
Issues with IPSec site-to-site to ASG behind/ in front of NAT

There is a problem with the AMI. When creating an IPsec site-to-site VPN connection, it assumes it should use the Internal NIC's private IP, which is wrong. And hence the opposite router has errors like this:

 we require peer to have ID 'xx.xx.xx.xx', but
peer declares '10.243.45.92'

where 'xx.xx.xx.xx' is the public IP of the Astaro.

I have tested also by creating 2 Astaro EC2 instances and they can't VPN to each other.

So then I also tried adding my own IP alias to the Internal NIC, and I can't! It complains saying that it's write-protected.

I assume these things will be fixed?


  • So I managed to make the Astaro advertise the IP that I want (its public IP) in the VPN configuration by hacking a couple of files. But this is obviously not supported and I'm waiting for Astaro to support doing this, and it's very clunky and confusing.

    In this folder: /var/chroot-ipsec/etc
    I edited this file: ipsec.conf-defaults
    and added a leftid="******" into the defaults section.
    And I edited this file: ipsec.secrets-defaults
    and added a line for ****** yyyyyy : PSK zzzzz

    where the ****** is the public IP that I want the device to advertise with, yyyyyy is the peer I'm trying to connect to, and zzzzz is the encrypted value of the PSK password.

    This works, so we know it's possible with this thing; now we need the GUI to catch up.
    And maybe I'll find a file not in the /var/ folder that will keep getting overwritten.

    EDIT:
    I used leftid. It actually seems strongSwan does not understand myid. In Openswan I think what was happening is it was creating a macro called "myid" which I set to the public IP. And then in the "leftid" configurations for each one of my VPN configurations, I'd have the value "%myid" which referenced that other setting.
  • So I know this is an ancient thread... but the problem remains, so... I wanted to ask, has anyone verified recently that this approach still works? After changing the ipsec.secrets-default file, I found that ALL my VPNs dropped (oops!!!), apparently because strongSwan couldn't find matching secrets that corresponded to the new public IP I entered for leftid. I had to go and ALSO modify the left IP for every entry in ipsec.secrets, and now it seems happy.... though even for the test site that I explicitly wanted to change to the public IP, the SA details in the GUI still report the private IP.... so I'm not sure if anything has changed.

    I certainly hope this works though... so if anyone has done this recently, I'd love to hear about it.
    Thanks
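The failure mode in the last post (every tunnel dropping after leftid was changed, because the PSK entries still named the old private address) is easy to catch before reloading strongSwan. The script below is an added example written for this thread; it is not code from Sophos/Astaro, nor from either poster. It parses the classic ipsec.conf and ipsec.secrets syntax, merges the "conn %default" section into each tunnel the way the defaults-file edit above does, and reports every connection whose local/remote identity pair has no matching PSK line. The sample files and the public address 203.0.113.10 are constructed placeholders (the thread masks the real public IP); 10.243.45.92 is the private address quoted in the thread. Secret matching is simplified to "both identities appear in the selector list, or the line has no selectors or %any", which is enough to flag the mismatch described, but is not a full reimplementation of strongSwan's selection logic.

```python
"""Cross-check strongSwan-style ipsec.conf against ipsec.secrets.

Added example for the thread above (not Astaro/Sophos code). It flags tunnels
whose local identity (leftid, falling back to left) and remote identity
(rightid, falling back to right) have no matching PSK entry, which is the
situation that dropped all VPNs in the last post.
"""
import re

# Constructed ipsec.conf: the leftid override from the thread placed in the
# %default section so it applies to every tunnel. 203.0.113.10 stands in for
# the masked public IP; 10.243.45.92 is the private address from the thread.
SAMPLE_IPSEC_CONF = """\
config setup

conn %default
    keyexchange=ikev1
    authby=secret
    leftid=203.0.113.10

conn site-a
    left=10.243.45.92
    right=198.51.100.7
    auto=start

conn site-b
    left=10.243.45.92
    right=198.51.100.8
    rightid=198.51.100.8
    auto=start
"""

# Constructed ipsec.secrets: site-a was updated to the public IP, site-b still
# names the old private address, reproducing the "all VPNs dropped" failure.
SAMPLE_IPSEC_SECRETS = """\
# local-id remote-id : PSK "secret"
203.0.113.10 198.51.100.7 : PSK "example-psk-a"
10.243.45.92 198.51.100.8 : PSK "example-psk-b"
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged into each conn."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"^(conn|config)\s+(\S+)\s*$", line)
        if header:
            # Only 'conn' sections carry tunnel settings; 'config setup' is skipped.
            current = sections.setdefault(header.group(2), {}) if header.group(1) == "conn" else None
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in sections.items()}


def parse_ipsec_secrets(text):
    """Return a list of (selector_set, secret) for each PSK line.

    An empty selector set means the line applies to any peer.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        selectors, rest = line.split(":", 1)
        psk = re.match(r'\s*PSK\s+"?([^"]*)"?\s*$', rest)
        if not psk:
            continue  # RSA/certificate lines are not relevant to the PSK check
        entries.append((set(selectors.split()), psk.group(1)))
    return entries


def _covered(identity, selectors):
    """Simplified strongSwan selector match: exact ID or the %any wildcard."""
    return identity in selectors or "%any" in selectors


def find_unmatched(conf_text, secrets_text):
    """Return names of conns whose (local, remote) identity pair has no PSK entry."""
    conns = parse_ipsec_conf(conf_text)
    entries = parse_ipsec_secrets(secrets_text)
    unmatched = []
    for name, conn in conns.items():
        local = conn.get("leftid") or conn.get("left")
        remote = conn.get("rightid") or conn.get("right")
        matched = any(
            not selectors or (_covered(local, selectors) and _covered(remote, selectors))
            for selectors, _ in entries
        )
        if not matched:
            unmatched.append(name)
    return unmatched


if __name__ == "__main__":
    for conn_name in find_unmatched(SAMPLE_IPSEC_CONF, SAMPLE_IPSEC_SECRETS):
        print(f"{conn_name}: no PSK entry matches its leftid/rightid pair; this tunnel will fail to authenticate")
```

Run against the real files (/var/chroot-ipsec/etc on the appliance in the thread) by reading them into `find_unmatched` instead of the constructed samples; an empty result means every tunnel's identity pair is covered by some PSK line, which is the condition the last poster had to restore by hand.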