[Openswan Users] Amazon Ec2 Ipsec and Cisco
Paul Wouters
paul at xelerance.com
Tue Jun 30 11:30:05 EDT 2009
On Tue, 30 Jun 2009, Joe Skop wrote:
> Me again. So I solved some problems, but the VPN still doesn't work.
> Really, I don't know what else I can do...
>
> /etc/ipsec.conf:
> ------------------------------------------------------------------
> version 2.0
> config setup
>         nat_traversal=yes
>         nhelpers=0
>         interfaces=%defaultroute
>         klipsdebug=none
>         plutodebug=none
>
> conn test
>         type=tunnel
>         authby=secret
>         left=%defaultroute
>         leftsubnet=10.xxx.xxx.0/24
>         right=77.xxx.xxx.xxx
>         rightsubnet=192.xxx.xxx.xxx/32
Are you sure the policy at the Cisco end has 192.x.x.x/32?
Often people configure this because they did not properly support NAT.
>         esp=3des-sha1
>         keyexchange=ike
>         pfs=no
>         auto=start
Since there is a weird NAT happening at EC2, try adding forceencaps=yes
to ensure you're not sending ESP, but ESPinUDP packets.
> STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: "test" #2: initiating
> Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
>
> ==> syslog <==
> Jun 30 14:33:21 ip-10-xxx-xxx-xxx ipsec_setup: ...Openswan IPsec started
Your Openswan crashed.
> Jun 30 14:33:21 ip-10-xxx-xxx-xxx ipsec_setup: Starting Openswan IPsec 2.4.12...
Upgrade to 2.4.15 (or better, 2.6.22) and let me know if the problem remains.
If it does, define dumpdir= and get me a gdb trace.
Paul
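For reference, here is the poster's ipsec.conf with both of Paul's suggestions folded in: forceencaps=yes on the conn, and a dumpdir= in config setup so pluto can leave a core file for a gdb trace. This is an added example, not a file from the thread or from the Openswan project; the xxx placeholders are the original poster's and are left as they were, the indentation is the form ipsec.conf expects for parameters under a section header, and the dumpdir path is an assumption (any directory writable by pluto will do, and the core file size limit on the instance must allow dumps).

```conf
version 2.0
config setup
        nat_traversal=yes
        nhelpers=0
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        # Added per Paul's request: where pluto may dump core if it crashes
        # again after the upgrade. Path is an assumption; the directory must
        # exist and be writable by pluto.
        dumpdir=/var/run/pluto

conn test
        type=tunnel
        authby=secret
        keyexchange=ike
        left=%defaultroute
        leftsubnet=10.xxx.xxx.0/24
        right=77.xxx.xxx.xxx
        # Must match the crypto ACL / policy on the Cisco side. A /32 here is
        # what Paul is questioning: confirm the Cisco end really expects it.
        rightsubnet=192.xxx.xxx.xxx/32
        esp=3des-sha1
        pfs=no
        # EC2 places the instance behind a NAT, so do not rely on NAT
        # detection alone: always encapsulate ESP in UDP (port 4500).
        forceencaps=yes
        auto=start
```

After restarting Openswan with this file, the IKE exchange should show NAT-T in use and the data traffic should leave as UDP/4500 rather than raw ESP; if pluto still dies on the Quick Mode exchange, the core file under dumpdir is what a gdb backtrace is taken from.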