<div dir="ltr">Hello all,<div><br></div><div>I've been trying to set up a server-to-server IPSec VPN tunnel from an Ubuntu 14.04 server hosted in Amazon to a client's Cisco (the logs say it's a Cisco VPN 3000 Series).</div><div><br></div><div>I am new to IPSec, so to test, I created 2 VPCs in Amazon following this guide: <a href="http://aws.amazon.com/articles/5472675506466066">http://aws.amazon.com/articles/5472675506466066</a>. It worked: when I checked ipsec status, it said I had 2 tunnels up.</div><div><br></div><div>Now, when I connect to the client, I get some weird messages in my pluto log.</div><div><br></div><div><div>"net2net" #1: received Vendor ID payload [Cisco-Unity]</div><div>"net2net" #1: received Vendor ID payload [XAUTH]</div><div>"net2net" #1: received Vendor ID payload [Dead Peer Detection]</div><div>"net2net" #1: received Vendor ID payload [RFC 3947] method set to=115</div><div>"net2net" #1: ignoring Vendor ID payload [Cisco IKE Fragmentation]</div><div>"net2net" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]</div><div>"net2net" #1: protocol/port in Phase 1 ID Payload MUST be 0/0 or 17/500 but are 17/0 (attempting to continue)</div><div>"net2net" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '172.28.100.10'</div><div>| refine_connection: starting with net2net</div><div>| started looking for secret for MY_PUBLIC_IP->THIER_PUBLIC_IP of kind PPK_PSK</div><div>| actually looking for secret for MY_PUBLIC_IP->THIER_PUBLIC_IP of kind PPK_PSK</div><div>| line 2: key type PPK_PSK(MY_PUBLIC_IP) to type PPK_PSK</div><div>| 1: compared key THIER_PUBLIC_IP to MY_PUBLIC_IP / THIER_PUBLIC_IP -> 4</div><div>| 2: compared key MY_PUBLIC_IP to MY_PUBLIC_IP / THIER_PUBLIC_IP -> 12</div><div>| line 2: match=12</div><div>| best_match 0>12 best=0xb8829fb8 (line=2)</div><div>| concluding with best_match=12 best=0xb8829fb8 (lineno=2)</div><div>| match_id a=172.28.100.10</div><div>| b=THIER_PUBLIC_IP</div><div>| results fail</div><div>| trusted_ca called with a=(empty) b=(empty)</div><div>| refine_connection: checking net2net against net2net, best=(none) with match=0(id=0/ca=1/reqca=1)</div><div>| find_host_pair: comparing to 172.31.28.158:500 THIER_PUBLIC_IP:500</div><div>| find_host_pair_conn (refine_host_connection): 172.31.28.158:500 %any:500 -> hp:none</div><div>"net2net" #1: no suitable connection for peer '172.28.100.10'</div><div>"net2net" #1: initial Aggressive Mode packet claiming to be from THIER_PUBLIC_IP on THIER_PUBLIC_IP but no connection has been authorized</div></div><div><br></div><div>Some questions:</div><div>1) The Payload MUST be 0/0 or 17/500 -- how do I fix that?</div><div>2) Aggressive mode peer ID is ID_IPV4_ADDR -- is that my end or their end? 172.28.100.10 doesn't match my internal network (172.31.x.x) or theirs (172.17.x.x).</div><div>3) Do I need to set up any iptables? I configured routing tables in Amazon (following the guide).</div><div><br></div><div>Here is my configuration:</div><div><br></div><div>Linux Openswan U2.6.38/K3.13.0-65-generic</div><div><br></div><div><div>config setup</div><div>plutodebug=all</div><div>plutostderrlog=/var/log/pluto.log</div><div>dumpdir=/var/run/pluto/</div><div>nat_traversal=yes</div><div>virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10</div><div>oe=off</div><div>protostack=netkey</div><div>force_keepalive=yes</div><div>keep_alive=60</div><div><br></div><div>include /etc/ipsec.d/*.conf</div><div><br></div><div>conn net2net</div><div>left=%defaultroute</div><div>leftid=MY_PUBLIC_IP</div><div>leftnexthop=%defaultroute</div><div>leftsubnet=172.31.16.0/20</div><div>right=THEIR_PUBLIC_IP</div><div>rightsubnet=172.17.2.0/24</div><div>remote_peer_type=cisco</div><div><br></div><div>forceencaps=yes</div><div><br></div><div>type=tunnel</div><div>authby=secret</div><div>auto=start</div><div>## phase 1 ##</div><div>keyexchange=ike</div><div>keyingtries=%forever</div><div>ike=aes256-sha1;modp1536!</div><div>ikelifetime=86400s</div><div>aggrmode=yes</div><div>## phase 2 ##</div><div>phase2alg=aes256-sha1;modp1536</div><div>keylife=3600s</div><div>pfs=no</div><div><br></div><div>dpddelay=10</div><div>dpdtimeout=3600</div><div>dpdaction=restart</div><div><br></div><div>/etc/ipsec.secrets</div><div>include /var/lib/openswan/ipsec.secrets.inc</div><div>MY_PUBLIC_IP THEIR_PUBLIC_IP : PSK "secret"</div></div><div><br></div><div>Thanks for any assistance.</div>
</div>
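The pluto debug lines above show where the negotiation actually stops: `match_id a=172.28.100.10`, `b=THIER_PUBLIC_IP`, `results fail`, followed by `no suitable connection for peer '172.28.100.10'`. Openswan selects the connection for an incoming Aggressive Mode exchange by comparing the ID the peer presents in its Phase 1 ID payload against `rightid=` (which defaults to the `right=` address when unset). The following is an added example, not part of the original post or of Openswan itself: a small diagnostic that reads pluto log lines plus a `conn` block and reports whether the presented peer ID matches what the local side expects. The sample log lines are the post's, with the constructed placeholder addresses 198.51.100.7 (peer public IP) and 203.0.113.5 (local public IP); the sample `conn` block is modelled on the post's and is likewise constructed.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# The two pluto messages this check keys on.
PEER_ID_RE = re.compile(r"Aggressive mode peer ID is (\w+): '([^']+)'")
NO_CONN_RE = re.compile(r"no suitable connection for peer '([^']+)'")

# Constructed sample: pluto lines from the post, with 198.51.100.7
# standing in for the peer's public address.
SAMPLE_LOG = [
    '"net2net" #1: received Vendor ID payload [Cisco-Unity]',
    '"net2net" #1: protocol/port in Phase 1 ID Payload MUST be 0/0 or 17/500 '
    'but are 17/0 (attempting to continue)',
    "\"net2net\" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '172.28.100.10'",
    '| match_id a=172.28.100.10',
    '| b=198.51.100.7',
    '| results fail',
    "\"net2net\" #1: no suitable connection for peer '172.28.100.10'",
]

# Constructed sample conn block modelled on the post's: no rightid= is set,
# so pluto expects the peer ID to equal the right= address.
SAMPLE_CONN = """
conn net2net
    left=%defaultroute
    leftid=203.0.113.5
    leftsubnet=172.31.16.0/20
    right=198.51.100.7
    rightsubnet=172.17.2.0/24
    authby=secret
    aggrmode=yes
"""


def parse_conn(conf_text: str) -> Dict[str, str]:
    """Parse the key=value lines of one ipsec.conf 'conn' block into a dict."""
    settings: Dict[str, str] = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("conn "):
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def expected_peer_id(conn: Dict[str, str]) -> Optional[str]:
    """ID pluto will match the peer against: rightid= if set, else right=."""
    return conn.get("rightid") or conn.get("right")


def presented_peer_id(log_lines: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Return (id_type, id_value) from the 'Aggressive mode peer ID' line."""
    for line in log_lines:
        m = PEER_ID_RE.search(line)
        if m:
            return m.group(1), m.group(2)
    return None


def diagnose(log_lines: Iterable[str], conn: Dict[str, str]) -> Dict[str, object]:
    """Compare the peer ID seen in the log with the conn's expected ID."""
    lines = list(log_lines)
    presented = presented_peer_id(lines)
    expected = expected_peer_id(conn)
    rejected = any(NO_CONN_RE.search(line) for line in lines)
    # A value such as %any is a wildcard for pluto, so it cannot mismatch.
    wildcard = bool(expected) and expected.startswith("%")
    mismatch = bool(presented) and bool(expected) and not wildcard \
        and presented[1] != expected
    if mismatch:
        finding = (f"peer presented {presented[0]} {presented[1]} but the conn "
                   f"expects {expected}; add rightid={presented[1]} so pluto "
                   f"can select this connection")
    elif rejected:
        finding = ("peer ID matches the conn; the rejection has another cause "
                   "(check the PSK entry and leftid=)")
    else:
        finding = "no peer-ID mismatch and no rejection in these lines"
    return {
        "presented_type": presented[0] if presented else None,
        "presented_id": presented[1] if presented else None,
        "expected_id": expected,
        "rejected": rejected,
        "mismatch": mismatch,
        "finding": finding,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG, parse_conn(SAMPLE_CONN)).items():
        print(f"{key}: {value}")
```

Run against the post's lines, the report flags that the peer identifies itself as 172.28.100.10 (an address on the Cisco side, not the NATed public address the packets arrive from) while the `conn` expects the `right=` address, which is exactly the `match_id ... results fail` sequence in the debug output; the `17/0` protocol/port notice is logged as non-fatal ("attempting to continue") and is not what the check keys on.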