[Openswan Users] Net to Net in the Amazon Cloud
Murty, Sudarshan
sudarshan_murty at standardandpoors.com
Tue Aug 23 17:28:37 EDT 2011
Hi All,
I am a noob with OpenSwan.
I am trying to set up a VPN tunnel between a subnet in Amazon VPC (EU)
and a subnet in Amazon VPC (Singapore). So basically a peer to peer,
OpenSwan to OpenSwan VPN connection. No Hardware VPNs involved.
The VPN tunnel gets set up ok but there seems to be a routing problem.
I can't tracert from a host on the subnet on the left to a host on the
subnet on the right.
It is unable to get out of the host on the left ;-(
I built the 2.6.35 from src and followed the instructions on the
OpenSwan web site.
The tunnel comes up fine as follows:
--------------------------------------------
[root at ip-10-169-1-14 default]# service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec U2.6.35/K2.6.21.7-2.fc8xen...
--------------------------------------------
[root at ip-10-169-1-14 default]# ipsec auto --up cld-to-cld
104 "cld-to-cld" #1: STATE_MAIN_I1: initiate
003 "cld-to-cld" #1: received Vendor ID payload [Openswan (this version)
2.6.35 ]
003 "cld-to-cld" #1: received Vendor ID payload [Dead Peer Detection]
106 "cld-to-cld" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "cld-to-cld" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "cld-to-cld" #1: received Vendor ID payload [CAN-IKEv2]
004 "cld-to-cld" #1: STATE_MAIN_I4: ISAKMP SA established
{auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
117 "cld-to-cld" #2: STATE_QUICK_I1: initiate
004 "cld-to-cld" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
tunnel mode {ESP=>0xdfd9ad7e <0x9a8c9720 xfrm=AES_128-HMAC_SHA1
NATOA=none NATD=none DPD=none}
--------------------------------------------
My /etc/ipsec.conf:
config setup
(Same as what came with the install, except I set
protostack=netkey and nat_traversal=no)
My left side VPN Server:
conn cld-to-cld
    left=10.169.1.14             -- VPC private IP, but this host also has an Elastic IP
    leftsubnet=10.169.1.16/28
    leftid=@eu.mhf.com
    leftrsasigkey=my-left-secret-key
    leftnexthop=%defaultroute
    right=46.51.216.14           -- Elastic IP of the right VPN server
    rightsubnet=10.169.2.16/28
    rightid=@sgp.mhf.com
    rightrsasigkey=my-right-secret-key
    rightnexthop=%defaultroute
    auto=add
--------------------------------------------
My right side Server:
conn cld-to-cld
    left=46.51.196.62
    leftsubnet=10.169.1.16/28
    leftid=@eu.mhf.com
    leftrsasigkey=my-left-secret-key
    leftnexthop=%defaultroute
    right=10.169.2.14
    rightsubnet=10.169.2.16/28
    rightid=@sgp.mhf.com
    rightrsasigkey=my-right-secret-key
    rightnexthop=%defaultroute
    auto=add
--------------------------------------------
Any guidance is really appreciated.
regards
- sudarshan
MHF Architecture
There are only 10 types of people in the world - Those who understand
binary, and those who don't.
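The two conn blocks quoted in the mail are meant to describe the same connection from both ends, so a cheap first check before digging into routing is to diff them mechanically. The script below is an added example for readers of the thread; it is not part of the original post and not Openswan's own tooling. The two configs are copied from the mail with the inline remarks removed and embedded as constructed strings, and the parser is a minimal key=value reader rather than Openswan's. It reports parameters that differ between the two peers and gateway addresses that fall outside their own protected subnet (a gateway outside its subnet is legitimate, but traffic the gateway itself originates, such as a ping run on the VPN host, then does not match the tunnel policy unless leftsourceip/rightsourceip is set).

```python
"""Consistency checks for a pair of Openswan net-to-net conn blocks.

Added example: the configs below are constructed from the mailing-list
post, and parse_conn() is a deliberately small key=value reader, not
Openswan's own config parser.
"""
import ipaddress
import re

# Constructed sample: the "left side VPN server" conn from the post.
LEFT_SIDE_CONF = """\
conn cld-to-cld
    left=10.169.1.14
    leftsubnet=10.169.1.16/28
    leftid=@eu.mhf.com
    leftrsasigkey=my-left-secret-key
    leftnexthop=%defaultroute
    right=46.51.216.14
    rightsubnet=10.169.2.16/28
    rightid=@sgp.mhf.com
    rightrsasigkey=my-right-secret-key
    rightnexthop=%defaultroute
    auto=add
"""

# Constructed sample: the "right side server" conn from the post.
RIGHT_SIDE_CONF = """\
conn cld-to-cld
    left=46.51.196.62
    leftsubnet=10.169.1.16/28
    leftid=@eu.mhf.com
    leftrsasigkey=my-left-secret-key
    leftnexthop=%defaultroute
    right=10.169.2.14
    rightsubnet=10.169.2.16/28
    rightid=@sgp.mhf.com
    rightrsasigkey=my-right-secret-key
    rightnexthop=%defaultroute
    auto=add
"""

# Parameters that must read identically on both peers of a net-to-net conn.
MIRRORED = ("left", "leftsubnet", "leftid", "leftrsasigkey",
            "right", "rightsubnet", "rightid", "rightrsasigkey")


def parse_conn(text):
    """Return {conn_name: {key: value}} for every 'conn' block in text.

    Only 'conn NAME' headers and indented key=value lines are understood;
    '#' comments are stripped. Good enough for a consistency diff.
    """
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"conn\s+(\S+)$", line)
        if header:
            current = conns.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def compare_peers(conf_a, conf_b, name):
    """Return {key: (value_on_a, value_on_b)} for mirrored keys that differ."""
    a, b = parse_conn(conf_a)[name], parse_conn(conf_b)[name]
    return {k: (a.get(k), b.get(k)) for k in MIRRORED if a.get(k) != b.get(k)}


def check_addressing(conn):
    """Check one conn's subnets and gateway addresses.

    Returns {"overlap": bool, "outside": [(side, address, subnet), ...]} where
    'outside' lists gateway addresses not contained in their own subnet.
    """
    left_net = ipaddress.ip_network(conn["leftsubnet"], strict=False)
    right_net = ipaddress.ip_network(conn["rightsubnet"], strict=False)
    outside = []
    for side, net in (("left", left_net), ("right", right_net)):
        addr = conn[side]
        if addr.startswith("%"):            # %defaultroute, %any: nothing to test
            continue
        if ipaddress.ip_address(addr) not in net:
            outside.append((side, addr, str(net)))
    return {"overlap": left_net.overlaps(right_net), "outside": outside}


if __name__ == "__main__":
    for key, (va, vb) in compare_peers(LEFT_SIDE_CONF, RIGHT_SIDE_CONF, "cld-to-cld").items():
        print(f"differs between peers: {key}: left-side file={va!r} right-side file={vb!r}")
    for label, conf in (("left-side file", LEFT_SIDE_CONF), ("right-side file", RIGHT_SIDE_CONF)):
        result = check_addressing(parse_conn(conf)["cld-to-cld"])
        if result["overlap"]:
            print(f"{label}: leftsubnet and rightsubnet overlap")
        for side, addr, net in result["outside"]:
            print(f"{label}: {side}={addr} is outside {side}subnet={net}; "
                  f"traffic originated by that gateway needs {side}sourceip to use the tunnel")
```

Run as-is it reports that `left` and `right` differ between the two files (private VPC address on one side, Elastic IP on the other) and that each gateway sits outside its /28, which is a useful thing to know before testing the tunnel from the VPN hosts themselves rather than from hosts inside the protected subnets.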