<div>Hi,</div><div><br></div><div>I wonder if anybody can give me any pointers with the following setup? I'm attempting to create an IPSec tunnel between a local subnet 192.168.2.0/24 behind ISA Server 2006 and an OpenSwan machine in an Amazon Virtual Private Cloud (VPC) subnet 10.0.0.0/24, e.g.</div>
<div><br></div><div>Host A (192.168.2.2) --> (192.168.2.3) ISA Server (a.b.c.d) --> Internet <-- (e.f.g.h) OpenSwan Host (10.0.0.206) <-- Host B (10.0.0.210)</div><div><br></div><div>The OpenSwan host has a public AWS Elastic IP of (e.f.g.h) and the default gateway for the VPC is 10.0.0.1.</div>
<div><br></div><div>When I start the IPSec service, the tunnel comes up successfully. The problem is that when I ping OpenSwan Host from Host A I get no response. I can see ICMP echo requests coming through the tunnel by using tcpdump on the OpenSwan machine, but nothing is coming back. e.g.</div>
<div><br></div><div>tcpdump -i eth0 -n -p ip host 10.0.0.206 and not port 22</div><div>14:03:04.995393 IP a.b.c.d.ipsec-nat-t > 10.0.0.206.ipsec-nat-t: UDP-encap: ESP(spi=0x3b525e3a,seq=0x1), length 92</div><div>14:03:04.995393 IP 192.168.2.2 > 10.0.0.206: ICMP echo request, id 1, seq 5, length 40</div>
<div><br></div><div>Also when pinging Host A from the OpenSwan machine I get 100% packet loss.</div><div><br></div><div>Any pointers gratefully received. My configuration is detailed below.</div><div><br></div><div>Regards,</div>
<div>Pete</div><div><br></div><div>My ipsec configuration on the OpenSwan machine:</div><div><br></div><div>config setup</div><div> # Debug-logging controls: "none" for (almost) none, "all" for lots.</div>
<div> # plutodebug="control parsing"</div><div> # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey</div><div> protostack=netkey</div><div> nat_traversal=yes</div><div> virtual_private=%v4:192.168.0.0/8,%v4:172.16.0.0/12,%v4:10.0.0.0/8,%v4:!192.168.2.0/24</div><div> oe=off</div><div> # Enable this if you see "failed to find any available worker"</div>
<div> nhelpers=0</div><div> interfaces=%defaultroute</div><div><br></div><div>conn home</div><div> type=tunnel</div><div> left=10.0.0.206 # OpenSwan machine VPC internal address</div><div> leftid=e.f.g.h # OpenSwan AWS elastic IP</div>
<div> leftsourceip=e.f.g.h # OpenSwan elastic IP</div><div> leftsubnet=10.0.0.0/24 # AWS VPC subnet</div><div> leftnexthop=%defaultroute</div><div> right=a.b.c.d # ISA Server public IP</div>
<div> rightid=@MACHINE.DOMAIN.local # ISA Server ID</div><div> rightsubnet=192.168.2.0/24 # Internal local subnet</div><div> esp=3des-md5-1024</div><div> ike=3des-md5-1024</div>
<div> authby=secret</div><div> forceencaps=yes</div><div> pfs=yes</div><div> auto=start</div><div><br></div><div>Output from iptables -L</div><div>Chain INPUT (policy ACCEPT)</div><div>target prot opt source destination</div>
<div><br></div><div>Chain FORWARD (policy ACCEPT)</div><div>target prot opt source destination</div><div><br></div><div>Chain OUTPUT (policy ACCEPT)</div><div>target prot opt source destination</div>
<div><br></div><div>Output from route</div><div>Kernel IP routing table</div><div>Destination Gateway Genmask Flags Metric Ref Use Iface</div><div>10.0.0.0 * 255.255.255.0 U 0 0 0 eth0</div>
<div>192.168.2.0 10.0.0.1 255.255.255.0 UG 0 0 0 eth0</div><div>default 10.0.0.1 0.0.0.0 UG 0 0 0 eth0</div><div><br></div><div>Output from ipsec verify</div>
<div>Version check and ipsec on-path [OK]</div><div>Linux Openswan U2.6.32/K2.6.35.11-83.9.amzn1.i686 (netkey)</div><div>Checking for IPsec support in kernel [OK]</div>
<div> SAref kernel support [N/A]</div><div> NETKEY: Testing for disabled ICMP send_redirects [OK]</div><div>NETKEY detected, testing for disabled ICMP accept_redirects [OK]</div>
<div>Checking that pluto is running [OK]</div><div> Pluto listening for IKE on udp 500 [OK]</div><div> Pluto listening for NAT-T on udp 4500 [OK]</div>
<div>Checking for 'ip' command [OK]</div><div>Checking /bin/sh is not /bin/dash [OK]</div><div>Checking for 'iptables' command [OK]</div>
<div>Opportunistic Encryption Support [DISABLED]</div><div><br></div><div>I have also set net.ipv4.ip_forward = 1 in /etc/sysctl.conf and ensured that the AWS security groups allow ICMP traffic.</div>
<div><br></div>
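<div>Added example, not part of the post above: a small sanity check for the subnet/sourceip relationships in a conn section like the one posted. It assumes (as Openswan documents for leftsourceip/rightsourceip) that a gateway's own source address must lie inside its configured subnet for its locally generated traffic to match the tunnel policy; the sample conf is constructed, with documentation addresses 192.0.2.1 and 198.51.100.1 standing in for e.f.g.h and a.b.c.d, and the parser is a minimal key=value reader, not Openswan's own.</div>

```python
"""Sanity-check subnet/sourceip relationships in an ipsec.conf conn section.
Added example; the parser handles only 'conn <name>' blocks with key=value lines."""
import ipaddress

# Constructed sample mirroring the posted conn. 192.0.2.1 stands in for the
# elastic IP placeholder e.f.g.h and 198.51.100.1 for the ISA public IP a.b.c.d.
SAMPLE_CONF = """
config setup
    protostack=netkey
    nat_traversal=yes

conn home
    type=tunnel
    left=10.0.0.206
    leftid=192.0.2.1
    leftsourceip=192.0.2.1      # elastic IP, not an address the instance owns
    leftsubnet=10.0.0.0/24
    right=198.51.100.1
    rightid=@MACHINE.DOMAIN.local
    rightsubnet=192.168.2.0/24
    authby=secret
    auto=start
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif line.startswith("config "):
            current = None                    # 'config setup' is not a conn
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def check_conn(conn):
    """Return a list of findings about sourceip/subnet consistency for one conn."""
    findings = []
    for side in ("left", "right"):
        subnet, src = conn.get(side + "subnet"), conn.get(side + "sourceip")
        if subnet and src and ipaddress.ip_address(src) not in ipaddress.ip_network(subnet, strict=False):
            findings.append(f"{side}sourceip {src} is outside {side}subnet {subnet}: "
                            "traffic originated by this gateway will not match the tunnel policy")
    ls, rs = conn.get("leftsubnet"), conn.get("rightsubnet")
    if ls and rs and ipaddress.ip_network(ls, strict=False).overlaps(ipaddress.ip_network(rs, strict=False)):
        findings.append(f"leftsubnet {ls} overlaps rightsubnet {rs}")
    return findings
```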