[Swan] What's a "usable" IP?

Whit Blauvelt whit at transpect.com
Mon Sep 11 03:18:01 UTC 2017


Hi,

Trying to connect an AWS instance (and its VPC) to a Linux firewall in our
office, I'm sure I'm missing something obvious. But I can't find it
documented anywhere obvious. I've used various *swans for years, from Linux
to Ciscos. Now I'm trying to use Libreswan on both ends between an instance
on a VPC on AWS and an Ubuntu box serving as a firewall in our office.

My config's based on the one here:
https://libreswan.org/wiki/Interoperability.

I've got UDP ports 4500 and 500 open on each end to the other's IP (by Group
Policy on AWS, by FireHOL/iptables on the office box). Also added the
office-side subnets to the Group Policy for AWS.

I've got "ipsec verify" giving [OK] on everything on both ends.

I've added the elastic IP to lo on the AWS instance.

I've disabled the Source/Destination check on the AWS instance.

Now I see with ipsec barf:

First pluto complaining multiply:

  We cannot identify ourselves with either end of this connection.  172.17.10.3 or xx.yy.zz.108 are not usable

This is with xx.yy.zz.108 plainly available as an IP on a WAN interface. The
other IP, on another interface, has no reference in the config.

Then pluto advises:

  packet from aa.bb.cc.245:500: initial Main Mode message received on xx.yy.zz.108:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW

Note that's saying the message has been received on the IP which is "not
usable." I assume the connection has not been "authorized" because it was
previously rejected as "unusable"?

What are the criteria for "usable"?

Thanks,
Whit
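An added example, not code from the post or from libreswan, of the check that produces the "not usable" message: pluto will only treat a connection as identifying this host if either left= or right= matches an address of an interface it listens on. On a NAT'd host such as an AWS instance the interface carries the private address, so the public (elastic) address belongs in leftid= rather than left=. The `ip -o -4 addr` text, the conn section, the addresses 203.0.113.108 / 198.51.100.245 (documentation placeholders standing in for the masked xx.yy.zz.108 / aa.bb.cc.245), the assumption that loopback addresses do not count, and the assumption that left= is this host's side are all constructed for the example.

```python
"""Check whether a libreswan conn has a 'usable' local end.

Added example, not code from the post or from libreswan. pluto must find
either left= or right= among the addresses of the interfaces it listens
on; on a NAT'd host such as an AWS instance the interface carries the
private address, so the public (elastic) address belongs in leftid=,
not in left=. Assumption: loopback addresses are not counted as usable.
"""
import re
from ipaddress import ip_address

# Constructed sample of `ip -o -4 addr` output on an AWS instance.
SAMPLE_IP_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 172.17.10.3/24 brd 172.17.10.255 scope global eth0\\       valid_lft forever preferred_lft forever
"""

# Constructed conn section; 203.0.113.108 and 198.51.100.245 are placeholder
# documentation addresses standing in for the post's masked xx.yy.zz.108 / aa.bb.cc.245.
SAMPLE_CONF_BAD = """\
conn office
    left=203.0.113.108
    leftsubnet=172.17.10.0/24
    right=198.51.100.245
    rightsubnet=10.1.0.0/16
    authby=secret
"""


def local_addresses(ip_addr_output, include_loopback=False):
    """Return the set of IPv4 addresses found in `ip -o -4 addr` text."""
    addrs = set()
    for line in ip_addr_output.splitlines():
        m = re.search(r"\binet (\d+\.\d+\.\d+\.\d+)/\d+", line)
        if not m:
            continue
        addr = ip_address(m.group(1))
        # Assumption: an address on lo is not one pluto will use.
        if addr.is_loopback and not include_loopback:
            continue
        addrs.add(str(addr))
    return addrs


def parse_conn(conf_text):
    """Parse a single 'conn NAME' block into a dict of key=value options."""
    opts = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        key, _, value = line.partition("=")
        opts[key.strip()] = value.strip()
    return opts


def usable_ends(opts, addrs):
    """Which of left/right names an address this host actually has."""
    return {side: opts.get(side) in addrs for side in ("left", "right")}


def diagnose(conf_text, ip_addr_output):
    """Mimic the 'usable' check and, behind NAT, suggest the left/leftid split.

    Assumption: left= is meant to be this host's side of the tunnel.
    """
    opts = parse_conn(conf_text)
    addrs = local_addresses(ip_addr_output)
    ends = usable_ends(opts, addrs)
    if any(ends.values()):
        return {"usable": True, "ends": ends, "suggestion": None}
    suggestion = None
    if len(addrs) == 1:
        # One non-loopback address: put it in left= and keep the public
        # address as the identity pluto presents to the peer.
        private = next(iter(addrs))
        suggestion = {"left": private, "leftid": opts.get("left")}
    return {"usable": False, "ends": ends, "suggestion": suggestion}


if __name__ == "__main__":
    print(diagnose(SAMPLE_CONF_BAD, SAMPLE_IP_ADDR))
```

Run against the constructed sample, the report shows neither end as usable and suggests left=172.17.10.3 with leftid=203.0.113.108; the same check passes once left= names the interface address.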

