[Swan] What's a "usable" IP?

Whit Blauvelt whit at transpect.com
Mon Sep 11 13:30:17 UTC 2017


Hi Roberto,

Thanks for the reply and report. I've simplified to nearly exactly what you
have:

# /etc/ipsec.conf on Amazon EC2 instance
version 2.0 

config setup
     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8
     protostack=netkey

conn amazonwest
     authby=secret
     auto=start
     encapsulation=yes
     leftid=<amazon eid>
     left=%defaultroute
     right=<a public IP at office>

I've also tried adding "type=transport" per your example.

Yet I get:

  Sep 11 09:26:40 nyfw1 pluto[30308]: "amazonwest": We cannot identify ourselves with either end of this connection.  172.17.10.3 or <the public IP> are not usable

  Sep 11 09:26:41 nyfw1 pluto[30308]: packet from <EID>:500: initial Main Mode message received on <the public IP>:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW

There's an ambiguity in the error report. Does "or" mean they're both not
usable (that is, should it be "and"), or that just one of them is unusable?

This is with libreswan-3.21, built from tar, since Ubuntu has gone to
Strongswan, yet my past experience with Openswan was good.

This is a firewall with multiple public IPs per WAN interface. But so is an
older system here running Openswan and connecting to a Cisco just fine, with
the interface configuration quite similar. Makes me wonder if pluto's
conclusion that the public IP assigned for IPsec is not usable is correct,
or whether pluto's acquired a bug.

Best,
Whit


On Mon, Sep 11, 2017 at 09:40:08AM +0200, Roberto Suárez Soto wrote:
> On 11/09/17 at 05:18, Whit Blauvelt wrote:
> 
>     Trying to connect an AWS instance (and its VPC) to a Linux firewall in our
>     office, I'm sure I'm missing something obvious. But I can't find it
>     documented anywhere obvious. I've used various *swans for years, from Linux
>     to Ciscos. Now I'm trying to use Libreswan on both ends between an instance
>     on a VPC on AWS and an Ubuntu box serving as a firewall in our office.
> 
> 
>     Just as my 2 cents, I'm using this configuration to establish a VPN between
> an Ubuntu AWS instance and a Linux firewall running Ubuntu too (sorry for the
> pun):
> 
> conn myvpn
>         rightid=Y.Y.Y.Y
>         right=%defaultroute
>         left=X.X.X.X
>         authby=secret
>         type=transport
>         auto=start
> 
>     Where "Y.Y.Y.Y" is the EIP associated to the instance, and "X.X.X.X" the
> remote peer address. I didn't have to add the EIP to lo, or anything fancy.
> This is the same case as in any VPN established from a NAT-ed device.
> 
>     This may not be the same case as yours: I'm using OpenSwan on both ends,
> and this is a transport connection, not a "lan to lan" one (i.e., no "subnet"
> in either end). But AFAIK, you don't need anything else but "right" and
> "rightid" (or "left" and "leftid") to make it work.
> 
>     Regards,
> 
> --
> Roberto Suárez Soto
> Allenta Consulting (+34 881 922 600)
> ISO 9001, ISO 14001, ISO 27001, EMAS
> Privacidad / Privacy
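Added example, not from either poster: a small POSIX sh script that reproduces the check behind pluto's "We cannot identify ourselves with either end of this connection" message as I read it, namely whether the left= or right= host address is actually configured on a local interface (libreswan's orient step), with %defaultroute resolved the way a practitioner would check it by hand. It also carries a constructed ipsec.conf showing the NAT-ed instance pattern from Roberto's reply (private address in left=, EIP in leftid=). All addresses, the conn name and the function names are constructed placeholders, not the ones in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the orientation check behind
# pluto's "... or ... are not usable": pluto orients a conn by finding left= or
# right= on a local interface. Addresses below are constructed placeholders.

# Write a constructed ipsec.conf for an EC2 instance behind 1:1 NAT (EIP):
# left= is the private interface address, leftid= is the EIP the peer sees.
sample_conf() { # FILE
    cat > "$1" <<'EOF'
# constructed example, not a real site configuration
config setup
     protostack=netkey

conn ec2-to-office
     authby=secret
     auto=start
     left=172.31.4.10
     leftid=203.0.113.10
     right=198.51.100.7
     rightid=198.51.100.7
EOF
}

# Print the value of KEY inside "conn NAME" in FILE (first match only).
conn_value() { # NAME KEY FILE
    awk -v conn="$1" -v key="$2" '
        /^conn[ \t]+/ { in_conn = ($2 == conn); next }
        /^[^ \t#]/    { in_conn = 0 }
        in_conn && index($1, key "=") == 1 { print substr($1, length(key) + 2); exit }
    ' "$3"
}

# IPv4 addresses configured on this host, one per line (needs iproute2).
local_addrs() {
    ip -4 -o addr show 2>/dev/null | awk '{ sub("/.*", "", $4); print $4 }'
}

# Resolve %defaultroute to the source address of the default route;
# any other value is returned unchanged.
resolve_end() { # ADDR
    if [ "$1" = "%defaultroute" ]; then
        ip -4 route get 192.0.2.1 2>/dev/null |
            awk '{ for (i = 1; i < NF; i++) if ($i == "src") print $(i + 1) }'
    else
        printf '%s\n' "$1"
    fi
}

# Echo "left", "right" or "none" depending on which end is a local address.
# ADDRS is a whitespace-separated list, normally "$(local_addrs)".
orient() { # LEFT RIGHT ADDRS
    for a in $3; do
        [ "$a" = "$1" ] && { echo left;  return 0; }
        [ "$a" = "$2" ] && { echo right; return 0; }
    done
    echo none
    return 1
}

# Check one conn in an ipsec.conf and report the result in pluto's terms.
check_conn() { # NAME FILE
    left=$(resolve_end "$(conn_value "$1" left "$2")")
    right=$(resolve_end "$(conn_value "$1" right "$2")")
    side=$(orient "$left" "$right" "$(local_addrs)")
    case $side in
        left)  echo "\"$1\": oriented, left=$left is on a local interface" ;;
        right) echo "\"$1\": oriented, right=$right is on a local interface" ;;
        *)     echo "\"$1\": $left or $right are not usable (neither is local)"; return 1 ;;
    esac
}

# Usage on a host: check_conn amazonwest /etc/ipsec.conf
```

If check_conn reports "not usable", compare the two addresses it printed against `ip -4 -o addr show`: a public address that only exists as a 1:1 NAT mapping (an EIP) will never be on an interface, so it belongs in leftid=/rightid=, while left=/right= must carry an address the kernel actually owns or %defaultroute.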
