<HTML >
<HEAD>
<META http-equiv="Content-Type" content="text/html; charset=iso-8859-7">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.5.7654.12">
<TITLE>RE: [Openswan Users] Net to Net in the Amazon Cloud</TITLE>
</HEAD>
<BODY >
<DIV>
<!-- Converted from text/rtf format -->
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Thanks again Paul.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Tried ping & ssh - no luck yet</FONT></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> ;-(</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">----------------------------------</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">[root@ip-10-169-1-14 ~]#</FONT></SPAN><SPAN LANG="en-us"> <FONT COLOR="#FF0000" SIZE=2 FACE="Courier New">/usr/local/sbin/ipsec verify</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Checking your system to see if IPsec got installed and started correctly:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Version check and ipsec on-path [OK]</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Linux Openswan U2.6.35/K2.6.21.7-2.fc8xen (netkey)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Checking for IPsec support in kernel [OK]</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> SAref kernel support [N/A]</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> NETKEY: Testing XFRM related proc values [OK]</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> [OK]</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> [</FONT></SPAN><SPAN LANG="en-us"><B><FONT COLOR="#FF0000" SIZE=2 FACE="Courier New">FAILED</FONT></B></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">]</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> Please enable /proc/sys/net/core/xfrm_larval_drop</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> or NETKEY will cause non-POSIX compliant long time-outs</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Testing against enforced SElinux mode [OK]</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Checking that pluto is running [OK]</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> Pluto listening for IKE on udp 500 [OK]</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> Pluto listening for NAT-T on udp 4500 [OK]</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Checking for 'ip' command [OK]</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Checking /bin/sh is not /bin/dash [OK]</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Checking for 'iptables' command [OK]</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Opportunistic Encryption Support [DISABLED]</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">----------------------------------</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN><SPAN LANG="fr"><FONT SIZE=2 FACE="Courier New">[root@ip-10-169-1-14 ~]# cd /proc/sys/net/core/</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="fr"><FONT SIZE=2 FACE="Courier New">[root@ip-10-169-1-14 core]# ls xf*</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">xfrm_aevent_etime xfrm_aevent_rseqth</FONT></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> -- I</FONT></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Courier New">don</FONT></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">’</FONT></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">t</FONT></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Courier New">have</FONT></SPAN><SPAN LANG="en-us"><B> <FONT COLOR="#FF0000" SIZE=2 FACE="Courier New">xfrm_larval_drop</FONT></B></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">----------------------------------</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">[root@ip-10-169-1-14 ~]#</FONT></SPAN><SPAN LANG="en-us"> <FONT COLOR="#FF0000" SIZE=2 FACE="Courier New">uname -a</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Linux ip-10-169-1-14 2.6.21.7-2.fc8xen #1 SMP Fri Feb 15 12:34:28 EST 2008 x86_64 x86_64 x86_64 GNU/Linux</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">----------------------------------</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">[root@ip-10-169-1-14 ~]#</FONT></SPAN><SPAN LANG="en-us"> <FONT COLOR="#FF0000" SIZE=2 FACE="Courier New">cat /etc/redhat-release</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><B><FONT COLOR="#FF0000" SIZE=2 FACE="Courier New">CentOS release 5.4</FONT></B></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> (Final)</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">----------------------------------</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">As re:</FONT></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Courier New">linux</FONT></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Courier New">firewalls:</FONT></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> (all machines)</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">[root@ip-10-169-1-14 ~]#</FONT></SPAN><SPAN LANG="en-us"> <FONT COLOR="#FF0000" SIZE=2 FACE="Courier New">iptables</FONT></SPAN><SPAN LANG="en-us"> <FONT COLOR="#FF0000" SIZE=2 FACE="Courier New">–</FONT></SPAN><SPAN LANG="en-us"><FONT COLOR="#FF0000" SIZE=2 FACE="Courier New">list</FONT></SPAN><SPAN LANG="en-us"><FONT COLOR="#FF0000" SIZE=2 FACE="Courier New"> </FONT></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Courier New">(</FONT></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">I</FONT></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> assume this lists the rules)</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Chain INPUT (policy ACCEPT)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">target prot opt source destination</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Chain FORWARD (policy ACCEPT)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">target prot opt source destination</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Chain OUTPUT (policy ACCEPT)</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">target prot opt source destination</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">[root@ip-10-169-1-14 ~]#</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">As re: Amazon VPC firewalls:</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">On the Amazon instances, I have used only Security Groups, No Network ACLS.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">ALL Security Groups are FULLY OPEN for</FONT></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Courier New">ALL</FONT></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Courier New">inbound and</FONT></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Courier New">outbound traffic.</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Does the ipsec verify look ok</FONT></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"></FONT></SPAN><SPAN LANG="en-us"> <FONT SIZE=2 FACE="Courier New">–</FONT></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New"> especially the FAILED message</FONT></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">?</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Do I need to specify any iptables rules?</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Thanks again for all the help.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Has anyone else done what I am attempting?</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Regards</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">S</FONT></SPAN><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">udarshan</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">-----Original Message-----<BR>
From: Paul Wouters [<A HREF="mailto:paul@xelerance.com">mailto:paul@xelerance.com</A>]<BR>
Sent: Thursday, August 25, 2011 10:03 AM<BR>
To: Murty, Sudarshan<BR>
Cc: users@openswan.org<BR>
Subject: RE: [Openswan Users] Net to Net in the Amazon Cloud</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">On Wed, 24 Aug 2011, Murty, Sudarshan wrote:</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">> I did all that you said below and also turned on nat_traversal=yes in the config section.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">> When I start up ipsec it looks like this. Does it look ok?</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">> 004 "cld-to-cld" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xa489360c <0x2edaf4dc xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=46.51.216.14:4500</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">> DPD=none}</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Yes. looks good.</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">> But I still canʼt tracert from a host in the left subnet to the right subnet</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">dont use traceroute, but ping. If that fails too, check firewall rules and</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">run "ipsec verify"</FONT></SPAN></P>
<P DIR=LTR><SPAN LANG="en-us"><FONT SIZE=2 FACE="Courier New">Paul</FONT></SPAN><SPAN LANG="en-us"></SPAN></P>
</DIV>
<DIV STYLE="FONT-SIZE: 9pt; FONT-FAMILY: Courier New">
<FONT FACE="Verdana" SIZE="1">
</FONT> </DIV>
<DIV STYLE="FONT-SIZE: 9pt; FONT-FAMILY: Courier New">
<FONT FACE="Verdana">
<HR>
</FONT>
</DIV>
<DIV STYLE="FONT-SIZE: 9pt; FONT-FAMILY: Courier New">
<FONT FACE="Verdana" SIZE="1">The information contained in this message is intended only for the recipient, and may be a confidential attorney-client communication or may otherwise be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, please be aware that any dissemination or copying of this communication is strictly prohibited. If you have received this communication in error, please immediately notify us by replying to the message and deleting it from your computer. The McGraw-Hill Companies, Inc. reserves the right, subject to applicable local law, to monitor, review and process the content of any electronic message or information sent to or from McGraw-Hill e-mail addresses without informing the sender or recipient of the message. By sending electronic message or information to McGraw-Hill e-mail addresses you, as the sender, are consenting to McGraw-Hill processing any of your personal data therein.</FONT>
</DIV>
<DIV STYLE="FONT-SIZE: 9pt; FONT-FAMILY: Courier New">
<FONT FACE="Verdana">
<HR>
</FONT>
</DIV></BODY></HTML>