I know the leftid parameter relates to certificates, which I am not using, but does it also relate to sending the right identity to the remote router? I assumed so based on this passage in the docs:
"how the left|right participant should be identified for authentication"

But after re-reading, it seems to just be for identifying the cert.

If I am reading your reply correctly, it seems you are getting this to work by not using an elastic IP, but just the public IP of your instance, then using a script to update it as needed. Maybe that’s the only way… I will try removing the elastic IP and seeing if the instance is aware of its own public IP, i.e., by looking in ifconfig, because the elastic IP certainly does not show up there.

- Matt

> On Nov 16, 2016, at 7:40 AM, Turbo Fredriksson <tu...@bayour.com> wrote:
>
> On 16 Nov 2016, at 05:27, Mathew Marulla <mat...@me.com> wrote:
>
>> Although I have read just about every tutorial and similar posting I can
>> find about running StrongSwan on an EC2 instance, I still can not seem to
>> get it to work.
>
> I’m doing the same thing, but I started “from scratch” (didn’t have any existing
> setup so this is the first setup).
>
> My ipsec.conf:
>
> —— s n i p ——
> config setup
>     uniqueids=no
>     strictcrlpolicy=no
>
> # NOTE: The 'leftid' must be present as a "Subject Alternative Name" in the cert!!
> conn %default
>     left=%ETH0%
>     leftid=vpn.domain.tld
>     leftcert=hostname.pem
>     leftsubnet=<VPC_CIDR>
>     leftfirewall=yes
>     leftsendcert=always
>     leftdns=%DNS%
>
>     rightdns=%DNS%
>
>     keyexchange=ikev2
>     dpdaction=clear
>     dpddelay=2400s
>     fragmentation=yes
>     forceencaps=yes
>     compress=yes
>
> ca domain
>     cacert=domain.tld.pem
>     auto=add
>
> conn client
>     leftsourceip=%ETH0%
>
>     right=%any
>     rightid=%any
>     rightsourceip=<VPN_CIDR>
>     rightauth=eap-mschapv2
>
>     eap_identity=%identity
>     type=tunnel
>     auto=add
> —— s n i p ——
>
> %ETH0% and %DNS% are changed by a script at boot (by first finding the IP of
> ‘eth0’ and the ’nameserver’ entry in resolv.conf) because EC2 instances use DHCP.
> So I’m not coding any ‘external’ IP (EIP), just the ‘internal’ (DHCP/private) one..
>
> I’m not, currently, using any (ELB) load balancers in front of StrongSWAN, but
> I might do that in the future. Maybe.
>
> I can authenticate and setup the route etc - I can access the ‘internal’ IP via the
> VPN just fine.
>
> I have yet to get access to the other VPCs over the VPN. I can access them
> if I first ssh into the VPN server and then ssh to a host in another VPC.
>
> This is done with VPC peering, but I had _assumed_ that that would work
> for VPN as well. But it’s not..
>
> I can’t access any other instance in the VPN VPC though.
>
> I’m pretty sure that has something to do with the routing table(s), but I haven’t
> had time to look into this. I’m pretty sure the StrongSWAN setup is working
> correctly though, I’m using the exact same setup at home and there everything
> works just fine.
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
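The boot-time substitution the quoted message describes (filling %ETH0% from the eth0 address and %DNS% from the first nameserver in resolv.conf) written out as an added POSIX shell example. This is not either poster's script: the template path is a hypothetical choice, the demo runs on constructed input only, and the public-IP lookup that Matt wants to check (the elastic IP never shows up on the interface because EC2 does the NAT outside the instance) assumes the instance metadata service is reachable with IMDSv1.

```shell
#!/bin/sh
# Added example, not from the thread: render ipsec.conf from a template whose
# %ETH0% and %DNS% placeholders are filled in at boot. Template path is a
# hypothetical choice for this example.
TEMPLATE="${TEMPLATE:-/etc/ipsec.conf.tmpl}"

# First IPv4 address on an interface (default eth0), prefix length stripped.
iface_ipv4() {
    ip -4 -o addr show dev "${1:-eth0}" 2>/dev/null \
        | awk '{ sub(/\/.*/, "", $4); print $4; exit }'
}

# First 'nameserver' entry of a resolv.conf-style file.
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "${1:-/etc/resolv.conf}"
}

# The public/elastic IP is never configured on the interface (EC2 translates it
# outside the instance), but the instance can learn it from the metadata service.
# Assumes IMDSv1 is enabled; prints nothing if the service is unreachable.
metadata_public_ipv4() {
    curl -fs --max-time 2 http://169.254.169.254/latest/meta-data/public-ipv4 2>/dev/null
}

# Replace %ETH0% and %DNS% in a template. awk -v avoids sed delimiter/escaping
# problems. Arguments: template file, eth0 address, DNS address.
render_template() {
    awk -v eth0="$2" -v dns="$3" \
        '{ gsub(/%ETH0%/, eth0); gsub(/%DNS%/, dns); print }' "$1"
}

# Self-contained demonstration on constructed input (no real system files read).
demo_render() {
    tmpl=$(mktemp) || return 1
    resolv=$(mktemp) || return 1
    cat >"$tmpl" <<'EOF'
conn %default
    left=%ETH0%
    leftdns=%DNS%
    rightdns=%DNS%
EOF
    printf 'search ec2.internal\nnameserver 10.0.0.2\n' >"$resolv"
    render_template "$tmpl" 10.0.1.25 "$(first_nameserver "$resolv")"
    rm -f "$tmpl" "$resolv"
}

# The real boot-time run would be:
#   render_template "$TEMPLATE" "$(iface_ipv4 eth0)" "$(first_nameserver)" > /etc/ipsec.conf
# followed by starting (or reloading) the strongSwan daemon.
```

Because the placeholders are plain tokens, the template keeps `%default`, `%any` and `%identity` untouched; only the two boot-dependent values change, so the rendered file can be diffed against the previous one to see whether DHCP handed out a different address or resolver after a reboot.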