[Openswan Users] Openswan on EC2 - Resolving IP confusions

Piavlo piavka at cs.bgu.ac.il
Thu Dec 23 14:33:29 EST 2010


Hammad wrote:
> Hi Piavlo,
> 
> It's a virtual interface. I created it with:
> 
> ifconfig eth0:0 10.5.5.5 netmask 255.255.255.255 broadcast 10.5.5.255

I think you need to use a real virtual device - use a tap device.
Not sure the kernel can do IPsec routing correctly with an interface alias.

> 
> I have already used this scheme with Openswan and a virtual interface
> created this way. But in that case, my public IP was on interface eth0.
> Here on EC2, I see a new IP, 10.254.254.254...
> 
> Rgds,
> Hammad
> 
> 
> On Thu, Dec 23, 2010 at 9:45 PM, Piavlo <piavka at cs.bgu.ac.il> wrote:
> 
>     Hi,
> 
>     How did you create the virtual interface with IP 10.5.5.5?
> 
> 
>     On 12/23/2010 01:46 PM, Hammad wrote:
>>     Hi,
>>
>>     Ok, given the connection configuration below on EC2, I am up with
>>     my tunnel:
>>     "connection": 10.5.5.5/32===10.254.254.254<10.254.254.1>[59.59.59.59,+S=C]...202.2.2.2<202.2.2.2>[+S=C]===172.7.7.7/32;
>>
>>     Now, since my Elastic IP is my ID (leftid=59.59.59.59), the remote
>>     end recognizes me as a good boy.
>>
>>     But... when I ping/traceroute the remote end's encryption domain IP,
>>     it says connection timeout.
>>     Now when I try to traceroute, none of its bits go through my
>>     Elastic IP - since there is no record other than leftid on my end
>>     machine that I am in fact 59.59.59.59.
>>
>>     How can I make my application reach 172.7.7.7 through 59.59.59.59
>>     on my Amazon instance?
>>
>>     Here is my tunnel.
>>     "connection" #1: ignoring unknown Vendor ID payload
>>     [48a45f8a629df21329e84ed5b051ef831b7746440000000d00000614]
>>     "connection" #1: received Vendor ID payload [Dead Peer Detection]
>>     "connection" #1: ignoring Vendor ID payload [HeartBeat Notify
>>     386b0100]
>>     "connection" #1: transition from state STATE_MAIN_I1 to state
>>     STATE_MAIN_I2
>>     "connection" #1: STATE_MAIN_I2: sent MI2, expecting MR2
>>     "connection" #1: transition from state STATE_MAIN_I2 to state
>>     STATE_MAIN_I3
>>     "connection" #1: STATE_MAIN_I3: sent MI3, expecting MR3
>>     "connection" #1: Main mode peer ID is ID_IPV4_ADDR: '202.2.2.2'
>>     "connection" #1: transition from state STATE_MAIN_I3 to state
>>     STATE_MAIN_I4
>>     "connection" #1: STATE_MAIN_I4: ISAKMP SA established
>>     {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192
>>     prf=oakley_md5 group=modp1024}
>>     "connection" #2: initiating Quick Mode
>>     PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW {using isakmp#1 msgid:93df71f8
>>     proposal=defaults pfsgroup=no-pfs}
>>     "connection" #2: transition from state STATE_QUICK_I1 to state
>>     STATE_QUICK_I2
>>     "connection" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
>>     tunnel mode {ESP=>0x6397e30b <0x2588073b xfrm=3DES_0-HMAC_MD5
>>     NATOA=none NATD=none DPD=none}
>>
>>
>>     On Sun, Dec 5, 2010 at 7:14 PM, Piavlo <piavka at cs.bgu.ac.il> wrote:
>>
>>          Hi,
>>
>>         it should be similar to this:
>>
>>         -----------------
>>         config setup
>>                 nat_traversal=yes
>>                 virtual_private=%v4:172.7.7.7/32,%v4:!10.5.5.5/32
>>                 oe=off
>>                 protostack=netkey
>>                 # force_keepalive=yes
>>                 # keep_alive=30
>>         conn ec2-to-juniper
>>                 connaddrfamily=ipv4
>>                 type=tunnel
>>                 authby=secret
>>                 # ike=3des-sha1;modp1536
>>                 phase2=esp
>>                 # phase2alg=3des-sha1;modp1536
>>                 forceencaps=yes
>>                 pfs=yes
>>                 #
>>                 # dpddelay=30
>>                 # dpdtimeout=120
>>                 # dpdaction=restart
>>                 #
>>                 left=10.254.254.254
>>                 leftid=59.59.59.59
>>                 leftnexthop=%defaultroute
>>                 leftsubnet=10.5.5.5/32
>>                 leftsourceip=10.5.5.5
>>                 #
>>                 right=202.2.2.2
>>                 rightsubnet=172.7.7.7/32
>>                 #
>>                 auto=add
>>         -----------------
>>
>>         Regards
>>         Alex
>>
>>
>>         On 12/05/2010 12:19 PM, Hammad wrote:
>>>         Hi,
>>>
>>>         Can somebody help put the pieces of the puzzle together for
>>>         configuring Openswan on EC2?
>>>
>>>         My Elastic IP: 59.59.59.59
>>>         My EC2 instance IP: 10.254.254.254
>>>         My encryption domain (a virtual interface created to cater for
>>>         dynamic IPs on EC2, persistent across instance restarts): 10.5.5.5/32
>>>
>>>         Other end public IP (using Netscreen/Juniper): 202.2.2.2
>>>         Other end encryption domain: 172.7.7.7/32
>>>
>>>         1) How do I fill in the following fields for this connection?
>>>                  left=
>>>                  leftid=
>>>                  leftnexthop=
>>>                  leftsubnet=
>>>                  right=
>>>                  rightnexthop=
>>>                  rightsubnet=
>>>                  rightid=
>>>
>>>
>>>         2) EC2 provides me a firewall web interface; do I need to
>>>         configure iptables in that case, for masquerading etc.?
>>>
>>>         Regards,
>>>         Hammad
>>>
>>>
>>>         _______________________________________________
>>>         Users at openswan.org
>>>         http://lists.openswan.org/mailman/listinfo/users
>>>         Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>>         Building and Integrating Virtual Private Networks with Openswan: 
>>>         http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>           
>>
>>
> 
> 


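The connection summary quoted in the thread ("connection": leftsubnet===left<nexthop>[id]...right<nexthop>[id]===rightsubnet) lists the selectors the kernel uses: only packets whose source address is inside leftsubnet and whose destination is inside rightsubnet are encrypted, and anything else follows the plain routing table. So whether a ping reaches 172.7.7.7 through the tunnel depends on which local address it is sent from, which is what leftsourceip= pins down. The following Python is an added example, not code from the thread or from the Openswan project: it parses a line in that format, reports whether the presented ID differs from the address the kernel sends from (the Elastic IP case, where NAT traversal is needed), and checks a candidate packet against the selectors. The sample line is constructed from the thread's placeholder addresses, and the "ping -I" hint in the output is an assumption about how one would test from the right source address.

```python
"""Check locally generated traffic against an Openswan tunnel's selectors.

Added example (not Openswan code). Parses the one-line connection summary
in the form quoted in the thread:
    "name": leftsubnet===left<nexthop>[id,+flags]...right<nexthop>[id,+flags]===rightsubnet;
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample modelled on the thread's status line (placeholder addresses).
STATUS_LINE = (
    '"connection": 10.5.5.5/32===10.254.254.254<10.254.254.1>'
    '[59.59.59.59,+S=C]...202.2.2.2<202.2.2.2>[+S=C]===172.7.7.7/32;'
)

_CONN_RE = re.compile(
    r'"(?P<name>[^"]+)":\s*'
    r'(?P<lsub>[\d.]+/\d+)===(?P<left>[\d.]+)<(?P<lnh>[\d.]+)>\[(?P<lid>[^\]]*)\]'
    r'\.{3,}'
    r'(?P<right>[\d.]+)<(?P<rnh>[\d.]+)>\[(?P<rid>[^\]]*)\]===(?P<rsub>[\d.]+/\d+)'
)


@dataclass(frozen=True)
class Conn:
    name: str
    left_subnet: ipaddress.IPv4Network
    left: ipaddress.IPv4Address
    left_id: str
    right_subnet: ipaddress.IPv4Network
    right: ipaddress.IPv4Address
    right_id: str


def _parse_id(field: str, addr: str) -> str:
    """The [...] field holds an optional ID followed by flag tokens such as +S=C.
    In the thread's line the right-hand field carries only flags, so an absent
    ID is taken to equal the address (assumption made for this example)."""
    for tok in field.split(','):
        if tok and not tok.startswith('+'):
            return tok
    return addr


def parse_status_line(line: str) -> Conn:
    m = _CONN_RE.search(line)
    if not m:
        raise ValueError(f'unrecognised connection line: {line!r}')
    return Conn(
        name=m['name'],
        left_subnet=ipaddress.IPv4Network(m['lsub']),
        left=ipaddress.IPv4Address(m['left']),
        left_id=_parse_id(m['lid'], m['left']),
        right_subnet=ipaddress.IPv4Network(m['rsub']),
        right=ipaddress.IPv4Address(m['right']),
        right_id=_parse_id(m['rid'], m['right']),
    )


def behind_one_to_one_nat(conn: Conn) -> bool:
    """True when the ID we present is not the address the kernel sends from,
    i.e. the EC2 Elastic IP situation: leftid= must be set by hand and NAT
    traversal (nat_traversal=yes / forceencaps=yes) is required."""
    return conn.left_id != str(conn.left)


def packet_uses_tunnel(conn: Conn, src: str, dst: str) -> bool:
    """The IPsec policy only catches packets inside (leftsubnet, rightsubnet);
    everything else leaves in the clear via the ordinary routing table."""
    return (ipaddress.IPv4Address(src) in conn.left_subnet
            and ipaddress.IPv4Address(dst) in conn.right_subnet)


def explain(conn: Conn, src: str, dst: str) -> str:
    sel = f'{conn.left_subnet}<->{conn.right_subnet}'
    if packet_uses_tunnel(conn, src, dst):
        return f'{src}->{dst} matches {sel}: encrypted'
    return (f'{src}->{dst} is outside {sel}: sent in the clear; send from an '
            f'address inside {conn.left_subnet} (e.g. ping -I '
            f'{conn.left_subnet.network_address} {dst}, or set leftsourceip=)')


if __name__ == '__main__':
    c = parse_status_line(STATUS_LINE)
    print(f'{c.name}: left={c.left} leftid={c.left_id} '
          f'behind 1:1 NAT={behind_one_to_one_nat(c)}')
    for src in ('10.254.254.254', '10.5.5.5'):
        print(explain(c, src, '172.7.7.7'))
```

Run it as a script to see both verdicts: a ping from the instance's primary address 10.254.254.254 never enters the tunnel, while one sourced from 10.5.5.5 does. The same check is worth running against the real `ipsec auto --status` line before blaming the peer or the EC2 security group.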
