[Openswan Users] esp string error: enc_alg not found
Steve Zeng
SteveZ at airg.com
Fri May 21 15:22:46 EDT 2010
Paul,
I reply back because manually creating the tunnel interface actually leads me into a dead corner now.
My current situation is as follows:
My_subnet(192.168.1.0/24) -- my_vpn_gateway -- internet -- amazon_vpn_gateway -- vpc (10.0.0.0/24)
My_vpn_gateway currently has two interfaces:
Public interface: 209.90.164.199
Private interface: 192.168.1.152
amazon_vpn_gateway: (I am not sure how many interfaces but at least one public IP and one tunnel IP available)
public interface: 72.21.109.125
tunnel interface: 169.254.255.1/30
what amazon tells me is:
==========================================================================
The Customer Gateway inside IP address should be configured on your tunnel
interface.
Outside IP Addresses:
- Customer Gateway: : 209.90.164.199
- Amazon VPN Gateway : 72.21.109.125
Inside IP Addresses
- Customer Gateway : 169.254.255.2/30
- Amazon VPN Gateway : 169.254.255.1/30
==========================================================================
So I configure my ipsec.conf as below:
==========================================================================
config setup
    interfaces=%defaultroute
    protostack=netkey
    klipsdebug=none
    plutodebug=none
conn ec2-tunnel-01
    type= tunnel
    authby= secret
    auth= esp
    keyexchange= ike
    ike= aes128-sha1-modp1024
    ikelifetime= 28800s
    pfs= yes
    esp= aes128-sha1
    salifetime= 3600s
    dpdtimeout= 10
    dpddelay= 3
    left= 209.90.164.199
    right= 72.21.109.125
    leftsubnet= 169.254.255.2/30
    rightsubnet= 169.254.255.1/30
    auto= start
==========================================================================
Now two symptoms are observed:
1) if I create a tunnel interface 169.254.255.2, then I can ping amazon's tunnel interface successfully. If I remove the tunnel interface, the ping will fail.
2) if I ping from one machine within my network (192.168.1.0/24) to one instance within Amazon VPC (10.0.0.0/24), it does not get any response.
When I look back at my ipsec.conf, I realize that there are no subnet configs for either 192.168.1.0/24 or 10.0.0.0/24. I suspect that is the cause. So how can I add them in? I tried with
leftsubnets= 169.254.255.2/30, 192.168.1.0/24
rightsubnet= 169.254.255.1/30, 10.0.0.0/24
but it does not seem to be the right syntax:
syntax error, unexpected STRING, expecting EOL [192.168.1.0/24]
thanks for any hints.
Steve
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Steve Zeng
Sent: May 18, 2010 11:22 AM
To: Paul Wouters
Cc: users at openswan.org
Subject: Re: [Openswan Users] esp string error: enc_alg not found
I manually configured the tunnel interface and I now can ping the other peer.
# tunl0 for openswan
DEVICE=tunl0
BOOTPROTO=static
IPADDR=169.254.255.2
NETMASK=255.255.255.252
ONBOOT=yes
Thanks Paul, I appreciate your help.
Steve
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Steve Zeng
Sent: May 18, 2010 10:53 AM
To: Paul Wouters
Cc: users at openswan.org
Subject: Re: [Openswan Users] esp string error: enc_alg not found
It turns out that the problem was the pre-shared key. After re-creating it, I now got one more step further. I see something like "IPsec SA established" and "ISAKMP SA established" when I run "ipsec auto --status".
000 #2: "ec2-tunnel-01":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2098s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "ec2-tunnel-01" esp.91e019af at 72.21.209. esp.c948fbc8 at 209.90.164.199 tun.0 at 72.21.109.125 tun.0 at 209.90.164.199 ref=0 refhim=4294901761
000 #1: "ec2-tunnel-01":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 27682s; newest ISAKMP; lastdpd=2s(seq in:17821 out:0); idle; import:admin initiate
000
> As stated numerous times now. Openswan will NOT GIVE you a tunnel interface.
I understand that openswan will not give me a tunnel interface. I am not sure if I need to create a tunnel interface as below or not. I could give it a try, though.
/etc/sysconfig/network-scripts/ifcfg-tunl0
# tunl0 for IPIP and LVS-TUN
DEVICE=tunl0
BOOTPROTO=static
IPADDR=204.92.101.25
NETMASK=255.255.255.255
ONBOOT=yes
Thanks for your hints, paul.
Steve
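As an added example (not part of this thread and not Openswan's own code): a small Python parser for the "ipsec auto --status" lines quoted above, so a monitoring script can tell whether a connection has both its ISAKMP (phase 1) and IPsec (phase 2) SAs established, and where a negotiation is stuck when it does not. The sample status text is constructed for the example (the "branch-office" connection, its SPIs and timers are made up), and the regular expression assumes the pluto line layout shown in the message: the state name, a parenthesised description, then an EVENT_... timer in seconds.

```python
import re

# Constructed sample, modelled on the "ipsec auto --status" lines quoted in the
# message above; the second connection and all timers are made up for the example.
SAMPLE_STATUS = """\
000 #2: "ec2-tunnel-01":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2098s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "ec2-tunnel-01" esp.91e019af@72.21.109.125 esp.c948fbc8@209.90.164.199 tun.0@72.21.109.125 tun.0@209.90.164.199 ref=0 refhim=4294901761
000 #1: "ec2-tunnel-01":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 27682s; newest ISAKMP; lastdpd=2s(seq in:17821 out:0); idle; import:admin initiate
000 #3: "branch-office":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 10s; nodpd; idle; import:admin initiate
000
"""

# One state line per SA:
#   000 #<sa>: "<conn>":<port> STATE_xxx (<description>); EVENT_xxx in <n>s; ...
# The esp./tun. SPI line and the bare "000" separator do not match and are skipped.
STATE_RE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)":\d+ (?P<state>STATE_\w+) '
    r'\((?P<desc>[^)]*)\); (?P<event>EVENT_\w+) in (?P<secs>\d+)s'
)


def parse_status(text):
    """Map each connection name to its phase-1 / phase-2 state."""
    conns = {}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue
        c = conns.setdefault(m["conn"], {"isakmp": False, "ipsec": False, "pending": []})
        desc = m["desc"]
        secs = int(m["secs"])
        if "ISAKMP SA established" in desc:
            c["isakmp"] = True
            c["isakmp_replace_in"] = secs      # seconds until phase 1 rekeys
        elif "IPsec SA established" in desc:
            c["ipsec"] = True
            c["ipsec_replace_in"] = secs       # seconds until phase 2 rekeys
        else:
            # Still negotiating: keep the state so an operator can see where it stalls
            c["pending"].append((m["state"], desc))
    return conns


def tunnel_up(conns, name):
    """True only when both the ISAKMP (phase 1) and IPsec (phase 2) SAs exist."""
    c = conns.get(name)
    return bool(c and c["isakmp"] and c["ipsec"])


def stalled(conns):
    """Connections with a pending negotiation and no established IPsec SA."""
    return sorted(n for n, c in conns.items() if c["pending"] and not c["ipsec"])


if __name__ == "__main__":
    status = parse_status(SAMPLE_STATUS)
    for name in sorted(status):
        print(name, "UP" if tunnel_up(status, name) else "DOWN", status[name])
```

In practice the text would come from running the command (for example via subprocess) rather than the embedded sample; a phase-1-only result, as in the earlier "enc_alg not found" stage of this thread, shows up as isakmp=True, ipsec=False with the stuck STATE_ name in "pending".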
-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Steve Zeng
Sent: May 18, 2010 10:29 AM
To: Paul Wouters
Cc: users at openswan.org
Subject: Re: [Openswan Users] esp string error: enc_alg not found
Right. I recreated a new preshared key already. Thanks, paul.
Steve
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: May 18, 2010 9:55 AM
To: Steve Zeng
Cc: users at openswan.org
Subject: RE: [Openswan Users] esp string error: enc_alg not found
On Tue, 18 May 2010, Steve Zeng wrote:
> Unfortunately there is nothing I can configure on the amazon side. All I got is the following instruction. So I think there may be something missing on my side, because I did not figure out the tunnel interface part yet, i.e. there is no tunnel interface up. Or maybe I am in a dead corner?
As stated numerous times now. Openswan will NOT GIVE you a tunnel interface.
> - Authentication Method : Pre-Shared Key
> - Pre-Shared Key : jjwzQIHrPjr.ec31DU_ZGvucsE5lVikIZDZcqAkm
Anyone with access to the mailing list can now connect to that machine. I suggest
you immediately contact the remote sysadmin and change the Pre-Shared Key!!
> The Customer Gateway inside IP address should be configured on your tunnel
> interface.
That will require a leftsubnet= option on your end.
Paul
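A defensive helper added here as an example (not from the thread and not part of Openswan): before pasting a vendor instruction sheet or an ipsec.secrets excerpt to a list, run it through a redaction pass so the pre-shared key never leaves the machine. The two line formats it recognises, the "[REDACTED-PSK]" marker and the sample text with its made-up key are all assumptions constructed for the example. Redaction only helps before the fact; a key that has already been posted still has to be replaced, as Paul says.

```python
import re

REDACTED = "[REDACTED-PSK]"
_NOT_REDACTED = r'(?!' + re.escape(REDACTED) + r')'   # never "redact" the marker itself

# Two places a pre-shared key turns up in material people paste to a list:
#  1. vendor instruction sheets:  "- Pre-Shared Key : <value>"   (possibly ">"-quoted)
#  2. ipsec.secrets entries:       '<left> <right> : PSK "<value>"'
PSK_PATTERNS = [
    (re.compile(r'(?im)^(\s*>*\s*-?\s*Pre-Shared Key\s*:\s*)' + _NOT_REDACTED + r'(\S+)'),
     r'\g<1>' + REDACTED),
    (re.compile(r'(?im)^(.*:\s*PSK\s+")' + _NOT_REDACTED + r'([^"]+)(")'),
     r'\g<1>' + REDACTED + r'\g<3>'),
]


def redact_psk(text):
    """Return (redacted_text, number_of_secrets_replaced)."""
    total = 0
    for pattern, repl in PSK_PATTERNS:
        text, n = pattern.subn(repl, text)
        total += n
    return text, total


def safe_to_post(text):
    """True when no pre-shared key in either format is left in the text."""
    return redact_psk(text)[1] == 0


# Constructed sample: a made-up key in both the vendor-sheet and ipsec.secrets formats
SAMPLE_MAIL = """\
> - Authentication Method : Pre-Shared Key
> - Pre-Shared Key : EXAMPLEkeyNOTreal0123
My ipsec.secrets has:
209.90.164.199 72.21.109.125 : PSK "EXAMPLEkeyNOTreal0123"
"""

if __name__ == "__main__":
    cleaned, count = redact_psk(SAMPLE_MAIL)
    print(f"{count} secret(s) redacted, safe_to_post={safe_to_post(cleaned)}")
    print(cleaned)
```

The "Authentication Method : Pre-Shared Key" line is left alone because the patterns anchor on the "Pre-Shared Key :" label followed by a value, not on the phrase itself; the negative lookahead keeps a second pass from counting the marker as a fresh secret, so safe_to_post() can be used as the gate in a pre-send hook.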
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155