[Openswan Users] Can't get tunnel up from EC2
Ernest Mueller
Ernest.Mueller at ni.com
Thu May 20 14:08:29 EDT 2010
Ah, hate to reply to myself but initial problem solved; we got ESP
negotiated right and then after probing our network admin for a while he
admitted the router on his side was NATted, so I added a rightid for its
real IP and the tunnel came up.
A followup question, though - I can't ping yet, I'm having trouble figuring
our how to route now that I have the tunnel up... It's netkey so I can't
just add a route to ipsec0, and having the NAT on both sides leaves me
unsure how to set it up.
So if someone has a moment to humor me -
On the left, I have a 10. network.
Box 1 is privately 10.254.110.A, publically IP 184.73.168.B.
Netkey tunnel up.
Box 2 is publically 130.164.26.C, privately 130.164.0.D
And my conf is
conn ni
type= tunnel
authby= secret
left= 10.254.110.A
leftid= 184.73.168.B
leftnexthop= %defaultroute
leftsubnet= 10.254.0.0/32
right= 130.164.26.C
rightid= 130.164.0.D
rightnexthop= %defaultroute
rightsubnet= 130.164.0.0/18
keyexchange= ike
pfs= no
auto= start
keyingtries= 3
disablearrivalcheck=no
ikelifetime= 240m
auth= esp
compress= no
keylife= 60m
forceencaps= yes
esp= 3des-md5
What do I need to do route and/or iptable wise for a) my box and b) the
rest of my 10. to get over to the 130.164? I messed with adding a route
through eth0 using 10.254.110.A as the gateway (130.164.0.0/18 via
10.254.110.A dev eth0) but that doesn't work... I am not sure how the
netkey magic works, and most of the docs I can find assume KLIPS. Some of
the openswan docs and posts I see indicate that I might need to do some
iptables work but none of them really say much about what.
Tips welcome!
Thanks,
Ernest
______________________
UN-altered REPRODUCTION and DISSEMINATION of
this IMPORTANT information is ENCOURAGED.
From: Ernest Mueller <Ernest.Mueller at ni.com>
To: users at openswan.org
Date: 05/20/2010 10:43 AM
Subject: [Openswan Users] Can't get tunnel up from EC2
Sent by: users-bounces at openswan.org
Hi! I'm trying to set up a VPN tunnel between a system running in Amazon
EC2 and our shop. But I'm having a heck of a time getting it to work, so I
thought I'd ask to see if anyone has it working - I've followed the various
tips I've seen out there but no luck so far. I'm new to openswan, but
think I get the gist of it...
EC2 side - a Fedora 12 box with the newest OpenSWAN, 2.6.25, using netkey
(can't use KLIPS in EC2, no control over kernels).
Enterprise side - Cisco IOS. Our network guy tried a 2650 and a PIX both.
/etc/ipsec.conf:
config setup
protostack=netkey
nat_traversal=yes
virtual_private=
oe=off
include /etc/ipsec.d/*.conf
/etc/ipsec.d/ni.conf:
conn ni
type= tunnel
authby= secret
left= 10.254.X.X - my EC2 instance's private IP
leftid= 184.73.X.X - my EC2 instance's public elastic IP
leftnexthop= %defaultroute
leftsubnet= 10.254.0.0/32
right= 130.164.X.X - my enterprise cisco public IP
rightnexthop= %defaultroute
rightsubnet= 130.164.0.0/18
keyexchange= ike
pfs= no
auto= start
keyingtries= 3
disablearrivalcheck=no
ikelifetime= 240m
auth= esp
compress= no
keylife= 60m
my .secrets file:
184.73.X.X 10.254.X.X 130.164.X.X : PSK "ASharedKeyYouDontNeedToKnow"
In my EC2 security group (essentially its network firewall) I've opened
port udp 500 and udp 4500 for that 130.164 host.
