[Openswan Users] Openswan on EC2 - Resolving IP confusions
Hammad
raohammad at gmail.com
Thu Dec 23 06:46:16 EST 2010
Hi,
OK, given the connection configuration below on EC2, I am up with my tunnel:
"connection": 10.5.5.5/32===10.254.254.254<10.254.254.1>[59.59.59.59,+S=C]
...... 202.2.2.2<202.2.2.2>[+S=C]===172.7.7.7/32;
Now, since my Elastic IP is my ID (leftid=59.59.59.59), the remote end recognizes
me as a good boy.
But... when I ping/traceroute the remote end's encryption domain IP, it says
connection timeout.
Now when I try to traceroute, none of its bits go through my Elastic IP,
since there is no record other than leftid on my end machine that I am in
fact 59.59.59.59.
How can I make my application reach 172.7.7.7 through 59.59.59.59 on my
Amazon instance?
Here is my tunnel:
"connection" #1: ignoring unknown Vendor ID payload
[48a45f8a629df21329e84ed5b051ef831b7746440000000d00000614]
"connection" #1: received Vendor ID payload [Dead Peer Detection]
"connection" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
"connection" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
"connection" #1: STATE_MAIN_I2: sent MI2, expecting MR2
"connection" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
"connection" #1: STATE_MAIN_I3: sent MI3, expecting MR3
"connection" #1: Main mode peer ID is ID_IPV4_ADDR: '202.2.2.2'
"connection" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
"connection" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
group=modp1024}
"connection" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW
{using isakmp#1 msgid:93df71f8 proposal=defaults pfsgroup=no-pfs}
"connection" #2: transition from state STATE_QUICK_I1 to state
STATE_QUICK_I2
"connection" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
{ESP=>0x6397e30b <0x2588073b xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none
DPD=none}
On Sun, Dec 5, 2010 at 7:14 PM, Piavlo <piavka at cs.bgu.ac.il> wrote:
> Hi,
>
> it should be similar to this:
>
> -----------------
> config setup
>     nat_traversal=yes
>     virtual_private=%v4:172.7.7.7/32,%v4:!10.5.5.5/32
>     oe=off
>     protostack=netkey
>     # force_keepalive=yes
>     # keep_alive=30
>
> conn ec2-to-juniper
>     connaddrfamily=ipv4
>     type=tunnel
>     authby=secret
>     # ike=3des-sha1;modp1536
>     phase2=esp
>     # phase2alg=3des-sha1;modp1536
>     forceencaps=yes
>     pfs=yes
>     #
>     # dpddelay=30
>     # dpdtimeout=120
>     # dpdaction=restart
>     #
>     left=10.254.254.254
>     leftid=59.59.59.59
>     leftnexthop=%defaultroute
>     leftsubnet=10.5.5.5/32
>     leftsourceip=10.5.5.5
>     #
>     right=202.2.2.2
>     rightsubnet=172.7.7.7/32
>     #
>     auto=add
> -----------------
>
> Regards
> Alex
>
>
> On 12/05/2010 12:19 PM, Hammad wrote:
>
> Hi,
>
> Can somebody help to put the pieces of puzzle together for configuring
> openswan on EC2;
>
> My Elastic Ip: 59.59.59.59
> My EC2 Instance IP: 10.254.254.254
> My encryption domain (a virtual interface created to cater dynamic IPs on
> EC2 instance/restart persistent): 10.5.5.5/32
>
> Other end public (Using Netscreen/juniper): 202.2.2.2
> Other end encrypted domain: 172.7.7.7/32
>
> 1) How do I fill in following fields for this connection;
> left=
> leftid=
> leftnexthop=
> leftsubnet=
> right=
> rightnexthop=
> rightsubnet=
> rightid=
>
>
> 2) My EC2 provides me firewall webinterface; do I need to configure my
> iptables in that case? for masquerading etc?
>
> Regards,
> Hammad
>
>
> _______________________________________________
> Users at openswan.org
> http://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan: http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
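To make the source-address problem in Hammad's message concrete, here is an added example in POSIX shell; it is not code from the thread or from Openswan. The outbound IPsec policy installed for this conn is selected on 10.5.5.5/32 -> 172.7.7.7/32, so a packet that the kernel sources from the instance address 10.254.254.254 never matches it and leaves the instance unprotected (and, on EC2, unanswered). The script checks which source address the kernel picks for the remote encryption domain and, when run as root with `--live`, also shows the installed XFRM policy and pings from the encryption-domain address. The addresses are the ones used in the thread; the two `ip route get` lines are constructed, and `dummy0` and the `--live` flag are this example's own names.

```shell
#!/bin/sh
# Added example for the EC2 / Elastic IP tunnel discussed in the thread.
# Addresses are the thread's; dummy0 and --live are this example's own choices.
LEFTSUBNET=10.5.5.5/32        # left encryption domain, held on a dummy interface
RIGHTSUBNET=172.7.7.7/32      # remote encryption domain behind 202.2.2.2
REMOTE_HOST=172.7.7.7

# Dotted quad -> integer (64-bit shell arithmetic assumed, e.g. bash or dash).
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR CIDR: succeed if ADDR lies inside CIDR (a bare address is /32).
in_subnet() {
    addr=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    case $2 in */*) bits=${2#*/} ;; *) bits=32 ;; esac
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# route_src LINE: print the "src" address from one `ip route get` output line.
route_src() {
    printf '%s\n' "$1" | sed -n 's/.* src \([0-9.]*\).*/\1/p'
}

# policy_check LINE: "tunnel" if the source address the kernel chose for the
# remote host is inside LEFTSUBNET (so the 10.5.5.5/32 -> 172.7.7.7/32 policy
# matches), "cleartext" otherwise.
policy_check() {
    src=$(route_src "$1")
    if [ -n "$src" ] && in_subnet "$src" "$LEFTSUBNET"; then
        echo tunnel
    else
        echo cleartext
    fi
}

# Constructed `ip route get 172.7.7.7` output, not captured from an instance:
# before leftsourceip the kernel picks the instance address; after it the route
# to the remote domain carries src 10.5.5.5.
SAMPLE_BEFORE='172.7.7.7 via 10.254.254.1 dev eth0 src 10.254.254.254 uid 0'
SAMPLE_AFTER='172.7.7.7 via 10.254.254.1 dev eth0 src 10.5.5.5 uid 0'

# Run on the instance as root with --live: make sure the encryption domain
# exists, check the real routing decision and XFRM policy, then ping from it.
live_check() {
    ip link show dummy0 >/dev/null 2>&1 || {
        ip link add dummy0 type dummy
        ip addr add "$LEFTSUBNET" dev dummy0
        ip link set dummy0 up
    }
    route=$(ip route get "$REMOTE_HOST" | head -n 1)
    echo "route:   $route"
    echo "verdict: $(policy_check "$route")"
    ip xfrm policy show dir out | grep -A2 "src $LEFTSUBNET dst $RIGHTSUBNET" \
        || echo "no outbound policy $LEFTSUBNET -> $RIGHTSUBNET installed"
    # Explicit source address: the packet must originate inside leftsubnet.
    ping -c 3 -I "${LEFTSUBNET%/*}" "$REMOTE_HOST"
}

if [ "${1:-}" = "--live" ]; then
    live_check
else
    echo "before leftsourceip: $(policy_check "$SAMPLE_BEFORE")"
    echo "after leftsourceip:  $(policy_check "$SAMPLE_AFTER")"
fi
```

The `leftsourceip=10.5.5.5` line in Alex's config is what turns the "before" case into the "after" case: Openswan installs the route to rightsubnet with that source address, so applications on the instance originate from the encryption domain without needing `ping -I` or an explicit bind. Two further things worth checking from what is visible on the page: the phase 1 log lists only the DPD and HeartBeat vendor IDs and the phase 2 line ends with `NATD=none`, so NAT traversal was not negotiated, although an Elastic IP is a 1:1 NAT in front of the instance (`nat_traversal=yes` on both ends and `forceencaps=yes`, as in Alex's config, keep ESP on UDP 4500); and the EC2 security group must allow UDP 500 and UDP 4500 inbound from 202.2.2.2, which is the answer to the firewall question in the first message. No masquerading is required for the encryption-domain traffic, since it is carried inside ESP.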