
<div dir="ltr">Hello Nick, <div>Thanks so much for the response.</div><div><br></div><div>I looked at the setting "forceencaps", and yes, I had that wrong. I removed it.</div><div><br></div><div>I set left/rightsource IP to be the LAN IP of my VPN gateway and I think that's what fixed it.</div><div>I can now ping the private 10.40 address of the VPN gateway on the other end of the tunnel.</div><div><br></div><div>Here is my ipsec.conf that enabled me to do that:</div><div><br></div><div><div>config setup</div><div>  klipsdebug=all</div><div>  plutodebug=none</div><div>  plutostderrlog=/var/log/pluto.log</div><div>  protostack=netkey</div><div>  nat_traversal=yes</div><div>  virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.33.0.0/16">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.33.0.0/16</a></div><div><br></div><div>conn tunnel169</div><div>  ike=aes128-sha1;modp1024</div><div>  authby=secret</div><div>  auto=start</div><div>  pfs=no</div><div>  phase2=esp</div><div>  phase2alg=aes128-sha1;modp1024</div><div>  left=%defaultroute</div><div>  leftid=52.0.200.232</div><div>  leftsourceip=10.33.254.107</div><div>  right=52.20.89.24</div><div>  rightsubnet=<a href="http://10.40.0.0/16">10.40.0.0/16</a></div></div><div><br></div><div><br></div><div>Thanks a bunch for your help!</div><div>-Cooper</div><div><br></div><div><br></div><div><br></div><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 5, 2015 at 3:10 AM, Nick Howitt <span dir="ltr"><<a href="mailto:nick@howitts.co.uk" target="_blank">nick@howitts.co.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hi Cooper,<br>

<br>

Firstly let me say I am not sure of the effect of these being EC2 instances as these often require a different set up, but:<br>

<br>

1 - why have you set "forceencaps=yes" as this is public IP <-> public IP or are you natted somewhere?<br>

2 - Please remove all blank lines inside a conn as a blank line normally means the end of a conn definition.<br>

3 - left/rightsource IP is normally set to be the LAN IP of your VPN gateway and not public IP but I am not sure of the requirements of EC2.<br>

4 - when you say you have no iptables rules in place do you mean specific to IPsec or are you running without a firewall completely.<br>

5 - Can you post your connection log (but cut all the stuff when ipsec starts)<br>

<br>

Nick<span class=""><br>

<br>

On 2015-10-05 08:52, Cooper Simmons wrote:<br>

</span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class="">

Hello openswan users,<br>

<br>

I was able to set up a tunnel successfully and I am seeing ping and<br>

ssh getting sent over the tunnel, but I'm not getting responses from<br>

the other side.<br>

<br></span>

The goal is for servers in subnet <a href="http://10.33.0.0/16" rel="noreferrer" target="_blank">10.33.0.0/16</a> [1] to be able to ssh<br>

to the servers in subnet <a href="http://10.40.0.0/16" rel="noreferrer" target="_blank">10.40.0.0/16</a> [2].<span class=""><br>

<br>

Local/left:<br>

Public endpoint: 52.1.197.54<br>

private IP: 10.33.254.184<br>

<br>

Remote/right:<br>

<br>

Public endpoint: 52.20.89.24<br>

private IP: 10.40.56.13<br>

<br>

ipsec.conf, left side:<br>

<br>

config setup<br>

<br>

  klipsdebug=all<br>

  plutodebug=control<br>

  plutostderrlog=/var/log/pluto.log<br>

  protostack=netkey<br>

  nat_traversal=yes<br>

<br>

virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.33.0.0/16" rel="noreferrer" target="_blank">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.33.0.0/16</a><br></span>

[3]<span class=""><br>

<br>

conn sr-tunnel<br>

  authby=secret<br>

  auto=start<br>

  forceencaps=yes<br>

<br>

  left=%defaultroute<br>

  leftid=52.1.197.54<br>

  leftsourceip=52.1.197.54<br>

<br>

  right=52.20.89.24<br></span>

  rightsubnet=<a href="http://10.40.0.0/16" rel="noreferrer" target="_blank">10.40.0.0/16</a> [2]<span class=""><br>

<br>

ipsec.conf, right side:<br>

<br>

config setup<br>

<br>

  klipsdebug=all<br>

  plutodebug=control<br>

  plutostderrlog=/var/log/pluto.log<br>

  protostack=netkey<br>

  nat_traversal=yes<br>

<br>

virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.40.0.0/16" rel="noreferrer" target="_blank">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.40.0.0/16</a><br></span>

