<div dir="ltr"><div>Hi folks,</div><div><br></div><div>I'm a complete noob with openswan, and I tried to configure a site-to-site IPsec VPN between Amazon VPC (172.20.10.0/24) and my branch office network (172.20.2.0/24).</div>
<div><br></div><div>I was guiding myself with this tutorial: <a href="http://gist.github.com/2871257">gist.github.com/2871257</a>, but I can't get a connection.</div><div><br></div><div>Here is my configuration:</div><div><br></div>
<div><i>Amazon VPC:</i></div><div><br></div><div>Ubuntu 12.04 x64</div><div>Openswan 2.6.37</div><div>Network: 172.20.10.0/24</div><div>Ubuntu local IP: 172.20.10.221</div><div>Public IP: 107.23.111.XXX</div>
<div><br></div><div>ipsec.conf:</div><div><br></div><div># /etc/ipsec.conf - Openswan IPsec configuration file</div><div><br></div><div># This file: /usr/share/doc/openswan/ipsec.conf-sample</div><div>#</div><div># Manual: ipsec.conf.5</div>
<div><br></div><div><br></div><div>version 2.0 # conforms to second version of ipsec.conf specification</div><div><br></div><div># basic configuration</div><div>config setup</div><div> # Do not set debug options to debug configuration issues!</div>
<div> # plutodebug / klipsdebug = "all", "none" or a combination from below:</div><div> # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"</div><div> # eg:</div>
<div> # plutodebug="control parsing"</div><div> # Again: only enable plutodebug or klipsdebug when asked by a developer</div><div> #</div><div> # enable to get logs per-peer</div><div>
# plutoopts="--perpeerlog"</div><div> #</div><div> # Enable core dumps (might require system changes, like ulimit -C)</div><div> # This is required for abrtd to work properly</div><div>
# Note: incorrect SElinux policies might prevent pluto writing the core</div><div> dumpdir=/var/run/pluto/</div><div> #</div><div> # NAT-TRAVERSAL support, see README.NAT-Traversal</div><div>
nat_traversal=yes</div>
<div> # exclude networks used on server side by adding %v4:!a.b.c.0/24</div><div> # It seems that T-Mobile in the US and Rogers/Fido in Canada are</div><div> # using 25/8 as "private" address space on their 3G network.</div>
<div> # This range has not been announced via BGP (at least up to 2010-12-21)</div><div> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!172.20.2.0./24</div>
<div> # OE is now off by default. Uncomment and change to on, to enable.</div><div> oe=off</div><div> # which IPsec stack to use. auto will try netkey, then klips then mast</div><div> protostack=auto</div>
<div> # Use this to log to a file, or disable logging on embedded systems (like openwrt)</div><div> #plutostderrlog=/dev/null</div><div><br></div><div># Add connections here</div><div><br></div><div># sample VPN connection</div>
<div># for more examples, see /etc/ipsec.d/examples/</div><div>#conn sample</div><div># # Left security gateway, subnet behind it, nexthop toward right.</div><div># left=10.0.0.1</div><div># leftsubnet=172.16.0.0/24</div>
<div># leftnexthop=10.22.33.44</div><div># # Right security gateway, subnet behind it, nexthop toward left.</div><div># right=10.12.12.1</div><div># rightsubnet=192.168.0.0/24</div>
<div># rightnexthop=10.101.102.103</div><div># # To authorize this connection, but not actually start it,</div><div># # at startup, uncomment this.</div><div># #auto=add</div>
<div><br></div><div>include /etc/ipsec.d/*.conf</div><div><br></div><div><br></div><div><br></div><div><br></div><div>/etc/ipsec.d/vimex.conf:</div><div><br></div><div>conn vimex</div><div> authby=secret</div><div>
forceencaps=yes</div><div> auto=start</div><div> left=%defaultroute</div><div> leftid=107.23.111.XXX</div><div> leftsourceip=107.23.111.XXX</div><div> right=201.122.32.XXX</div>
<div>
rightid=201.122.32.XXX</div><div> rightsubnet=172.20.2.0/24</div><div><br></div><div><br></div><div><br></div><div>vimex.secrets:</div><div><br></div><div>201.122.32.XXX 0.0.0.0: PSK "12345"</div>
<div><br></div><div>Branch office (VIMEX):</div><div><br></div><div>Ubuntu 12.04 x32</div><div>Openswan 2.6.37</div><div>Network: 172.20.2.0/24</div><div>Ubuntu local IP: 172.20.2.193</div>
<div>Public IP: 201.122.32.XXX</div><div>*This network is behind an Endian firewall and the Ubuntu server is NATed.</div><div><br></div><div><br></div><div><br></div><div>ipsec.conf:</div><div><br></div><div><br></div><div>
# /etc/ipsec.conf - Openswan IPsec configuration file</div>
<div><br></div><div># This file: /usr/share/doc/openswan/ipsec.conf-sample</div><div>#</div><div># Manual: ipsec.conf.5</div><div><br></div><div><br></div><div>version 2.0 # conforms to second version of ipsec.conf specification</div>
<div><br></div><div># basic configuration</div><div>config setup</div><div> # Do not set debug options to debug configuration issues!</div><div> # plutodebug / klipsdebug = "all", "none" or a combination from below:</div>
<div> # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"</div><div> # eg:</div><div> # plutodebug="control parsing"</div><div> # Again: only enable plutodebug or klipsdebug when asked by a developer</div>
<div> #</div><div> # enable to get logs per-peer</div><div> # plutoopts="--perpeerlog"</div><div> #</div><div> # Enable core dumps (might require system changes, like ulimit -C)</div>
<div> # This is required for abrtd to work properly</div><div> # Note: incorrect SElinux policies might prevent pluto writing the core</div><div> dumpdir=/var/run/pluto/</div><div> #</div><div>
# NAT-TRAVERSAL support, see README.NAT-Traversal</div><div> nat_traversal=yes</div><div> # exclude networks used on server side by adding %v4:!a.b.c.0/24</div><div> # It seems that T-Mobile in the US and Rogers/Fido in Canada are</div>
<div> # using 25/8 as "private" address space on their 3G network.</div><div> # This range has not been announced via BGP (at least up to 2010-12-21)</div><div> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,$/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,,%v4:!172.20.10.0/24</div>
<div> # OE is now off by default. Uncomment and change to on, to enable.</div><div> oe=off</div><div> # which IPsec stack to use. auto will try netkey, then klips then mast</div><div> protostack=netkey</div>
<div> # Use this to log to a file, or disable logging on embedded systems (like openwrt)</div><div> #plutostderrlog=/dev/null</div><div><br></div><div># Add connections here</div><div><br></div><div># sample VPN connection</div>
<div># for more examples, see /etc/ipsec.d/examples/</div><div>#conn sample</div><div># # Left security gateway, subnet behind it, nexthop toward right.</div><div># left=10.0.0.1</div><div># leftsubnet=172.16.0.0/24</div>
<div># leftnexthop=10.22.33.44</div><div># # Right security gateway, subnet behind it, nexthop toward left.</div><div># right=10.12.12.1</div><div># rightsubnet=192.168.0.0/24</div>
<div># rightnexthop=10.101.102.103</div><div># # To authorize this connection, but not actually start it,</div><div># # at startup, uncomment this.</div><div># #auto=add</div>
<div><br></div><div>include /etc/ipsec.d/*.conf</div><div><br></div><div><br></div><div><br></div><div>/etc/ipsec.d/vpc.conf:</div><div><br></div><div>conn vpc</div><div> authby=secret</div><div> forceencaps=yes</div>
<div> auto=start</div><div> left=%defaultroute</div><div> leftid=201.122.32.XX</div><div> leftsourceip=201.122.32.XX</div><div> right=107.23.111.XX</div><div> rightid=107.23.111.XX</div>
<div> rightsubnet=172.20.10.0/24</div><div><br></div><div><br></div><div><br></div><div>vpc.secrets:</div><div><br></div><div><br></div><div>107.23.111.XXX 0.0.0.0: PSK "12345"</div>
<div><br></div><div><br></div><div><br></div><div>When I start the openswan service and do ipsec auto --up vpc or ipsec auto --up vimex, I get this error:</div><div><br></div><div>022 "vpc": We cannot identify ourselves with either end of this connection.</div>
<div><br></div><div><br></div><div>Do you have any idea what's wrong?</div><div><br></div><div>Thanks for any advice</div></div>
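<div>As an added example, not part of the original post or of Openswan itself: a small Python checker that parses ipsec.conf-style sections and validates every comma-separated virtual_private entry and each leftsubnet/rightsubnet value as a CIDR network. It runs on a constructed sample in the shape of the files above; the posted virtual_private lines can be handed to check_virtual_private unchanged.</div>

```python
import ipaddress
# Constructed sample (not the poster's file); the '!' entry carries the stray dot seen in the post.
SAMPLE_CONF = """\
config setup
 virtual_private=%v4:10.0.0.0/8,%v6:fd00::/8,%v4:!172.20.2.0./24
conn vimex
 rightsubnet=172.20.2.0/24
"""

def parse_conf(text):
    """Return {section: {key: value}} for ipsec.conf-style text, comments stripped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        if not line[0].isspace():  # unindented line opens 'config setup' / 'conn NAME'
            sections[(current := line.strip())] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def bad_network(net):
    """Return a problem string if net is not a valid IPv4/IPv6 network, else None."""
    try:
        ipaddress.ip_network(net, strict=False)
    except ValueError:
        return f"bad network {net!r}"

def check_virtual_private(value):
    """Check each comma-separated %v4:/%v6: entry (optionally negated with '!')."""
    problems = []
    for entry in value.split(","):
        prefixed = entry.startswith(("%v4:", "%v6:"))
        err = bad_network(entry[4:].lstrip("!")) if prefixed else "missing %v4:/%v6: prefix"
        if err:
            problems.append(f"{err} in {entry!r}")
    return problems

def check_conf(text):
    """Run both checks over a whole file; return (section, key, problem) tuples."""
    found = []
    for name, keys in parse_conf(text).items():
        for key, value in keys.items():
            if key == "virtual_private":
                found += [(name, key, p) for p in check_virtual_private(value)]
            elif key in ("leftsubnet", "rightsubnet") and (err := bad_network(value)):
                found.append((name, key, err))
    return found
```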