[Swan] What's a "usable" IP?
Paul Wouters
paul at nohats.ca
Mon Sep 11 22:47:26 UTC 2017
On Tue, 12 Sep 2017, Duncan Stokes wrote:
> > I've added the elastic IP to lo on the AWS instance.
>
> To confirm this: you have bound the (public) elastic IP to the lo interface of the AWS instance? I have never heard of this requirement; it is certainly not required -
> and in fact might well be a contributing factor to the problem.
How else are you going to send packets with that source IP?
The alternative is to use the pre-NAT IP, but the remote end
might not like it, have conflicts, etc. By putting the
elastic IP on loopback, the NAT is really just a NAT between
the machines, and no pre-NAT IPs are visible anywhere.
> One of our AWS end configs (sanitised) below:
> conn ipsec-tunnel-00
>     type=tunnel
>     authby=secret
>     left=%defaultroute
>     leftid=<elastic IP of instance NOT bound anywhere on instance>
>     leftnexthop=%defaultroute
>     leftsubnet=<instance subnet>
>     leftsourceip=<instance eth0 ipv4 addr>
>     right=<remote target public IP addr>
>     rightsubnets=<target subnet>
>     ....
Ahh, you are building a site-to-site tunnel that does not involve the
elastic IP itself. Yes, binding the elastic IP is only needed if you
build a tunnel from outside of AWS with destination ONLY the elastic IP.
Paul