<HTML >
<HEAD>
<META http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="country-region"/>
<o:SmartTagType namespaceuri="urn:schemas-microsoft-com:office:smarttags"
name="place"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:#606420;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:Arial;
        color:windowtext;}
@page Section1
        {size:8.5in 11.0in;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
-->
</style>
</HEAD>
<BODY lang=EN-US link=blue vlink="#606420">
<DIV>
<div class=Section1>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Hi All,<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>I am a noob with OpenSwan. <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>I am trying to set up a VPN tunnel between a subnet in Amazon
VPC (EU) and a subnet in Amazon VPC (<st1:country-region w:st="on"><st1:place
w:st="on">Singapore</st1:place></st1:country-region>). So basically a peer to
peer, OpenSwan to OpenSwan VPN connection. <span style='background:yellow'>No
Hardware VPNs involved</span>.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>The VPN tunnel gets set up ok but there seems to be a
routing problem.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>I can't <font color=red><span style='color:red'>tracert</span></font>
from a host on the subnet on the left to a host on the subnet on the right.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>It is unable to get out of the host on the left ;-(<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>I built the 2.6.35 from src and followed the instructions on
the OpenSwan web site.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial;background:yellow'>The tunnel comes up fine</span></font><font
size=2 face=Arial><span style='font-size:10.0pt;font-family:Arial'> as follows:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>--------------------------------------------<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>[root@ip-10-169-1-14 default]# service ipsec restart<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>ipsec_setup: Stopping Openswan IPsec...<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>ipsec_setup: Starting Openswan IPsec <b><font color=red><span
style='color:red;font-weight:bold'>U2.6.35</span></font></b>/K2.6.21.7-2.fc8xen...<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>--------------------------------------------<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>[root@ip-10-169-1-14 default]# ipsec auto --up cld-to-cld<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>104 "cld-to-cld" #1: STATE_MAIN_I1: initiate<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>003 "cld-to-cld" #1: received Vendor ID payload
[Openswan (this version) 2.6.35 ]<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>003 "cld-to-cld" #1: received Vendor ID payload
[Dead Peer Detection]<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>106 "cld-to-cld" #1: STATE_MAIN_I2: sent MI2,
expecting MR2<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>108 "cld-to-cld" #1: STATE_MAIN_I3: sent MI3,
expecting MR3<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>003 "cld-to-cld" #1: received Vendor ID payload
[CAN-IKEv2]<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>004 "cld-to-cld" #1: STATE_MAIN_I4: ISAKMP SA
established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>117 "cld-to-cld" #2: STATE_QUICK_I1: initiate<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>004 "cld-to-cld" #2: STATE_QUICK_I2: sent QI2, <b><font
color=red><span style='color:red;font-weight:bold'>IPsec SA established tunnel
mode</span></font></b> {ESP=&gt;0xdfd9ad7e &lt;0x9a8c9720
xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>--------------------------------------------<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>My /etc/ipsec.conf:<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>config setup<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'> (Same as that came with the install except I set
<font color=red><span style='color:red'>protostack=netkey. nat_traversal=no</span></font>)<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>My left side VPN Server:<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>conn cld-to-cld<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> left=10.169.1.14
-- VPC private IP but this host also has an Elastic IP<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> leftsubnet=10.169.1.16/28<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> leftid=@eu.mhf.com<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> leftrsasigkey=my-left-secret-key<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> leftnexthop=%defaultroute<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> right=46.51.216.14
-- Elastic IP of the right VPN Server<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> rightsubnet=10.169.2.16/28<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> rightid=@sgp.mhf.com<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> rightrsasigkey=my-right-secret-key<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> rightnexthop=%defaultroute<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> auto=add<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>--------------------------------------------<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>My right side Server:<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'>conn cld-to-cld<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> left=46.51.196.62<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> leftsubnet=10.169.1.16/28<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> leftid=@eu.mhf.com<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> leftrsasigkey=my-left-secret-key<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> leftnexthop=%defaultroute<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> right=10.169.2.14<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> rightsubnet=10.169.2.16/28<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> rightid=@sgp.mhf.com<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> rightrsasigkey=my-right-secret-key<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> rightnexthop=%defaultroute<o:p></o:p></span></font></p>
<p class=MsoNormal style='margin-left:.5in'><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'> auto=add<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>--------------------------------------------<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Any guidance is really appreciated.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>
<p class=MsoNormal><em><i><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>regards</span></font></i></em><font color=green><span
style='color:green'><o:p></o:p></span></font></p>
<div>
<p class=MsoNormal><em><i><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>- sudarshan</span></font></i></em><font color=green><span
style='color:green'><o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 color=green face="Times New Roman"><span
style='font-size:12.0pt;color:green'> <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><em><i><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>MHF Architecture</span></font></i></em><font color=green><span
style='color:green'><o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 color=green face="Times New Roman"><span
style='font-size:12.0pt;color:green'> <o:p></o:p></span></font></p>
</div>
<p class=MsoNormal><em><i><font size=2 color=green face=Arial><span
style='font-size:10.0pt;font-family:Arial;color:green'>There are only 10 types
of people in the world - Those who understand binary, and those who don't.</span></font></i></em><o:p></o:p></p>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
</DIV>
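<p class=MsoNormal>An added example, not part of the original message and not Openswan's own code: it parses the two conn sections posted above and checks which packets the subnet-to-subnet selectors actually cover. Treating the side with the private address as the local gateway is an assumption made here; the helper names are hypothetical.</p>

```python
import ipaddress

# Constructed from the two conn sections posted above; inline remarks and
# keys not needed for the check (ids, rsasigkey, nexthop, auto) are left out.
LEFT_GW = """conn cld-to-cld
    left=10.169.1.14
    leftsubnet=10.169.1.16/28
    right=46.51.216.14
    rightsubnet=10.169.2.16/28
"""
RIGHT_GW = """conn cld-to-cld
    left=46.51.196.62
    leftsubnet=10.169.1.16/28
    right=10.169.2.14
    rightsubnet=10.169.2.16/28
"""

def parse_conn(text):
    """Return the key=value pairs of a single conn section as a dict."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            pairs[key.strip()] = value.strip()
    return pairs

def selector_mismatches(a, b):
    """Subnet keys that the two ends do not state identically."""
    return [k for k in ("leftsubnet", "rightsubnet") if a.get(k) != b.get(k)]

def local_side(conn):
    """Assumption: the side with a private address is this gateway."""
    return "left" if ipaddress.ip_address(conn["left"]).is_private else "right"

def gateway_in_own_subnet(conn):
    """True if the gateway's own address lies inside the subnet it protects."""
    side = local_side(conn)
    net = ipaddress.ip_network(conn[side + "subnet"])
    return ipaddress.ip_address(conn[side]) in net

def tunnel_covers(conn, src, dst):
    """True if a packet from src to dst matches the subnet-to-subnet selectors."""
    nets = [ipaddress.ip_network(conn[k]) for k in ("leftsubnet", "rightsubnet")]
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in a and d in b for a, b in (nets, nets[::-1]))
```

<p class=MsoNormal>For the posted values the selectors agree on both ends, but neither gateway address (10.169.1.14, 10.169.2.14) lies inside the /28 it protects, so only packets whose source and destination both fall in 10.169.1.16/28 and 10.169.2.16/28 match the tunnel.</p>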
</BODY></HTML>