OPNsense Forum

English Forums => Virtual private networks => Topic started by: flypenguin on May 10, 2024, 07:14:01 PM

Title: "can't assign requested address" – opnSense on AWS
Post by: flypenguin on May 10, 2024, 07:14:01 PM
Hi all, I want to use OPNsense to open a site-2-site IPsec VPN with a partner. That does not work.

I configured a policy-based IPsec VPN using the "new" connection-based interface, and in the logs I get this error: "error writing to socket: Can't assign requested address". Naturally, it doesn't work.

As for the setup:


(Update) notes on AWS

There is only one network interface attached: this instance should basically be a bridge between road warriors and the partner's network. (Our road warriors connect to OPNsense using a to-be-set-up VPN connection, and OPNsense provides access to the partner's network via the site-2-site VPN.) I am already failing at the site-2-site VPN now.

Could someone please help? Screenshots and log excerpts below. My initial idea is that OPNsense has issues with the Elastic IP, which is usually "invisible" to it. But that's just a wild hunch and might be utterly and totally wrong.

Tunnel settings

(https://i.ibb.co/NysdN4Y/0-tunnel-settings.png) (https://ibb.co/NysdN4Y)

Tunnel local auth config

(https://i.ibb.co/9tkz5sT/1-tunnel-authentication-local.png) (https://ibb.co/9tkz5sT)

Tunnel remote auth config

(https://i.ibb.co/Wgt6WgG/2-tunnel-authentication-remote.png) (https://ibb.co/Wgt6WgG)

Tunnel child settings

(https://i.ibb.co/LJYPtzX/3-tunnel-child-settings.png) (https://ibb.co/LJYPtzX)

PSK overview

(https://i.ibb.co/L6ZmBHj/4-psk-overview.png) (https://ibb.co/L6ZmBHj)

PSK detail

(https://i.ibb.co/HGvsmzS/5-psk-config.png) (https://ibb.co/HGvsmzS)

Log file

2024-05-10T16:19:55 Informational   charon  09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> establishing IKE_SA failed, peer not responding
2024-05-10T16:19:55 Informational   charon  09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> giving up after 5 retransmits
2024-05-10T16:18:39 Informational   charon  04[NET] error writing to socket: Can't assign requested address
2024-05-10T16:18:39 Informational   charon  09[NET] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> sending packet: from <IP1>[500] to <IP2>[500] (304 bytes)
2024-05-10T16:18:39 Informational   charon  09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> retransmit 5 of request with message ID 0
2024-05-10T16:17:57 Informational   charon  04[NET] error writing to socket: Can't assign requested address
2024-05-10T16:17:57 Informational   charon  09[NET] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> sending packet: from <IP1>[500] to <IP2>[500] (304 bytes)
2024-05-10T16:17:57 Informational   charon  09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> retransmit 4 of request with message ID 0
2024-05-10T16:17:34 Informational   charon  04[NET] error writing to socket: Can't assign requested address
2024-05-10T16:17:34 Informational   charon  09[NET] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> sending packet: from <IP1>[500] to <IP2>[500] (304 bytes)
2024-05-10T16:17:34 Informational   charon  09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> retransmit 3 of request with message ID 0
2024-05-10T16:17:21 Informational   charon  04[NET] error writing to socket: Can't assign requested address
2024-05-10T16:17:21 Informational   charon  09[NET] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> sending packet: from <IP1>[500] to <IP2>[500] (304 bytes)
2024-05-10T16:17:21 Informational   charon  09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> retransmit 2 of request with message ID 0
2024-05-10T16:17:14 Informational   charon  04[NET] error writing to socket: Can't assign requested address
2024-05-10T16:17:14 Informational   charon  09[NET] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> sending packet: from <IP1>[500] to <IP2>[500] (304 bytes)
2024-05-10T16:17:14 Informational   charon  09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> retransmit 1 of request with message ID 0
2024-05-10T16:17:10 Informational   charon  04[NET] error writing to socket: Can't assign requested address
2024-05-10T16:17:10 Informational   charon  15[NET] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> sending packet: from <IP1>[500] to <IP2>[500] (304 bytes)
2024-05-10T16:17:10 Informational   charon  15[ENC] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Title: Re: "can't assign requested address" – opnSense on AWS
Post by: drewhemm on October 24, 2024, 01:29:02 AM
I am facing the exact same issue on AWS while trying to get IPsec working:

2024-10-24T00:09:04 Informational charon 04[NET1] error writing to socket: Can't assign requested address

Did you ever solve this?

The same IPsec configuration works fine on a hardware appliance in my office.
Title: Re: "can't assign requested address" – opnSense on AWS
Post by: drewhemm on October 24, 2024, 01:56:37 AM
Oh, I solved it. The local IP in OPNsense needs to be the private IP address and not the public Elastic IP. This is because the EIP is NATted onto the EC2 instance and is not directly associated with any of the attached network interfaces.

When the traffic goes out from OPNsense, the other end of the connection only sees the EIP address, so it all works as expected.
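The log line in the first post and the fix in the post above describe the same thing from two sides: charon binds its IKE socket to whatever "local" address is configured, and the kernel refuses with EADDRNOTAVAIL ("Can't assign requested address") when that address is not on any interface, which is exactly the situation with an Elastic IP on EC2. The probe below is an added example, not code from the thread or from OPNsense/strongSwan; it reproduces that error condition with a plain UDP bind so the configured local address can be checked before touching the tunnel. The sample addresses are constructed: loopback stands in for the ENI's private IP, and 192.0.2.1 (RFC 5737 TEST-NET-1) stands in for an EIP that never appears on the instance's NIC.

```python
"""Probe whether an address is usable as an IKE local address.

Added example (not from the OPNsense thread or project). charon binds the IKE
socket to the configured local address; if the host does not own that address
(an AWS Elastic IP is NATted in the VPC and is never assigned to the ENI), the
bind or send fails with EADDRNOTAVAIL, which prints as
"Can't assign requested address" in the charon log.
"""
import errno
import socket
from typing import Tuple


def can_bind_local(ip: str, port: int = 0) -> Tuple[bool, str]:
    """Try to bind a UDP socket to `ip`, as charon does for IKE on UDP/500.

    Returns (True, "OK") if the address is usable as a local source address,
    otherwise (False, <errno name>). Port 0 lets the kernel pick a free port,
    so the probe needs no privileges and does not collide with a running charon.
    """
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_DGRAM)
    try:
        sock.bind((ip, port))
        return True, "OK"
    except OSError as exc:
        return False, errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()


def explain_local_address(ip: str) -> str:
    """Turn the bind result into the advice a firewall admin needs."""
    ok, code = can_bind_local(ip)
    if ok:
        return f"{ip}: bindable; usable as the IKE local address"
    if code == "EADDRNOTAVAIL":
        return (f"{ip}: EADDRNOTAVAIL (Can't assign requested address); "
                "not assigned to any interface. On EC2 configure the ENI's "
                "private IP as the local address; the peer still sees the "
                "Elastic IP after NAT")
    return f"{ip}: bind failed with {code}"


if __name__ == "__main__":
    # Constructed sample addresses: loopback plays the role of the ENI private
    # IP, 192.0.2.1 (TEST-NET-1) plays the role of an Elastic IP not on the host.
    for candidate in ("127.0.0.1", "192.0.2.1"):
        print(explain_local_address(candidate))
```

Run it on the instance itself with the two candidates you are choosing between (the ENI private IP and the EIP); only the private IP will bind. The same errno applies on FreeBSD, which OPNsense runs on, so the result matches what charon sees. If the EIP unexpectedly binds, the host has non-local bind enabled, and the problem lies elsewhere.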