[Openswan Users] Amazon Ec2 Ipsec and Cisco

Paul Wouters paul at xelerance.com
Tue Jun 30 11:30:05 EDT 2009


On Tue, 30 Jun 2009, Joe Skop wrote:

> again me. So I solved some problems, but still the VPN doesn't work.
> Really, I don't know what else I can do...
>
> /etc/ipsec.conf:
> ------------------------------------------------------------------
> version 2.0
> config setup
> nat_traversal=yes
> nhelpers=0
> interfaces=%defaultroute
> klipsdebug=none
> plutodebug=none
>
> conn test
>        type=           tunnel
>        authby=         secret
>        left=           %defaultroute
>        leftsubnet=     10.xxx.xxx.0/24
>        right=          77.xxx.xxx.xxx
>        rightsubnet=    192.xxx.xxx.xxx/32

Are you sure the policy at the cisco end has 192.x.x.x/32 ?
Often people configure this because they did not properly support NAT.

>        esp=            3des-sha1
>        keyexchange=    ike
>        pfs=            no
>        auto=           start

Since there is a weird NAT happening at EC2, try adding forceencaps=yes
to ensure you're not sending ESP, but ESPinUDP packets.

> STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY
> cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
> Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: "test" #2: initiating
> Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
>
> ==> syslog <==
> Jun 30 14:33:21 ip-10-xxx-xxx-xxx ipsec_setup: ...Openswan IPsec started

Your openswan crashed.

> Jun 30 14:33:21 ip-10-xxx-xxx-xxx ipsec_setup: Starting Openswan IPsec 2.4.12...

upgrade to 2.4.15 (or better 2.6.22) and let me know if the problem remains.
If it does, define dumpdir= and get me a gdb trace.

Paul
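A small diagnostic that applies the checks Paul makes by eye (phase 1 up, Quick Mode started but no IPsec SA, NAT detected, pluto restarting mid-negotiation, old release) to a pluto/ipsec_setup log. Added example, not code from the thread or from Openswan; it runs over a constructed log excerpt, and the exact pluto wording matched by the regexes is an assumption.

```python
import re

# Constructed sample log modelled on the excerpt quoted in the thread (not the poster's real
# output); the second "started" pair is added to represent pluto restarting during Quick Mode.
SAMPLE_LOG = """\
Jun 30 14:33:21 ip-10-xxx-xxx-xxx ipsec_setup: Starting Openswan IPsec 2.4.12...
Jun 30 14:33:21 ip-10-xxx-xxx-xxx ipsec_setup: ...Openswan IPsec started
Jun 30 14:33:21 ip-10-xxx-xxx-xxx pluto[23556]: "test" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: I am NATed
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: "test" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jun 30 14:33:22 ip-10-xxx-xxx-xxx pluto[23556]: "test" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#1}
Jun 30 14:33:25 ip-10-xxx-xxx-xxx ipsec_setup: Starting Openswan IPsec 2.4.12...
Jun 30 14:33:25 ip-10-xxx-xxx-xxx ipsec_setup: ...Openswan IPsec started
"""

# Milestone markers as Openswan 2.x logs word them (assumed wording, only partly shown in the thread).
PATTERNS = {
    "nat_detected": re.compile(r"NAT-Traversal: Result using .*NATed"),
    "phase1_up": re.compile(r"ISAKMP SA established"),
    "phase2_started": re.compile(r"initiating Quick Mode"),
    "phase2_up": re.compile(r"IPsec SA established"),
    "daemon_started": re.compile(r"Openswan IPsec started"),
}
VERSION_RE = re.compile(r"Starting Openswan IPsec (\d+)\.(\d+)\.(\d+)")
MIN_VERSION = (2, 4, 15)  # the minimum release Paul asks for

def diagnose(log_text):
    """Walk the log in order; report which milestones were hit and which of the thread's fixes apply."""
    seen = dict.fromkeys(PATTERNS, False)
    version = None
    restart_mid_negotiation = False
    for line in log_text.splitlines():
        m = VERSION_RE.search(line)
        if m:
            version = tuple(int(x) for x in m.groups())
        for key, rx in PATTERNS.items():
            if rx.search(line):
                # A fresh "started" after Quick Mode began but before the IPsec SA came up
                # means pluto went away mid-negotiation: the crash symptom Paul points at.
                if key == "daemon_started" and seen["phase2_started"] and not seen["phase2_up"]:
                    restart_mid_negotiation = True
                seen[key] = True
    advice = []
    if seen["nat_detected"] and not seen["phase2_up"]:
        advice.append("forceencaps=yes")  # ESP-in-UDP (port 4500) instead of raw ESP through the NAT
    if version and version < MIN_VERSION:
        advice.append("upgrade")
    if restart_mid_negotiation:
        advice.append("dumpdir=")  # keep a core file so a gdb trace of the crash is possible
    return {"milestones": seen, "version": version,
            "restart_mid_negotiation": restart_mid_negotiation, "advice": advice}
```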


