<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Rescued from the spam bucket.  Please remember to subscribe to the mailing list before posting to it.<br class=""><div><br class=""><div class=""><div class=""><span class="" style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif; color: rgb(127, 127, 127);"><b class="">From: </b></span><span class="" style="font-family: -webkit-system-font, 'Helvetica Neue', Helvetica, sans-serif;">Daniel Cave <<a href="mailto:dan.cave@icloud.com" class="">dan.cave@icloud.com</a>></span></div><div class=""><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(127, 127, 127, 1.0);" class=""><b class="">Subject: </b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class=""><b class="">Re: [Openswan Users] INVALID_ID_INFORMATION between OpenSwan and Checkpoint</b><br class=""></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(127, 127, 127, 1.0);" class=""><b class="">Date: </b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class="">July 29, 2015 at 3:14:17 PM EDT<br class=""></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(127, 127, 127, 1.0);" class=""><b class="">To: </b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class="">Simon Deziel <<a href="mailto:simon@xelerance.com" 
class="">simon@xelerance.com</a>><br class=""></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;" class=""><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif; color:rgba(127, 127, 127, 1.0);" class=""><b class="">Cc: </b></span><span style="font-family: -webkit-system-font, Helvetica Neue, Helvetica, sans-serif;" class="">"<a href="mailto:users@lists.openswan.org" class="">users@lists.openswan.org</a>" <<a href="mailto:users@lists.openswan.org" class="">users@lists.openswan.org</a>><br class=""></span></div><br class=""><br class="">Fwiw. This article below does. It covers the following gotchas and problems caused by a potential lack of understanding of how AWS EC2 instances and security policy <br class=""><br class="">1. To allow traffic to pass through your VPN server you must disable source address checking, which can be done by right-clicking the instance in the EC2 manager and going to security settings. This allows traffic from another network outside of that used by your VPC/Classic instance so your end-to-end routing works. <br class=""><br class="">2. Disable iptables on Linux. <br class=""><br class="">3. 
Create a security group for your cons networks and add the subnets into that from all the networks which are going INTO the VPN instance, and apply that security group to the EC2 instance where applicable. <br class=""><br class="">#lotsOfLessonsLearnedFromExperience<br class=""><br class="">Hope that helps<br class=""><br class="">Sent from my iPhone<br class=""><br class=""><blockquote type="cite" class="">On 29 Jul 2015, at 16:31, Simon Deziel <<a href="mailto:simon@xelerance.com" class="">simon@xelerance.com</a>> wrote:<br class=""><br class="">Hi Daniel,<br class=""><br class="">You might find the following wiki page helpful:<br class=""><a href="https://github.com/xelerance/Openswan/wiki/Amazon-ec2-example" class="">https://github.com/xelerance/Openswan/wiki/Amazon-ec2-example</a><br class=""><br class="">Regards,<br class="">Simon<br class=""><br class=""><blockquote type="cite" class="">On 07/24/2015 02:51 AM, Daniel Carraro wrote:<br class="">Hi All,<br class=""><br class="">I'm running OpenSwan on an Amazon Linux EC2 Instance (inside a VPC) and<br class="">am trying to connect to a Checkpoint 4800 Series appliance (running R75.45).<br class=""><br class="">Phase 1 passes successfully; however, I'm having issues with Phase 2.<br class="">Specifically, INVALID_ID_INFORMATION gets sent from my EC2 instance back<br class="">to the Client.<br class=""><br class="">I'll give a quick summary of the networks:<br class="">- Our VPC is 10.200.0.0/16; the OpenSwan instance<br class="">is 54.66.155.156 (10.200.0.171)<br class="">- Their network is 192.168.187.0/24; their<br class="">public endpoint is 203.39.70.3 (192.168.187.253)<br class=""><br class="">What's odd as well is that I'm able to ping/telnet servers inside their network<br class="">(192.168.187.0/24), but they're unable to<br class="">ping/ssh inside my network (10.200.0.0/16)<br class=""><br class="">I've included 
relevant config/log files below, trying to condense when<br class="">possible:<br class=""><br class="">/etc/ipsec.conf:<br class="">version 2.0     # conforms to second version of ipsec.conf specification<br class=""># basic configuration<br class="">config setup<br class="">       # Debug-logging controls:  "none" for (almost) none, "all" for lots.<br class="">        klipsdebug=none<br class="">        plutodebug="control parsing"<br class="">       # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey<br class="">       protostack=netkey<br class="">       nat_traversal=yes<br class="">       virtual_private=<br class="">       oe=off<br class="">       # Enable this if you see "failed to find any available worker"<br class="">       # nhelpers=0<br class="">       # custom config options<br class="">       force_keepalive=yes<br class="">       keep_alive=10<br class="">#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and<br class="">uncomment this.<br class="">include /etc/ipsec.d/*.conf<br class=""><br class="">/etc/ipsec.d/wc-vpn.conf:<br class="">conn wc-vpn<br class="">       type=tunnel<br class="">       auth=esp<br class="">       authby=secret<br class=""><br class="">       left=10.200.0.171<br class="">       leftid=54.66.155.156<br class="">       leftnexthop=%defaultroute<br class="">       leftsubnet=10.200.0.0/16<br class="">       leftprotoport=0/0<br class=""><br class="">       right=203.39.70.3<br class="">       rightid=203.39.70.3/32<br class="">       rightsubnet=192.168.187.0/24<br class="">       rightnexthop=192.168.187.253<br class="">       rightprotoport=0/0<br class=""><br class="">       keyexchange=ike<br class="">       ike=aes256-sha1;modp1024!<br class="">       ikelifetime=28800s<br class=""><br class="">       phase2alg=aes256-sha1<br class="">       keylife=3600s<br class=""><br class="">       dpddelay=3<br class="">    
   dpdtimeout=10<br class="">       dpdaction=clear<br class=""><br class="">       pfs=no<br class="">       auto=start<br class="">       forceencaps=yes<br class="">       compress=no<br class=""><br class="">/etc/ipsec.d/wc-vpn.secrets (with actual PSK changed):<br class="">54.66.155.156 203.39.70.3: PSK "1234567890"<br class=""><br class="">Finally, a snippet from /var/log/secure:<br class="">Jul 19 23:10:28 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: sending<br class="">encrypted notification INVALID_ID_INFORMATION to 203.39.70.3:500<br class="">Jul 19 23:10:32 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: the peer<br class="">proposed: 10.200.0.0/16:0/0 -><br class="">203.39.70.3/32:0/0<br class="">Jul 19 23:10:32 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: cannot<br class="">respond to IPsec SA request because no connection is known for<br class="">10.200.0.0/16===10.200.0.171<10.200.0.171>[54.66.155.156,+S=C]...203.39.70.3<203.39.70.3>[+S=C]<br class=""><br class="">Any help would be greatly appreciated.<br class=""><br class="">Thanks,<br class="">Daniel<br class=""><br class=""><br class="">_______________________________________________<br class="">Users@lists.openswan.org<br class="">https://lists.openswan.org/mailman/listinfo/users<br class="">Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy<br class="">Building and Integrating Virtual Private Networks with Openswan:<br class="">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155<br class=""></blockquote><br class=""></blockquote><br class=""><br class=""></div></div></div><br class=""></body></html>
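The pluto lines quoted in the thread show the Phase 2 mismatch directly: the peer proposed 203.39.70.3/32 (the Checkpoint gateway address itself) for its side, while the conn is configured with rightsubnet=192.168.187.0/24, so pluto finds no matching connection and answers INVALID_ID_INFORMATION. The following script is an added example, not code from the thread or from Openswan; it parses the conn block and a "the peer proposed" log line and reports which side's selector differs from the configured subnet, assuming (as in the quoted line) that pluto prints the local selector first.

```python
import ipaddress
import re

# Constructed sample input, copied from the quoted message above: the conn's
# subnet settings and the pluto line reporting what the Checkpoint proposed.
WC_VPN_CONF = """
conn wc-vpn
       left=10.200.0.171
       leftsubnet=10.200.0.0/16
       right=203.39.70.3
       rightsubnet=192.168.187.0/24
"""
PLUTO_LOG = ('Jul 19 23:10:32 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: '
             'the peer proposed: 10.200.0.0/16:0/0 -> 203.39.70.3/32:0/0')
# "<conn>" #<sa>: the peer proposed: <local selector>:proto/port -> <remote selector>:proto/port
PROPOSED_RE = re.compile(r'"(?P<conn>[^"]+)" #\d+: the peer proposed: '
                         r'(?P<ours>[\d./]+):\S+ -> (?P<theirs>[\d./]+):\S+')

def parse_conns(text):
    """Return {conn name: {key: value}} for the conn blocks in an ipsec.conf fragment."""
    conns, current = {}, None
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()          # drop comments and indentation
        if line.startswith('conn '):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current and '=' in line:
            key, value = line.split('=', 1)
            conns[current][key.strip()] = value.strip()
    return conns

def check_proposal(conf_text, log_line):
    """List the sides where the peer's Phase 2 selector differs from the conn's subnet."""
    m = PROPOSED_RE.search(log_line)
    if not m:
        return ['log line is not a "the peer proposed" message']
    conn = parse_conns(conf_text).get(m['conn'])
    if conn is None:
        return [f'no conn named {m["conn"]} in the config']
    problems = []
    for side, proposed in (('left', m['ours']), ('right', m['theirs'])):
        # Without a <side>subnet, Openswan uses the endpoint address itself (a /32).
        configured = ipaddress.ip_network(conn.get(side + 'subnet', conn[side]), strict=False)
        if ipaddress.ip_network(proposed, strict=False) != configured:
            problems.append(f'{side}subnet is {configured} but the peer proposed {proposed}')
    return problems

if __name__ == '__main__':
    for problem in check_proposal(WC_VPN_CONF, PLUTO_LOG) or ['proposal matches the conn']:
        print(problem)
```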