[Openswan Users] Openswan on EC2 - Resolving IP confusions

Hammad raohammad at gmail.com
Thu Dec 23 13:38:40 EST 2010


Hi Piavlo,

It's a virtual interface. I created it with:

ifconfig eth0:0 10.5.5.5 netmask 255.255.255.255 broadcast 10.5.5.255

I have already used this scheme with OpenSWAN and a virtual interface created
this way. But in that case, my public IP was on interface eth0. Here on
EC2, I see a new IP 10.254.254.254...

Rgds,
Hammad


On Thu, Dec 23, 2010 at 9:45 PM, Piavlo <piavka at cs.bgu.ac.il> wrote:

> Hi,
>
> How did you create the virtual interface with ip 10.5.5.5?
>
>
> On 12/23/2010 01:46 PM, Hammad wrote:
>
> Hi,
>
> OK, given the connection configuration below on EC2, I am up with my
> tunnel:
> "connection": 10.5.5.5/32===10.254.254.254<10.254.254.1>[59.59.59.59,+S=C]
> ......  202.2.2.2<202.2.2.2>[+S=C]===172.7.7.7/32;
>
> Now, since my Elastic IP is my ID (leftid=59.59.59.59), the remote end recognizes
> me as a good boy.
>
> But... when I ping/traceroute the remote end's encryption domain IP, it says
> connection timeout.
> Now when I try to traceroute, none of its bits go through my Elastic IP,
> since there is no record, other than leftid, on my end machine that I am in
> fact 59.59.59.59.
>
> How can I make my application reach 172.7.7.7 through 59.59.59.59 on my
> Amazon instance?
>
> Here is my tunnel.
> "connection" #1: ignoring unknown Vendor ID payload
> [48a45f8a629df21329e84ed5b051ef831b7746440000000d00000614]
> "connection" #1: received Vendor ID payload [Dead Peer Detection]
> "connection" #1: ignoring Vendor ID payload [HeartBeat Notify 386b0100]
> "connection" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
> "connection" #1: STATE_MAIN_I2: sent MI2, expecting MR2
> "connection" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
> "connection" #1: STATE_MAIN_I3: sent MI3, expecting MR3
> "connection" #1: Main mode peer ID is ID_IPV4_ADDR: '202.2.2.2'
> "connection" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
> "connection" #1: STATE_MAIN_I4: ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
> group=modp1024}
> "connection" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW
> {using isakmp#1 msgid:93df71f8 proposal=defaults pfsgroup=no-pfs}
> "connection" #2: transition from state STATE_QUICK_I1 to state
> STATE_QUICK_I2
> "connection" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
> {ESP=>0x6397e30b <0x2588073b xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none
> DPD=none}
>
>
> On Sun, Dec 5, 2010 at 7:14 PM, Piavlo <piavka at cs.bgu.ac.il> wrote:
>
>> Hi,
>>
>> it should be similar to this:
>>
>> -----------------
>> config setup
>>         nat_traversal=yes
>>         virtual_private=%v4:172.7.7.7/32,%v4:!10.5.5.5/32
>>         oe=off
>>         protostack=netkey
>>         # force_keepalive=yes
>>         # keep_alive=30
>> conn ec2-to-juniper
>>         connaddrfamily=ipv4
>>         type=tunnel
>>         authby=secret
>>         # ike=3des-sha1;modp1536
>>         phase2=esp
>>         # phase2alg=3des-sha1;modp1536
>>         forceencaps=yes
>>         pfs=yes
>>         #
>>         # dpddelay=30
>>         # dpdtimeout=120
>>         # dpdaction=restart
>>         #
>>         left=10.254.254.254
>>         leftid=59.59.59.59
>>         leftnexthop=%defaultroute
>>         leftsubnet=10.5.5.5/32
>>         leftsourceip=10.5.5.5
>>         #
>>         right=202.2.2.2
>>         rightsubnet=172.7.7.7/32
>>         #
>>         auto=add
>> -----------------
>>
>> Regards
>> Alex
>>
>>
>> On 12/05/2010 12:19 PM, Hammad wrote:
>>
>> Hi,
>>
>> Can somebody help me put the pieces of the puzzle together for configuring
>> openswan on EC2?
>>
>> My Elastic Ip: 59.59.59.59
>> My EC2 Instance IP: 10.254.254.254
>> My encryption domain (a virtual interface created to cater for dynamic IPs on the
>> EC2 instance; persistent across restarts): 10.5.5.5/32
>>
>> Other end public (Using Netscreen/juniper): 202.2.2.2
>> Other end encrypted domain: 172.7.7.7/32
>>
>> 1) How do I fill in following fields for this connection;
>>          left=
>>          leftid=
>>          leftnexthop=
>>          leftsubnet=
>>          right=
>>          rightnexthop=
>>          rightsubnet=
>>          rightid=
>>
>>
>> 2) EC2 provides me a firewall web interface; do I need to configure my
>> iptables in that case, for masquerading etc.?
>>
>> Regards,
>> Hammad
>>
>>
>>
>>
>>
>
>
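An added example, not part of the thread and not Openswan's own code: a small Python parser for the ipsec.conf layout Alex posted, plus a consistency check for the pattern discussed here, where `left` is the instance's private address and `leftid` is the Elastic IP the peer actually sees. The keywords (nat_traversal, virtual_private, left, leftid, leftsubnet, leftsourceip) are real Openswan settings; SAMPLE_CONF, parse_ipsec_conf, check_nat_conn and _addr are my own names, and the sample conf is constructed from the thread's addresses.

```python
import ipaddress

# Constructed sample modelled on the ec2-to-juniper conn in the thread (not copied from it).
SAMPLE_CONF = """
config setup
        nat_traversal=yes
        virtual_private=%v4:172.7.7.7/32,%v4:!10.5.5.5/32
conn ec2-to-juniper
        left=10.254.254.254
        leftid=59.59.59.59
        leftsubnet=10.5.5.5/32
        leftsourceip=10.5.5.5
        rightsubnet=172.7.7.7/32
"""

def _addr(value):
    """IP literal -> ip_address; None for %defaultroute, @fqdn ids and the like."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def parse_ipsec_conf(text):
    """Return {section header: {key: value}}; '#' comments and blank lines are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented line = 'config setup' or 'conn <name>' header
            current = line.strip()
            sections[current] = {}
        elif current and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def check_nat_conn(sections, conn):
    """Findings for a conn whose left is private but is presented to the peer as a public leftid."""
    setup, c, out = sections.get("config setup", {}), sections[conn], []
    left, leftid, src = (_addr(c.get(k, "")) for k in ("left", "leftid", "leftsourceip"))
    subnet = ipaddress.ip_network(c["leftsubnet"], strict=False) if "leftsubnet" in c else None
    if left and leftid and left.is_private and not leftid.is_private and setup.get("nat_traversal") != "yes":
        out.append("nat_traversal=yes required: left is private but leftid is public (1:1 NAT)")
    if subnet and left and left not in subnet and not src:
        out.append("leftsourceip missing: traffic to rightsubnet is sourced from left, outside leftsubnet")
    for entry in setup.get("virtual_private", "").split(","):  # each entry must be %v4:NET or %v4:!NET
        if entry and not (entry.startswith(("%v4:", "%v6:")) and "/" in entry):
            out.append(f"malformed virtual_private entry: {entry}")
    return out
```

Dropping leftsourceip from the sample reproduces the symptom in the thread: the tunnel is up, but local traffic to 172.7.7.7 leaves from 10.254.254.254, which is outside 10.5.5.5/32 and therefore never matches the IPsec policy.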