[Openswan Users] Connecting OpenSwan on EC2 Fedora8 to Cisco ASA/PIX

Tue Mar 10 21:29:01 EDT 2009

Hello,

I am experimenting with Amazon's EC2 cloud and I have successfully established a tunnel to a Cisco Firewall using my Fedora 8 instance.  At least the tunnel seems to be up when I issue a "/usr/sbin/ipsec auto --status" (see far below).  However I am not able to ping through the tunnel to the actual private interface of the AMI.  Here is my config: 

config setup 
        # Debug-logging controls:  "none" for (almost) none, "all" for lots. 
        klipsdebug="none" 
        plutodebug="none" 
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey 
        protostack=netkey 
        nat_traversal=yes 
        interfaces=%defaultroute 
conn pix 
        # The Linux box 
        left=10.249.186.37 
        leftsubnet=10.249.186.37/32 
        # The Cisco PIX 
        right=198.x.x.x 
        rightsubnet=10.3.1.0/24 
        # Pre-shared keys 
        authby=secret 
        # Turn perfect forwarding security off 
        pfs=no 
        # auto=start will bring this up when you start ipsec 
        auto=add 
        #IKE params 
        keyexchange=ike 
        ikelifetime=240m 
        #IPsec Params 
        type=tunnel 
        auth=esp 
        compress=no 
        keylife=60m 

As I said the tunnel establishes no problem, but doing a ping through it is not possible.  Has anybody experience with this (specifically connecting to an ASA/PIX)?  If so would you be able to assist by either sending me your config example and what kind of pitfalls you've experienced during your implementation?  I think the trick is that the Fedora instance only has one IP address instead of an outside and inside IP.  Also I am used to Klips and I am somewhat concerned how I the routing works with netkey.

Thank you very much! 

/usr/sbin/ipsec auto --status: 
000 "pix": 10.249.186.37/32===10.249.186.37<10.249.186.37>[S=C]...198.37.32.11<198.x.x.x>[S=C]===10.3.1.0/24; erouted; eroute owner: #2 
000 "pix":     myip=unset; hisip=unset; 
000 "pix":   ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3 
000 "pix":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+lKOD+rKOD; prio: 32,24; interface: eth0; 
000 "pix":   newest ISAKMP SA: #1; newest IPsec SA: #2; 
000 "pix":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024 
000 
000 #2: "pix":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2150s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate 
000 #2: "pix" esp.2b48b530 at 198.x.x.x esp.36d00bd6 at 10.249.186.37 tun.0 at 198.x.x.x tun.0 at 10.249.186.37 
000 #1: "pix":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 12631s; newest ISAKMP; lastdpd=16s(seq in:0 out:0); idle; import:admin initiate 
000 