[Swan] Setting up Libreswan with AWS server

Paul Wouters paul at nohats.ca
Wed Mar 25 02:47:32 UTC 2020


On Tue, 24 Mar 2020, Mattias Mattsson wrote:

> Thanks to Nick for your response, I had missed that part of the libreswan wiki. I have been reading through the Amazon EIP section
> https://libreswan.org/wiki/Interoperability#The_elastic_IP_and_the_RFC1918_native_IP_address
> and tried to follow the instructions there but I'm not able to make this work. It is not clear to me from the wiki configuration examples how to map the public and private addresses for the client PC and the AWS instance to IPsec configuration.
>
> I added the EIP to my AWS instance's lo interface using the provided command:
> ip addr add a.b.c.d/32 dev lo:elastic
> and added the EIP to the subnet but I think I don't have the correct ipsec.conf setup.
>
> If my addresses are:
> Client private address = 10.0.2.15
> Client public address  = 1.1.1.100
> Server public address  = 2.2.2.100
> Server private address = 172.31.16.205
> And I use left for client and right for server I have the following configuration files

Note that it depends on what you _want_ to do. For example, usually the
client private address is dynamic if the host is behind NAT. Also, the
server private IP address could be dynamic-ish or static. The most
stable solution is to use the server public IP address and a statically
assigned (by you) client private address. So in my example, I will
use 100.64.64.64/32 as the IP address we give the client, so we will
be building an IPsec tunnel from 100.64.64.64/32 to 2.2.2.100/32.

> Client
>
> 0.0.0.0 %any : PSK "abcdefghijklmnopqrstuvwxyz0123456789"
>
> config setup
>   protostack=netkey
>
> conn ipsec_aws
>   authby=secret
>   encapsulation=yes
>   right=2.2.2.100
>   left=10.0.2.15
>   ikev2=no

I recommend ikev2=yes. Also encapsulation=auto should work fine as AWS
does NAT, so let the autodetect handle all of that.

Now for left you want to use left=%defaultroute, so whatever IP you are
assigned by DHCP will just work. leftsubnet becomes 100.64.64.64/32, so
you end up on the client with:

 	right=2.2.2.100
 	rightid=2.2.2.100
 	rightsubnet=2.2.2.100/32
 	left=%defaultroute
 	leftid=@client
 	leftsubnet=100.64.64.64/32

We use a leftid=@client to give it the IKE ID string of "client" to
prevent it from picking up the IP address as ID, since then it would
use the dynamic pre-NAT IP and you don't want to configure that on the
server.

> Server

> conn ipsec_aws
>   authby=secret
>   encapsulation=yes
>   right=%defaultroute
>   rightid=2.2.2.100
>   rightsubnet=2.2.2.100/32
>   left=1.1.1.100
>   leftid=10.0.2.15
>   ikev2=no

The same for the ikev2/encapsulation options as on the client.
You are using right for the local server part, so your settings
there are correct. For the server you end up with:

 	right=%defaultroute
 	rightid=2.2.2.100
 	rightsubnet=2.2.2.100/32
 	left=%any
 	leftid=@client
 	leftsubnet=100.64.64.64/32

Then on the client you would also configure 100.64.64.64 on the
loopback, just like on the server you configure 2.2.2.100 on the
loopback.

Paul
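As an added example (not code from the thread or from the Libreswan project), the script below renders the two mirrored conn sections Paul ends up with, parses them back, and reports any negotiated setting (IDs, subnets, ikev2, authby) that differs between the ends, which is the kind of mismatch Mattias's original leftid=10.0.2.15 / ikev2=no server config would produce. The address values are the thread's own; the conn name and helper names are assumptions.

```python
# Added example, not from the thread or Libreswan: render the mirrored
# client/server conn sections Paul describes and check that they agree.
# Addresses come from the thread (the EIP and the static client address).
SERVER_PUBLIC = "2.2.2.100"     # EIP; also placed on the server's loopback
CLIENT_TUNNEL = "100.64.64.64"  # assigned by us; placed on the client's loopback
CLIENT_ID = "@client"           # IKE ID string so the pre-NAT IP is never used
COMMON = {
    "authby": "secret",
    "ikev2": "yes",           # rather than ikev2=no
    "encapsulation": "auto",  # AWS does NAT; let NAT-T autodetect handle it
}

def conn_section(name, side):
    """Render the conn block for 'client' or 'server'.

    right is the server and left is the client on BOTH hosts; only the
    local end becomes %defaultroute, and the server accepts the client
    from %any because it sits behind NAT with a dynamic address.
    """
    if side == "client":
        left, right = "%defaultroute", SERVER_PUBLIC
    elif side == "server":
        left, right = "%any", "%defaultroute"
    else:
        raise ValueError(f"unknown side {side!r}")
    opts = dict(COMMON, right=right, rightid=SERVER_PUBLIC,
                rightsubnet=f"{SERVER_PUBLIC}/32", left=left,
                leftid=CLIENT_ID, leftsubnet=f"{CLIENT_TUNNEL}/32")
    return f"conn {name}\n" + "".join(f"\t{k}={v}\n" for k, v in opts.items())

def parse_conn(text):
    """Turn a conn block back into a dict of option=value pairs."""
    opts = {}
    for line in text.splitlines()[1:]:
        key, _, value = line.strip().partition("=")
        if key:
            opts[key] = value
    return opts

def mismatches(client_text, server_text):
    """Negotiated settings that differ between the ends: IDs and subnets are
    what IKE compares, so any key returned here keeps the tunnel down."""
    c, s = parse_conn(client_text), parse_conn(server_text)
    keys = ("authby", "ikev2", "rightid", "rightsubnet", "leftid", "leftsubnet")
    return [k for k in keys if c.get(k) != s.get(k)]

def loopback_commands():
    """ip(8) commands that put each tunnel endpoint on its host's loopback."""
    return {"client": f"ip addr add {CLIENT_TUNNEL}/32 dev lo",
            "server": f"ip addr add {SERVER_PUBLIC}/32 dev lo:elastic"}
```

Run `conn_section("ipsec_aws", "client")` and `conn_section("ipsec_aws", "server")` to get the two blocks; `mismatches()` on them returns an empty list, while feeding it the original server conn flags ikev2, leftid and the missing subnet lines.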