<div dir="ltr">Wanted to also add xfrm policy from each VPN server.<div><br></div><div><div>[root@left ~]# ip xfrm policy</div><div>src <a href="http://52.1.197.54/32">52.1.197.54/32</a> dst <a href="http://10.40.0.0/16">10.40.0.0/16</a></div><div><span class="" style="white-space:pre"> </span>dir out priority 2096 ptype main</div><div><span class="" style="white-space:pre"> </span>tmpl src 10.33.254.184 dst 52.20.89.24</div><div><span class="" style="white-space:pre"> </span>proto esp reqid 16385 mode tunnel</div><div>src <a href="http://10.40.0.0/16">10.40.0.0/16</a> dst <a href="http://52.1.197.54/32">52.1.197.54/32</a></div><div><span class="" style="white-space:pre"> </span>dir fwd priority 2096 ptype main</div><div><span class="" style="white-space:pre"> </span>tmpl src 52.20.89.24 dst 10.33.254.184</div><div><span class="" style="white-space:pre"> </span>proto esp reqid 16385 mode tunnel</div><div>src <a href="http://10.40.0.0/16">10.40.0.0/16</a> dst <a href="http://52.1.197.54/32">52.1.197.54/32</a></div><div><span class="" style="white-space:pre"> </span>dir in priority 2096 ptype main</div><div><span class="" style="white-space:pre"> </span>tmpl src 52.20.89.24 dst 10.33.254.184</div><div><span class="" style="white-space:pre"> </span>proto esp reqid 16385 mode tunnel</div><div>src ::/0 dst ::/0</div><div><span class="" style="white-space:pre"> </span>socket out priority 0 ptype main</div><div>src ::/0 dst ::/0</div><div><span class="" style="white-space:pre"> </span>socket in priority 0 ptype main</div><div>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div><span class="" style="white-space:pre"> </span>socket out priority 0 ptype main</div><div>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div><span class="" style="white-space:pre"> </span>socket in priority 0 ptype main</div><div>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div><span class="" style="white-space:pre"> </span>socket out priority 0 ptype main</div><div>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div><span class="" style="white-space:pre"> </span>socket in priority 0 ptype main</div><div>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div><span class="" style="white-space:pre"> </span>socket out priority 0 ptype main</div><div>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div><span class="" style="white-space:pre"> </span>socket in priority 0 ptype main</div><div>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div><span class="" style="white-space:pre"> </span>socket out priority 0 ptype main</div><div>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div><span class="" style="white-space:pre"> </span>socket in priority 0 ptype main</div></div><div><br></div><div><br></div><div><div>[root@right ~]# ip xfrm policy</div><div>src <a href="http://52.20.89.24/32">52.20.89.24/32</a> dst <a href="http://10.33.0.0/16">10.33.0.0/16</a></div><div><span class="" style="white-space:pre"> </span>dir out priority 2096 ptype main</div><div><span class="" style="white-space:pre"> </span>tmpl src 10.40.56.13 dst 52.1.197.54</div><div><span class="" style="white-space:pre"> </span>proto esp reqid 16385 mode tunnel</div><div>src <a href="http://10.33.0.0/16">10.33.0.0/16</a> dst <a href="http://52.20.89.24/32">52.20.89.24/32</a></div><div><span class="" style="white-space:pre"> </span>dir fwd priority 2096 ptype main</div><div><span class="" style="white-space:pre"> </span>tmpl src 52.1.197.54 dst 10.40.56.13</div><div><span class="" style="white-space:pre"> </span>proto esp reqid 16385 mode tunnel</div><div>src <a href="http://10.33.0.0/16">10.33.0.0/16</a> dst <a href="http://52.20.89.24/32">52.20.89.24/32</a></div><div><span class="" style="white-space:pre"> </span>dir in priority 2096 ptype main</div><div><span class="" style="white-space:pre"> </span>tmpl src 52.1.197.54 dst 10.40.56.13</div><div><span class="" style="white-space:pre"> </span>proto esp reqid 16385 mode tunnel</div><div>src ::/0 dst ::/0</div><div><span class="" style="white-space:pre"> </span>socket out priority 0 ptype main</div><div>src ::/0 dst ::/0</div><div><span class="" style="white-space:pre"> </span>socket in priority 0 ptype