Hi all, I want to use opnSense to open a site-2-site IPsec VPN with a partner. That does not work.
I configured a policy-based IPsec VPN using the "new" connection-based interface, and in the logs I get this error: "error writing to socket: Can't assign requested address". Naturally, it doesn't work.
As for the setup:
- I am using the AMI image from AWS, it boots and seems to be working just fine
- opnSense is deployed in a VPN, and naturally thinks its own IP address is something out of a 10.x.x.x network (external elastic IPs can't be seen by EC2 hosts anyway; also we're using an elastic IP for continuity)
- I configured the VPN connection (see images below) according to the documentation: https://docs.opnsense.org/manual/vpnet.html#new-23-1-vpn-ipsec-connections
- Result: it does not work
(Update) notes on AWS: There is only one network interface attached. This instance should basically be a bridge between Road Warriors and the partner's network. (Our road warriors connect to opnSense using a to-be-set-up VPN connection, opnSense enables access to the partner's network via the site-2-site VPN). I am already failing at the site-2-site VPN now.
Could someone please help? Screenshots and log excerpts below. My initial idea is that opnSense has issues with the elastic IP, which is "invisible" to it, usually. But that's just a wild hunch and might be utterly and totally wrong.
Tunnel settings
(https://i.ibb.co/NysdN4Y/0-tunnel-settings.png) (https://ibb.co/NysdN4Y)
Tunnel local auth config
(https://i.ibb.co/9tkz5sT/1-tunnel-authentication-local.png) (https://ibb.co/9tkz5sT)
Tunnel remote auth config
(https://i.ibb.co/Wgt6WgG/2-tunnel-authentication-remote.png) (https://ibb.co/Wgt6WgG)
Tunnel child settings
(https://i.ibb.co/LJYPtzX/3-tunnel-child-settings.png) (https://ibb.co/LJYPtzX)
PSK overview
(https://i.ibb.co/L6ZmBHj/4-psk-overview.png) (https://ibb.co/L6ZmBHj)
PSK detail
(https://i.ibb.co/HGvsmzS/5-psk-config.png) (https://ibb.co/HGvsmzS)
Log file
2024-05-10T16:19:55 Informational charon 09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> establishing IKE_SA failed, peer not responding
2024-05-10T16:19:55 Informational charon 09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> giving up after 5 retransmits
2024-05-10T16:18:39 Informational charon 04[NET] error writing to socket: Can't assign requested address
2024-05-10T16:18:39 Informational charon 09[NET] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> sending packet: from <IP1>[500] to <IP2>[500] (304 bytes)
2024-05-10T16:18:39 Informational charon 09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> retransmit 5 of request with message ID 0
2024-05-10T16:17:57 Informational charon 04[NET] error writing to socket: Can't assign requested address
2024-05-10T16:17:57 Informational charon 09[NET] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> sending packet: from <IP1>[500] to <IP2>[500] (304 bytes)
2024-05-10T16:17:57 Informational charon 09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> retransmit 4 of request with message ID 0
2024-05-10T16:17:34 Informational charon 04[NET] error writing to socket: Can't assign requested address
2024-05-10T16:17:34 Informational charon 09[NET] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> sending packet: from <IP1>[500] to <IP2>[500] (304 bytes)
2024-05-10T16:17:34 Informational charon 09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> retransmit 3 of request with message ID 0
2024-05-10T16:17:21 Informational charon 04[NET] error writing to socket: Can't assign requested address
2024-05-10T16:17:21 Informational charon 09[NET] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> sending packet: from <IP1>[500] to <IP2>[500] (304 bytes)
2024-05-10T16:17:21 Informational charon 09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> retransmit 2 of request with message ID 0
2024-05-10T16:17:14 Informational charon 04[NET] error writing to socket: Can't assign requested address
2024-05-10T16:17:14 Informational charon 09[NET] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> sending packet: from <IP1>[500] to <IP2>[500] (304 bytes)
2024-05-10T16:17:14 Informational charon 09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> retransmit 1 of request with message ID 0
2024-05-10T16:17:10 Informational charon 04[NET] error writing to socket: Can't assign requested address
2024-05-10T16:17:10 Informational charon 15[NET] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> sending packet: from <IP1>[500] to <IP2>[500] (304 bytes)
2024-05-10T16:17:10 Informational charon 15[ENC] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Oh, I solved it. The local IP in OPNsense needs to be the private IP address and not the public Elastic IP. This is because the EIP is NATed onto the EC2 instance and is not directly associated with any of the attached network interfaces.
When the traffic goes out from OPNsense, the other end of the connection only sees the EIP address, so it all works as expected.
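The failure above comes down to charon trying to send IKE packets from a source address that is not configured on any interface of the instance; the kernel refuses that with EADDRNOTAVAIL ("Can't assign requested address"). The following added diagnostic script (not part of the post or of OPNsense) reproduces that check: it pulls the local address out of charon's "sending packet: from X[500]" lines and tries to bind a UDP socket to it. The log lines are constructed to match the post's excerpt, with the documentation addresses 203.0.113.10 standing in for the Elastic IP and 198.51.100.20 for the partner gateway; port 0 is used so the check needs no privileges.

```python
import errno
import re
import socket

# Constructed charon log excerpt modelled on the post (addresses are documentation ranges,
# not real hosts): 203.0.113.10 plays the role of the Elastic IP that is NATed by the VPC.
SAMPLE_LOG = """\
2024-05-10T16:17:10 Informational charon 15[NET] <c48553ba|4> sending packet: from 203.0.113.10[500] to 198.51.100.20[500] (304 bytes)
2024-05-10T16:17:10 Informational charon 04[NET] error writing to socket: Can't assign requested address
2024-05-10T16:17:14 Informational charon 09[NET] <c48553ba|4> sending packet: from 203.0.113.10[500] to 198.51.100.20[500] (304 bytes)
2024-05-10T16:17:14 Informational charon 04[NET] error writing to socket: Can't assign requested address
"""

# Matches charon's "sending packet: from <src>[<port>] to <dst>[<port>]" line.
SEND_RE = re.compile(r"sending packet: from (\S+)\[(\d+)\] to (\S+)\[(\d+)\]")
SOCKET_ERR = "error writing to socket: Can't assign requested address"


def local_addresses_from_log(log):
    """Return the distinct local (source) addresses charon tried to send IKE from."""
    return sorted({m.group(1) for m in SEND_RE.finditer(log)})


def socket_error_count(log):
    """Count the kernel send failures that charon logged."""
    return sum(1 for line in log.splitlines() if SOCKET_ERR in line)


def bind_error(addr, port=0):
    """Try to bind a UDP socket to addr (port 0 = ephemeral, no privileges needed).

    Returns None when the address is usable as a source address on this host,
    otherwise the errno name, e.g. 'EADDRNOTAVAIL' for an address that no local
    interface carries (which is exactly what an EC2 Elastic IP looks like from inside
    the instance).
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((addr, port))
        return None
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()


def diagnose(log):
    """Map each local address seen in the log to a verdict a defender can act on."""
    verdicts = {}
    for addr in local_addresses_from_log(log):
        err = bind_error(addr)
        if err is None:
            verdicts[addr] = "ok: address is configured locally"
        elif err == "EADDRNOTAVAIL":
            verdicts[addr] = ("not a local interface address (NATed public IP?); "
                              "set the IPsec local address to the interface's private IP")
        else:
            verdicts[addr] = f"bind failed: {err}"
    return verdicts


if __name__ == "__main__":
    print(f"{socket_error_count(SAMPLE_LOG)} socket write failures in log")
    for addr, verdict in diagnose(SAMPLE_LOG).items():
        print(f"{addr}: {verdict}")
```

Run against a real OPNsense IPsec log, the script flags any source address that the host cannot bind, which is the quickest way to tell a "peer not responding" caused by a wrong local address apart from one caused by a firewall or security group dropping UDP 500/4500. Note that a host with nonlocal binding enabled (for example `net.ipv4.ip_nonlocal_bind=1` on Linux) would report such an address as usable even though packets sent from it are still not routable back.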