<div dir="ltr">Hi Neal,<div><br></div><div>Just a quick update - I'm not sure what changed but I managed to get the VPN working without adding the sourceip fields. The second tunnel also reports up after a while, sometimes.</div><div><br></div><div>I also got forwarding between all subnets (public and private on each side of the VPN) as well as NAT to the public Internet from the single EC2 instance.</div><div><br></div><div>Here are the working configuration files, in case someone else finds this useful:</div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">/etc/ipsec.conf (note - 172.29/16 is the local subnet of the EC2 instance running openswan):</font></div><div><div><font face="monospace, monospace">version 2.0</font></div><div><font face="monospace, monospace">config setup</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>dumpdir=/var/run/pluto/</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>nat_traversal=yes</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>virtual_private=%v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!172.29.0.0/16">10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!172.29.0.0/16</a></font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>oe=off</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>protostack=netkey</font></div><div><font face="monospace, monospace"><span class="" style="white-space:pre"> </span>interfaces=%defaultroute</font></div><div><font face="monospace, monospace">include /etc/ipsec.d/*.conf</font></div></div><div><font face="monospace, monospace"><br></font></div><div><font face="monospace, monospace">/etc/ipsec.d/tunnel1.conf:</font></div><div><div style="font-family:monospace,monospace">conn sin-test-1-syd-test-3-1</div><div style="font-family:monospace,monospace"> type=tunnel</div><div style="font-family:monospace,monospace"> authby=secret</div><div style="font-family:monospace,monospace"> forceencaps=yes</div><div style="font-family:monospace,monospace"> auto=start</div><div style="font-family:monospace,monospace"> left=%defaultroute</div><div style="font-family:monospace,monospace"> leftid=52.74.73.X</div><div style="font-family:monospace,monospace"> leftnexthop=%defaultroute</div><div style="font-family:monospace,monospace"> leftsubnet=<a href="http://172.29.0.0/16">172.29.0.0/16</a></div><div style="font-family:monospace,monospace"> right=52.64.24.Y</div><div style="font-family:monospace,monospace"> rightid=52.64.24.Y</div><div style="font-family:monospace,monospace"> rightsubnet=<a href="http://172.26.0.0/16">172.26.0.0/16</a></div><div style="font-family:monospace,monospace"><br></div><div><font face="arial, helvetica, sans-serif">Thanks for your help.</font></div></div><div><font face="arial, helvetica, sans-serif"><br></font></div><div><font face="arial, helvetica, sans-serif">--Amos</font></div></div><div class="gmail_extra"><br><div class="gmail_quote">On 19 January 2016 at 17:42, Amos Shapira <span dir="ltr"><<a href="mailto:amos.shapira@gmail.com" target="_blank">amos.shapira@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Thanks Neal,<div><br></div><div>I'll test that when I get back to the office tomorrow.</div><div><br></div><div>In the meantime I found a copy of the old working ipsec.conf and compared it with the one that doesn't work (which is basically the default one from the Ubuntu package, plus an "include /etc/ipsec.d/*.conf") and noticed that they differ in the "protostack" setting - the working one had "netkey" and the broken one had "auto". Once I updated the broken config file to "netkey" the connection came up (with everything else untouched, as far as I remember).</div><div><br></div><div>One of the VPN tunnels is now marked as "up" on the AWS side (the second one is down, with an error about "can't set eroute, already used" in the ipsec logs, I suspect this is normal), but no routing is happening. (ping to an EC2 instance behind the virtual GW doesn't get any response, and I don't see where the packets go. It's not a firewall/security-group/acl issue).</div><div><br></div><div>Cheers,</div><div><br></div><div>--Amos</div></div><div class="gmail_extra"><div><div class="h5"><br><div class="gmail_quote">On 19 January 2016 at 17:04, Neal P. Murphy <span dir="ltr"><<a href="mailto:neal.p.murphy@alum.wpi.edu" target="_blank">neal.p.murphy@alum.wpi.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On Tue, 19 Jan 2016 15:47:20 +1100<br>
Amos Shapira <<a href="mailto:amos.shapira@gmail.com" target="_blank">amos.shapira@gmail.com</a>> wrote:<br>
<br>
> Hello,<br>
><br>
> I'm trying to connect an EC2 instance to an Amazon Virtual gateway using<br>
> openswan.<br>
><br>
> My configuration:<br>
><br>
> 1. Ubuntu Trusty, up to date.<br>
> 2. Openswan 2.6.38 from the standard Ubuntu package.<br>
><br>
> The following configuration (real IP's slightly obscured) worked for me<br>
> before when I did manual tests:<br>
><br>
> conn sing-sydney<br>
> type=tunnel<br>
> authby=secret<br>
> forceencaps=yes<br>
> auto=start<br>
> left=%defaultroute<br>
> leftid=52.74.73.X<br>
> #leftsourceip=52.74.73.X<br>
> leftnexthop=%defaultroute<br>
> leftsubnet=<a href="http://172.28.0.0/16" rel="noreferrer" target="_blank">172.28.0.0/16</a><br>
> right=52.64.16.Y<br>
> rightid=52.64.16.Y<br>
> rightsubnet=<a href="http://172.27.0.0/16" rel="noreferrer" target="_blank">172.27.0.0/16</a><br>
><br>
</span>> ...<br>
<span>> So what am I missing to make it work?<br>
<br>
</span>I think you need *sourceip.<br>
<br>
In a nutshell (meaning this is close but mayhap not technically accurate), 'left' and 'right' are the publicly-accessible addresses; each tells the remote end where to send packets. 'leftsourceip' and 'rightsourceip' are the 'private' or 'locally assigned' addresses on the public-facing interfaces; each tells the local end which interface to use. *sourceip is usually used when an end is behind a NATting firewall; this end usually has to initiate the VPN.<br>
<br>
N<br>
_______________________________________________<br>
<a href="mailto:Users@lists.openswan.org" target="_blank">Users@lists.openswan.org</a><br>
<a href="https://lists.openswan.org/mailman/listinfo/users" rel="noreferrer" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a><br>
Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" rel="noreferrer" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
Building and Integrating Virtual Private Networks with Openswan:<br>
<a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" rel="noreferrer" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a></blockquote></div><br><br clear="all"><div><br></div></div></div><span class="HOEnZb"><font color="#888888">-- <br><div><div dir="ltr"><a href="http://au.linkedin.com/in/gliderflyer" target="_blank"><img src="https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png"></a><br></div></div>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr"><a href="http://au.linkedin.com/in/gliderflyer" target="_blank"><img src="https://static.licdn.com/scds/common/u/img/webpromo/btn_viewmy_160x25.png"></a><br></div></div>
</div>