[Swan] Setting up Libreswan with AWS server

Mattias Mattsson ratatosk71 at yahoo.com
Tue Mar 24 21:05:10 UTC 2020


I had not signed up to the list before emailing it so I couldn't figure out a way to respond to my thread. My apologies if this starts a new thread.

Thanks to Nick for your response, I had missed that part of the libreswan wiki. I have been reading through the Amazon EIP section
https://libreswan.org/wiki/Interoperability#The_elastic_IP_and_the_RFC1918_native_IP_address
and tried to follow the instructions there but I'm not able to make this work. It is not clear to me from the wiki configuration examples how to map the public and private addresses for the client PC and the AWS instance to IPsec configuration.

I added the EIP to my AWS instance's lo interface using the provided command:
ip addr add a.b.c.d/32 dev lo:elastic
and added the EIP to the subnet, but I think I don't have the correct ipsec.conf setup.

If my addresses are:
Client private address = 10.0.2.15
Client public address  = 1.1.1.100
Server public address  = 2.2.2.100
Server private address = 172.31.16.205
and I use left for the client and right for the server, I have the following configuration files.

Client

0.0.0.0 %any : PSK "abcdefghijklmnopqrstuvwxyz0123456789"

config setup
  protostack=netkey

conn ipsec_aws
  authby=secret
  encapsulation=yes
  right=2.2.2.100
  left=10.0.2.15
  ikev2=no

Server

0.0.0.0 %any : PSK "abcdefghijklmnopqrstuvwxyz0123456789"

config setup
  protostack=netkey

conn ipsec_aws
  authby=secret
  encapsulation=yes
  right=%defaultroute
  rightid=2.2.2.100
  rightsubnet=2.2.2.100/32
  left=1.1.1.100
  leftid=10.0.2.15
  ikev2=no

This allows the connection to establish and I can ssh from client to server and see the TCP SYN arrive at the server's public IP (2.2.2.100). I also have this IP on the local loopback interface as per the Libreswan wiki, but there is no response.
20:48:31.395514 IP 10.0.2.15.47876 > 2.2.2.100.22: Flags [S], seq 2963556783, win 64240, options [mss 1460,sackOK,TS val 2294014743 ecr 0,nop,wscale 7], length 0

My question is whether these ipsec.secrets and ipsec.conf files are correct for this setup. Is there something else that has to be configured on the AWS instance?

Any help is appreciated.

Thanks / Mattias
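As an added example (not part of the original post or of libreswan itself): libreswan is designed to use the same conn definition on both peers, working out which end it is by matching the left=/right= addresses against the local host, so a quick sanity check when a tunnel establishes but traffic does not flow is to diff the two peers' conn sections key by key. The script below parses both ipsec.conf files from the post (embedded here as sample input, taken verbatim from the message) and lists every parameter of the ipsec_aws conn that is set differently, or set on only one side, so the asymmetry can be reviewed before digging into packet captures. It does not read ipsec.secrets and does not judge which side is right; it only reports what differs.

```python
"""Compare the conn sections of two libreswan ipsec.conf files.

Added example, not from the mailing-list post or the libreswan project.
Assumption: both peers are meant to carry an identical conn definition
(left/right describe the same two hosts on both ends), so any key that
differs between the two files is worth a look.
"""
from typing import Dict, Optional, Tuple

ConfMap = Dict[str, Dict[str, str]]  # "conn <name>" / "config setup" -> {key: value}


def parse_ipsec_conf(text: str) -> ConfMap:
    """Parse the 'config setup' and 'conn <name>' sections of an ipsec.conf.

    Section headers start in column 0; parameters are indented key=value
    lines. '#' comments and blank lines are ignored. Unknown top-level
    lines end the current section and are skipped.
    """
    sections: ConfMap = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0] in ("config", "conn"):
                current = f"{parts[0]} {parts[1].strip()}"
                sections.setdefault(current, {})
            else:
                current = None
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def conn_differences(a: ConfMap, b: ConfMap, conn: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return {key: (value_in_a, value_in_b)} for every key of the named conn
    that is missing on one side or set to different values. None marks a
    key absent from that file."""
    sa = a.get(f"conn {conn}", {})
    sb = b.get(f"conn {conn}", {})
    diffs = {}
    for key in sorted(set(sa) | set(sb)):
        va, vb = sa.get(key), sb.get(key)
        if va != vb:
            diffs[key] = (va, vb)
    return diffs


# Sample input: the two ipsec.conf files from the post, reproduced verbatim.
CLIENT_CONF = """\
config setup
  protostack=netkey

conn ipsec_aws
  authby=secret
  encapsulation=yes
  right=2.2.2.100
  left=10.0.2.15
  ikev2=no
"""

SERVER_CONF = """\
config setup
  protostack=netkey

conn ipsec_aws
  authby=secret
  encapsulation=yes
  right=%defaultroute
  rightid=2.2.2.100
  rightsubnet=2.2.2.100/32
  left=1.1.1.100
  leftid=10.0.2.15
  ikev2=no
"""


def report(conn: str = "ipsec_aws") -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Parse both sample files and print the keys that differ for the conn."""
    diffs = conn_differences(parse_ipsec_conf(CLIENT_CONF), parse_ipsec_conf(SERVER_CONF), conn)
    if not diffs:
        print(f"conn {conn}: both files agree")
    for key, (client_val, server_val) in diffs.items():
        print(f"conn {conn}: {key}: client={client_val!r} server={server_val!r}")
    return diffs


if __name__ == "__main__":
    report()
```

Run as-is it prints the five keys (left, leftid, right, rightid, rightsubnet) on which the two files in the post disagree; to use it on real files, replace the two embedded strings with the contents of each peer's /etc/ipsec.conf.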