[4]<span class=""><br>

<br>

conn sr-tunnel<br>

  authby=secret<br>

  auto=start<br>

  forceencaps=yes<br>

<br>

  left=%defaultroute<br>

  leftid=52.20.89.24<br>

  leftsourceip=52.20.89.24<br>

<br>

  right=52.1.197.54<br></span>

  rightsubnet=<a href="http://10.33.0.0/16" rel="noreferrer" target="_blank">10.33.0.0/16</a> [1]<span class=""><br>

<br>

status:<br>

<br>

# service ipsec status<br>

IPsec running  - pluto pid: 17024<br>

pluto pid 17024<br>

1 tunnels up<br>

some eroutes exist<br>

<br>

This is my first time setting up openswan...so be gentle.  ;-)<br>

<br>

When I ping from Local/left and run tcpdump on Remote/right I see:<br>

<br>

[root@left ~]# ping 10.40.56.13<br>

PING 10.40.56.13 (10.40.56.13) 56(84) bytes of data.<br>

<br>

[root@right ~]# tcpdump -nn icmp<br>

tcpdump: verbose output suppressed, use -v or -vv for full protocol<br>

decode<br>

listening on eth0, link-type EN10MB (Ethernet), capture size 65535<br>

bytes<br></span>

07:40:47.303742 IP 52.1.197.54 > 10.40.56.13 [5]: ICMP echo request,<span class=""><br>

id 47689, seq 1, length 64<br>

<br></span>

07:40:48.310951 IP 52.1.197.54 > 10.40.56.13 [5]: ICMP echo request,<span class=""><br>

id 47689, seq 2, length 64<br></span>

07:40:49.318979 IP 52.1.197.54 > 10.40.56.13 [5]: ICMP echo request,<span class=""><br>

id 47689, seq 3, length 64<br>

<br>

So it looks to me like packets get to 10.40.56.13 but there is not<br>

route to get the reply back?<br>

But there is a route in place.<br>

<br>

[root@left ~]# ip a<br>

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN<br>

group default<br>

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br></span>

    inet <a href="http://127.0.0.1/8" rel="noreferrer" target="_blank">127.0.0.1/8</a> [6] scope host lo<span class=""><br>

       valid_lft forever preferred_lft forever<br>

    inet6 ::1/128 scope host<br>

       valid_lft forever preferred_lft forever<br>

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast<br>

state UP group default qlen 1000<br>

    link/ether 12:a9:5e:40:e3:67 brd ff:ff:ff:ff:ff:ff<br></span>

    inet <a href="http://10.33.254.184/24" rel="noreferrer" target="_blank">10.33.254.184/24</a> [7] brd 10.33.254.255 scope global eth0<br>

       valid_lft forever preferred_lft forever<br>

    inet <a href="http://52.1.197.54/16" rel="noreferrer" target="_blank">52.1.197.54/16</a> [8] scope global eth0<span class=""><br>

       valid_lft forever preferred_lft forever<br>

    inet6 fe80::10a9:5eff:fe40:e367/64 scope link<br>

       valid_lft forever preferred_lft forever<br>

<br>

[root@left ~]# ip r<br>

default via 10.33.254.1 dev eth0<br>

</span><a href="http://10.33.254.0/24" rel="noreferrer" target="_blank">10.33.254.0/24</a> [9] dev eth0  proto kernel  scope link  src<br>

10.33.254.184<br>

<a href="http://10.40.0.0/16" rel="noreferrer" target="_blank">10.40.0.0/16</a> [2] dev eth0  scope link  src 52.1.197.54<br>

<a href="http://52.1.0.0/16" rel="noreferrer" target="_blank">52.1.0.0/16</a> [10] dev eth0  proto kernel  scope link  src 52.1.197.54<span class=""><br>

169.254.169.254 dev eth0<br>

<br>

[root@right ~]# ip a<br>

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN<br>

group default<br>

    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br></span>

    inet <a href="http://127.0.0.1/8" rel="noreferrer" target="_blank">127.0.0.1/8</a> [6] scope host lo<span class=""><br>

       valid_lft forever preferred_lft forever<br>

    inet6 ::1/128 scope host<br>

       valid_lft forever preferred_lft forever<br>

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast<br>

state UP group default qlen 1000<br>

    link/ether 12:18:04:de:81:1b brd ff:ff:ff:ff:ff:ff<br></span>

    inet <a href="http://10.40.56.13/16" rel="noreferrer" target="_blank">10.40.56.13/16</a> [11] brd 10.40.255.255 scope global eth0<br>

       valid_lft forever preferred_lft forever<br>

    inet <a href="http://52.20.89.24/16" rel="noreferrer" target="_blank">52.20.89.24/16</a> [12] scope global eth0<span class=""><br>

       valid_lft forever preferred_lft forever<br>

    inet6 fe80::1018:4ff:fede:811b/64 scope link<br>

       valid_lft forever preferred_lft forever<br>

<br>

[root@right ~]# ip r<br>

default via 10.40.0.1 dev eth0<br>

</span><a href="http://10.33.0.0/16" rel="noreferrer" target="_blank">10.33.0.0/16</a> [1] dev eth0  scope link  src 52.20.89.24<br>

