[Openswan Users] Amazon Ec2 Ipsec and Cisco

Joe Skop joe.skop at gmail.com
Thu Jun 25 11:22:26 EDT 2009


Hi to all,
I'm starting to write on this mailing list with a fine question with a
long description.

Scenario:
A big customer asks my firm to set up a LAN-to-LAN or site-to-site VPN
between his Cisco PIX and our Amazon EC2 instance.

This is, unfortunately, the first time for me.

This is the info they sent me, directly from their Cisco PIX:


*************** VPN IPSEC L2L ********************************* DETAIL *******************

*** XXX peer                            *** YYY peer

Public/Global/External network          Public/Global/External network
Primary Site: 111.111.111.111           Primary Site: 222.222.222.222
Backup Site:  None                      Backup Site:  none

*** IPsec Phase 2 proxy ID

Private/Local network                   Private/Local network
private ip address:                     private ip address:
333.333.333.333                         444.444.444.444/32

IP Protocols permitted:                 IP Protocols permitted:
ANY                                     TCP 443

*** Connection Type / Tunnel initiating peer: BOTH (answer and originate)

*** ISAKMP Phase 1 (IKE) Properties:

Exchange Mode                   Main Mode (NOT AGGRESSIVE !)
Authentication Method           Pre-Shared Secret
Encryption algorithm            3DES
Data Integrity                  SHA1 (Secure Hash Standard)
Diffie-Hellman                  Group 2 (1024 bit)
SA Lifetime                     8 Hour/480 Minutes/28800 seconds

*** IPSEC Phase 2 Properties:

Security Protocol               ESP
Encapsulation Mode              Tunnel
Encryption                      3DES
Data Integrity                  SHA1 (Secure Hash Standard)
SA Lifetime                     8 Hour/480 Minutes/28800 seconds
Compression Method              Disabled/OFF
Perfect Forward Secrecy         Disabled/OFF


----------------------------------------------------

So I installed a new Debian 5.0 instance, with the 333.333.333.333
private IP and the 444.444.444 reserved Elastic IP.

After this, I opened port 500 udp/tcp in the security group.

Then I installed Openswan.

ipsec.conf:
----------------------------------------------------
config setup

        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

conn test
        type=           tunnel
        authby=         secret
        left=           111.111.111.111
        leftsubnet=     333.333.333.0/24
        right=          222.222.222.222
        rightsubnet=    444.444.444.444/32
        ike=3des-sha1-modp1024,aes128-sha1-modp1024
        esp=           3des-md5-96
        keyexchange=    ike
        pfs=            no
        auto=           start

include /etc/ipsec.d/examples/no_oe.conf

ipsec.secrets:
-----------------------------------------------------
# RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005-09-28 13:59:14 paul Exp $
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
111.111.111.111 333.333.333.333 222.222.222.222 : PSK "secrettest"

After starting ipsec, these are the logs.
------------------------------------------------------

Jun 25 15:13:24 ip-333-333-333-333 kernel: NET: Registered protocol family 15
Jun 25 15:13:24 ip-333-333-333-333 ipsec_setup: NETKEY on eth0 333.333.333.333/255.255.254.0 broadcast 333.333.333.255

==> auth.log <==
Jun 25 15:13:25 ip-333-333-333-333 ipsec__plutorun: Unknown default RSA hostkey scheme, not generating a default hostkey
Jun 25 15:13:25 ip-333-333-333-333 ipsec__plutorun: Starting Pluto subsystem...
Jun 25 15:13:25 ip-333-333-333-333 pluto[9732]: Starting Pluto (Openswan Version 2.4.12 LDAP_V3 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE`lPH|Vbpuu)
Jun 25 15:13:25 ip-333-333-333-333 pluto[9732]: Setting NAT-Traversal port-4500 floating to off
Jun 25 15:13:25 ip-333-333-333-333 pluto[9732]:    port floating activation criteria nat_t=0/port_fload=1
Jun 25 15:13:25 ip-333-333-333-333 pluto[9732]:   including NAT-Traversal patch (Version 0.6c) [disabled]
Jun 25 15:13:25 ip-333-333-333-333 pluto[9732]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jun 25 15:13:25 ip-333-333-333-333 pluto[9732]: starting up 1 cryptographic helpers
Jun 25 15:13:25 ip-333-333-333-333 pluto[9732]: started helper pid=9733 (fd:6)
Jun 25 15:13:25 ip-333-333-333-333 pluto[9732]: Using NETKEY IPsec interface code on 2.6.21.7-2.fc8xen
Jun 25 15:13:26 ip-333-333-333-333 pluto[9732]: Changing to directory '/etc/ipsec.d/cacerts'
Jun 25 15:13:26 ip-333-333-333-333 pluto[9732]: Changing to directory '/etc/ipsec.d/aacerts'
Jun 25 15:13:26 ip-333-333-333-333 pluto[9732]: Changing to directory '/etc/ipsec.d/ocspcerts'
Jun 25 15:13:26 ip-333-333-333-333 pluto[9732]: Changing to directory '/etc/ipsec.d/crls'
Jun 25 15:13:26 ip-333-333-333-333 pluto[9732]:   Warning: empty directory
Jun 25 15:13:26 ip-333-333-333-333 pluto[9732]: loading secrets from "/etc/ipsec.secrets"
Jun 25 15:13:26 ip-333-333-333-333 pluto[9732]: added connection description "test"
Jun 25 15:13:26 ip-333-333-333-333 pluto[9732]: listening for IKE messages
Jun 25 15:13:26 ip-333-333-333-333 pluto[9732]: adding interface eth0/eth0 333.333.333.333:500
Jun 25 15:13:26 ip-333-333-333-333 pluto[9732]: adding interface lo/lo 127.0.0.1:500
Jun 25 15:13:26 ip-333-333-333-333 pluto[9732]: adding interface lo/lo ::1:500
Jun 25 15:13:26 ip-333-333-333-333 pluto[9732]: forgetting secrets
Jun 25 15:13:26 ip-333-333-333-333 pluto[9732]: loading secrets from "/etc/ipsec.secrets"
Jun 25 15:13:26 ip-333-333-333-333 pluto[9732]: "test": We cannot identify ourselves with either end of this connection.

==> syslog <==
Jun 25 15:13:26 ip-333-333-333-333 ipsec_setup: ...Openswan IPsec started
Jun 25 15:13:26 ip-333-333-333-333 ipsec_setup: Starting Openswan IPsec 2.4.12...
Jun 25 15:13:26 ip-333-333-333-333 ipsec__plutorun: 022 "test": we cannot identify ourselves with either end of this connection
Jun 25 15:13:26 ip-333-333-333-333 ipsec__plutorun: ...could not route conn "test"
Jun 25 15:13:26 ip-333-333-333-333 ipsec__plutorun: 022 "test": We cannot identify ourselves with either end of this connection.
Jun 25 15:13:26 ip-333-333-333-333 ipsec__plutorun: ...could not start conn "test"

==> auth.log <==
Jun 25 15:13:30 ip-333-333-333-333 pluto[9732]: packet from 222.222.222.222:500: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Jun 25 15:13:30 ip-333-333-333-333 pluto[9732]: packet from 222.222.222.222:500: initial Main Mode message received on 333.333.333.333:500 but no connection has been authorized
[...]


----------------------------------------------------

If someone can help me,
Thanks!

JS
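Added editorial example (not part of the original post, and not the poster's or the customer's configuration). Pluto orients a conn by checking whether left or right is an address actually present on a local interface; the log shows Pluto only found 333.333.333.333 on eth0, and an Elastic IP is a 1:1 NAT that is never configured on the instance, so neither 111.111.111.111 nor 222.222.222.222 is "us" and the conn can be neither routed nor started. That is also why the PIX's Main Mode packet from 222.222.222.222 is dropped with "no connection has been authorized". The fix is to make the local end the address the instance really has and to carry the Elastic IP only as the IKE identity. The following ipsec.conf and ipsec.secrets assume, from the log, that the instance is the XXX peer (Elastic IP 111.111.111.111, private address 333.333.333.333) and that the PIX is the YYY peer at 222.222.222.222; the conn name `pix-l2l`, the PSK value, the NAT-T choice and the exact PIX crypto ACL are assumptions, flagged in comments.

```ini
# /etc/ipsec.conf  (Openswan 2.4.x on the EC2 instance; editorial example)
config setup
        interfaces=%defaultroute
        # Assumption: ESP (IP protocol 50) cannot be opened in the EC2
        # security group, so ESP is carried in UDP/4500 (open udp/500 and
        # udp/4500; there is no TCP 500 in IKE). The PIX must then have
        # NAT traversal enabled as well, otherwise set this to "no".
        nat_traversal=yes
        klipsdebug=none
        plutodebug=none

conn pix-l2l
        type=tunnel
        authby=secret
        keyexchange=ike
        # Local end: the instance only owns its private address, so "left"
        # is taken from the default route (333.333.333.333). The Elastic IP
        # is a NAT in front of it and is usable only as the IKE identity;
        # without leftid Pluto would send ID 333.333.333.333 and the PIX,
        # which sees 111.111.111.111, would reject it.
        left=%defaultroute
        leftid=111.111.111.111
        # Phase 2 proxy ID for our side exactly as on the sheet (a single
        # host, not 333.333.333.0/24): the PIX compares these literally.
        leftsubnet=333.333.333.333/32
        # Remote end: the PIX and the single host behind it.
        right=222.222.222.222
        rightsubnet=444.444.444.444/32
        # Sheet: "ANY" on our side, "TCP 443" on theirs. Assumption: the PIX
        # crypto ACL permits tcp host 333.333.333.333 host 444.444.444.444
        # eq 443, so restrict the selectors the same way.
        leftprotoport=tcp
        rightprotoport=tcp/443
        # Phase 1 as on the sheet: Main Mode, 3DES, SHA1, DH group 2, 28800 s.
        ike=3des-sha1-modp1024
        ikelifetime=8h
        # Phase 2 as on the sheet: ESP tunnel, 3DES, SHA1 (not MD5),
        # 28800 s, PFS off, compression off.
        esp=3des-sha1
        keylife=8h
        pfs=no
        compress=no
        auto=start

include /etc/ipsec.d/examples/no_oe.conf

# /etc/ipsec.secrets  (editorial example)
# The PSK is indexed by the IKE identities of both ends (leftid and the
# PIX address), not by the private interface address.
111.111.111.111 222.222.222.222 : PSK "secrettest"
```

After restarting with these files, `ipsec auto --status` should list `pix-l2l` as oriented with `333.333.333.333[111.111.111.111]` on the left, and `ipsec auto --up pix-l2l` (or the PIX initiating, since the sheet says BOTH) should reach "ISAKMP SA established" and then "IPsec SA established". If Phase 1 succeeds but Phase 2 fails, the first thing to compare is the proxy IDs and the protocol/port selectors against the PIX crypto ACL, since those must match exactly on both sides.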

