> I added the EIP to my AWS instance's lo interface using the provided command;
> ip addr add a.b.c.d/32 dev lo:elastic
> and added the EIP to the subnet but I think I don't have the correct
> ipsec.conf setup.
>
> If my addresses are;
> Client private address = 10.0.2.15
> Client public address = 1.1.1.100
> Server public address = 2.2.2.100
> Server private address = 172.31.16.205
> And I use left for client and right for server I have the following
> configuration files

Note that it depends on what you _want_ to do. For example, usually the client private address is dynamic if the host is behind NAT. Also, the server private IP address could be dynamic-ish or static. The most stable solution is to use the server public IP address and a statically assigned (by you) client private address. So in my example, I will use 100.64.64.64/32 as the IP address we give the client, so we will be building an IPsec tunnel from 100.64.64.64/32 to 2.2.2.100/32.

> Client
>
> 0.0.0.0 %any : PSK "abcdefghijklmnopqrstuvwxyz0123456789"
>
> config setup
>   protostack=netkey
>
> conn ipsec_aws
>   authby=secret
>   encapsulation=yes
>   right=2.2.2.100
>   left=10.0.2.15
>   ikev2=no

I recommend ikev2=yes. Also encapsulation=auto should work fine as AWS does NAT, so let the autodetect handle all of that.

Now for left you want to use left=%defaultroute, so whatever IP you are assigned by DHCP will just work. leftsubnet becomes 100.64.64.64/32, so you end up on the client with:

  right=2.2.2.100
  rightid=2.2.2.100
  rightsubnet=2.2.2.100/32
  left=%defaultroute
  leftid=@client
  leftsubnet=100.64.64.64/32

We use a leftid=@client to give it the IKE ID string of "client" to prevent it from picking up the IP address as ID, since then it would use the dynamic pre-NAT IP and you don't want to configure that on the server.

> Server
>
> conn ipsec_aws
>   authby=secret
>   encapsulation=yes
>   right=%defaultroute
>   rightid=2.2.2.100
>   rightsubnet=2.2.2.100/32
>   left=1.1.1.100
>   leftid=10.0.2.15
>   ikev2=no

The same for the ikev2/encapsulation options as on the client. You are using right for the local server part, so your settings there are correct. For the server you end up with:

  right=%defaultroute
  rightid=2.2.2.100
  rightsubnet=2.2.2.100/32
  left=%any
  leftid=@client
  leftsubnet=100.64.64.64/32

Then on the client you would also configure 100.64.64.64 on the loopback, just like on the server you configure 2.2.2.100 on the loopback.

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
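To make the advice in Paul's reply concrete, here is the client conn as originally posted next to the client and server conn sections that follow his corrections, using the addresses quoted in the thread. This is an added example, not a configuration from the thread or from the libreswan project; the auto= values, the file path /etc/ipsec.d/aws.conf and the ipsec.secrets selector line (indexed by the two IKE IDs) are assumptions, and the PSK is the constructed one from the thread.

```conf
# Added example, not from the thread or libreswan. Addresses are the ones
# quoted in the thread; auto=, the file path and the secrets selectors are
# assumptions.

# --- client, /etc/ipsec.d/aws.conf, as originally posted (does not work) ---
conn ipsec_aws
    authby=secret
    ikev2=no                    # IKEv1
    encapsulation=yes           # forced UDP encapsulation instead of autodetect
    right=2.2.2.100
    left=10.0.2.15              # pre-NAT DHCP address; changes and is not
                                # known to the server as an IKE ID

# --- client, /etc/ipsec.d/aws.conf, corrected per the reply ---
conn ipsec_aws
    authby=secret
    ikev2=yes
    encapsulation=auto          # AWS NATs the EIP; let NAT-T detection decide
    left=%defaultroute          # whatever address DHCP hands the client
    leftid=@client              # fixed IKE ID instead of the dynamic pre-NAT IP
    leftsubnet=100.64.64.64/32  # address assigned to the client on its lo
    right=2.2.2.100             # server EIP
    rightid=2.2.2.100
    rightsubnet=2.2.2.100/32    # EIP configured on the server's lo
    auto=start                  # assumption: client initiates at startup

# --- server, /etc/ipsec.d/aws.conf, corrected per the reply ---
conn ipsec_aws
    authby=secret
    ikev2=yes
    encapsulation=auto
    right=%defaultroute         # resolves to the instance's 172.31.16.205
    rightid=2.2.2.100           # but identifies itself as the EIP
    rightsubnet=2.2.2.100/32
    left=%any                   # client's public address is unknown/dynamic
    leftid=@client              # must match leftid on the client
    leftsubnet=100.64.64.64/32
    auto=add                    # assumption: server only responds

# --- both hosts, /etc/ipsec.secrets ---
# Assumption: the PSK is indexed by the two IKE IDs used above, so the
# lookup no longer depends on either side's (NATed or dynamic) IP address.
@client 2.2.2.100 : PSK "abcdefghijklmnopqrstuvwxyz0123456789"
```

Before starting the tunnel, add the tunnel endpoints to the loopbacks as the reply describes: on the server "ip addr add 2.2.2.100/32 dev lo" (the wiki's lo:elastic label is optional) and on the client "ip addr add 100.64.64.64/32 dev lo". Traffic is only protected when it matches the leftsubnet/rightsubnet pair, so test from the client with a ping sourced from 100.64.64.64 to 2.2.2.100 (ping -I 100.64.64.64 2.2.2.100) and confirm with "ipsec status" that the connection is established and with "ip xfrm policy" that a policy for 100.64.64.64/32 to 2.2.2.100/32 exists; a ping sourced from 10.0.2.15 will bypass the tunnel entirely, which is the symptom to look for if it seems to "work" without IPsec.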
