<div dir="ltr">Hello!<div><br></div><div>First I'll just say thank you for having such a list and for creating a great product. I've come from basically ground 0 with VPN technology to 'almost there' for a basic configuration over the last couple of weeks. I switched between Strongswan and Openswan implementations on Centos 7 and basically always got stuck at the same part regardless of which product is used. Here goes, and thanks in advance for considering my situation.</div><div><br></div><div>I have configured an AWS VPC Hardware VPN and have an offsite office running OpenSwan (and also Strongswan configured, but only running one at a time). Thus far traffic can transmit from AWS into the office network and any of the machines can respond. I cannot, however, transmit from the office to an AWS EC2 instance.</div><div><br></div><div>I've added static routes on the EC2 side and established the tunnel successfully, but I see packets from the office destined for the VPC VPN getting filtered by my ISP's gateway (admin prohibited: it refuses to forward packets destined for a private address range, and rightly so!). This tells me I have a problem on my end.
</div><div><br></div><div>My desired configuration is similar to this test case for Strongswan (I realize this is OpenSwan we're talking about): </div><div><br></div><div><a href="https://www.strongswan.org/testing/testresults/ikev1/net2net-psk/">https://www.strongswan.org/testing/testresults/ikev1/net2net-psk/</a><br></div><div><br></div><div>OFFICE / LEFT / MOON</div><div><div><br></div><div># cat /etc/ipsec.d/aws_vpc.conf</div><div><br></div><div>conn VPC-CUST-GW1</div><div> type=tunnel</div><div> authby=secret</div><div> left=%defaultroute</div><div> pfs=yes</div><div> ike=aes128-sha1</div><div> ikelifetime=28800s</div><div> salifetime=3600s</div><div> ikev2=never</div><div> phase2=esp</div><div> phase2alg=aes128-sha1</div><div> leftsubnet=10.0.0.0/22</div><div> leftnexthop=%defaultroute</div><div> leftid=216.243.47.245</div><div> rekey=yes</div><div> right=52.39.7.197</div><div> rightsubnet=10.0.4.0/24</div><div> auto=start</div><div> keyingtries=%forever</div><div> dpddelay=10</div><div> dpdtimeout=60</div><div> dpdaction=restart_by_peer</div></div><div><br></div><div><div># /etc/ipsec.conf - Libreswan IPsec configuration file</div><div><br></div><div># This file: /etc/ipsec.conf</div><div>#</div><div># Enable when using this configuration file with openswan instead of libreswan</div><div>#version 2</div><div>#</div><div># Manual: ipsec.conf.5</div><div><br></div><div># basic configuration</div><div>config setup</div><div> # which IPsec stack to use, "netkey" (the default), "klips" or "mast".</div><div> # For MacOSX use "bsd"</div><div> protostack=netkey</div><div> #</div><div> # Normally, pluto logs via syslog.
If you want to log to a file,</div><div> # specify below or to disable logging, eg for embedded systems, use</div><div> # the file name /dev/null</div><div> # Note: SElinux policies might prevent pluto writing to a log file at</div><div> # an unusual location.</div><div> logfile=/var/log/pluto.log</div><div> #</div><div> # The interfaces= line is only required for the klips/mast stack</div><div> #interfaces="%defaultroute"</div><div> #interfaces="ipsec0=eth0 ipsec1=ppp0"</div><div> #</div><div> # If you want to limit listening on a single IP - not required for</div><div> # normal operation</div><div> #listen=127.0.0.1</div><div> #</div><div> # Do not set debug options to debug configuration issues!</div><div> #</div><div> # plutodebug / klipsdebug = "all", "none" or a combination from below:</div><div> # "raw crypt parsing emitting control kernel pfkey natt x509 dpd</div><div> # private".</div><div> # Note: "crypt" is not included with "all", as it can show confidential</div><div> # information.
It must be specifically specified</div><div> # examples:</div><div> # plutodebug="control parsing"</div><div> # plutodebug="all crypt"</div><div> # Again: only enable plutodebug or klipsdebug when asked by a developer</div><div> #plutodebug=none</div><div> #klipsdebug=none</div><div> #</div><div> # Enable core dumps (might require system changes, like ulimit -C)</div><div> # This is required for abrtd to work properly</div><div> # Note: SElinux policies might prevent pluto writing the core at</div><div> # unusual locations</div><div> dumpdir=/var/run/pluto/</div><div> #</div><div> # NAT-TRAVERSAL support</div><div> # exclude networks used on server side by adding %v4:!a.b.c.0/24</div><div> # It seems that T-Mobile in the US and Rogers/Fido in Canada are</div><div> # using 25/8 as "private" address space on their wireless networks.</div><div> # This range has never been announced via BGP (at least up to 2015)</div><div><br></div><div><br></div><div># cat /etc/ipsec.conf</div><div> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10</div><div><br></div><div># For example connections, see your distribution's documentation directory,</div><div># or <a href="https://libreswan.org/wiki/">https://libreswan.org/wiki/</a></div><div>#</div><div># There is also a lot of information in the manual page, "man ipsec.conf"</div><div>#</div><div># It is best to add your IPsec connections as separate files in /etc/ipsec.d/</div><div>include /etc/ipsec.d/*.conf</div></div><div><br></div><div><div># ip xfrm state </div><div>src 52.39.7.197 dst 216.243.47.245</div><div> proto esp spi 0x266885c1 reqid 16389 mode tunnel</div><div> replay-window 32 flag af-unspec</div><div> auth-trunc hmac(sha1) 0x10dbf3efa43767dc1d32ae9a0feec92392e1aaa9 96</div><div> enc cbc(aes)
0x28d9edd61a117bdd44498a6f754e5fde</div><div> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0</div><div>src 216.243.47.245 dst 52.39.7.197</div><div> proto esp spi 0xd962f547 reqid 16389 mode tunnel</div><div> replay-window 32 flag af-unspec</div><div> auth-trunc hmac(sha1) 0x3594bd0dc9a907603f582f1246106edbb4332c67 96</div><div> enc cbc(aes) 0x381e74cfc6b05a187e1c96e456df249c</div><div> encap type espinudp sport 4500 dport 4500 addr 0.0.0.0</div></div><div><br></div><div><div> # ip -s xfrm policy</div><div>src <a href="http://10.0.0.0/22">10.0.0.0/22</a> dst <a href="http://10.0.4.0/24">10.0.4.0/24</a> uid 0</div><div> dir out action allow index 1121 priority 2408 ptype main share any flag (0x00000000)</div><div> lifetime config:</div><div> limit: soft (INF)(bytes), hard (INF)(bytes)</div><div> limit: soft (INF)(packets), hard (INF)(packets)</div><div> expire add: soft 0(sec), hard 0(sec)</div><div> expire use: soft 0(sec), hard 0(sec)</div><div> lifetime current:</div><div> 0(bytes), 0(packets)</div><div> add 2016-05-02 14:24:39 use 2016-05-02 14:55:35</div><div> tmpl src 216.243.47.245 dst 52.39.7.197</div><div> proto esp spi 0x00000000(0) reqid 16389(0x00004005) mode tunnel</div><div> level required share any </div><div> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff</div><div>src <a href="http://10.0.4.0/24">10.0.4.0/24</a> dst <a href="http://10.0.0.0/22">10.0.0.0/22</a> uid 0</div><div> dir fwd action allow index 1186 priority 2408 ptype main share any flag (0x00000000)</div><div> lifetime config:</div><div> limit: soft (INF)(bytes), hard (INF)(bytes)</div><div> limit: soft (INF)(packets), hard (INF)(packets)</div><div> expire add: soft 0(sec), hard 0(sec)</div><div> expire use: soft 0(sec), hard 0(sec)</div><div> lifetime current:</div><div> 0(bytes), 0(packets)</div><div> add 2016-05-02 14:24:39 use 2016-05-02 14:55:35</div><div> tmpl src 52.39.7.197 dst 216.243.47.245</div><div> proto esp spi 0x00000000(0) reqid 16389(0x00004005) mode 
tunnel</div><div> level required share any </div><div> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff</div><div>src <a href="http://10.0.4.0/24">10.0.4.0/24</a> dst <a href="http://10.0.0.0/22">10.0.0.0/22</a> uid 0</div><div> dir in action allow index 1176 priority 2408 ptype main share any flag (0x00000000)</div><div> lifetime config:</div><div> limit: soft (INF)(bytes), hard (INF)(bytes)</div><div> limit: soft (INF)(packets), hard (INF)(packets)</div><div> expire add: soft 0(sec), hard 0(sec)</div><div> expire use: soft 0(sec), hard 0(sec)</div><div> lifetime current:</div><div> 0(bytes), 0(packets)</div><div> add 2016-05-02 14:24:39 use -</div><div> tmpl src 52.39.7.197 dst 216.243.47.245</div><div> proto esp spi 0x00000000(0) reqid 16389(0x00004005) mode tunnel</div><div> level required share any </div><div> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff</div><div>src ::/0 dst ::/0 proto ipv6-icmp type 135 uid 0</div></div><div><br></div><div>.....</div><div><br></div><div><div># ip route </div><div>default via 216.243.47.1 dev enp3s0 </div><div><a href="http://10.0.0.0/22">10.0.0.0/22</a> dev bond0 proto kernel scope link src 10.0.0.1 </div><div><a href="http://169.254.0.0/16">169.254.0.0/16</a> dev enp3s0 scope link metric 1002 </div><div><a href="http://169.254.0.0/16">169.254.0.0/16</a> dev bond0 scope link metric 1005 </div><div><a href="http://216.243.47.0/24">216.243.47.0/24</a> dev enp3s0 proto kernel scope link src 216.243.47.245 </div><div><br></div><div># ipsec status </div><div>000 using kernel interface: netkey</div><div>000 interface lo/lo ::1@500</div><div>000 interface enp3s0/enp3s0 2604:4080:115f:0:52e5:49ff:feb5:8b5e@500</div><div>000 interface lo/lo 127.0.0.1@4500</div><div>000 interface lo/lo 127.0.0.1@500</div><div>000 interface enp3s0/enp3s0 216.243.47.245@4500</div><div>000 interface enp3s0/enp3s0 216.243.47.245@500</div><div>000 interface enp3s0/enp3s0 169.254.12.17@4500</div><div>000 interface enp3s0/enp3s0 
169.254.12.17@500</div><div>000 interface bond0/bond0 10.0.0.1@4500</div><div>000 interface bond0/bond0 10.0.0.1@500</div><div>000 </div><div>000 </div><div>000 fips mode=disabled;</div><div>000 SElinux=enabled</div><div>000 </div><div>000 config setup options:</div><div>000 </div><div>000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto/, statsbin=unset</div><div>000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec</div><div>000 pluto_version=3.15, pluto_vendorid=OE-Libreswan-3.15</div><div>000 nhelpers=-1, uniqueids=yes, perpeerlog=no, shuntlifetime=900s, xfrmlifetime=300s</div><div>000 ddos-cookies-treshold=50000, ddos-max-halfopen=25000, ddos-mode=auto</div><div>000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0</div><div>000 secctx-attr-type=32001</div><div>000 myid = (none)</div><div>000 debug none</div><div>000 </div><div>000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500</div><div>000 virtual-private (%priv):</div><div>000 - allowed subnets: <a href="http://10.0.0.0/8">10.0.0.0/8</a>, <a href="http://192.168.0.0/16">192.168.0.0/16</a>, <a href="http://172.16.0.0/12">172.16.0.0/12</a>, <a href="http://25.0.0.0/8">25.0.0.0/8</a>, <a href="http://100.64.0.0/10">100.64.0.0/10</a>, fd00::/8, fe80::/10</div><div>000 </div><div>000 ESP algorithms supported:</div><div>000 </div><div>000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192</div><div>000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128</div><div>000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0</div><div>000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, 
keysizemax=256</div><div>000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256</div><div>000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128</div><div>000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160</div><div>000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256</div><div>000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384</div><div>000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512</div><div>000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160</div><div>000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC, keysizemin=128, keysizemax=128</div><div>000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0</div><div>000 </div><div>000 IKE algorithms supported:</div><div>000 </div><div>000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=16, v2name=AES_CCM_C, blocksize=16, keydeflen=128</div><div>000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=15, v2name=AES_CCM_B, blocksize=16, 
keydeflen=128</div><div>000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=14, v2name=AES_CCM_A, blocksize=16, keydeflen=128</div><div>000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192</div><div>000 algorithm IKE encrypt: v1id=24, v1name=OAKLEY_CAMELLIA_CTR, v2id=24, v2name=CAMELLIA_CTR, blocksize=16, keydeflen=128</div><div>000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128</div><div>000 algorithm IKE encrypt: v1id=20, v1name=OAKLEY_AES_GCM_C, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128</div><div>000 algorithm IKE encrypt: v1id=19, v1name=OAKLEY_AES_GCM_B, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128</div><div>000 algorithm IKE encrypt: v1id=18, v1name=OAKLEY_AES_GCM_A, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128</div><div>000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128</div><div>000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128</div><div>000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128</div><div>000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128</div><div>000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128</div><div>000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashlen=16</div><div>000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashlen=20</div><div>000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashlen=32</div><div>000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashlen=48</div><div>000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashlen=64</div><div>000 algorithm IKE hash: id=9, name=DISABLED-OAKLEY_AES_XCBC, hashlen=16</div><div>000 
algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024</div><div>000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536</div><div>000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048</div><div>000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072</div><div>000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096</div><div>000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144</div><div>000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192</div><div>000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024</div><div>000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048</div><div>000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048</div><div>000 </div><div>000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64} trans={0,2,6144} attrs={0,2,4096} </div><div>000 </div><div>000 Connection list:</div><div>000 </div><div>000 "VPC-CUST-GW1": <a href="http://10.0.0.0/22===216.243.47.245---216.243.47.1...52.39.7.197">10.0.0.0/22===216.243.47.245---216.243.47.1...52.39.7.197</a><52.39.7.197>===<a href="http://10.0.4.0/24">10.0.4.0/24</a>; erouted; eroute owner: #2</div><div>000 "VPC-CUST-GW1": oriented; my_ip=unset; their_ip=unset</div><div>000 "VPC-CUST-GW1": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]</div><div>000 "VPC-CUST-GW1": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;</div><div>000 "VPC-CUST-GW1": labeled_ipsec:no;</div><div>000 "VPC-CUST-GW1": policy_label:unset;</div><div>000 "VPC-CUST-GW1": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;</div><div>000 "VPC-CUST-GW1": retransmit-interval: 500ms; retransmit-timeout: 60s;</div><div>000 "VPC-CUST-GW1": sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;</div><div>000 "VPC-CUST-GW1": policy: 
PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;</div><div>000 "VPC-CUST-GW1": conn_prio: 22,24; interface: enp3s0; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;</div><div>000 "VPC-CUST-GW1": dpd: action:restart; delay:10; timeout:60; nat-t: force_encaps:no; nat_keepalive:yes; ikev1_natt:both</div><div>000 "VPC-CUST-GW1": newest ISAKMP SA: #1; newest IPsec SA: #2;</div><div>000 "VPC-CUST-GW1": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP2048(14), AES_CBC(7)_128-SHA1(2)_000-MODP1536(5), AES_CBC(7)_128-SHA1(2)_000-MODP1024(2)</div><div>000 "VPC-CUST-GW1": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP2048(14), AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)</div><div>000 "VPC-CUST-GW1": IKE algorithm newest: AES_CBC_128-SHA1-MODP2048</div><div>000 "VPC-CUST-GW1": ESP algorithms wanted: AES(12)_128-SHA1(2)_000</div><div>000 "VPC-CUST-GW1": ESP algorithms loaded: AES(12)_128-SHA1(2)_000</div><div>000 "VPC-CUST-GW1": ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<Phase1></div><div>000 "v6neighbor-hole-in": ::/0===::1<::1>:58/34560...%any:58/34816===::/0; prospective erouted; eroute owner: #0</div><div>000 "v6neighbor-hole-in": oriented; my_ip=unset; their_ip=unset</div><div>000 "v6neighbor-hole-in": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]</div><div>000 "v6neighbor-hole-in": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;</div><div>000 "v6neighbor-hole-in": labeled_ipsec:no;</div><div>000 "v6neighbor-hole-in": policy_label:unset;</div><div>000 "v6neighbor-hole-in": ike_life: 0s; ipsec_life: 0s; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;</div><div>000 "v6neighbor-hole-in": retransmit-interval: 0ms; retransmit-timeout: 0s;</div><div>000 "v6neighbor-hole-in": sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;</div><div>000 "v6neighbor-hole-in": policy: 
PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+PASS+NEVER_NEGOTIATE;</div><div>000 "v6neighbor-hole-in": conn_prio: 0,0; interface: lo; metric: 0; mtu: unset; sa_prio:1; nflog-group: unset;</div><div>000 "v6neighbor-hole-in": newest ISAKMP SA: #0; newest IPsec SA: #0;</div><div>000 "v6neighbor-hole-out": ::/0===::1<::1>:58/34816...%any:58/34560===::/0; prospective erouted; eroute owner: #0</div><div>000 "v6neighbor-hole-out": oriented; my_ip=unset; their_ip=unset</div><div>000 "v6neighbor-hole-out": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]</div><div>000 "v6neighbor-hole-out": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;</div><div>000 "v6neighbor-hole-out": labeled_ipsec:no;</div><div>000 "v6neighbor-hole-out": policy_label:unset;</div><div>000 "v6neighbor-hole-out": ike_life: 0s; ipsec_life: 0s; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;</div><div>000 "v6neighbor-hole-out": retransmit-interval: 0ms; retransmit-timeout: 0s;</div><div>000 "v6neighbor-hole-out": sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;</div><div>000 "v6neighbor-hole-out": policy: PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+PASS+NEVER_NEGOTIATE;</div><div>000 "v6neighbor-hole-out": conn_prio: 0,0; interface: lo; metric: 0; mtu: unset; sa_prio:1; nflog-group: unset;</div><div>000 "v6neighbor-hole-out": newest ISAKMP SA: #0; newest IPsec SA: #0;</div><div>000 </div><div>000 Total IPsec connections: loaded 3, active 1</div><div>000 </div><div>000 State Information: DDoS cookies not required, Accepting new IKE connections</div><div>000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)</div><div>000 IPsec SAs: total(1), authenticated(1), anonymous(0)</div><div>000 </div><div>000 #2: "VPC-CUST-GW1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 896s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin 
initiate</div><div>000 #2: "VPC-CUST-GW1" <a href="mailto:esp.d962f547@52.39.7.197">esp.d962f547@52.39.7.197</a> <a href="mailto:esp.266885c1@216.243.47.245">esp.266885c1@216.243.47.245</a> <a href="mailto:tun.0@52.39.7.197">tun.0@52.39.7.197</a> <a href="mailto:tun.0@216.243.47.245">tun.0@216.243.47.245</a> ref=0 refhim=4294901761 Traffic: ESPout=157KB ESPin=159KB! ESPmax=4194303B </div><div>000 #1: "VPC-CUST-GW1":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 25855s; newest ISAKMP; lastdpd=2s(seq in:14566 out:0); idle; import:admin initiate</div><div>000 </div><div>000 Bare Shunt list:</div><div>000 </div></div><div><br></div><div><div>ip addr </div><div>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN </div><div> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00</div><div> inet <a href="http://127.0.0.1/8">127.0.0.1/8</a> scope host lo</div><div> valid_lft forever preferred_lft forever</div><div> inet6 ::1/128 scope host </div><div> valid_lft forever preferred_lft forever</div><div>2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000</div><div> link/ether 50:e5:49:b5:8b:5e brd ff:ff:ff:ff:ff:ff</div><div> inet <a href="http://216.243.47.245/24">216.243.47.245/24</a> brd 216.243.47.255 scope global dynamic enp3s0</div><div> valid_lft 3469sec preferred_lft 3469sec</div><div> inet6 2604:4080:115f:0:52e5:49ff:feb5:8b5e/64 scope global mngtmpaddr dynamic </div><div> valid_lft 2591917sec preferred_lft 604717sec</div><div> inet6 fe80::52e5:49ff:feb5:8b5e/64 scope link </div><div> valid_lft forever preferred_lft forever</div><div>3: enp1s0f0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master bond0 state UP qlen 1000</div><div> link/ether 00:15:17:94:0d:38 brd ff:ff:ff:ff:ff:ff</div><div>4: enp1s0f1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master bond0 state UP qlen 1000</div><div> link/ether 00:15:17:94:0d:38 brd ff:ff:ff:ff:ff:ff</div><div>5: 
bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP </div><div> link/ether 00:15:17:94:0d:38 brd ff:ff:ff:ff:ff:ff</div><div> inet 10.0.0.1/22 brd 10.0.0.255 scope global bond0</div><div> valid_lft forever preferred_lft forever</div><div> inet6 fe80::215:17ff:fe94:d38/64 scope link </div><div> valid_lft forever preferred_lft forever</div><div>6: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN </div><div> link/ipip 0.0.0.0 brd 0.0.0.0</div></div><div><br></div><div># Troubleshooting</div><div><br></div><div>When I first configured it, I could only transmit to the Office gateway (the VPN endpoint), so I added this rule on the office gateway: </div><div><br></div><div>iptables -t nat -A POSTROUTING -s 10.0.4.0/22 -d 10.0.0.0/22 -j SNAT --to 10.0.0.1 <br></div><div><br></div><div>And then I could hit all of my Office machines from AWS.</div><div><br></div><div><br></div><div>So again, I can get packets into the office from AWS but I can't get them out of the office to AWS. When I tcpdump in the office I see ESP packets and the pings from AWS, but when I ping AWS from the office, my ISP ends up with the traffic. I don't know why the ip_vti0 interface is down either, but when I bring it up, the tunneling from AWS that does work stops working. I can't seem to find a lot of good docs on how the interfaces and routing work, but what I did find indicates that the openswan eroutes like those shown in the ipsec status should all handle the routing.
</div><div><br></div><div><br></div><div>From EC2 instance (10.0.4.11) to Office machine:</div><div><div>[ec2-user@ip-10-0-4-11 ~]$ ping 10.0.0.12</div><div>PING 10.0.0.12 (10.0.0.12) 56(84) bytes of data.</div><div>64 bytes from 10.0.0.12: icmp_seq=1 ttl=127 time=9.07</div></div><div><br></div><div><br></div><div>From Office (10.0.0.1/22 : 216.243.47.245) to AWS: </div><div><div># ping 10.0.4.11</div><div>PING 10.0.4.11 (10.0.4.11) 56(84) bytes of data.</div><div>From 216.243.47.1 icmp_seq=2 Packet filtered</div></div><div><br></div><div><br></div><div>It seems like I need a route or some kind of rule to transmit properly? <br></div><div><br></div><div>Thanks, I know it's asking a lot for help like this. If I can get more information, this is mostly a throwaway setup and I can try anything to get it working. </div><div><br></div><div>Matt</div><div><br></div><div><br></div><div><br></div><div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div>------------------<br>Matthew <br>"To be a rock and not to roll"<br></div></div></div></div></div>
</div></div>
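An added example (not from Matt's post, nor Openswan/Libreswan code) that checks which locally generated flows the installed xfrm policies would protect. It parses selector lines constructed from the `ip -s xfrm policy` output above and shows that a ping sourced from bond0's address 10.0.0.1 matches the 10.0.0.0/22 to 10.0.4.0/24 'out' policy, while one sourced from the gateway's public address 216.243.47.245 (the kernel's default source for a destination reached via the enp3s0 default route) matches no policy and leaves in the clear, which is consistent with the ISP's 'Packet filtered' reply.

```python
"""Check which locally generated flows an xfrm policy set would protect.

A flow that matches no 'out' policy is sent unencrypted along the normal
route; on this gateway that means the ISP sees a private-address packet.
"""
import ipaddress
import re

# Constructed from the post's `ip -s xfrm policy` output: only the selector,
# dir and tmpl lines matter here; lifetime/counter lines are omitted.
XFRM_POLICY_DUMP = """\
src 10.0.0.0/22 dst 10.0.4.0/24 uid 0
    dir out action allow index 1121 priority 2408 ptype main share any flag (0x00000000)
    tmpl src 216.243.47.245 dst 52.39.7.197
src 10.0.4.0/24 dst 10.0.0.0/22 uid 0
    dir fwd action allow index 1186 priority 2408 ptype main share any flag (0x00000000)
    tmpl src 52.39.7.197 dst 216.243.47.245
src 10.0.4.0/24 dst 10.0.0.0/22 uid 0
    dir in action allow index 1176 priority 2408 ptype main share any flag (0x00000000)
    tmpl src 52.39.7.197 dst 216.243.47.245
src ::/0 dst ::/0 proto ipv6-icmp type 135 uid 0
    dir out priority 1 ptype main
"""

SEL_RE = re.compile(r"^src (\S+) dst (\S+)")      # selector line, no indent
DIR_RE = re.compile(r"^\s*dir (\w+)")             # in / out / fwd
TMPL_RE = re.compile(r"^\s*tmpl src (\S+) dst (\S+)")  # tunnel endpoints


def parse_policies(dump):
    """Return a list of {src, dst, dir, tmpl} dicts, one per policy."""
    policies = []
    cur = None
    for line in dump.splitlines():
        m = SEL_RE.match(line)
        if m:
            cur = {"src": ipaddress.ip_network(m.group(1)),
                   "dst": ipaddress.ip_network(m.group(2)),
                   "dir": None, "tmpl": None}
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = DIR_RE.match(line)
        if m:
            cur["dir"] = m.group(1)
            continue
        m = TMPL_RE.match(line)
        if m:
            cur["tmpl"] = (m.group(1), m.group(2))
    return policies


def lookup(policies, src, dst, direction="out"):
    """Return the first policy whose selector covers (src, dst), else None."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for p in policies:
        if p["dir"] != direction or p["src"].version != s.version:
            continue
        if s in p["src"] and d in p["dst"]:
            return p
    return None


def classify(policies, src, dst):
    """Describe what happens to a packet the gateway itself originates."""
    p = lookup(policies, src, dst, "out")
    if p is None:
        return "CLEARTEXT via default route (no xfrm 'out' policy matches)"
    if p["tmpl"] is None:
        return "matches a policy that has no tunnel template"
    return "ESP tunnel %s -> %s" % p["tmpl"]


if __name__ == "__main__":
    pols = parse_policies(XFRM_POLICY_DUMP)
    # Sourced from bond0's LAN address: inside the 10.0.0.0/22 selector.
    print("10.0.0.1 -> 10.0.4.11:", classify(pols, "10.0.0.1", "10.0.4.11"))
    # Sourced from the public address on enp3s0: outside every selector.
    print("216.243.47.245 -> 10.0.4.11:",
          classify(pols, "216.243.47.245", "10.0.4.11"))
```

On the gateway itself, `ping -I 10.0.0.1 10.0.4.11` is the corresponding live check; the `leftsourceip=10.0.0.1` conn option in Openswan/Libreswan makes the gateway's own traffic use the LAN address by default.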