[Swan] What's a "usable" IP?

Duncan Stokes duncan.stokes at eyemagnet.com
Mon Sep 11 20:49:29 UTC 2017


> Hi,
>
> Trying to connect an AWS instance (and its VPC) to a Linux firewall in our
> office, I'm sure I'm missing something obvious. But I can't find it
> documented anywhere obvious. I've used various *swans for years, from Linux
> to Ciscos. Now I'm trying to use Libreswan on both ends between an instance
> on a VPC on AWS and an Ubuntu box serving as a firewall in our office.

We're running an AWS instance to Cisco IPsec tunnel without issues.

> My config's based on the one here:
> https://libreswan.org/wiki/Interoperability.
>
> I've got UDP ports 4500 and 500 open on each end to the other's IP (by Group
> Policy on AWS, by FireHOL/iptables on the office box). Also added the
> office-side subnets to the Group Policy for AWS.
>
> I've got "ipsec verify" giving [OK] on everything on both ends.
>
> I've added the elastic IP to lo on the AWS instance.

To confirm this: you have bound the (public) elastic IP to the lo interface
of the AWS instance?  I have never heard of this requirement; it is
certainly not required, and in fact it might well be a contributing factor
to the problem.

> I've disabled the Source/Destination check on the AWS instance.
>
> Now I see with ipsec barf:
>
> First pluto complaining multiply:
>
>   We cannot identify ourselves with either end of this connection.
>   172.17.10.3 or xx.yy.zz.108 are not usable
>
> This is with xx.yy.zz.108 plainly available as an IP on a WAN interface. The
> other IP, on another interface, has no reference in the config.
>
> Then pluto advises:
>
>   packet from aa.bb.cc.245:500: initial Main Mode message received on
>   xx.yy.zz.108:500 but no connection has been authorized with policy
>   PSK+IKEV1_ALLOW
>
> Note that's saying the message has been received on the IP which is "not
> usable." I assume the connection has not been "authorized" because it was
> previously rejected as "unusable"?
>
> What are the criteria for "usable"?
>
> Thanks,
> Whit

One of our AWS end configs (sanitised) below:
conn ipsec-tunnel-00
    type=tunnel
    # pre-shared key; the key itself lives in ipsec.secrets
    authby=secret
    # left= is this instance: the address on the default-route interface
    # (the private VPC address). The elastic IP is never bound on the
    # instance itself, so it only appears as the IKE identity below.
    left=%defaultroute
    leftid=<elastic IP of instance NOT bound anywhere on instance>
    leftnexthop=%defaultroute
    leftsubnet=<instance subnet>
    # source address used for traffic the instance itself sends into the tunnel
    leftsourceip=<instance eth0 ipv4 addr>
    right=<remote target public IP addr>
    rightsubnets=<target subnet>
    ....

Good luck.

Regards,
Duncan.
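As an added example (not code from this thread or from libreswan itself), the following Python script models the orientation check behind the "are not usable" message. It parses a `conn` block, resolves `%defaultroute`, and treats an end as usable only when its host address is bound on a local interface. A constructed AWS conn that wrongly uses the elastic IP as `left=` is shown beside one that follows Duncan's pattern (`left=%defaultroute`, `leftid=<elastic IP>`). Assumptions: the simplified "bound locally" criterion stands in for pluto's real orient() logic, the addresses are RFC 5737 documentation addresses, and the local interface list is constructed.

```python
"""Toy model of libreswan's connection orientation (added example, not
libreswan code).  An end is "usable" here when its host address is bound
on a local interface; pluto's real orient() check is richer than this."""
import ipaddress
import re

# Constructed conn from an AWS instance that uses its elastic IP as left=.
# On AWS the EIP is 1:1 NAT and is never bound on the instance, so neither
# end matches a local address and pluto cannot orient the connection.
BAD_CONN = """\
conn aws-office
    type=tunnel
    authby=secret
    left=203.0.113.108
    leftsubnet=172.31.0.0/16
    right=198.51.100.245
    rightsubnets=10.20.0.0/16
"""

# Same conn written the way Duncan's sanitised config does it: left= is the
# private address via %defaultroute, and the EIP is only the IKE identity.
GOOD_CONN = """\
conn aws-office
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=203.0.113.108
    leftsubnet=172.31.0.0/16
    right=198.51.100.245
    rightsubnets=10.20.0.0/16
"""

# Constructed local view of the instance: eth0 carries only the VPC address.
LOCAL_ADDRS = {"172.31.5.17", "127.0.0.1"}
DEFAULT_ROUTE_ADDR = "172.31.5.17"


def parse_conn(text):
    """Parse one 'conn NAME' block into (name, {key: value})."""
    name, settings = None, {}
    for line in text.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"^\s+([A-Za-z]+)=(\S+)", line)
        if m:
            settings[m.group(1)] = m.group(2)
    if name is None:
        raise ValueError("no conn section found")
    return name, settings


def resolve_end(value, default_route_addr):
    """Resolve %defaultroute to its address; literal IPs pass through.
    Anything else (%any, hostnames) is not modelled and yields None."""
    if value == "%defaultroute":
        return default_route_addr
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        return None


def usable_ends(settings, local_addrs, default_route_addr):
    """Return the ends ('left'/'right') whose host address is bound locally."""
    ends = []
    for side in ("left", "right"):
        addr = resolve_end(settings.get(side, ""), default_route_addr)
        if addr in local_addrs:
            ends.append(side)
    return ends


def diagnose(conn_text, local_addrs, default_route_addr):
    """Orient the conn.  Returns (name, our_side, ike_id), where ike_id is the
    identity the peer must expect from us (leftid/rightid if set, else the
    address).  Raises with pluto's wording when neither end is usable."""
    name, settings = parse_conn(conn_text)
    ends = usable_ends(settings, local_addrs, default_route_addr)
    if not ends:
        left = resolve_end(settings.get("left", ""), default_route_addr)
        right = resolve_end(settings.get("right", ""), default_route_addr)
        raise ValueError(
            "We cannot identify ourselves with either end of this connection. "
            f"{left} or {right} are not usable")
    side = ends[0]
    ike_id = settings.get(side + "id") or resolve_end(settings[side], default_route_addr)
    return name, side, ike_id


if __name__ == "__main__":
    for label, conn in (("bad", BAD_CONN), ("good", GOOD_CONN)):
        try:
            print(label, diagnose(conn, LOCAL_ADDRS, DEFAULT_ROUTE_ADDR))
        except ValueError as err:
            print(label, "->", err)
```

With the good conn the instance orients as `left` and the identity it will present is the elastic IP, so the office end's `rightid=` must be that elastic IP while its `right=` is whatever public address the instance's packets actually arrive from.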