<div dir="ltr"><br></div><div class="gmail_extra"><br><div class="gmail_quote">2015-06-20 0:00 GMT+08:00  <span dir="ltr"><<a href="mailto:users-request@lists.openswan.org" target="_blank">users-request@lists.openswan.org</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Today's Topics:<br>
<br>
   1. Help configuring server to server connection AWS  VPC to<br>
      Checkpoint Firewall (Tyler Field)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Thu, 18 Jun 2015 11:55:58 -0600<br>
From: Tyler Field <<a href="mailto:tyler@ospreyinformatics.com">tyler@ospreyinformatics.com</a>><br>
To: <a href="mailto:users@lists.openswan.org">users@lists.openswan.org</a><br>
Subject: [Openswan Users] Help configuring server to server connection<br>
        AWS     VPC to Checkpoint Firewall<br>
Message-ID:<br>
        <<a href="mailto:CAH5cMhkjfZSkV40_20O9MNA3Asd0Z4mg6z_srq%2Bt%2B8024rUeMw@mail.gmail.com">CAH5cMhkjfZSkV40_20O9MNA3Asd0Z4mg6z_srq+t+8024rUeMw@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Hello,<br>
<br>
We are trying to set up IPSec with GRE from an Amazon EC2 instance in our<br>
VPC to a third party.<br>
<br>
Our machine is Ubuntu 14.04 running Openswan Version 2.6.38<br>
<br>
They have provided the following IPSec configuration information:<br>
<br>
Client IP: 74.xxx.xxx.xxx<br>
Client Encryption Domain: 74.xxx.xxx.yyy/32<br>
<br>
Our IP: 54.aaa.bbb.ccc<br>
Our Encryption Domain: 10.160.255.181/30<br>
<br>
Encryption parameters:<br>
Phase 1: Diffie-Hellman Group 2 algorithm: 3DES-MD5<br>
Phase 2: Diffie-Hellman Group 2 algorithm: 3DES-MD5<br>
Perfect Forward Secrecy: No<br>
Lifetime (for renegotiation): 3600sec<br>
<br>
In order to match the client encryption domain we had to create a virtual<br>
ethernet device on eth0 by adding the following to our network interfaces<br>
file:<br>
<br>
auto eth0:1<br>
iface eth0:1 inet static<br>
address 10.160.255.181<br>
netmask 255.255.255.252<br>
<br>
<br>
I have added the following to my ipsec.conf file based off the blog post<br>
here (<a href="http://blog.jameskyle.org/2012/07/configuring-openswan-ipsec-server/" rel="noreferrer" target="_blank">http://blog.jameskyle.org/2012/07/configuring-openswan-ipsec-server/</a>):<br>
<br>
config setup<br>
        nat_traversal=yes<br>
        oe=off<br>
        protostack=netkey<br>
        plutostderrlog=/var/log/pluto_err.log<br>
<br>
conn client_name<br>
        authby=secret<br>
        auto=start<br>
        left=%defaultroute<br>
        leftid=54.aaa.bbb.ccc<br>
        leftsubnet=10.161.255.181/30<br>
        leftnexthop=%defaultroute<br>
        right=74.xxx.xxx.xxx<br>
        rightid=74.xxx.xxx.xxx<br>
        rightsubnet=74.xxx.xxx.yyy/32<br>
        rightnexthop=%defaultroute<br>
<br>
        pfs=no<br>
        type=tunnel<br>
        aggrmode=no<br>
<br>
        ike=3des-md5;modp1024!<br>
        ikelifetime=1440m<br>
        phase2alg=3des-md5;modp1024<br>
<br>
The secrets file looks like this:<br>
54.xxx.xxx.xxx 74.xxx.xxx.xxx : PSK "our_secret"<br>
<br>
Phase 1 seems to complete successfully but I get the following in the pluto<br>
logs:<br>
<br>
"client_name" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1<br>
"client_name" #3: STATE_MAIN_R1: sent MR1, expecting MI2<br>
"client_name" #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2<br>
"client_name" #3: STATE_MAIN_R2: sent MR2, expecting MI3<br>
"client_name" #3: Main mode peer ID is ID_IPV4_ADDR: '74.198.28.1'<br>
"client_name" #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3<br>
"client_name" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established<br>
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5<br>
group=modp1024}<br>
"client_name" #3: the peer proposed: 10.160.255.181/32:0/0 -><br>
74.198.28.244/32:0/0<br>
"client_name" #3: cannot respond to IPsec SA request because no connection<br>
is known for<br>
10.160.251.181/32===10.50.35.105[54.aaa.bbb.ccc]...74.xxx.xxx.xxx<br>
<74.xxx.xxx.xxx>===74.xxx.xxx.yyy/32<br>
<br>
Any help or suggestions on what might be wrong with the config or where to<br>
go for more information would be greatly appreciated.<br>
<br>
Cheers,<br>
Tyler<br>
<br>
--<br>
Tyler Field<br>
DevOps Admin<br>
<br>
------------------------------<br>
<br>
End of Users Digest, Vol 134, Issue 5<br>
*************************************<br>
</blockquote></div><br></div>
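A diagnostic that follows from the quoted post, added here as an example and not code from the original thread or from the Openswan project: it parses the conn block and pluto's "the peer proposed" line, relates the configured leftsubnet/rightsubnet to the selectors the peer actually proposed (IKEv1 quick mode has no selector narrowing, so only an exact match yields an IPsec SA; the "no connection is known for" error means no conn matched), and flags legacy algorithm tokens in the ike= and phase2alg= lines. The sample ipsec.conf and log lines are constructed from the values in the post; filling the rightsubnet placeholder 74.xxx.xxx.yyy with the address the log prints is an assumption.

```python
import ipaddress
import re

# Constructed sample input: the conn block from the post above, with the
# 74.xxx.xxx.yyy placeholder filled in with the address the pluto log prints
# (an assumption made for this example).
IPSEC_CONF = """\
config setup
        protostack=netkey

conn client_name
        authby=secret
        leftsubnet=10.161.255.181/30
        rightsubnet=74.198.28.244/32
        ike=3des-md5;modp1024!
        phase2alg=3des-md5;modp1024
"""

# Constructed sample: the quick-mode lines from the pluto log quoted in the post.
PLUTO_LOG = """\
"client_name" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established
"client_name" #3: the peer proposed: 10.160.255.181/32:0/0 -> 74.198.28.244/32:0/0
"client_name" #3: cannot respond to IPsec SA request because no connection is known for
"""

# pluto prints selectors as subnet:protocol/port, our side first, then the peer's.
PROPOSED_RE = re.compile(r"the peer proposed: (\S+?):\d+/\d+ -> (\S+?):\d+/\d+")

# Algorithm tokens that are no longer adequate; matched as substrings of the
# ike= / phase2alg= values.
LEGACY_ALGS = {
    "3des": "3DES: 64-bit block cipher, deprecated",
    "md5": "MD5: collision-broken hash",
    "modp1024": "modp1024: 1024-bit DH group, too small",
}


def parse_conn(conf_text, name):
    """Return the key=value settings of one 'conn <name>' section of ipsec.conf."""
    settings, current = {}, None
    for line in conf_text.splitlines():
        head = re.match(r"^(conn|config)\s+(\S+)", line)
        if head:
            current = head.group(2) if head.group(1) == "conn" else None
            continue
        kv = re.match(r"^\s+(\w+)=(.*)$", line)
        if kv and current == name:
            settings[kv.group(1)] = kv.group(2).strip()
    return settings


def parse_proposals(log_text):
    """Extract (local, remote) traffic selectors from 'the peer proposed' lines."""
    pairs = []
    for line in log_text.splitlines():
        m = PROPOSED_RE.search(line)
        if m:
            pairs.append((ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2))))
    return pairs


def octet_diff(addr_a, addr_b):
    """0-based indices of the octets in which two IPv4 addresses differ."""
    return [i for i, (a, b) in enumerate(zip(addr_a.packed, addr_b.packed)) if a != b]


def compare_selector(conf_value, proposed):
    """Relate a configured leftsubnet/rightsubnet value to what the peer proposed.

    IKEv1 quick mode has no selector narrowing, so anything but an exact match
    is a failure; the extra fields are hints for spotting how the two differ."""
    try:
        configured = ipaddress.ip_interface(conf_value)  # keeps host octets for typo hints
    except ValueError:
        return {"status": "unparseable", "detail": f"{conf_value!r} is not a subnet"}
    network = configured.network  # the masked network that is actually negotiated
    if proposed == network:
        return {"status": "match", "detail": f"{proposed} matches {conf_value}"}
    diff = octet_diff(configured.ip, proposed.network_address)
    result = {
        "status": "inside" if proposed.subnet_of(network) else "mismatch",
        "octet_diff": diff,
        "prefix_diff": proposed.prefixlen != network.prefixlen,
    }
    hints = [f"configured {conf_value} -> {network}, peer proposed {proposed}"]
    if len(diff) == 1:
        hints.append(f"differs only in octet {diff[0] + 1} (typo?)")
    if result["prefix_diff"]:
        hints.append(f"prefix /{network.prefixlen} configured vs /{proposed.prefixlen} proposed")
    result["detail"] = "; ".join(hints)
    return result


def lint_algorithms(conn):
    """Flag legacy algorithm tokens in the conn's ike= and phase2alg= lines."""
    notes = []
    for key in ("ike", "phase2alg"):
        value = conn.get(key, "").lower()
        notes.extend(f"{key}: {why}" for tok, why in LEGACY_ALGS.items() if tok in value)
    return notes


def check_conn(conf_text, conn_name, log_text):
    """Cross-check one conn against the selectors pluto says the peer proposed."""
    conn = parse_conn(conf_text, conn_name)
    selectors = []
    for local_sel, remote_sel in parse_proposals(log_text):
        selectors.append(("leftsubnet", compare_selector(conn.get("leftsubnet", ""), local_sel)))
        selectors.append(("rightsubnet", compare_selector(conn.get("rightsubnet", ""), remote_sel)))
    return {"selectors": selectors, "crypto": lint_algorithms(conn)}


if __name__ == "__main__":
    report = check_conn(IPSEC_CONF, "client_name", PLUTO_LOG)
    for side, finding in report["selectors"]:
        print(f"{side}: {finding['status']}: {finding['detail']}")
    for note in report["crypto"]:
        print("crypto:", note)
```

On the values from the post it reports leftsubnet as a mismatch that differs from the proposal in a single octet and in prefix length (/30 configured vs /32 proposed), rightsubnet as a match, and six legacy-algorithm notes; the same functions can be pointed at a live ipsec.conf and pluto log.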