Sorry Matthew, typo. I meant natting host.
https://wiki.strongswan.org/projects/strongswan/wiki/NatTraversal
http://serverfault.com/questions/575815/strongswan-setup-where-both-sides-are-behind-nat

I think from these you can extrapolate.

On 11/16/2016 09:48 AM, Mathew Marulla wrote:
> Bruce -
>
> Not sure what you mean by “netting host”. Can you be more specific or point
> me to a link?
>
> - Matt
>
>
>> On Nov 16, 2016, at 12:34 AM, Bruce Ferrell <[email protected]> wrote:
>>
>> Try setting it up as if the AWS instance is a netting host
>>
>> On 11/15/2016 09:27 PM, Mathew Marulla wrote:
>>> First some background…
>>>
>>> Our current installation is using ipsec-tools/racoon running on a CentOS
>>> server at Rackspace to establish two VPN tunnels to hardware routers at
>>> remote installations. 146.x.x.x is a Cisco 2500 and 2.x.x.x is a Comtrend
>>> VG-8050. Both remote locations have several servers in subnets that talk
>>> over the VPN (10.2.2.x in one location and 10.2.3.x in the other), but they
>>> only need to talk to the local server that is running the VPN, so no local
>>> subnet, just one server (184.x.x.x). We’ve been running this successfully
>>> for several years.
>>>
>>> We are now moving the local installation to AWS and updating lots of
>>> infrastructure. The local server is now running Ubuntu 14.04 and
>>> StrongSwan 5.5.1. It is behind an elastic IP (52.x.x.x). The remote
>>> installations and hardware have not changed, other than adding the new
>>> VPNs to the 52.x.x.x server. We still don’t need to have a local subnet,
>>> but you will see one in the config below - I’ve tried almost everything.
>>>
>>> Although I have read just about every tutorial and similar posting I can
>>> find about running StrongSwan on an EC2 instance, I still cannot seem to
>>> get it to work.
>>>
>>> Here are the config files (private info and public IPs edited out):
>>>
>>> strongswan.conf
>>>
>>>> charon {
>>>>     load_modular = yes
>>>>     plugins {
>>>>         include strongswan.d/charon/*.conf
>>>>     }
>>>> }
>>>>
>>>> include strongswan.d/*.conf
>>>
>>> ipsec.conf
>>>
>>>> config setup
>>>>     strictcrlpolicy=no
>>>>     charondebug=all
>>>>
>>>> conn %default
>>>>     ikelifetime=1h
>>>>     lifetime=1h
>>>>     authby=psk
>>>>     auto=start
>>>>
>>>> conn xxxxx
>>>>     left=172.30.0.9
>>>>     leftid=52.x.x.x
>>>>     leftsubnet=172.30.0.0/16
>>>>     leftauth=psk
>>>>     right=2.x.x.x
>>>>     rightsubnet=10.2.2.0/24
>>>>     rightauth=psk
>>>>     ike=aes128-sha1-modp1024!
>>>>     esp=aes128-sha1-modp1024!
>>>>     aggressive=no
>>>
>>> When I try to run ipsec, I get this:
>>>
>>>> Starting strongSwan 5.5.1 IPsec [starter]...
>>>> 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 3.13.0-74-generic, x86_64)
>>>> 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
>>>> 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
>>>> 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
>>>> 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
>>>> 00[CFG] loading crls from '/etc/ipsec.d/crls'
>>>> 00[CFG] loading secrets from '/etc/ipsec.secrets'
>>>> 00[CFG]   loaded IKE secret for 2.x.x.x
>>>> 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
>>>> 00[JOB] spawning 16 worker threads
>>>> charon (4321) started after 20 ms
>>>> 08[CFG] received stroke: add connection 'xxxxx'
>>>> 08[CFG] added configuration 'xxxxx'
>>>> 11[CFG] received stroke: initiate 'xxxxx'
>>>> 11[IKE] initiating IKE_SA xxxxx[1] to 2.x.x.x
>>>> 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
>>>> 11[NET] sending packet: from 172.30.0.9[500] to 2.x.x.x[500] (336 bytes)
>>>> 15[IKE] retransmit 1 of request with message ID 0
>>>> 15[NET] sending packet: from 172.30.0.9[500] to 2.x.x.x[500] (336 bytes)
>>>> 15[IKE] retransmit 2 of request with message ID 0
>>>> etc…
>>>
>>> I believe it is not connecting because the remote router is seeing a
>>> non-routable IP, that is, the private IP of the local server (172.30.0.9).
>>> I was under the impression that the leftid parameter would be sent so the
>>> remote router would see the elastic IP. That does not seem to be happening.
>>>
>>> Of course, if I put the elastic IP in the left parameter, I get nothing but
>>> socket errors since the EC2 instance doesn’t know about it. I even put the
>>> elastic IP in at localhost in its /etc/hosts file, but no difference.
>>>
>>> Other info:
>>>
>>> Ports 500 and 4500 are open to the remote routers in the EC2 security group.
>>> net.ipv4.ip_forward is set on.
>>> IPTables is not running.
>>> Source/Dest check for this instance is set off in AWS.
>>>
>>> Any ideas? ‘Cause I’m almost out!
>>>
>>> - Matt
>>>
>>>
>>>
>>> _______________________________________________
>>> Users mailing list
>>> [email protected]
>>> https://lists.strongswan.org/mailman/listinfo/users
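An added example, not from the thread or from the strongSwan project: a small Python triage helper for the two facts the discussion turns on, whether the initiator sits behind NAT (private `left` address, public `leftid`) and whether the IKE_SA_INIT request ever got a reply. The sample config and log are constructed from the quoted ipsec.conf and charon output, with the masked x.x.x octets replaced by placeholder addresses (an assumption, not real hosts).

```python
import ipaddress
import re

# Constructed from the ipsec.conf in the post; placeholder addresses stand in
# for the masked x.x.x octets (assumption, not real hosts).
SAMPLE_CONF = """\
conn xxxxx
    left=172.30.0.9
    leftid=52.0.0.1
    leftsubnet=172.30.0.0/16
    right=2.0.0.1
    rightsubnet=10.2.2.0/24
"""

# Constructed from the charon log in the post (same placeholder addresses).
SAMPLE_LOG = """\
11[IKE] initiating IKE_SA xxxxx[1] to 2.0.0.1
11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
11[NET] sending packet: from 172.30.0.9[500] to 2.0.0.1[500] (336 bytes)
15[IKE] retransmit 1 of request with message ID 0
15[NET] sending packet: from 172.30.0.9[500] to 2.0.0.1[500] (336 bytes)
15[IKE] retransmit 2 of request with message ID 0
"""

def parse_conn(conf):
    """Collect the key=value options of a conn section into a dict."""
    return dict(re.findall(r"^\s*(\w+)=(\S+)", conf, re.MULTILINE))

def behind_nat(opts):
    """True when the local socket address is private (RFC 1918) but leftid
    is a public address: the initiator is behind NAT and relies on NAT-T."""
    left = ipaddress.ip_address(opts["left"])
    leftid = ipaddress.ip_address(opts["leftid"])
    return left.is_private and not leftid.is_private

def diagnose_log(log):
    """Classify the IKE_SA_INIT exchange from charon's log lines.
    Returns (verdict, retransmit_count, nat_detection_offered)."""
    retransmits = nat_offered = 0
    answered = False
    for line in log.splitlines():
        if "generating IKE_SA_INIT request" in line:
            # NAT detection notifies are carried in the very first request.
            nat_offered = "N(NATD_S_IP)" in line and "N(NATD_D_IP)" in line
        elif re.search(r"retransmit \d+ of request with message ID 0", line):
            retransmits += 1
        elif "received packet:" in line or "IKE_SA_INIT response" in line:
            answered = True
    if answered:
        return "peer_answered", retransmits, nat_offered
    if retransmits:
        # Nothing came back for message ID 0. In IKEv2 the identity (leftid)
        # is only sent later, in IKE_AUTH, so this stage is not failing on
        # it: the request is not reaching a peer that answers on UDP/500.
        return "no_response_to_ike_sa_init", retransmits, nat_offered
    return "incomplete_log", retransmits, nat_offered
```

Run against the constructed inputs it reports a NAT layout and an unanswered IKE_SA_INIT, which narrows the search to reachability of UDP/500 between the peers rather than to the identity settings.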
