[Swan] IKEv2 roaming setup

Paul Wouters paul at nohats.ca
Fri Sep 22 01:02:20 UTC 2017


On Mon, 18 Sep 2017, Glenn Pierce wrote:

> So I am trying to implement
> https://libreswan.org/wiki/VPN_server_for_remote_clients_using_IKEv2

> I have an existing site to site vpn working fine and it looks like
>
> Site A  ->   Firewall With NAT  -> Site B
>
> Now we want some roaming employees to access site A by having a vpn
> login to Site B.
>
> My first question is
>
> The instructions above say the config variable left is an actual ip.
> Is the firewall address, as our SiteB does not have a public address?

It must be an actual IP on the machine. If you use %defaultroute as
value, it will pick up the IP address that is used for the default
route. If you do IDs based on IP, then you need to specify
leftid=PublicIP. But if you use certificates, you don't need that,
as the ID comes from the certificate.

> # The server's actual IP goes here - not elastic IPs
> left=1.2.3.4
>
> sorry not sure what elastic means here.

elastic IP is what Amazon calls the public IP they run as your "front
end". So it is "your public IP" but they NAT it to your private cloud
IP.

Paul
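The two identity choices Paul describes, written out as ipsec.conf fragments. This is an added example, not configuration from the thread or from the libreswan wiki page it links to; it assumes the server's private address is 10.0.0.5 (constructed), that the firewall's public address is the 1.2.3.4 quoted in the thread, and that the server certificate was imported into NSS under the constructed nickname "vpnserver". Only the left-side identity settings are shown; the address pool, peer authentication and DNS settings for the roaming clients come from the wiki page the thread refers to.

```ini
# Added example (not from the thread or the libreswan wiki).
# Assumptions (constructed): private address 10.0.0.5 on this host,
# public address 1.2.3.4 on the NAT firewall, NSS cert nickname "vpnserver".

# Variant 1: IP-based identity.
# left= must be an address on the machine itself; %defaultroute resolves
# to the address of the interface carrying the default route (10.0.0.5 here).
# Roaming peers see the firewall's public address after NAT, so leftid=
# must be set explicitly to that public IP or the peer's ID check fails.
conn roaming-ipid
    left=%defaultroute
    leftid=1.2.3.4
    leftsubnet=0.0.0.0/0
    right=%any
    ikev2=insist
    auto=add

# Variant 2: certificate-based identity.
# The ID is taken from the certificate, so no leftid= override for the NAT
# is needed; the private address picked by %defaultroute is fine as left=.
conn roaming-cert
    left=%defaultroute
    leftcert=vpnserver
    leftid=%fromcert
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    ikev2=insist
    auto=add
```

After loading either conn, `ipsec status` shows the resolved left address and the ID that will be sent to peers, which is the quickest way to confirm that %defaultroute picked the interface you expected and that the advertised ID matches what the roaming clients are configured to verify.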

