
PLEASE some way to override the ipsec.conf "Left=x.x.x.x" setting

We're running a UTM appliance in an Amazon (AWS) VPC and trying to establish an IPSec VPN tunnel with a remote site. Because of the way in which AWS manages public IP addresses, the UTM interface basically does not "know" the public IP and as a result, identifies itself using the private IP address.

With certain remote vpn/firewall products (apparently recent Juniper models for instance) this prevents phase 2 from completing because the peer IP (public) does not match what the UTM is sending as the VPN ID.

Effectively, I need to be able to go in and edit the strongswan config file to set Left=x.x.x.x where x.x.x.x is the PUBLIC IP for the UTM. The UTM gui however offers no way to do this.

See for example: feature.astaro.com/.../2506490-expand-ipsec-conf-control-to-webadmin (submitted back in 2012!)

Is there some way to override this behavior and "manually" modify the strongswan ipsec.conf file directly? If not, this limitation basically prevents us from using the UTM's IPSec capabilities when the other side is using recent firewall devices. The workaround in the past has been to ask the other side to enter our private IP as the VPN ID ... aside from being silly (the whole point of NAT is that the other party shouldn't HAVE to know or care what my private IP is), it also flat-out isn't possible in some scenarios.

thanks in advance for any ideas or hints!

  • 9.317-5 and 9.353-4 have the option
  • awesome! Too bad Sophos support doesn't think this works :)

    "The VPN ID and the Left ID are different. In most cases, setting the VPN ID in the section as described does allow VPNs to connect through NAT. I did briefly mention this in my first email, but I understood this as a scenario where you needed to specifically set the left ID. Sorry about that."

    I've just verified on a test case though that changing that setting does exactly set the leftid= parameter in the strongswan config. I guess the user community knows more about this product than the people who sell it :)

    thank you!
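
As an added illustration of the point made in the question and confirmed in the reply above (example code, not from the thread or from Sophos): strongSwan sends the `left` address as its IKE identity whenever `leftid` is unset, which is why a NATed UTM interface identifies itself with its private IP. The check below parses a constructed ipsec.conf, resolves the identity a conn will actually send, and flags it when it is not the expected public IP; all conn names and addresses are made-up sample values.

```python
"""Check which identity a strongSwan conn will send, parsed from ipsec.conf text."""
import re
from ipaddress import ip_address

# Constructed sample: the conn as generated with no VPN ID set, and the same
# conn once the WebAdmin "VPN ID" field is filled in (all addresses are example values).
SAMPLE_CONF = """\
config setup
    uniqueids=yes

conn remote_site_default
    left=10.0.1.25          # private address of the NATed AWS interface
    right=198.51.100.7
    auto=start

conn remote_site_fixed
    left=10.0.1.25
    leftid=203.0.113.40     # public (Elastic) IP the peer expects as our ID
    right=198.51.100.7
    auto=start
"""

def parse_conns(conf_text):
    """Return {conn_name: {key: value}} for every 'conn' section; other sections are skipped."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line:
            continue
        header = re.match(r"^(conn|config|ca)\s+(\S+)", line)
        if header:
            current = conns.setdefault(header.group(2), {}) if header.group(1) == "conn" else None
            continue
        if current is not None and line[0].isspace() and "=" in line:
            key, val = line.strip().split("=", 1)
            current[key.strip()] = val.strip()
    return conns

def effective_leftid(conn):
    """Identity sent in IKE: leftid when set, otherwise the left address (strongSwan's default)."""
    return conn.get("leftid") or conn.get("left")

def identity_mismatch(conn, expected_public_ip):
    """True when the peer would see an identity other than our public IP, e.g. a private address."""
    try:
        return ip_address(effective_leftid(conn)) != ip_address(expected_public_ip)
    except ValueError:
        return True  # non-IP identities (FQDN, %any) cannot match an IP-based peer ID
```

Running `identity_mismatch(parse_conns(SAMPLE_CONF)["remote_site_default"], "203.0.113.40")` reproduces the failure described in the question, while the `remote_site_fixed` conn passes.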
