<div dir="ltr"><div>Hi,</div><div><br></div><div>Thanks for your invaluable help. I am using Amazon EC2 to set up Openswan, but it is not working; can you give me a hint?</div><div>The client cannot connect to Openswan.</div>
<div> </div><div>$ cat /etc/ipsec.conf </div><div>config setup</div><div> protostack=netkey</div><div> interfaces=%defaultroute</div><div> nat_traversal=yes </div><div># this will force openswan to use IPSec over UDP - required for EC2</div>
<div> force_keepalive=yes</div><div> keep_alive=60</div><div> virtual_private=%v4:172.16.0.0/16</div><div># this subnet must include the range provided in the xl2tpd config file</div>
<div> oe=no</div><div> nhelpers=0</div><div>conn RWConn # road warrior connection description</div><div> type=transport</div><div> authby=secret</div><div> pfs=no</div><div> rekey=no</div><div> ikelifetime=8h</div>
<div> keylife=1h</div><div> leftprotoport=17/1701</div><div> left=%defaultroute </div><div> leftid=myElasticIP</div><div> leftsourceip=myElasticIP</div><div> forceencaps=yes</div><div> rightprotoport=17/%any</div>
<div> right=%any</div><div> rightsubnet=vhost:%priv,%no,%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/16</div><div> auto=add</div><div># Apple iOS doesn't send delete notify so we need dead peer detection</div>
<div> # to detect vanishing clients</div><div> dpddelay=30</div><div> dpdtimeout=120</div><div> dpdaction=clear</div><div><br></div><div>$ cat /etc/ipsec.secrets </div><div>cat: /etc/ipsec.secrets: Permission denied</div>
<div>ubuntu@ip-10-164-25-201:~$ sudo cat /etc/ipsec.secrets </div><div># This file holds shared secrets or RSA private keys for inter-Pluto</div><div># authentication. See ipsec_pluto(8) manpage, and HTML documentation.</div>
<div><br></div><div># RSA private key for this host, authenticating it to any other host</div><div># which knows the public part. Suitable public keys, for ipsec.conf, DNS,</div><div># or configuration of other implementations, can be extracted conveniently</div>
<div># with "ipsec showhostkey".</div><div><br></div><div># this file is managed with debconf and will contain the automatically created RSA keys</div><div>#include /var/lib/openswan/ipsec.secrets.inc</div><div>myElasticIP <span class="" style="white-space:pre">        </span>0.0.0.0<span class="" style="white-space:pre">        </span>%any: PSK "123"</div><div><br></div><div>$ sudo cat /etc/xl2tpd/xl2tpd.conf </div><div>[global]</div>
<div>ipsec saref = yes</div><div>; this must be the private EC2 address allocated to eth0 </div><div>listen-addr = myElasticIP </div><div>[lns default]</div><div>; addresses to road road warriors will be allocated from this range</div>
<div>ip range = 172.16.100.1-172.16.100.254 </div><div>; GW virtual address (must be outside of the above range)</div><div>local ip = 172.16.0.150</div><div>refuse pap = yes</div><div>require authentication = yes</div>
<div>require chap = yes</div><div>ppp debug = yes</div><div>name = MyGW</div><div>; points to PPP config file (you can choose your own name)</div><div>pppoptfile = /etc/ppp/options.xl2tpd </div><div>length bit = yes</div>
<div><br></div><div>$ sudo cat /etc/ppp/options.xl2tpd </div><div>name MyGW # this must be identical to the name given in the xl2tpd file</div><div><br></div><div>ipcp-accept-local</div><div>ipcp-accept-remote</div><div>noccp</div>
<div>auth</div><div>crtscts</div><div>idle 1800</div><div>mtu 1280</div><div>mru 1280</div><div>defaultroute</div><div>lock</div><div>proxyarp</div><div>connect-delay 5000</div><div>$ tail -n 70 /var/log/auth.log</div><div><br></div><div>Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: packet from myClientIP:33690: received Vendor ID payload [RFC 3947] method set to=109 </div><div>Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: packet from myClientIP:33690: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike] method set to=110 </div>
<div>Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: packet from myClientIP:33690: ignoring unknown Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]</div><div>Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: packet from myClientIP:33690: ignoring unknown Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]</div>
<div>Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: packet from myClientIP:33690: ignoring unknown Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]</div><div>Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: packet from myClientIP:33690: ignoring unknown Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]</div>
<div>Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: packet from myClientIP:33690: ignoring unknown Vendor ID payload [9909b64eed937c6573de52ace952fa6b]</div><div>Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: packet from myClientIP:33690: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110</div>
<div>Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: packet from myClientIP:33690: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110</div><div>Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: packet from myClientIP:33690: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110</div>
<div>Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: packet from myClientIP:33690: ignoring Vendor ID payload [FRAGMENTATION 80000000]</div><div>Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: packet from myClientIP:33690: received Vendor ID payload [Dead Peer Detection]</div>
<div>Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[3] myClientIP #3: responding to Main Mode from unknown peer myClientIP</div><div>Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[3] myClientIP #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1</div>
<div>Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[3] myClientIP #3: STATE_MAIN_R1: sent MR1, expecting MI2</div><div>Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[3] myClientIP #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed</div>
<div>Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[3] myClientIP #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2</div><div>Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[3] myClientIP #3: STATE_MAIN_R2: sent MR2, expecting MI3</div>
<div>Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[3] myClientIP #3: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000</div><div>Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[3] myClientIP #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.43.179'</div>
<div>Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[3] myClientIP #3: switched from "RWConn" to "RWConn"</div><div>Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #3: deleting connection "RWConn" instance with peer myClientIP {isakmp=#0/ipsec=#0}</div>
<div>Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3</div><div>Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #3: new NAT mapping for #3, was myClientIP:33690, now myClientIP:17370</div>
<div>Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}</div><div>Nov 29 13:59:37 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #3: Dead Peer Detection (RFC 3706): enabled</div>
<div>Nov 29 13:59:38 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #3: Applying workaround for Mac OS X NAT-OA bug, ignoring proposed subnet</div><div>Nov 29 13:59:38 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #3: the peer proposed: myElasticIP/32:17/1701 -> myClientIP/32:17/0</div>
<div>Nov 29 13:59:38 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #4: responding to Quick Mode proposal {msgid:47e78293}</div><div>Nov 29 13:59:38 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #4: us: myElasticIP/32===10.164.25.201[myElasticIP,+S=C]:17/1701</div>
<div>Nov 29 13:59:38 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #4: them: myClientIP[192.168.43.179,+S=C]:17/54867</div><div>Nov 29 13:59:38 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1</div>
<div>Nov 29 13:59:38 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2</div><div>Nov 29 13:59:38 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #4: Dead Peer Detection (RFC 3706): enabled</div>
<div>Nov 29 13:59:38 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2</div><div>Nov 29 13:59:38 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x02ceb265 <0xafbcefd3 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=myClientIP:17370 DPD=enabled}</div>
<div>Nov 29 13:59:58 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #3: received Delete SA(0x02ceb265) payload: deleting IPSEC State #4</div><div>Nov 29 13:59:58 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #3: received and ignored informational message</div>
<div>Nov 29 13:59:58 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP #3: received Delete SA payload: deleting ISAKMP State #3</div><div>Nov 29 13:59:58 ip-10-164-25-201 pluto[5667]: "RWConn"[4] myClientIP: deleting connection "RWConn" instance with peer myClientIP {isakmp=#0/ipsec=#0}</div>
<div>Nov 29 13:59:58 ip-10-164-25-201 pluto[5667]: packet from myClientIP:17370: received and ignored informational message</div><div><br></div><div>$ sudo ipsec verify</div><div>Checking your system to see if IPsec got installed and started correctly:</div>
<div>Version check and ipsec on-path <span class="" style="white-space:pre">        </span>[OK]</div><div>Linux Openswan U2.6.37/K3.2.0-54-virtual (netkey)</div><div>Checking for IPsec support in kernel <span class="" style="white-space:pre">        </span>[OK]</div>
<div> SAref kernel support <span class="" style="white-space:pre">        </span>[N/A]</div><div> NETKEY: Testing XFRM related proc values <span class="" style="white-space:pre">        </span>[OK]</div>
<div><span class="" style="white-space:pre">        </span>[OK]</div><div><span class="" style="white-space:pre">        </span>[OK]</div><div>Checking that pluto is running <span class="" style="white-space:pre">        </span>[OK]</div>
<div> Pluto listening for IKE on udp 500 <span class="" style="white-space:pre">        </span>[OK]</div><div> Pluto listening for NAT-T on udp 4500 <span class="" style="white-space:pre">        </span>[OK]</div>
<div>Checking for 'ip' command <span class="" style="white-space:pre">        </span>[OK]</div><div>Checking /bin/sh is not /bin/dash <span class="" style="white-space:pre">        </span>[WARNING]</div>
<div>Checking for 'iptables' command <span class="" style="white-space:pre">        </span>[OK]</div><div>Opportunistic Encryption Support <span class="" style="white-space:pre">        </span>[DISABLED]</div>
<div><br></div><div>$ sudo cat /etc/ppp/chap-secrets </div><div># Secrets for authentication using CHAP</div><div># client<span class="" style="white-space:pre">        </span>server<span class="" style="white-space:pre">        </span>secret<span class="" style="white-space:pre">                        </span>IP addresses</div>
<div>alice <span class="" style="white-space:pre">        </span>MyGW<span class="" style="white-space:pre">        </span>PASSWORD<span class="" style="white-space:pre">        </span>*</div><div>bob <span class="" style="white-space:pre">        </span>MyGW<span class="" style="white-space:pre">        </span>PASSWORD <span class="" style="white-space:pre">        </span>*</div>
<div><br></div><div>Thank you </div><div>Mohsen</div></div>
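<p>The pluto lines quoted in the message above already record how far the negotiation got: Main Mode completes with a pre-shared key, Quick Mode completes, a transport-mode IPsec SA is installed at 13:59:38, and at 13:59:58 the client itself sends Delete SA payloads for the IPsec and ISAKMP states. The script below is an added example for triaging such auth.log excerpts; it is not part of Mohsen's message nor of the Openswan project. It groups pluto lines per peer, tracks the IKE state transitions and which SAs were established, and classifies each attempt (no Phase 1, no Phase 2, IPsec up but torn down by the peer, IPsec up). The embedded sample log is constructed to mirror the quoted lines: the hostname, PID and the peer address 203.0.113.5 are made up, and the classification codes and advice strings are this example's own.</p>

```python
"""Triage an Openswan (pluto) auth.log excerpt: how far did each peer get?"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample, modelled on the pluto lines quoted in the post.
# Hostname "gw", PID and the peer address 203.0.113.5 (a documentation range) are made up.
SAMPLE_LOG = """\
Nov 29 13:59:37 gw pluto[5667]: packet from 203.0.113.5:33690: received Vendor ID payload [RFC 3947] method set to=109
Nov 29 13:59:37 gw pluto[5667]: "RWConn"[3] 203.0.113.5 #3: responding to Main Mode from unknown peer 203.0.113.5
Nov 29 13:59:37 gw pluto[5667]: "RWConn"[3] 203.0.113.5 #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Nov 29 13:59:37 gw pluto[5667]: "RWConn"[3] 203.0.113.5 #3: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 29 13:59:37 gw pluto[5667]: "RWConn"[3] 203.0.113.5 #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Nov 29 13:59:37 gw pluto[5667]: "RWConn"[4] 203.0.113.5 #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Nov 29 13:59:37 gw pluto[5667]: "RWConn"[4] 203.0.113.5 #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Nov 29 13:59:38 gw pluto[5667]: "RWConn"[4] 203.0.113.5 #4: responding to Quick Mode proposal {msgid:47e78293}
Nov 29 13:59:38 gw pluto[5667]: "RWConn"[4] 203.0.113.5 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Nov 29 13:59:38 gw pluto[5667]: "RWConn"[4] 203.0.113.5 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Nov 29 13:59:38 gw pluto[5667]: "RWConn"[4] 203.0.113.5 #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x02ceb265 <0xafbcefd3 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=203.0.113.5:17370 DPD=enabled}
Nov 29 13:59:58 gw pluto[5667]: "RWConn"[4] 203.0.113.5 #3: received Delete SA(0x02ceb265) payload: deleting IPSEC State #4
Nov 29 13:59:58 gw pluto[5667]: "RWConn"[4] 203.0.113.5 #3: received Delete SA payload: deleting ISAKMP State #3
"""

# Only lines already bound to a connection instance ("RWConn"[n] peer #sa: ...) are parsed;
# "packet from ..." lines precede peer identification and are skipped.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+)(?: #(?P<sa>\d+))?: (?P<msg>.*)$'
)


@dataclass
class PeerAttempt:
    peer: str
    conn: str
    states: List[str] = field(default_factory=list)       # IKE states in order of transition
    isakmp_established: Optional[datetime] = None         # Phase 1 done
    ipsec_established: Optional[datetime] = None          # Phase 2 done
    ipsec_mode: Optional[str] = None                      # "transport" or "tunnel"
    peer_deleted: Optional[datetime] = None               # first Delete SA received from the peer


def _ts(s: str) -> datetime:
    # syslog timestamps carry no year; only the delta between lines is used here
    return datetime.strptime(s, "%b %d %H:%M:%S")


def parse_pluto_log(text: str) -> Dict[str, PeerAttempt]:
    """Group pluto lines by peer address and record the milestones of each attempt."""
    attempts: Dict[str, PeerAttempt] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        a = attempts.setdefault(m["peer"], PeerAttempt(m["peer"], m["conn"]))
        msg, ts = m["msg"], _ts(m["ts"])
        st = re.search(r"to state (STATE_\w+)", msg)
        if st:
            a.states.append(st.group(1))
        if "ISAKMP SA established" in msg:
            a.isakmp_established = ts
        mode = re.search(r"IPsec SA established (\w+) mode", msg)
        if mode:
            a.ipsec_established = ts
            a.ipsec_mode = mode.group(1)
        if "received Delete SA" in msg and a.peer_deleted is None:
            a.peer_deleted = ts
    return attempts


def diagnose(a: PeerAttempt) -> Tuple[str, str]:
    """Return (code, advice); codes and advice are this example's own labels."""
    last = a.states[-1] if a.states else "none"
    if a.isakmp_established is None:
        return ("phase1-failed",
                f"no ISAKMP SA, last state {last}: check the PSK in ipsec.secrets, "
                "NAT-T, and that UDP 500/4500 reach pluto")
    if a.ipsec_established is None:
        return ("phase2-failed",
                f"ISAKMP SA up but no IPsec SA, last state {last}: check left/rightprotoport, "
                "type=transport and the proposed subnets")
    if a.peer_deleted is not None:
        secs = int((a.peer_deleted - a.ipsec_established).total_seconds())
        return ("ipsec-up-then-peer-dropped",
                f"{a.ipsec_mode}-mode IPsec SA established, peer sent Delete SA {secs}s later: "
                "IKE/IPsec worked, so look above IPsec (xl2tpd listen address, pppd, chap-secrets)")
    return ("ipsec-up", f"{a.ipsec_mode}-mode IPsec SA established and not torn down")


if __name__ == "__main__":
    for peer, attempt in parse_pluto_log(SAMPLE_LOG).items():
        code, advice = diagnose(attempt)
        print(f"{peer}: {code}\n  {advice}")
```

Run against the sample, the single peer is classified as <code>ipsec-up-then-peer-dropped</code> with a 20 s gap between the IPsec SA coming up and the client's Delete SA, which is why the IKE side of the posted configuration is not where to look first; feeding it only the Main Mode lines yields <code>phase1-failed</code> instead.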