ipsec verify shows everything is good. When I try to bring up the
connection, I get this:
ipsec auto --status
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 10.254.X.X
000 interface eth0/eth0 10.254.X.X
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo
+controlmore+pfkey+nattraversal+x509
000
000 virtual_private (%priv):
000 - allowed 0 subnets:
000 - disallowed 0 subnets:
000 WARNING: Either virtual_private= was not specified, or there was a
syntax
000 error in that line. 'left/rightsubnet=%priv' will not work!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192,
keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40,
keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0,
keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128,
keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0,
keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8,
keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16,
keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH,
blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans=
{0,0,0} attrs={0,0,0}
000
000 "ni": 10.254.0.0/32===10.254.X.X<10.254.X.X>
[184.73.X.X,+S=C]---10.254.X.X...10.254.X.1---130.164.X.X<130.164.X.X>
[+S=C]===130.164.0.0/18; prospective erouted; eroute owner: #0
000 "ni": myip=unset; hisip=unset;
000 "ni": ike_life: 14400s; ipsec_life: 3600s; rekey_margin: 540s;
rekey_fuzz: 100%; keyingtries: 3
000 "ni": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+lKOD+rKOD; prio:
32,18; interface: eth0;
000 "ni": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #1: "ni":500 STATE_MAIN_I3 (sent MI3, expecting MR3); none in -1s;
lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #1: pending Phase 2 for "ni" replacing #0
000
In /var/log/messages:
May 20 10:43:32 domU-12-31-39-00-69-44 ipsec_setup: Stopping Openswan
IPsec...
May 20 10:43:33 domU-12-31-39-00-69-44 kernel: NET: Unregistered protocol
family 15
May 20 10:43:33 domU-12-31-39-00-69-44 ipsec_setup: ...Openswan IPsec
stopped
May 20 10:43:35 domU-12-31-39-00-69-44 kernel: NET: Registered protocol
family 15
May 20 10:43:35 domU-12-31-39-00-69-44 ipsec_setup: Using NETKEY(XFRM)
stack
May 20 10:43:35 domU-12-31-39-00-69-44 ipsec_setup: Starting Openswan IPsec
U2.6.25/K2.6.21.7-2.fc8xen...
May 20 10:43:36 domU-12-31-39-00-69-44
ipsec_setup: /usr/libexec/ipsec/addconn Not able to
open /proc/sys/crypto/fips_enabled, returning non-fips mode
May 20 10:43:36 domU-12-31-39-00-69-44 ipsec_setup: ...Openswan IPsec
started
May 20 10:43:36 domU-12-31-39-00-69-44 pluto: adjusting ipsec.d
to /etc/ipsec.d
May 20 10:43:36 domU-12-31-39-00-69-44 ipsec__plutorun: adjusting ipsec.d
to /etc/ipsec.d
May 20 10:43:36 domU-12-31-39-00-69-44
ipsec__plutorun: /usr/libexec/ipsec/addconn Not able to
open /proc/sys/crypto/fips_enabled, returning non-fips mode
May 20 10:43:36 domU-12-31-39-00-69-44
ipsec__plutorun: /usr/libexec/ipsec/addconn Not able to
open /proc/sys/crypto/fips_enabled, returning non-fips mode
May 20 10:43:36 domU-12-31-39-00-69-44
ipsec__plutorun: /usr/libexec/ipsec/addconn Not able to
open /proc/sys/crypto/fips_enabled, returning non-fips mode
May 20 10:43:36 domU-12-31-39-00-69-44 ipsec__plutorun: 002 added
connection description "ni"
May 20 10:43:36 domU-12-31-39-00-69-44 ipsec__plutorun: 003 NAT-Traversal:
Trying new style NAT-T
May 20 10:43:36 domU-12-31-39-00-69-44 ipsec__plutorun: 003 NAT-Traversal:
ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
May 20 10:43:36 domU-12-31-39-00-69-44 ipsec__plutorun: 003 NAT-Traversal:
Trying old style NAT-T
May 20 10:43:37 domU-12-31-39-00-69-44 ipsec__plutorun: 104 "ni" #1:
STATE_MAIN_I1: initiate
and that's it. Not getting very far, sadly. Does anyone have suggestions
of what I'm doing wrong?
Thanks,
Ernest
______________________
UN-altered REPRODUCTION and DISSEMINATION of
this IMPORTANT information is ENCOURAGED.
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
More information about the Users
mailing list