Me again. Paul, I appreciate your assistance greatly up to this point. I've simplified my original configuration, but still can't see any traffic after the IPsec SA (tunnel mode) is established. I try pinging or hitting servers on the client side from my Amazon EC2 server and get silence. The client side says they can't even see any traffic hitting their firewall, much less passing through it.

1) Assume we have a fresh installation. From the Amazon end, upon the creation of the server, besides disabling ICMP send and accept redirects and enabling IP forwarding, is there anything else that has to be done on the instance? (ifconfig, port opening, iptables, etc.) This is where my knowledge is weakest, and therefore where I'm most concerned I'm missing something obvious or stupid that any network engineer would know.

2) After establishing the SA tunnel, what is the best way to test whether or not I can send traffic to the client, and how can I tell if it's being NAT'ed/going through the correct ports (UDP 500/4500)? Right now, I've just been trying to ping the client gateway or using elinks to see if I can reach the client WSDL addresses for download.

My .conf:

config setup
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    virtual_private=%v4:168.94.151.0/24,%v4:10.0.0.0/8,%v4:192.168.0.0/16
    oe=off
    # which IPsec stack to use. netkey,klips,mast,auto or none
    protostack=netkey
    #testing
    interfaces=%defaultroute

conn ec2check
    connaddrfamily=ipv4
    type=tunnel
    authby=secret
    ike=3des-md5
    ikelifetime=86400s
    phase2=esp
    phase2alg=3des-md5
    lifetime=28800s
    forceencaps=yes
    pfs=no
    left=<AMAZON LOCAL IP>
    leftid=<AMAZON ELASTIC IP>
    leftnexthop=%defaultroute
    leftsubnet=0.0.0.0/0
    right=<CLIENT CHECKPOINT GATEWAY>
    rightid=<CLIENT CHECKPOINT GATEWAY>
    rightsubnet=<CLIENT INTERNAL NETWORK>
    auto=add

* * *

The route I'm trying for is

Amazon Local---------------Amazon Elastic===Internet===Client Checkpoint----------Client Internal
10.XX.XX.XX                184.XX.XX.XX             198.XX.XX.XX                  168.XX.XX.XX/XX

-- James
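One way to answer question 2 from the instance itself: after pinging the far side, compare the per-SA packet counters that `ip -s xfrm state` reports with what tcpdump shows on the wire. If the outbound SA counter stays at zero, the test packets never matched the IPsec policy; if it increments while the inbound SA stays at zero, the packets are leaving encapsulated and the far side simply is not answering. The script below is an added example for this thread, not James's or Openswan's code. The sample `ip -s xfrm state` text and tcpdump lines are constructed in the style of those tools, and the addresses are documentation ranges rather than the poster's; on a real host you would feed it the output of `ip -s xfrm state` and of `tcpdump -ni eth0 'udp port 500 or udp port 4500 or esp'`.

```python
"""Read IPsec SA counters and a packet capture to tell whether test traffic
is entering the tunnel and whether it is NAT-T encapsulated on UDP 4500.

Added example for this thread, not the poster's script. SAMPLE_XFRM and
SAMPLE_CAPTURE are constructed in the style of `ip -s xfrm state` and
tcpdump output; addresses are documentation ranges, not the poster's.
"""
import re
from dataclasses import dataclass


@dataclass
class SaInfo:
    src: str
    dst: str
    spi: str = ""
    mode: str = ""
    encap: bool = False   # True when the SA carries "encap type espinudp"
    packets: int = 0      # packet counter from the "lifetime current:" block


def parse_xfrm_state(text):
    """One SaInfo per 'src ... dst ...' block of `ip -s xfrm state` output."""
    sas, current, lines = [], None, text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"src (\S+) dst (\S+)", line)
        if m:
            current = SaInfo(src=m.group(1), dst=m.group(2))
            sas.append(current)
            continue
        if current is None:
            continue
        s = line.strip()
        m = re.match(r"proto esp spi (0x[0-9a-f]+) .*mode (\w+)", s)
        if m:
            current.spi, current.mode = m.group(1), m.group(2)
        elif s.startswith("encap type espinudp"):
            current.encap = True
        elif s.startswith("lifetime current:") and i + 1 < len(lines):
            # the next line reads like "  420(bytes), 5(packets)"
            m = re.match(r"(\d+)\(bytes\), (\d+)\(packets\)", lines[i + 1].strip())
            if m:
                current.packets = int(m.group(2))
    return sas


def classify_capture(lines):
    """Count IKE (UDP 500), ESP-in-UDP (NAT-T, UDP 4500) and raw ESP packets."""
    counts = {"isakmp_500": 0, "esp_in_udp_4500": 0, "raw_esp": 0, "other": 0}
    for line in lines:
        if re.search(r"\.500 > \S+\.500: isakmp", line):
            counts["isakmp_500"] += 1
        elif re.search(r"\.4500 > \S+\.4500: UDP-encap: ESP", line):
            counts["esp_in_udp_4500"] += 1
        elif re.search(r" > \S+: ESP\(", line):
            counts["raw_esp"] += 1
        else:
            counts["other"] += 1
    return counts


def diagnose(sas, counts, local_ip):
    """Turn SA counters and capture counts into a short list of findings."""
    outbound = [s for s in sas if s.src == local_ip]
    inbound = [s for s in sas if s.dst == local_ip]
    findings = []
    if not outbound or not inbound:
        findings.append("no inbound/outbound SA pair installed: IKE has not completed")
        return findings
    if any(s.encap for s in outbound) and counts["raw_esp"]:
        findings.append("raw ESP on the wire although the SA is NAT-T encapsulated")
    if all(s.packets == 0 for s in outbound):
        findings.append("outbound SA counter is zero: test traffic never matched the "
                        "IPsec policy (check its source address against leftsubnet "
                        "and the route to rightsubnet)")
    elif all(s.packets == 0 for s in inbound):
        findings.append("outbound packets counted but nothing received: the far side "
                        "is not answering or its replies do not reach this host")
    else:
        findings.append("tunnel is carrying traffic in both directions")
    return findings


# Constructed sample data: 5 pings left the instance encapsulated, nothing came back.
LOCAL_IP = "10.0.0.5"
SAMPLE_XFRM = """\
src 10.0.0.5 dst 198.51.100.1
    proto esp spi 0x0a1b2c3d reqid 16385 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(md5) 0x00 96
    enc cbc(des3_ede) 0x00
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    lifetime current:
      420(bytes), 5(packets)
src 198.51.100.1 dst 10.0.0.5
    proto esp spi 0x1d2c3b4a reqid 16385 mode tunnel
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    lifetime current:
      0(bytes), 0(packets)
"""
SAMPLE_CAPTURE = [
    "12:00:00.100000 IP 10.0.0.5.500 > 198.51.100.1.500: isakmp: phase 1 I ident",
    "12:00:00.200000 IP 198.51.100.1.500 > 10.0.0.5.500: isakmp: phase 1 R ident",
] + [
    f"12:00:0{i}.000000 IP 10.0.0.5.4500 > 198.51.100.1.4500: UDP-encap: "
    f"ESP(spi=0x0a1b2c3d,seq=0x{i}), length 132" for i in range(1, 6)
] + ["12:00:06.000000 IP 10.0.0.5.4500 > 198.51.100.1.4500: isakmp-nat-keep-alive"]

if __name__ == "__main__":
    sas = parse_xfrm_state(SAMPLE_XFRM)
    counts = classify_capture(SAMPLE_CAPTURE)
    for f in diagnose(sas, counts, LOCAL_IP):
        print(f)
```

The finding for the constructed sample is the middle case, which matches the symptom described in the post: ESP-in-UDP packets leave on 4500 and the outbound SA counts them, but the inbound SA never increments, so the question moves to the far side's firewall and NAT mapping rather than to the instance's policy.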