<div dir="ltr">Hello Nick, <div>Thanks so much for the response.</div><div><br></div><div>I looked at the setting "forceencaps", and yes, I had that wrong. I removed it.</div><div><br></div><div>I set left/rightsource IP to be the LAN IP of my VPN gateway and I think that's what fixed it.</div><div>I can now ping the private 10.40 address of the VPN gateway on the other end of the tunnel.</div><div><br></div><div>Here is my ipsec.conf that enabled me to do that:</div><div><br></div><div><div>config setup</div><div>  klipsdebug=all</div><div>  plutodebug=none</div><div>  plutostderrlog=/var/log/pluto.log</div><div>  protostack=netkey</div><div>  nat_traversal=yes</div><div>  virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.33.0.0/16">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.33.0.0/16</a></div><div><br></div><div>conn tunnel169</div><div>  ike=aes128-sha1;modp1024</div><div>  authby=secret</div><div>  auto=start</div><div>  pfs=no</div><div>  phase2=esp</div><div>  phase2alg=aes128-sha1;modp1024</div><div>  left=%defaultroute</div><div>  leftid=52.0.200.232</div><div>  leftsourceip=10.33.254.107</div><div>  right=52.20.89.24</div><div>  rightsubnet=<a href="http://10.40.0.0/16">10.40.0.0/16</a></div></div><div><br></div><div><br></div><div>Thanks a bunch for your help!</div><div>-Cooper</div><div><br></div><div><br></div><div><br></div><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 5, 2015 at 3:10 AM, Nick Howitt <span dir="ltr"><<a href="mailto:nick@howitts.co.uk" target="_blank">nick@howitts.co.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Hi Cooper,<br>
<br>
Firstly let me say I am not sure of the effect of these being EC2 instances as these often require a different setup, but:<br>
<br>
1 - Why have you set "forceencaps=yes" as this is public IP <-> public IP, or are you natted somewhere?<br>
2 - Please remove all blank lines inside a conn as a blank line normally means the end of a conn definition.<br>
3 - left/rightsource IP is normally set to be the LAN IP of your VPN gateway and not public IP but I am not sure of the requirements of EC2.<br>
4 - When you say you have no iptables rules in place, do you mean specific to IPsec, or are you running without a firewall completely?<br>
5 - Can you post your connection log (but cut all the stuff when ipsec starts)?<br>
<br>
Nick<span class=""><br>
<br>
On 2015-10-05 08:52, Cooper Simmons wrote:<br>
</span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class="">
Hello openswan users,<br>
<br>
I was able to set up a tunnel successfully and I am seeing ping and<br>
ssh getting sent over the tunnel, but I'm not getting responses from<br>
the other side.<br>
<br></span>
The goal is for servers in subnet 10.33.0.0/16 to be able to ssh<br>
to the servers in subnet 10.40.0.0/16.<span class=""><br>
<br>
Local/left:<br>
Public endpoint: 52.1.197.54<br>
private IP: 10.33.254.184<br>
<br>
Remote/right:<br>
<br>
Public endpoint: 52.20.89.24<br>
private IP: 10.40.56.13<br>
<br>
ipsec.conf, left side:<br>
<br>
config setup<br>
<br>
  klipsdebug=all<br>
  plutodebug=control<br>
  plutostderrlog=/var/log/pluto.log<br>
  protostack=netkey<br>
  nat_traversal=yes<br>
<br>
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.33.0.0/16<br></span>
<span class="">
<br>
conn sr-tunnel<br>
  authby=secret<br>
  auto=start<br>
  forceencaps=yes<br>
<br>
  left=%defaultroute<br>
  leftid=52.1.197.54<br>
  leftsourceip=52.1.197.54<br>
<br>
  right=52.20.89.24<br></span>
  rightsubnet=10.40.0.0/16<span class=""><br>
<br>
ipsec.conf, right side:<br>
<br>
config setup<br>
<br>
  klipsdebug=all<br>
  plutodebug=control<br>
  plutostderrlog=/var/log/pluto.log<br>
  protostack=netkey<br>
  nat_traversal=yes<br>
<br>
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.40.0.0/16<br></span>
<span class="">
<br>
conn sr-tunnel<br>
  authby=secret<br>
  auto=start<br>
  forceencaps=yes<br>
<br>
  left=%defaultroute<br>
  leftid=52.20.89.24<br>
  leftsourceip=52.20.89.24<br>
<br>
  right=52.1.197.54<br></span>
  rightsubnet=10.33.0.0/16<span class=""><br>
<br>
status:<br>
<br>
# service ipsec status<br>
IPsec running  - pluto pid: 17024<br>
pluto pid 17024<br>
1 tunnels up<br>
some eroutes exist<br>
<br>
This is my first time setting up openswan...so be gentle.  ;-)<br>
<br>
When I ping from Local/left and run tcpdump on Remote/right I see:<br>
<br>
[root@left ~]# ping 10.40.56.13<br>
PING 10.40.56.13 (10.40.56.13) 56(84) bytes of data.<br>
<br>
[root@right ~]# tcpdump -nn icmp<br>
tcpdump: verbose output suppressed, use -v or -vv for full protocol<br>
decode<br>
listening on eth0, link-type EN10MB (Ethernet), capture size 65535<br>
bytes<br></span>
07:40:47.303742 IP 52.1.197.54 > 10.40.56.13: ICMP echo request,<span class=""><br>
id 47689, seq 1, length 64<br>
<br></span>
07:40:48.310951 IP 52.1.197.54 > 10.40.56.13: ICMP echo request,<span class=""><br>
id 47689, seq 2, length 64<br></span>
07:40:49.318979 IP 52.1.197.54 > 10.40.56.13: ICMP echo request,<span class=""><br>
id 47689, seq 3, length 64<br>
<br>
So it looks to me like packets get to 10.40.56.13 but there is no<br>
route to get the reply back?<br>
But there is a route in place.<br>
<br>
[root@left ~]# ip a<br>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN<br>
group default<br>
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br></span>
    inet 127.0.0.1/8 scope host lo<span class=""><br>
       valid_lft forever preferred_lft forever<br>
    inet6 ::1/128 scope host<br>
       valid_lft forever preferred_lft forever<br>
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast<br>
state UP group default qlen 1000<br>
    link/ether 12:a9:5e:40:e3:67 brd ff:ff:ff:ff:ff:ff<br></span>
    inet 10.33.254.184/24 brd 10.33.254.255 scope global eth0<br>
       valid_lft forever preferred_lft forever<br>
    inet 52.1.197.54/16 scope global eth0<span class=""><br>
       valid_lft forever preferred_lft forever<br>
    inet6 fe80::10a9:5eff:fe40:e367/64 scope link<br>
       valid_lft forever preferred_lft forever<br>
<br>
[root@left ~]# ip r<br>
default via 10.33.254.1 dev eth0<br>
</span>10.33.254.0/24 dev eth0  proto kernel  scope link  src<br>
10.33.254.184<br>
10.40.0.0/16 dev eth0  scope link  src 52.1.197.54<br>
52.1.0.0/16 dev eth0  proto kernel  scope link  src 52.1.197.54<span class=""><br>
169.254.169.254 dev eth0<br>
<br>
[root@right ~]# ip a<br>
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN<br>
group default<br>
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br></span>
    inet 127.0.0.1/8 scope host lo<span class=""><br>
       valid_lft forever preferred_lft forever<br>
    inet6 ::1/128 scope host<br>
       valid_lft forever preferred_lft forever<br>
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast<br>
state UP group default qlen 1000<br>
    link/ether 12:18:04:de:81:1b brd ff:ff:ff:ff:ff:ff<br></span>
    inet 10.40.56.13/16 brd 10.40.255.255 scope global eth0<br>
       valid_lft forever preferred_lft forever<br>
    inet 52.20.89.24/16 scope global eth0<span class=""><br>
       valid_lft forever preferred_lft forever<br>
    inet6 fe80::1018:4ff:fede:811b/64 scope link<br>
       valid_lft forever preferred_lft forever<br>
<br>
[root@right ~]# ip r<br>
default via 10.40.0.1 dev eth0<br>
</span>10.33.0.0/16 dev eth0  scope link  src 52.20.89.24<br>
52.20.0.0/16 dev eth0  proto kernel  scope link  src 52.20.89.24<span class=""><br>
169.254.169.254 dev eth0<br>
<br>
These are EC2 instances and their security groups allow ICMP from<br>
everywhere.<br>
I also have no iptables rules (nat or otherwise) in place.<br>
<br>
Can anyone advise?<br>
Thanks,<br>
Cooper<br>
<br>
<br>
<br></span>
_______________________________________________<br>
<a href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a><br>
<a href="https://lists.openswan.org/mailman/listinfo/users" rel="noreferrer" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" rel="noreferrer" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
Building and Integrating Virtual Private Networks with Openswan:<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" rel="noreferrer" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
</blockquote>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><span style="color:rgb(102,102,102)"><font face="arial,helvetica,sans-serif"><strong><span>Cooper</span> <span>Simmons</span></strong><br>Engineering</font></span><p style="color:rgb(136,136,136)"><span style="font-family:arial,helvetica,sans-serif"><b><span style="color:rgb(53,28,117)"><font face="arial,helvetica,sans-serif">Square Root, Inc.</font><a href="http://square-root.com/" style="color:rgb(17,85,204)" target="_blank"></a></span></b><a href="http://square-root.com/" style="color:rgb(17,85,204)" target="_blank"><br></a><font color="#1155cc" face="arial,helvetica,sans-serif" style="color:rgb(17,85,204)"><a href="http://square-root.com/" style="color:rgb(17,85,204)" target="_blank">Square-Root.com</a><br></font></span><b style="color:rgb(102,102,102);font-family:arial,helvetica,sans-serif">[m]</b><span style="color:rgb(102,102,102);font-family:arial,helvetica,sans-serif"> </span><a value="+15126508063" style="color:rgb(17,85,204);font-family:arial,helvetica,sans-serif">512.527.4910</a><span style="color:rgb(102,102,102);font-family:arial,helvetica,sans-serif"> </span><span style="font-family:arial,helvetica,sans-serif"><font color="#1155cc" face="arial,helvetica,sans-serif" style="color:rgb(17,85,204)"><br></font></span></p><p style="color:rgb(136,136,136)"><span style="font-family:arial,helvetica,sans-serif"><br></span></p></div></div>
</div></div>
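As an added example (not code from this thread or from the openswan project), a small Python linter that reads an ipsec.conf the way Nick's reply describes openswan reading it (a header at column 0 opens a section, indented key=value lines belong to it, a blank line ends it) and flags the three points he raised: options orphaned by a blank line inside a conn, forceencaps=yes between two public endpoints, and a left/rightsourceip set to a public rather than a LAN address. The sample configuration is constructed from the left-side conn as first posted; the function names are the example's own.

```python
import ipaddress

# Constructed sample: the left-side conn as first posted, blank lines and all.
SAMPLE = """config setup
  nat_traversal=yes

conn sr-tunnel
  authby=secret
  forceencaps=yes
  leftsourceip=52.1.197.54

  right=52.20.89.24
  rightsubnet=10.40.0.0/16
"""

def parse_ipsec_conf(text):
    """Sections as the reply describes openswan reading them: a column-0 header
    opens one, indented key=value lines belong to it, a blank line closes it.
    Returns (sections, orphans); orphans are options that fell outside a section."""
    sections, orphans, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            current = None                       # blank line ends the section
            continue
        if line[0] not in " \t":                 # column 0: 'conn NAME' / 'config setup'
            current = line.strip()
            sections[current] = {}
            continue
        key, _, value = line.strip().partition("=")
        if current is None:
            orphans.append((lineno, key))        # silently lost by openswan
        else:
            sections[current][key] = value.strip()
    return sections, orphans

def lint(text):
    """Flag the three configuration problems raised in the reply."""
    sections, orphans = parse_ipsec_conf(text)
    findings = [f"line {n}: {k} follows a blank line, so it belongs to no conn"
                for n, k in orphans]
    for name, opts in sections.items():
        if not name.startswith("conn "):
            continue
        if opts.get("forceencaps") == "yes":
            findings.append(f"{name}: forceencaps=yes is only needed behind NAT")
        for side in ("left", "right"):
            ip = opts.get(side + "sourceip")
            # %-keywords such as %defaultroute are not addresses; skip them
            if ip and not ip.startswith("%") and ipaddress.ip_address(ip).is_global:
                findings.append(f"{name}: {side}sourceip={ip} is public, not the LAN IP")
    return findings
```

Running lint(SAMPLE) reports the two orphaned right/rightsubnet lines, the forceencaps setting, and the public leftsourceip; the corrected conn from the top of the thread (no blank lines, leftsourceip=10.33.254.107) produces no findings.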