main</div><div>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div><span class="" style="white-space:pre"> </span>socket out priority 0 ptype main</div><div>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div><span class="" style="white-space:pre"> </span>socket in priority 0 ptype main</div><div>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div><span class="" style="white-space:pre"> </span>socket out priority 0 ptype main</div><div>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div><span class="" style="white-space:pre"> </span>socket in priority 0 ptype main</div><div>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div><span class="" style="white-space:pre"> </span>socket out priority 0 ptype main</div><div>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div><span class="" style="white-space:pre"> </span>socket in priority 0 ptype main</div><div>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div><span class="" style="white-space:pre"> </span>socket out priority 0 ptype main</div><div>src <a href="http://0.0.0.0/0">0.0.0.0/0</a> dst <a href="http://0.0.0.0/0">0.0.0.0/0</a></div><div><span class="" style="white-space:pre"> </span>socket in priority 0 ptype main</div></div><div><br></div><div><br></div><div>Thanks,</div><div>Cooper</div><div><br></div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 5, 2015 at 2:52 AM, Cooper Simmons <span dir="ltr"><<a href="mailto:csimmons@square-root.com" target="_blank">csimmons@square-root.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><font face="arial, helvetica, sans-serif">Hello openswan users,</font><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif">I was able to set up a tunnel successfully and I am seeing ping and ssh getting sent over the tunnel, but I'm not getting responses from the other side.</font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><span style="font-family:arial,helvetica,sans-serif">The goal is for servers in subnet <a href="http://10.33.0.0/16" target="_blank">10.33.0.0/16</a> to be able to ssh to the servers in subnet <a href="http://10.40.0.0/16" target="_blank">10.40.0.0/16</a>.</span><br></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif">Local/left:</font></div><div><font face="arial, helvetica, sans-serif">Public endpoint: 52.1.197.54</font></div><div><font face="arial, helvetica, sans-serif">private IP: 10.33.254.184</font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif">Remote/right:</font></div><div><div><font face="arial, helvetica, sans-serif">Public endpoint: 52.20.89.24</font></div><div><font face="arial, helvetica, sans-serif">private IP: 10.40.56.13</font></div></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif">ipsec.conf, left side:</font></div><div><div><span style="font-family:monospace,monospace">config setup</span><br></div><div><font face="monospace, monospace"> klipsdebug=all</font></div><div><font face="monospace, monospace"> plutodebug=control</font></div><div><font face="monospace, monospace"> plutostderrlog=/var/log/pluto.log</font></div><div><font face="monospace, monospace"> protostack=netkey</font></div><div><font face="monospace, monospace"> nat_traversal=yes</font></div><div><font face="monospace, monospace"> virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.33.0.0/16" target="_blank">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.33.0.0/16</a></font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">conn sr-tunnel</font></div><div><font face="monospace, monospace"> authby=secret</font></div><div><font face="monospace, monospace"> auto=start</font></div><div><font face="monospace, monospace"> forceencaps=yes</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"> left=%defaultroute</font></div><div><font face="monospace, monospace"> leftid=52.1.197.54</font></div><div><font face="monospace, monospace"> leftsourceip=52.1.197.54</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"> right=52.20.89.24</font></div><div><font face="monospace, monospace"> rightsubnet=<a href="http://10.40.0.0/16" target="_blank">10.40.0.0/16</a></font></div><div><br></div></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><span style="font-family:arial,helvetica,sans-serif">ipsec.conf, right