[Swan] libreswan on amazon web services to remote libreswan installation

Paul Wouters paul at nohats.ca
Thu Mar 5 20:12:58 EET 2015

On Thu, 5 Mar 2015, Aaron wrote:

> Hi, I'm looking to install libreswan on amazon web services and connect it to a remote installation of libreswan.  I have it working in a subnet on
> amazon web services between two instances, but not to a remote location.  I'm using NSS x509 keys not PSK.  I'm using a single network interface for
> my connections.  Anyone know of a working solution or have tips?  A few questions.  If I have a left=remoteip and right=awsip do I need a leftid and
> rightid defined as leftid at remoteip and right=@awsip ?  
> I see this guide here https://libreswan.org/wiki/Interoperability  but it doesn't use NSS certs.

If using two libreswan installs, just set the ids using
leftid=@something and rightid=@somethingelse

That avoids using or defaulting to IPs being used as IDs, which is trick
when NAT is involved (or when a remote endpoint is on dynamic IP)

Don't use leftid=@ipaddress, but use leftid=@somestring.

the left= and right= should be set by actual IPs used on the system
itself. So on the AWS node, use (if it is left) left=%defaultroute
so it works when you reboot the VM and get a new internal IP.
Use right=remotestaticip (or right=dns.name) on the AWS instance

On the side outside of AWS, use (again assuming aws was left)
right=remotestaticip and left=elasticip and the same leftid/rightid
as configured on amazon.


> Thanks, Aaron

More information about the Swan mailing list