<a href="http://52.20.0.0/16" rel="noreferrer" target="_blank">52.20.0.0/16</a> [13] dev eth0  proto kernel  scope link  src 52.20.89.24<span class=""><br>

169.254.169.254 dev eth0<br>

<br>

These are EC2 instances and their security groups allow ICMP from<br>

everywhere.<br>

I also have no iptables rules (nat or otherwise) in place.<br>

<br>

Can anyone advise?<br>

Thanks,<br>

Cooper<br>

<br>

<br>

<br></span>

Links:<br>

------<br>

[1] <a href="http://10.33.0.0/16" rel="noreferrer" target="_blank">http://10.33.0.0/16</a><br>

[2] <a href="http://10.40.0.0/16" rel="noreferrer" target="_blank">http://10.40.0.0/16</a><br>

[3] <a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.33.0.0/16" rel="noreferrer" target="_blank">http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.33.0.0/16</a><br>

[4] <a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.40.0.0/16" rel="noreferrer" target="_blank">http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.40.0.0/16</a><br>

[5] <a href="http://10.40.56.13" rel="noreferrer" target="_blank">http://10.40.56.13</a><br>

[6] <a href="http://127.0.0.1/8" rel="noreferrer" target="_blank">http://127.0.0.1/8</a><br>

[7] <a href="http://10.33.254.184/24" rel="noreferrer" target="_blank">http://10.33.254.184/24</a><br>

[8] <a href="http://52.1.197.54/16" rel="noreferrer" target="_blank">http://52.1.197.54/16</a><br>

[9] <a href="http://10.33.254.0/24" rel="noreferrer" target="_blank">http://10.33.254.0/24</a><br>

[10] <a href="http://52.1.0.0/16" rel="noreferrer" target="_blank">http://52.1.0.0/16</a><br>

[11] <a href="http://10.40.56.13/16" rel="noreferrer" target="_blank">http://10.40.56.13/16</a><br>

[12] <a href="http://52.20.89.24/16" rel="noreferrer" target="_blank">http://52.20.89.24/16</a><br>

[13] <a href="http://52.20.0.0/16" rel="noreferrer" target="_blank">http://52.20.0.0/16</a><br>

<br>

_______________________________________________<br>

<a href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a><br>

<a href="https://lists.openswan.org/mailman/listinfo/users" rel="noreferrer" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a><br>

Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" rel="noreferrer" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>

Building and Integrating Virtual Private Networks with Openswan:<br>

<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" rel="noreferrer" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>

</blockquote>

</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><span style="color:rgb(102,102,102)"><font face="arial,helvetica,sans-serif"><strong><span>Cooper</span> <span>Simmons</span></strong><br>Engineering</font></span><p style="color:rgb(136,136,136)"><span style="font-family:arial,helvetica,sans-serif"><b><span style="color:rgb(53,28,117)"><font face="arial,helvetica,sans-serif">Square Root, Inc.</font><a href="http://square-root.com/" style="color:rgb(17,85,204)" target="_blank"></a></span></b><a href="http://square-root.com/" style="color:rgb(17,85,204)" target="_blank"><br></a><font color="#1155cc" face="arial,helvetica,sans-serif" style="color:rgb(17,85,204)"><a href="http://square-root.com/" style="color:rgb(17,85,204)" target="_blank">Square-Root.com</a><br></font></span><b style="color:rgb(102,102,102);font-family:arial,helvetica,sans-serif">[m]</b><span style="color:rgb(102,102,102);font-family:arial,helvetica,sans-serif"> </span><a value="+15126508063" style="color:rgb(17,85,204);font-family:arial,helvetica,sans-serif">512.527.4910</a><span style="color:rgb(102,102,102);font-family:arial,helvetica,sans-serif"> </span><span style="font-family:arial,helvetica,sans-serif"><font color="#1155cc" face="arial,helvetica,sans-serif" style="color:rgb(17,85,204)"><br></font></span></p><p style="color:rgb(136,136,136)"><span style="font-family:arial,helvetica,sans-serif"><br></span></p></div></div>

</div></div>