[Openswan Users] Amazon Ec2 Ipsec and Cisco

Paul Wouters paul at xelerance.com
Thu Jun 25 13:23:43 EDT 2009

On Thu, 25 Jun 2009, Joe Skop wrote:

> Hi to all,
> I'm starting writing in this mailing-list with a fine question with
> long description.
> Scenario:
> A big customer asks my firm to make a lan2lan or site2site through their
> Cisco PIX and our Amazon EC2 instance.
> This is for me, unfortunately, the first time.
> This is the info they sent me, directly from their Cisco PIX:

Last time I attempted to use the NETKEY IPsec kernel code on EC2, I had the
image becoming very unstable under load. Be warned.

> IP Protocols permitted:			IP Protocols permitted:
> ANY					TCP 443

That is kind of strange. These options (in openswan leftprotoport= and rightprotoport=)
only make sense if they're symmetrical. No point sending something that the other
end cannot respond to. With UDP I could still see that, but TCP 443 obviously not.

> *** Connection Type / Tunnel initiating peer: BOTH (answer and originate)

You cannot have the Cisco initiate, because EC2 NATs your private IP to a public one.
You will need to ensure your openswan end always initiates (set a shorter keylife).

> After this, I open in the group the port 500 udp/tcp.

You also need to open sending on udp 4500 to random high ports and to
accept random high ports to your udp 4500. Remember also that you're
NAT'ed, so ports may change.

> conn test
>        type=           tunnel
>        authby=         secret
>        left= 
>        leftsubnet=     333.333.333.0/24
>        right=
>        rightsubnet=    444.444.444.444/32
>        ike=3des-sha1-modp1024,aes128-sha1-modp1024

With Cisco it is best to pick one proposal only. The one they gave you.

>        esp=           3des-md5-96
>        keyexchange=    ike
>        pfs=            no
>        auto=           start

> Jun 25 15:13:25 ip-333-333-333-333 pluto[9732]: Setting NAT-Traversal
> port-4500 floating to off
> Jun 25 15:13:25 ip-333-333-333-333 pluto[9732]:    port floating
> activation criteria nat_t=0/port_fload=1
> Jun 25 15:13:25 ip-333-333-333-333 pluto[9732]:   including
> NAT-Traversal patch (Version 0.6c) [disabled]

You need to add nat_traversal=yes to config setup.

> Jun 25 15:13:26 ip-333-333-333-333 pluto[9732]: "test": We cannot
> identify ourselves with either end of this connection.

You need to configure your end with its REAL IP address, not the public IP
it will be NAT'ed to.
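
The configuration points raised in this reply, collected as an added example that is not part of the original message and is not Openswan code: a small Python lint over an ipsec.conf-style file. The sample config, its documentation-range addresses, the instance address `10.0.0.5` and the helper names `parse` and `lint` are constructed for illustration; the protoport check compares only the protocol part of each value.

```python
# Constructed sample in the thread's ipsec.conf style; all addresses are placeholders.
SAMPLE = """\
config setup
    interfaces=%defaultroute

conn test
    type=tunnel
    authby=secret
    left=203.0.113.10
    leftsubnet=10.1.0.0/24
    right=198.51.100.20
    rightsubnet=192.0.2.44/32
    ike=3des-sha1-modp1024,aes128-sha1-modp1024
    leftprotoport=tcp/443
    auto=start
"""

def parse(text):
    """Return {section_name: {key: value}} for an ipsec.conf-style file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():                 # unindented line starts a section
            current = sections.setdefault(" ".join(line.split()), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def lint(text, local_private_ip):
    """Flag the settings the reply calls out; local_private_ip is the pre-NAT address."""
    sections = parse(text)
    proto = lambda v: (v or "").split("/")[0]     # protocol part of a protoport value
    findings = []
    if sections.get("config setup", {}).get("nat_traversal") != "yes":
        findings.append("config setup: nat_traversal=yes missing")
    for name, conn in sections.items():
        if not name.startswith("conn "):
            continue
        if "," in conn.get("ike", ""):
            findings.append(f"{name}: more than one ike= proposal")
        if conn.get("left") != local_private_ip:
            findings.append(f"{name}: left= is not the instance's real address")
        if proto(conn.get("leftprotoport")) != proto(conn.get("rightprotoport")):
            findings.append(f"{name}: leftprotoport/rightprotoport not symmetrical")
    return findings
```

Calling `lint(SAMPLE, "10.0.0.5")` returns one finding per issue; a config with `nat_traversal=yes`, a single `ike=` proposal, `left=` set to the instance's own address and matching protoport settings returns an empty list.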

