[Swan] Setting up Libreswan with AWS server

Mattias Mattsson ratatosk71 at yahoo.com
Thu Mar 26 20:32:01 UTC 2020


Thank you very much for the detailed information. This worked like a charm, I would not have gotten over this hurdle without your input.

Regards / Mattias

On Tuesday, March 24, 2020, 07:47:36 PM PDT, Paul Wouters <paul at nohats.ca> wrote: 

On Tue, 24 Mar 2020, Mattias Mattsson wrote:

> Thanks to Nick for your response, I had missed that part of the libreswan wiki. I have been reading through the Amazon EIP section
> https://libreswan.org/wiki/Interoperability#The_elastic_IP_and_the_RFC1918_native_IP_address
> and tried to follow the instructions there but I'm not able to make this work. It is not clear to me from the wiki configuration examples how to map the public and private addresses for the client PC and the AWS instance to IPsec configuration.
> I added the EIP to my AWS instance's lo interface using the provided command:
> ip addr add a.b.c.d/32 dev lo:elastic
> and added the EIP to the subnet but I think I don't have the correct ipsec.conf setup.
> If my addresses are:
> Client private address =
> Client public address  =
> Server public address  =
> Server private address =
> And I use left for client and right for server, I have the following configuration files

Note that it depends on what you _want_ to do. For example, usually the
client private address is dynamic if the host is behind NAT. Also, the
server private IP address could be dynamic-ish or static. The most
stable solution is to use the server public IP address and a statically
assigned (by you) client private address. So in my example, I will
use as the IP address we give the client, so we will
be building an IPsec tunnel from to

> Client
> %any : PSK "abcdefghijklmnopqrstuvwxyz0123456789"
> config setup
>   protostack=netkey
> conn ipsec_aws
>   authby=secret
>   encapsulation=yes
>   right=
>   left=
>   ikev2=no

I recommend ikev2=yes. Also encapsulation=auto should work fine as AWS
does NAT, so let the autodetect handle all of that.

Now for left you want to use left=%defaultroute, so whatever IP you are
assigned by DHCP will just work. leftsubnet becomes, so
you end up on the client with:


We use a leftid=@client to give it the IKE ID string of "client" to
prevent it from picking up the IP address as ID, since then it would
use the dynamic pre-NAT IP and you don't want to configure that on the

> Server

> conn ipsec_aws
>   authby=secret
>   encapsulation=yes
>   right=%defaultroute
>   rightid=
>   rightsubnet=
>   left=
>   leftid=
>   ikev2=no

The same for the ikev2/encapsulation options as on the client.
You are using right for the local server part, so your settings
there are correct. For the server you end up with:


Then on the client you would also configure on the
loopback. just like on the server you configure on the
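The two conn sections below put Paul's recommendations together as one complete client/server pair; they are an added example, not configuration from this thread or from the Libreswan wiki. The tunnel address given to the client (192.0.2.1), the server's elastic IP (203.0.113.5), the IDs @client and @server, left=%any on the server side, and the PSK value are all constructed placeholders, and which of them matches your deployment is an assumption you must check.

```conf
# ---- client: /etc/ipsec.conf (constructed example) ----
# Before starting: ip addr add 192.0.2.1/32 dev lo   (client tunnel address on loopback)
config setup
    protostack=netkey

conn ipsec_aws
    authby=secret
    ikev2=yes                 # IKEv2, as recommended in the thread
    encapsulation=auto        # let NAT-T autodetect handle the AWS NAT
    left=%defaultroute        # whatever address DHCP hands the client
    leftid=@client            # fixed IKE ID, so the pre-NAT IP is never used as ID
    leftsubnet=192.0.2.1/32   # the statically assigned client address (assumption)
    right=203.0.113.5         # server public (elastic) IP (assumption)
    rightid=@server           # assumption: server uses a matching fixed ID
    rightsubnet=203.0.113.5/32
    auto=start

# ---- client: /etc/ipsec.secrets (constructed example) ----
# @client @server : PSK "REPLACE-WITH-A-LONG-RANDOM-PSK"

# ---- server (AWS instance): /etc/ipsec.conf (constructed example) ----
# Before starting: ip addr add 203.0.113.5/32 dev lo:elastic   (EIP on loopback)
conn ipsec_aws
    authby=secret
    ikev2=yes
    encapsulation=auto
    right=%defaultroute       # the instance's RFC1918 private address
    rightid=@server           # assumption: mirrors rightid on the client
    rightsubnet=203.0.113.5/32
    left=%any                 # assumption: accept the client from any NATed address
    leftid=@client
    leftsubnet=192.0.2.1/32
    auto=add                  # the dynamic client initiates; the server only listens

# ---- server: /etc/ipsec.secrets (constructed example) ----
# @client @server : PSK "REPLACE-WITH-A-LONG-RANDOM-PSK"
```

After `ipsec restart` on both ends, `ipsec status` should list ipsec_aws as established with 192.0.2.1/32===...===203.0.113.5/32, and traffic between the two loopback addresses is what the tunnel carries.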