side:</span><font face="arial, helvetica, sans-serif"><br></font></div><div><div><font face="monospace, monospace">config setup<br></font></div><div><font face="monospace, monospace"> klipsdebug=all</font></div><div><font face="monospace, monospace"> plutodebug=control</font></div><div><font face="monospace, monospace"> plutostderrlog=/var/log/pluto.log</font></div><div><font face="monospace, monospace"> protostack=netkey</font></div><div><font face="monospace, monospace"> nat_traversal=yes</font></div><div><font face="monospace, monospace"> virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.40.0.0/16" target="_blank">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.40.0.0/16</a></font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">conn sr-tunnel</font></div><div><font face="monospace, monospace"> authby=secret</font></div><div><font face="monospace, monospace"> auto=start</font></div><div><font face="monospace, monospace"> forceencaps=yes</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"> left=%defaultroute</font></div><div><font face="monospace, monospace"> leftid=52.20.89.24</font></div><div><font face="monospace, monospace"> leftsourceip=52.20.89.24</font></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace"> right=52.1.197.54</font></div><div><font face="monospace, monospace"> rightsubnet=<a href="http://10.33.0.0/16" target="_blank">10.33.0.0/16</a></font></div></div><div><span style="font-family:arial,helvetica,sans-serif"><br></span></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif">status:</font></div><div><div><div><font face="monospace, monospace"># service ipsec status</font></div><div><font face="monospace, monospace">IPsec running - pluto pid: 17024</font></div><div><font face="monospace, monospace">pluto pid 17024</font></div><div><font face="monospace, monospace">1 tunnels up</font></div><div><font face="monospace, monospace">some eroutes exist</font></div></div></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif">This is my first time setting up openswan...so be gentle. ;-)</font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif">When I ping from Local/left and run tcpdump on Remote/right I see:</font></div><div><font face="arial, helvetica, sans-serif"><div><br></div><div>[root@left ~]# ping 10.40.56.13</div><div>PING 10.40.56.13 (10.40.56.13) 56(84) bytes of data.</div><div><br></div><div><div>[root@right ~]# tcpdump -nn icmp</div><div>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode</div><div>listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes</div><div>07:40:47.303742 IP 52.1.197.54 > <a href="http://10.40.56.13" target="_blank">10.40.56.13</a>: ICMP echo request, id 47689, seq 1, length 64<br></div><div>07:40:48.310951 IP 52.1.197.54 > <a href="http://10.40.56.13" target="_blank">10.40.56.13</a>: ICMP echo request, id 47689, seq 2, length 64</div><div>07:40:49.318979 IP 52.1.197.54 > <a href="http://10.40.56.13" target="_blank">10.40.56.13</a>: ICMP echo request, id 47689, seq 3, length 64</div></div></font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif">So it looks to me like packets get to </font><span style="font-family:arial,helvetica,sans-serif">10.40.56.13 but there is not route to get the reply back?</span></div><div><span style="font-family:arial,helvetica,sans-serif">But there is a route in place.</span></div><div><span style="font-family:arial,helvetica,sans-serif"><br></span></div><div><div><font face="arial, helvetica, sans-serif"><div>[root@left ~]# ip a</div><div>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default</div><div> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00</div><div> inet <a href="http://127.0.0.1/8" target="_blank">127.0.0.1/8</a> scope host lo</div><div> valid_lft forever preferred_lft forever</div><div> inet6 ::1/128 scope host</div><div> valid_lft forever preferred_lft forever</div><div>2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000</div><div> link/ether 12:a9:5e:40:e3:67 brd ff:ff:ff:ff:ff:ff</div><div> inet <a href="http://10.33.254.184/24" target="_blank">10.33.254.184/24</a> brd 10.33.254.255 scope global eth0</div><div> valid_lft forever preferred_lft forever</div><div> inet <a href="http://52.1.197.54/16" target="_blank">52.1.197.54/16</a> scope global eth0</div><div> valid_lft forever preferred_lft forever</div><div> inet6 fe80::10a9:5eff:fe40:e367/64 scope link</div><div> valid_lft forever preferred_lft forever</div></font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif">[root@left ~]# ip r</font></div><div><font face="arial, helvetica, sans-serif">default via 10.33.254.1 dev eth0</font></div><div><font face="arial, helvetica, sans-serif"><a href="http://10.33.254.0/24" target="_blank">10.33.254.0/24</a> dev eth0 proto kernel scope link src 10.33.254.184</font></div><div><font face="arial, helvetica, sans-serif"><a href="http://10.40.0.0/16" target="_blank">10.40.0.0/16</a> dev eth0 scope link src 52.1.197.54</font></div><div><font face="arial, helvetica, sans-serif"><a href="http://52.1.0.0/16" target="_blank">52.1.0.0/16</a> dev eth0 proto kernel scope link src 52.1.197.54</font></div><div><font face="arial, helvetica, sans-serif">169.254.169.254 dev eth0</font></div></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif"><div><div>[root@right ~]# ip a</div><div>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default</div><div> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00</div><div> inet <a href="http://127.0.0.1/8" target="_blank">127.0.0.1/8</a> scope host lo</div><div> valid_lft forever preferred_lft forever</div><div> inet6 ::1/128 scope host</div><div> valid_lft forever preferred_lft forever</div><div>2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000</div><div> link/ether 12:18:04:de:81:1b brd ff:ff:ff:ff:ff:ff</div><div> inet <a href="http://10.40.56.13/16" target="_blank">10.40.56.13/16</a> brd 10.40.255.255 scope global eth0</div><div> valid_lft forever preferred_lft forever</div><div> inet <a href="http://52.20.89.24/16" target="_blank">52.20.89.24/16</a> scope global eth0</div><div> valid_lft forever preferred_lft forever</div><div> inet6 fe80::1018:4ff:fede:811b/64 scope link</div><div> valid_lft forever preferred_lft forever</div></div><div><br></div><div>[root@right ~]# ip r</div><div>default via 10.40.0.1 dev eth0</div><div><a href="http://10.33.0.0/16" target="_blank">10.33.0.0/16</a> dev eth0 scope link src 52.20.89.24</div><div><a href="http://52.20.0.0/16" target="_blank">52.20.0.0/16</a> dev eth0 proto kernel scope link src 52.20.89.24</div><div>169.254.169.254 dev eth0</div><div><br></div><div>These are EC2 instances and their security groups allow ICMP from everywhere. </div><div>I also have no iptables rules (nat or otherwise) in place.</div><div><br></div><div><br></div><div>Can anyone advise?</div><div>Thanks,</div><div>Cooper</div><div><br></div><div><br></div><div><br></div></font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif"><br></font></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><span style="color:rgb(102,102,102)"><font face="arial,helvetica,sans-serif"><strong><span>Cooper</span> <span>Simmons</span></strong><br>Engineering</font></span><p style="color:rgb(136,136,136)"><span style="font-family:arial,helvetica,sans-serif"><b><span style="color:rgb(53,28,117)"><font face="arial,helvetica,sans-serif">Square Root, Inc.</font><a href="http://square-root.com/" style="color:rgb(17,85,204)" target="_blank"></a></span></b><a href="http://square-root.com/" style="color:rgb(17,85,204)" target="_blank"><br></a><font color="#1155cc" face="arial,helvetica,sans-serif" style="color:rgb(17,85,204)"><a href="http://square-root.com/" style="color:rgb(17,85,204)" target="_blank">Square-Root.com</a><br></font></span><b style="color:rgb(102,102,102);font-family:arial,helvetica,sans-serif">[m]</b><span style="color:rgb(102,102,102);font-family:arial,helvetica,sans-serif"> </span><a value="+15126508063" style="color:rgb(17,85,204);font-family:arial,helvetica,sans-serif">512.527.4910</a><span style="color:rgb(102,102,102);font-family:arial,helvetica,sans-serif"> </span><span style="font-family:arial,helvetica,sans-serif"><font color="#1155cc" face="arial,helvetica,sans-serif" style="color:rgb(17,85,204)"><br></font></span></p><p style="color:rgb(136,136,136)"><span style="font-family:arial,helvetica,sans-serif"><br></span></p></div></div>
</div>