"can't assign requested address" – opnSense on AWS

Started by flypenguin, May 10, 2024, 07:14:01 PM

May 10, 2024, 07:14:01 PM Last Edit: May 10, 2024, 07:31:15 PM by flypenguin
Hi all, I want to use opnSense to open a site-2-site IPsec VPN with a partner. That does not work.

I configured a policy-based IPsec VPN using the "new" connection-based interface, and in the logs I get this error: "error writing to socket: Can't assign requested address". Naturally, it doesn't work.

As for the setup:
  • I am using the AMI image from AWS, it boots and seems to be working just fine
  • opnSense is deployed in a VPC, and naturally thinks its own IP address is something out of a 10.x.x.x network (external elastic IPs can't be seen by EC2 hosts anyway; also we're using an elastic IP for continuity)
  • I configured the VPN connection (see images below) according to the documentation: https://docs.opnsense.org/manual/vpnet.html#new-23-1-vpn-ipsec-connections
  • Result: it does not work

(Update) notes on AWS

There is only one network interface attached: this instance should basically be a bridge between Road Warriors and the partner's network. (Our road warriors connect to opnSense using a to-be-set-up VPN connection; opnSense enables access to the partner's network via the site-2-site VPN.) I am already failing at the site-2-site VPN now.

Could someone please help? Screenshots and log excerpts below. My initial idea is that opnSense has issues with the elastic IP, which is "invisible" to it, usually. But that's just a wild hunch and might be utterly and totally wrong.

Tunnel settings (screenshot)

Tunnel local auth config (screenshot)

Tunnel remote auth config (screenshot)

Tunnel child settings (screenshot)

PSK overview (screenshot)

PSK detail (screenshot)

Log file

2024-05-10T16:19:55 Informational   charon  09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> establishing IKE_SA failed, peer not responding
2024-05-10T16:19:55 Informational   charon  09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> giving up after 5 retransmits
2024-05-10T16:18:39 Informational   charon  04[NET] error writing to socket: Can't assign requested address
2024-05-10T16:18:39 Informational   charon  09[NET] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> sending packet: from <IP1>[500] to <IP2>[500] (304 bytes)
2024-05-10T16:18:39 Informational   charon  09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> retransmit 5 of request with message ID 0
2024-05-10T16:17:57 Informational   charon  04[NET] error writing to socket: Can't assign requested address
2024-05-10T16:17:57 Informational   charon  09[NET] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> sending packet: from <IP1>[500] to <IP2>[500] (304 bytes)
2024-05-10T16:17:57 Informational   charon  09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> retransmit 4 of request with message ID 0
2024-05-10T16:17:34 Informational   charon  04[NET] error writing to socket: Can't assign requested address
2024-05-10T16:17:34 Informational   charon  09[NET] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> sending packet: from <IP1>[500] to <IP2>[500] (304 bytes)
2024-05-10T16:17:34 Informational   charon  09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> retransmit 3 of request with message ID 0
2024-05-10T16:17:21 Informational   charon  04[NET] error writing to socket: Can't assign requested address
2024-05-10T16:17:21 Informational   charon  09[NET] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> sending packet: from <IP1>[500] to <IP2>[500] (304 bytes)
2024-05-10T16:17:21 Informational   charon  09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> retransmit 2 of request with message ID 0
2024-05-10T16:17:14 Informational   charon  04[NET] error writing to socket: Can't assign requested address
2024-05-10T16:17:14 Informational   charon  09[NET] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> sending packet: from <IP1>[500] to <IP2>[500] (304 bytes)
2024-05-10T16:17:14 Informational   charon  09[IKE] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> retransmit 1 of request with message ID 0
2024-05-10T16:17:10 Informational   charon  04[NET] error writing to socket: Can't assign requested address
2024-05-10T16:17:10 Informational   charon  15[NET] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> sending packet: from <IP1>[500] to <IP2>[500] (304 bytes)
2024-05-10T16:17:10 Informational   charon  15[ENC] <c48553ba-09f0-4dd1-8289-53884fbcbc42|4> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]

I am facing the exact same issue on AWS while trying to get IPsec working:


2024-10-24T00:09:04 Informational charon 04[NET1] error writing to socket: Can't assign requested address


Did you ever solve this?

The same IPsec configuration works fine on a hardware appliance in my office.

Oh, I solved it. The local IP in OPNsense needs to be the private IP address and not the public Elastic IP. This is because the EIP is NATed onto the EC2 instance and is not directly associated with any of the attached network interfaces.

When the traffic goes out from OPNsense, the other end of the connection only sees the EIP address, so it all works as expected.
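The diagnosis in the reply above can be checked mechanically. The following is an added example, not code from the thread or from OPNsense: it pulls the "from" address out of charon's "sending packet" lines and tries to bind a throw-away UDP socket to it. A source address that is not configured on any local interface (an Elastic IP, which AWS translates at the VPC edge and never puts on the instance's ENI) fails that bind with EADDRNOTAVAIL, the same errno that strerror() renders as "Can't assign requested address". The bind probe is a stand-in for charon's own per-packet source-address selection (an assumption, not how strongSwan sends); the sample log lines and the addresses 203.0.113.10 (EIP stand-in) and 10.0.1.23 (private-IP stand-in) are constructed. The IMDSv2 lookup at the end only returns something when run on an EC2 instance.

```python
"""Reproduce and diagnose charon's "Can't assign requested address" on EC2.

Added example (not from the forum thread or OPNsense). The bind probe is a
stand-in for charon's per-packet source address selection; both hit the same
kernel check and fail with EADDRNOTAVAIL when the address is not local.
"""
import errno
import re
import socket
import urllib.request
from typing import Dict, List, Optional, Tuple

# Linux reports EADDRNOTAVAIL as 99, FreeBSD (OPNsense) and macOS as 49;
# errno.EADDRNOTAVAIL resolves to the right value for the running platform.
EADDRNOTAVAIL = errno.EADDRNOTAVAIL

# charon "sending packet: from <src>[500] to <dst>[500] (n bytes)"
LOG_RE = re.compile(r"sending packet: from (?P<src>[0-9.]+)\[\d+\] to (?P<dst>[0-9.]+)\[")
ERR_RE = re.compile(r"error writing to socket: (?P<msg>.+)$")

# Constructed sample, modelled on the thread's log with the EIP stand-in as source.
SAMPLE_LOG = """\
2024-05-10T16:17:10 Informational charon 04[NET] error writing to socket: Can't assign requested address
2024-05-10T16:17:10 Informational charon 15[NET] <c48553ba|4> sending packet: from 203.0.113.10[500] to 198.51.100.7[500] (304 bytes)
2024-05-10T16:17:14 Informational charon 04[NET] error writing to socket: Can't assign requested address
2024-05-10T16:17:14 Informational charon 09[NET] <c48553ba|4> sending packet: from 203.0.113.10[500] to 198.51.100.7[500] (304 bytes)
"""


def can_bind(addr: str) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if a UDP socket can be bound to addr, else (False, errno)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((addr, 0))  # port 0 = any free port; only the address matters here
            return True, None
        except OSError as e:
            return False, e.errno


def has_send_error(log_text: str) -> bool:
    """True if charon logged a socket write failure anywhere in the excerpt."""
    return any(ERR_RE.search(line) for line in log_text.splitlines())


def source_addresses(log_text: str) -> List[str]:
    """Local ('from') addresses charon tried to send from, in first-seen order."""
    seen: List[str] = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("src") not in seen:
            seen.append(m.group("src"))
    return seen


def diagnose(log_text: str) -> Dict[str, str]:
    """Map each source address in the log to 'local', 'not-local' or 'errno N'.

    'not-local' for the configured IKE local address is the EIP-on-EC2 mistake:
    the fix is to use the ENI's private address as the local address and keep
    the EIP only as the peer's view of us (and, if needed, as our IKE identity).
    """
    verdicts: Dict[str, str] = {}
    for src in source_addresses(log_text):
        ok, err = can_bind(src)
        if ok:
            verdicts[src] = "local"
        elif err == EADDRNOTAVAIL:
            verdicts[src] = "not-local"
        else:
            verdicts[src] = f"errno {err}"
    return verdicts


def imds_local_ipv4(timeout: float = 1.0) -> Optional[str]:
    """Ask the EC2 instance metadata service (IMDSv2) for the ENI's private IPv4.

    Returns None off EC2 or if IMDS is unreachable. The private address is the
    one that must go into the IPsec connection's local address field.
    """
    base = "http://169.254.169.254/latest"
    try:
        req = urllib.request.Request(
            f"{base}/api/token", method="PUT",
            headers={"X-aws-ec2-metadata-token-ttl-seconds": "60"})
        with urllib.request.urlopen(req, timeout=timeout) as r:
            token = r.read().decode()
        req = urllib.request.Request(
            f"{base}/meta-data/local-ipv4",
            headers={"X-aws-ec2-metadata-token": token})
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.read().decode().strip()
    except OSError:
        return None


if __name__ == "__main__":
    print("socket write errors present:", has_send_error(SAMPLE_LOG))
    for addr, verdict in diagnose(SAMPLE_LOG).items():
        print(f"{addr}: {verdict}")
    print("IMDS private IPv4:", imds_local_ipv4())
```

Run on the instance, a "not-local" verdict for the address OPNsense is sending from, next to a non-None IMDS answer, is the whole story: the connection's local address should be the IMDS value, and the partner will still see the EIP on the wire because the VPC does the 1:1 NAT.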