Sorry, I misremembered the issue. Looking at my notes the issue is they don't allow disabling their NAT-T implementation, which detects NAT scenarios and automatically forces encapsulation on port 4500/udp. The issue is that every public IP on an EC2 instance is a 1:1 NAT IP. Every packet sent to the public IP is forwarded to the private IP -- including ESP -- but it is technically NAT and looks like NAT to strongSwan. There's an issue open for years; it will probably never be fixed:
https://wiki.strongswan.org/issues/1265
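To see why a 1:1 NAT is indistinguishable from any other NAT to an IKEv2 peer, the following added example (not from the comment above or from strongSwan's code) reimplements the NAT_DETECTION_SOURCE_IP check from RFC 7296 section 2.23. The SPIs and addresses are constructed sample values: the EC2 instance hashes the private address its kernel knows, while the remote peer recomputes the hash over the public address it actually receives packets from.

```python
import hashlib
import ipaddress
import struct

def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP payload data per RFC 7296 section 2.23:
    SHA-1(SPIi | SPIr | IP address | port), port as 16-bit big-endian."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()

def peer_is_behind_nat(spi_i: bytes, spi_r: bytes, advertised_hash: bytes,
                       observed_ip: str, observed_port: int) -> bool:
    """Responder-side check: recompute the hash over the source address/port
    actually seen on the wire and compare with what the initiator advertised.
    Any mismatch means a NAT rewrote the header, so peers move to UDP 4500."""
    return nat_detection_hash(spi_i, spi_r, observed_ip, observed_port) != advertised_hash

# Constructed sample values (not real SPIs or addresses)
SPI_I = bytes.fromhex("0011223344556677")
SPI_R = bytes(8)                # responder SPI is zero in the IKE_SA_INIT request
EC2_PRIVATE_IP = "10.0.1.23"    # address the instance's kernel puts in the payload
EC2_PUBLIC_IP = "203.0.113.45"  # address the remote peer sees after the 1:1 NAT
PORT = 500

def ec2_scenario() -> bool:
    """EC2 instance behind a 1:1 NAT: the hashed private IP never matches the
    public IP observed by the peer, so NAT is detected and ESP gets encapsulated."""
    advertised = nat_detection_hash(SPI_I, SPI_R, EC2_PRIVATE_IP, PORT)
    return peer_is_behind_nat(SPI_I, SPI_R, advertised, EC2_PUBLIC_IP, PORT)

def no_nat_scenario() -> bool:
    """Host whose interface carries the public IP directly: hashes agree, no NAT."""
    advertised = nat_detection_hash(SPI_I, SPI_R, EC2_PUBLIC_IP, PORT)
    return peer_is_behind_nat(SPI_I, SPI_R, advertised, EC2_PUBLIC_IP, PORT)

if __name__ == "__main__":
    print("EC2 1:1 NAT detected:", ec2_scenario())          # True
    print("Plain public host detected as NAT:", no_nat_scenario())  # False
```

The check only compares hashes of observed versus advertised addresses, so it has no way to tell a transparent 1:1 mapping from a port-rewriting NAT; that is why strongSwan switches to 4500/udp on EC2 even though raw ESP would be forwarded fine.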
eqvinox|1 year ago
FWIW, using IPv6 might be an option here?