<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; font-family: Calibri, sans-serif; color: rgb(0, 0, 0);"><div style="font-size: 14px;">Hi Simon. Both ends are set to allow ALL traffic from the other side.</div><div style="font-size: 14px;"><br></div><div style="font-size: 14px;">I tried switching it to “transport” instead of “tunnel” and it didn’t seem to work; it all of a sudden said there were 30 open connections.</div><div style="font-size: 14px;"><br></div><div style="font-size: 14px;">With that said, I have another openswan server for client VPN into our AWS environment (which uses transport) and everything works great through this.</div><div style="font-size: 14px;"><br></div><div style="font-size: 14px;">Here are the 2 different configuration files; maybe you can help me get them working similarly?</div><div style="font-size: 14px;"><br></div><div><b style="font-size: 18px;">Ipsec.conf for BOTH tunnel servers:</b></div><div style="font-size: 14px;"><br></div><div style="font-size: 14px;"># basic configuration</div><div style="font-size: 14px;">config setup</div><div style="font-size: 14px;"> # Debug-logging controls: "none" for (almost) none, "all" for lots.</div><div style="font-size: 14px;"> # klipsdebug=none</div><div style="font-size: 14px;"> # plutodebug="control parsing"</div><div style="font-size: 14px;"> # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey</div><div style="font-size: 14px;"> protostack=netkey</div><div style="font-size: 14px;"> nat_traversal=yes</div><div style="font-size: 14px;"> virtual_private=</div><div style="font-size: 14px;"> oe=off</div><div style="font-size: 14px;"> # Enable this if you see "failed to find any available worker"</div><div style="font-size: 14px;"> # nhelpers=0</div><div style="font-size: 14px;"><br></div><div style="font-size: 14px;">#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment 
this.</div><div style="font-size: 14px;">include /etc/ipsec.d/*.conf</div><div style="font-size: 14px;"><br></div><div><b><i style="font-size: 18px;">VPC1-to-colo tunnel conf</i></b></div><div style="font-size: 14px;"><br></div><div style="font-size: 14px;"><div>conn vpc1-to-DT</div><div> type=tunnel</div><div> authby=secret</div><div> left=%defaultroute</div><div> leftid=54.213.24.xxx</div><div> leftnexthop=%defaultroute</div><div> leftsubnet=10.1.4.0/24</div><div> right=72.26.103.xxx</div><div> rightsubnet=10.1.2.0/23</div><div> pfs=yes</div><div> auto=start</div><div><br></div></div><div style="font-size: 14px;"><br></div><div><b><i style="font-size: 18px;">Colo-to-VPC1 tunnel conf</i></b></div><div style="font-size: 14px;"><br></div><div style="font-size: 14px;"><div>conn DT-to-vpc1</div><div> type=tunnel</div><div> authby=secret</div><div> left=%defaultroute</div><div> leftid=72.26.103.xxx</div><div> leftnexthop=%defaultroute</div><div> leftsubnet=10.1.2.0/23</div><div> right=54.213.24.xxx</div><div> rightsubnet=10.1.4.0/24</div><div> pfs=yes</div><div> auto=start</div><div><br></div></div><div style="font-size: 14px;"><br></div><div><b><i style="font-size: 18px;">Client point VPN ipsec.conf</i></b></div><div style="font-size: 14px;"><br></div><div style="font-size: 14px;"><div># basic configuration</div><div><br></div></div><div style="font-size: 14px;"><div>config setup</div><div> interfaces=%defaultroute</div><div> klipsdebug=none</div><div> nat_traversal=yes</div><div> nhelpers=0</div><div> oe=off</div><div> plutodebug=none</div><div> plutostderrlog=/var/log/pluto.log</div><div> protostack=netkey</div><div> virtual_private=%v4:10.1.4.0/24</div><div><br></div><div>conn L2TP-PSK</div><div> authby=secret</div><div> pfs=no</div><div> auto=add</div><div> keyingtries=3</div><div> rekey=no</div><div> type=transport</div><div> forceencaps=yes</div><div> right=%any</div><div> rightsubnet=vhost:%any,%priv</div><div> rightprotoport=17/0</div><div> # Using the magic 
port of "0" means "any one single port". This is</div><div> # a work around required for Apple OSX clients that use a randomly</div><div> # high port, but propose "0" instead of their port.</div><div> left=%defaultroute</div><div> leftprotoport=17/1701</div><div> # Apple iOS doesn't send delete notify so we need dead peer detection</div><div> # to detect vanishing clients</div><div> dpddelay=10</div><div> dpdtimeout=90</div><div> dpdaction=clear</div><div><br></div></div><div style="font-size: 14px;"><br></div><div style="font-size: 14px;"><br></div><div style="font-size: 14px;"><br></div><div style="font-size: 14px;"><br></div><div style="font-size: 14px;">On 2/13/14, 5:45 AM, "Simon Deziel" <<a href="mailto:simon@xelerance.com">simon@xelerance.com</a>> wrote:</div><div style="font-size: 14px;"><br></div><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="font-size: 14px; border-left-color: rgb(181, 196, 223); border-left-width: 5px; border-left-style: solid; padding: 0px 0px 0px 5px; margin: 0px 0px 0px 5px;"><div>Hi Christopher,</div><div><br></div><div>I just re-read your first message and noticed you are on Amazon which is</div><div>notorious to block ICMP and ESP by default.</div><div><br></div><div>Recommendations of things to tweak:</div><div><br></div><div>* Allow ICMP in the Security Groups of both sides</div><div>* Allow ICMP on both VMs (if using firewall)</div><div>* If using host to host IPsec, use transport mode instead of tunnel</div><div>* If on a VPC (as opposed to EC2), allow ESP in the Security Groups</div><div><br></div><div>Once you have a path between the 2 VMs that is clear for ICMP, the</div><div>clamp-mss-to-pmtu will start working.</div><div><br></div><div>HTH,</div><div>Simon</div><div><br></div><div>On 14-02-12 10:47 PM, Simon Deziel wrote:</div><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div> Oups, sorry, this one should not complain:</div><div> 
</div><div> iptables -t mangle -I POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j</div><div> TCPMSS --clamp-mss-to-pmtu</div><div> </div><div> On 14-02-12 06:56 PM, Christopher Slagel wrote:</div><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div> Responds with the following:</div><div><br></div><div> [root@noxmail1 ~]# iptables -I OUTPUT -p tcp -j TCPMSS --clamp-mss-to-pmtu</div><div> iptables: Invalid argument. Run `dmesg' for more information.</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div> On 2/12/14, 3:25 PM, "Simon Deziel" <<a href="mailto:simon@xelerance.com">simon@xelerance.com</a>> wrote:</div><div><br></div><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div> You can try this:</div><div><br></div><div> iptables -I OUTPUT -p tcp -j TCPMSS --clamp-mss-to-pmtu</div><div><br></div><div><br></div><div><br></div><div><br></div><div> On 14-02-12 06:17 PM, Christopher Slagel wrote:</div><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div> Simon, as an update, it looks like it’s BETTER but still having some</div><div> problems. Small queries are now working, but anything over 1 row still</div><div> seems to hang. I’ve tried lowering the MTU a bit more a couple times</div><div> and</div><div> still no luck.</div><div><br></div><div><br></div><div><br></div><div><br></div><div><br></div><div> On 2/12/14, 12:56 PM, "Simon Deziel" <<a href="mailto:simon@xelerance.com">simon@xelerance.com</a>> wrote:</div><div><br></div><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div> You can first try with running "sudo ifconfig eth0 mtu 1400" directly</div><div> on</div><div> the console. 
This setting will not survive a reboot of course.</div><div><br></div><div> On 14-02-12 03:53 PM, Christopher Slagel wrote:</div><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div> Thanks Simon. Through some research I found that that might be the</div><div> issue,</div><div> and I’ve tried editing our /etc/sysconfig/network-scripts/ifcfg-eth0</div><div> files</div><div> and messing with the MTU (adding MTU="xyz"), but don’t seem to be</div><div> having</div><div> any success. Is there another way I should try messing with the MTU?</div><div><br></div><div><br></div><div><br></div><div> On 2/12/14, 12:50 PM, "Simon Deziel" <<a href="mailto:simon@xelerance.com">simon@xelerance.com</a>> wrote:</div><div><br></div><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div> Hi Christopher,</div><div><br></div><div> The problem you describe could well be related to an MTU issue. I'd</div><div> try</div><div> setting an MTU of, say, 1400 and see if things start working.</div><div><br></div><div> HTH,</div><div> Simon</div><div><br></div><div> On 14-02-12 03:38 PM, Christopher Slagel wrote:</div><blockquote id="MAC_OUTLOOK_ATTRIBUTION_BLOCKQUOTE" style="BORDER-LEFT: #b5c4df 5 solid; PADDING:0 0 0 5; MARGIN:0 0 0 5;"><div> We have a VPN tunnel with Openswan between two AWS regions and our</div><div> colo</div><div> facility (Used AWS’s</div><div> guide: <a href="http://aws.amazon.com/articles/5472675506466066">http://aws.amazon.com/articles/5472675506466066</a>). Regular</div><div> usage</div><div> works OK, but we are having some MySQL issues over the tunnel</div><div> between</div><div> all areas. Using mysql command line client on a linux server works,</div><div> but</div><div> trying to connect using the MySQL Connector J it basically stalls…</div><div> it</div><div> seems to open the connection, but then gets stuck. 
It doesn't get</div><div> denied or anything, just hangs there. Logging isn’t picking up</div><div> anything</div><div> at all and usually very verbose about errors. Any input as to what</div><div> we</div><div> can do to fix this/improve the connections would be appreciated.</div><div> Thanks.</div><div><br></div><div><br></div><div><br></div><div> _______________________________________________</div><div> <a href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a></div><div> <a href="https://lists.openswan.org/mailman/listinfo/users">https://lists.openswan.org/mailman/listinfo/users</a></div><div> Micropayments:</div><div> <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a></div><div> Building and Integrating Virtual Private Networks with Openswan:</div><div><br></div><div><br></div><div> <a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a></div><div><br></div></blockquote><div><br></div></blockquote><div><br></div><div><br></div></blockquote><div><br></div></blockquote><div><br></div><div><br></div></blockquote><div><br></div></blockquote><div><br></div><div><br></div></blockquote><div> </div></blockquote><div><br></div></blockquote></body></html>
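<div style="font-size: 14px;"><br></div><div style="font-size: 14px;">Added example in Python, not code from the thread, from Openswan or from AWS. The first half turns the MTU discussion above into numbers: it computes how much ESP in tunnel mode adds to each packet, the largest inner packet that still fits a given outer path MTU, and the TCP MSS that an <code>iptables -j TCPMSS --set-mss N</code> rule would carry when <code>--clamp-mss-to-pmtu</code> cannot be used (the page's own fix). It assumes AES-CBC with HMAC-SHA1-96 and an optional NAT-T UDP wrapper; the sizes are parameters, so change them for other transforms. The second half parses the two conn files posted above and checks that they mirror each other (left/leftid against right, leftsubnet against rightsubnet, authby and pfs) and that a subnet-to-subnet conn uses type=tunnel, because transport mode only protects traffic exchanged between the IKE peers themselves. The addresses stay masked exactly as in the post, and <code>check_posted_pair</code> is a helper name chosen for this example.</div>

```python
# Added example for the thread above; not code from Openswan or from either poster.
import math

# Byte sizes.  Cipher/integrity sizes assume AES-CBC + HMAC-SHA1-96 (an assumption,
# common for Openswan); pass iv_len/block/icv_len for other transforms.
IPV4_HDR = 20
TCP_HDR = 20
UDP_HDR = 8        # NAT-T encapsulation (UDP/4500), e.g. with forceencaps=yes
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad length + next header


def esp_packet_size(inner_len, *, iv_len=16, block=16, icv_len=12, nat_t=False):
    """Outer IPv4 length of an inner_len-byte packet after ESP tunnel-mode encapsulation:
    new IP header + ESP header + IV + payload padded to the cipher block + ICV [+ UDP]."""
    padded = math.ceil((inner_len + ESP_TRAILER) / block) * block
    size = IPV4_HDR + ESP_HDR + iv_len + padded + icv_len
    return size + UDP_HDR if nat_t else size


def tunnel_inner_mtu(outer_mtu, **kw):
    """Largest inner packet whose encapsulated form fits outer_mtu (binary search;
    esp_packet_size is monotonic in inner_len)."""
    lo, hi = 0, outer_mtu
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if esp_packet_size(mid, **kw) <= outer_mtu:
            lo = mid
        else:
            hi = mid - 1
    return lo


def tunnel_mss(outer_mtu, **kw):
    """MSS to advertise so a full TCP segment plus IPv4/TCP headers fits the tunnel."""
    return tunnel_inner_mtu(outer_mtu, **kw) - IPV4_HDR - TCP_HDR


def parse_ipsec_conf(text):
    """{conn_name: {param: value}} for the conn sections of an ipsec.conf.
    Section headers start in column 0, parameters are indented, '#' starts a comment."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns


def _peer_id(conn, side):
    return conn.get(side + "id") or conn.get(side)   # leftid/rightid wins over the address


def _is_real_subnet(spec):
    # A /32 or a vhost:... spec (as in the L2TP conn) is a single host, not a subnet.
    return bool(spec) and "/" in spec and not spec.endswith("/32") and not spec.startswith("vhost:")


def check_conn_pair(a, b):
    """Problems when conn a and conn b should be one tunnel seen from opposite ends."""
    problems = []
    if _peer_id(a, "left") != _peer_id(b, "right") or _peer_id(a, "right") != _peer_id(b, "left"):
        problems.append("peer ids do not mirror (left/leftid vs right/rightid)")
    if a.get("leftsubnet") != b.get("rightsubnet") or a.get("rightsubnet") != b.get("leftsubnet"):
        problems.append("subnets do not mirror (leftsubnet vs rightsubnet)")
    problems += [f"{k} differs between the two ends" for k in ("authby", "pfs") if a.get(k) != b.get(k)]
    for conn in (a, b):
        if conn.get("type", "tunnel") == "transport" and (
                _is_real_subnet(conn.get("leftsubnet")) or _is_real_subnet(conn.get("rightsubnet"))):
            problems.append("transport mode only protects traffic between the IKE peers "
                            "themselves; a subnet-to-subnet conn needs type=tunnel")
            break
    return problems


# The two conn files posted in the thread, addresses masked as in the post.
VPC1_TO_DT = """\
conn vpc1-to-DT
 type=tunnel
 authby=secret
 left=%defaultroute
 leftid=54.213.24.xxx
 leftnexthop=%defaultroute
 leftsubnet=10.1.4.0/24
 right=72.26.103.xxx
 rightsubnet=10.1.2.0/23
 pfs=yes
 auto=start
"""
DT_TO_VPC1 = VPC1_TO_DT.replace("vpc1-to-DT", "DT-to-vpc1").replace(
    "leftid=54.213.24.xxx", "leftid=72.26.103.xxx").replace("right=72.26.103.xxx", "right=54.213.24.xxx").replace(
    "leftsubnet=10.1.4.0/24", "leftsubnet=10.1.2.0/23").replace("rightsubnet=10.1.2.0/23", "rightsubnet=10.1.4.0/24")


def check_posted_pair(vpc_side=VPC1_TO_DT):
    """Mirror check on the posted conns; pass a modified VPC-side conf to see what is flagged."""
    a = parse_ipsec_conf(vpc_side)["vpc1-to-DT"]
    b = parse_ipsec_conf(DT_TO_VPC1)["DT-to-vpc1"]
    return check_conn_pair(a, b)


if __name__ == "__main__":
    for mtu in (1500, 1400):
        print(f"outer MTU {mtu}: inner MTU {tunnel_inner_mtu(mtu)}, clamp MSS to {tunnel_mss(mtu)} "
              f"(with NAT-T: {tunnel_mss(mtu, nat_t=True)})")
    print("posted conns:", check_posted_pair() or "mirror correctly")
    print("VPC side switched to type=transport:",
          check_posted_pair(VPC1_TO_DT.replace("type=tunnel", "type=transport")))
```

<div style="font-size: 14px;">For a 1500-byte outer path the helper gives an inner MTU of 1438 and an MSS of 1398 (1382 with NAT-T), so Simon's suggested MTU of 1400 leaves comfortable headroom; the posted pair passes the mirror check, and the same pair with only the VPC side switched to type=transport is flagged, since transport mode cannot carry 10.1.4.0/24 to 10.1.2.0/23 traffic.</div>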