Not sure what your config is, but in our AWS deployments of Strongswan, we set

left = the IP address of the instance within the VPC (the address assigned to the interface)
leftid = the Elastic IP

Make sure your Security Groups reflect UDP 500 and 4500 from the remote IP as it will try and use NAT-T (or should). Works like a champ.

EKG

> On Sep 22, 2017, at 10:03 AM, Whit Blauvelt <w...@transpect.com> wrote:
>
> On Thu, Sep 21, 2017 at 11:50:43PM +0200, Noel Kuntze wrote:
>> 1. Always provide all the information that is listed on the HelpRequests[1]
>> page when you want something solved
>
> Thanks for the reference. Hadn't seen that page.
>
>> 2. Read your damn logs, they tell you what's wrong.
>
> Did, and they don't. Perhaps I have to set a log level higher somewhere?
>
>> 3.
>>> Listening IP addresses:
>>> 172.18.30.93
>>> 172.18.14.157
>>> 10.60.30.1
>>> Connections:
>>> ny2or: ela.sti.cip.245...pub.lic.ip.108 IKEv2
>> [...]
>>> Security Associations (0 up, 1 connecting):
>>> ny2or[1]: CONNECTING, ela.sti.cip.245[%any]...pub.lic.ip.108[%any]
>>
>> No ela.sti.cip.245 IP on this host, so you obviously can't send any
>> packets from that IP address. charon likely logs error -22 when trying to
>> send the packets. Do not set left. charon can figure out the right IP by
>> itself.
>
> First I tried setting that to the LAN IP which connects to the elastic IP,
> but that didn't work either; failed in just the same way. Also, the elastic
> IP set does exist on the VM, as it's been assigned as an alias to lo (a
> trick the libreswan people recommend).
>
>> In any case, do not use tutorials from other sites. Always use the ones on
>> the wiki. They are actually maintained, "good" and you have someone to
>> complain about the quality and errors. You can even fix them yourself, if
>> you have a wiki account (or register for one).
>
> That's just wrong. The wiki was the first place I looked. See
> https://wiki.strongswan.org/projects/strongswan/wiki/AwsVpc, which says "DO
> NOT USE - ANCIENT ARTICLE." Since this is the first thing found by Google on
> putting in pertinent terms, if there's another article on the site which is
> current, please point me towards it, and I'll add a cross-reference on that
> wiki page.
>
> Best,
> Whit
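An ipsec.conf excerpt illustrating the left/leftid split EKG describes, beside the left=Elastic-IP setting visible in Whit's status output. This is an added illustration, not configuration from either poster; it reuses the thread's placeholder addresses and the conn name ny2or, and omits authentication and subnet settings, which depend on the deployment.

```ini
# Added illustration (not from the thread). Addresses are the thread's own
# placeholders; "ny2or" is the conn name from the posted status output.
# The two conn blocks are alternatives and are not meant to coexist.

# As seen in the status output: left set to the Elastic IP. charon binds its
# IKE socket to "left"; if that address is not configured on the host, it
# cannot source packets from it, which is the failure Noel describes
# (SA stuck in CONNECTING, "0 up, 1 connecting").
conn ny2or
    left=ela.sti.cip.245
    right=pub.lic.ip.108
    keyexchange=ikev2

# EKG's recommendation: bind to the VPC-private address on the instance's
# interface and present the Elastic IP as the identity the peer expects.
# AWS does 1:1 NAT for the Elastic IP, so charon detects NAT during the
# IKE exchange and moves to UDP 4500 (NAT-T); the Security Group must
# allow UDP 500 and 4500 from the peer's public address.
conn ny2or
    left=172.18.30.93           # private address from "Listening IP addresses"
    leftid=ela.sti.cip.245      # Elastic IP, as the peer sees this endpoint
    right=pub.lic.ip.108
    rightid=pub.lic.ip.108
    keyexchange=ikev2
    # authentication (PSK or certificates) and leftsubnet/rightsubnet are
    # deployment-specific and intentionally omitted here
```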