[Openswan Users] Connecting OpenSwan on EC2 Fedora8 to Cisco ASA/PIX
Nils Pommerien
Nils_Pommerien at avid.com
Tue Mar 10 21:35:41 EDT 2009
Hello,
I am experimenting with Amazon's EC2 cloud and I have successfully established a tunnel to a Cisco Firewall using my Fedora 8 instance. At least the tunnel seems to be up when I issue a "/usr/sbin/ipsec auto --status" (see far below). However I am not able to ping through the tunnel to the actual private interface of the AMI. Here is my config:

config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug="none"
    plutodebug="none"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    nat_traversal=yes
    interfaces=%defaultroute

conn pix
    # The Linux box
    left=10.249.186.37
    leftsubnet=10.249.186.37/32
    # The Cisco PIX
    right=198.x.x.x
    rightsubnet=10.3.1.0/24
    # Pre-shared keys
    authby=secret
    # Turn perfect forwarding security off
    pfs=no
    # auto=start will bring this up when you start ipsec
    auto=add
    #IKE params
    keyexchange=ike
    ikelifetime=240m
    #IPsec Params
    type=tunnel
    auth=esp
    compress=no
    keylife=60m

As I said, the tunnel establishes no problem, but doing a ping through it is not possible. Has anybody experience with this (specifically connecting to an ASA/PIX)? If so would you be able to assist by either sending me your config example and what kind of pitfalls you've experienced during your implementation? I think the trick is that the Fedora instance only has one IP address instead of an outside and inside IP. Also I am used to Klips and I am somewhat concerned how the routing works with netkey.
Thank you very much!
/usr/sbin/ipsec auto --status:
000 "pix": 10.249.186.37/32===10.249.186.37<10.249.186.37>[S=C]...198.37.32.11<198.x.x.x>[S=C]===10.3.1.0/24; erouted; eroute owner: #2
000 "pix": myip=unset; hisip=unset;
000 "pix": ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "pix": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+lKOD+rKOD; prio: 32,24; interface: eth0;
000 "pix": newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "pix": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000
000 #2: "pix":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2150s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "pix" esp.2b48b530@198.x.x.x esp.36d00bd6@10.249.186.37 tun.0@198.x.x.x tun.0@10.249.186.37
000 #1: "pix":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 12631s; newest ISAKMP; lastdpd=16s(seq in:0 out:0); idle; import:admin initiate
000
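
Added example, not part of the original post and not Openswan code: a Python parser for `ipsec auto --status` lines like those above. It reports, per connection, whether both SAs are established, which traffic selectors the policy covers, whether IKE runs on NAT-T port 4500, and which negotiated IKE primitives are legacy. The regexes, the `LEGACY` list and the function names are assumptions made for this example.

```python
import re

# Constructed sample: adapted from the status output in the post (peer kept masked).
SAMPLE = """\
000 "pix": 10.249.186.37/32===10.249.186.37<10.249.186.37>[S=C]...198.x.x.x<198.x.x.x>[S=C]===10.3.1.0/24; erouted; eroute owner: #2
000 "pix": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 #2: "pix":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2150s; newest IPSEC
000 #2: "pix" esp.2b48b530@198.x.x.x esp.36d00bd6@10.249.186.37 tun.0@198.x.x.x tun.0@10.249.186.37
000 #1: "pix":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 12631s; newest ISAKMP
"""

TOPO = re.compile(r'^000 "(?P<conn>[^"]+)": (?P<left>\S+?)===.*===(?P<right>[^;]+); (?P<route>[^;]+);')
IKE = re.compile(r'^000 "(?P<conn>[^"]+)": IKE algorithm newest: (?P<alg>\S+)')
STATE = re.compile(r'^000 #(?P<id>\d+): "(?P<conn>[^"]+)":(?P<port>\d+) (?P<state>STATE_\w+) \((?P<desc>[^)]*)\)')
# Assumed list of legacy primitives to flag in the negotiated IKE proposal.
LEGACY = ("3DES", "MD5", "SHA1", "MODP1024")

def parse_status(text):
    """Return {conn: summary} built from `ipsec auto --status` lines."""
    conns = {}
    for line in text.splitlines():
        for rx in (TOPO, IKE, STATE):
            m = rx.match(line)
            if not m:
                continue
            c = conns.setdefault(m["conn"], {"sas": {}, "ports": set(), "legacy": []})
            if rx is TOPO:  # left subnet === ... === right subnet; routing state
                c["selectors"] = (m["left"], m["right"])
                c["route"] = m["route"]
            elif rx is IKE:  # split ENC-HASH-GROUP and keep the legacy parts
                c["legacy"] = [p for p in m["alg"].split("-") if any(t in p for t in LEGACY)]
            else:  # per-SA state line: record whether pluto calls it established
                c["sas"][m["state"]] = "established" in m["desc"]
                c["ports"].add(int(m["port"]))
    return conns

def report(conns):
    """One human-readable line per connection."""
    out = []
    for name, c in sorted(conns.items()):
        left, right = c.get("selectors", ("?", "?"))
        up = bool(c["sas"]) and all(c["sas"].values())
        natt = 4500 in c["ports"]  # IKE on UDP 4500 indicates NAT-T encapsulation
        out.append(f"{name}: SAs {'up' if up else 'NOT up'}, policy {left} <-> {right} "
                   f"({c.get('route', 'unrouted')}), NAT-T={natt}, legacy IKE={c['legacy'] or 'none'}")
    return out

if __name__ == "__main__":
    print("\n".join(report(parse_status(SAMPLE))))
```

"SAs up" here only means both negotiations completed; traffic is protected only when its source and destination fall inside the reported selectors.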