[Swan] What's a "usable" IP?

Duncan Stokes duncan.stokes at eyemagnet.com
Tue Sep 12 00:47:41 UTC 2017


On 12 September 2017 at 10:47, Paul Wouters <paul at nohats.ca> wrote:

> On Tue, 12 Sep 2017, Duncan Stokes wrote:
>
>>> I've added the elastic IP to lo on the AWS instance.
>>
>> To confirm this: you have bound the (public) elastic IP to the lo
>> interface of the AWS instance?  I have never heard of this requirement it
>> is certainly not required -
>> and in fact might well be a contributing factor to the problem.
>>
>
> How else are you going to send packets with that source IP?
>
> the alternative is to use the pre-NAT IP, but the remote end
> might not like it, have conflicts, etc etc. By doing the
> elastic IP on loopback, the NAT is really just a NAT between
> the machines, and no pre-NAT IPs are visible anywhere.
>
>> One of our AWS end configs (sanitised) below:
>> conn ipsec-tunnel-00
>>     type=tunnel
>>     authby=secret
>>     left=%defaultroute
>>     leftid=<elastic IP of instance NOT bound anywhere on instance>
>>     leftnexthop=%defaultroute
>>     leftsubnet=<instance subnet>
>>     leftsourceip=<instance eth0 ipv4 addr>
>>     right=<remote target public IP addr>
>>     rightsubnets=<target subnet>
>>     ....
>>
>
> Ahh you are building a site-to-site tunnel that does not involve the
> elastic IP itself. Yes binding the elastic IP is only needed if you
> build a tunnel from outside of AWS with destination ONLY the elastic IP.
>
Well, it does involve the EIP, but only as the right= IP in the config at
the other end, i.e.: the tunnel target address that then gets NAT'd into
the instance.

If you want to restrict traffic from only your instance, set your config
leftid as the EIP, set the leftsubnet as a /32, and the leftsourceip as the
ipv4 of the instance.

NB: I see at the end of my excerpt that I didn't tidy up the rightsubnets
properly... as the config I copied I had a comma-delimited list of right
subnets.  If there's only one, drop the pluralisation.

Regards,
Duncan.
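The pattern described in this thread (left=%defaultroute with leftid set to the elastic IP, leftsourceip set to the instance's eth0 address, a /32 leftsubnet when only the instance itself should be reachable, and rightsubnet rather than rightsubnets when there is a single remote subnet) can be checked mechanically before a config is deployed. The following script is an added example written for this page; it is not Libreswan code and not part of the thread. It assumes a plain ipsec.conf-style key=value conn block, treats the RFC 1918 ranges as "instance side" addresses, and uses constructed documentation-range addresses as sample data.

```python
import ipaddress
import re

# Constructed sample conn in the shape discussed on the list.
# Addresses are documentation ranges, not a real deployment.
SAMPLE_CONF = """\
conn ipsec-tunnel-00
    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=203.0.113.10
    leftnexthop=%defaultroute
    leftsubnet=10.0.1.25/32
    leftsourceip=10.0.1.25
    right=198.51.100.7
    rightsubnets={192.168.10.0/24}
"""

# AWS VPC addresses come from these ranges; an elastic IP never does.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_conns(text):
    """Parse 'conn NAME' sections of an ipsec.conf-style text into
    {name: {key: value}}. Handles only the simple indented key=value form."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if current is not None and line[0].isspace() and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def check_aws_nat_conn(conn, restrict_to_instance=False):
    """Return findings for a conn that runs on an instance whose public
    address is a 1:1 NAT (elastic IP) of its eth0 address.
    An empty list means the conn follows the pattern from the thread."""
    findings = []
    leftid = conn.get("leftid")
    if conn.get("left") == "%defaultroute" and not leftid:
        findings.append("left=%defaultroute behind NAT: set leftid to the elastic IP "
                        "so the peer can identify this end")
    if leftid:
        try:
            ip = ipaddress.ip_address(leftid)
            if any(ip in n for n in RFC1918):
                findings.append(f"leftid={leftid} is an RFC 1918 address; "
                                "the peer expects the public (elastic) IP")
        except ValueError:
            pass  # non-address IDs such as @fqdn are outside this check

    src, subnet = conn.get("leftsourceip"), conn.get("leftsubnet")
    if src and subnet:
        src_ip = ipaddress.ip_address(src)
        net = ipaddress.ip_network(subnet, strict=False)
        if src_ip not in net:
            findings.append(f"leftsourceip={src} is outside leftsubnet={subnet}")
        # "Only this instance" means a host route, i.e. a /32.
        if restrict_to_instance and net.prefixlen != net.max_prefixlen:
            findings.append(f"leftsubnet={subnet} admits more than the instance; "
                            f"use {src}/{net.max_prefixlen} to restrict to this host")

    subs = conn.get("rightsubnets")
    if subs:
        # Accept both the braced space-separated form and a comma list.
        entries = [s for s in subs.strip("{}").replace(",", " ").split() if s]
        if len(entries) == 1 and "rightsubnet" not in conn:
            findings.append("rightsubnets= lists a single subnet; use rightsubnet= instead")
    return findings


if __name__ == "__main__":
    for name, conn in parse_conns(SAMPLE_CONF).items():
        for f in check_aws_nat_conn(conn, restrict_to_instance=True):
            print(f"{name}: {f}")
```

Run against the sample, the only finding is the single-entry rightsubnets= that the NB above mentions; loosening leftsubnet to the whole VPC subnet while asking for restrict_to_instance=True produces the /32 finding instead.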