[Openswan Users] Net to Net in the Amazon Cloud

Murty, Sudarshan sudarshan_murty at standardandpoors.com
Wed Aug 24 17:17:04 EDT 2011


Thanks Paul.

I did all that you said below and also turned on nat_traversal=yes in
the config section.

When I start up ipsec it looks like this. Does it look ok?

[root at ip-10-169-1-14 ~]# ipsec auto --up cld-to-cld

104 "cld-to-cld" #1: STATE_MAIN_I1: initiate
003 "cld-to-cld" #1: received Vendor ID payload [Openswan (this version) 2.6.35 ]
003 "cld-to-cld" #1: received Vendor ID payload [Dead Peer Detection]
003 "cld-to-cld" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "cld-to-cld" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "cld-to-cld" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
108 "cld-to-cld" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "cld-to-cld" #1: received Vendor ID payload [CAN-IKEv2]
004 "cld-to-cld" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
117 "cld-to-cld" #2: STATE_QUICK_I1: initiate
004 "cld-to-cld" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xa489360c <0x2edaf4dc xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=46.51.216.14:4500 DPD=none}

--------------------------------------

But I still can't tracert from a host in the left subnet to the right
subnet.

10.169.1.14 - VPN Server on left  (subnet 10.169.1.0/28)
10.169.2.14 - VPN Server on right (subnet 10.169.2.0/28)

10.169.1.20 - host in left subnet  (subnet 10.169.1.16/28)
10.169.2.20 - host in right subnet (subnet 10.169.2.16/28)

[root at ip-10-169-1-20 ~]# tracert 10.169.2.20

traceroute to 10.169.2.20 (10.169.2.20), 30 hops max, 40 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *

--------------------------------------

My routing table in the Amazon VPC on left (10.169.1.0/26) looks like
this (right is similar):

Destination        Target
--------------------------
10.169.2.0/26      instance running the VPN Server (Amazon labels this as a NAT - link below)
10.169.1.0/26      local
0.0.0.0/0          Internet GW

Amazon NAT instance:
http://docs.amazonwebservices.com/AmazonVPC/latest/UserGuide/
Click on left: Routing in Your VPC -> NAT Instances

--------------------------------------

[root at ip-10-169-1-14 ~]# netstat -rn   (VPN GW on left)

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.169.1.0      0.0.0.0         255.255.255.240 U         0 0          0 eth0
0.0.0.0         10.169.1.1      0.0.0.0         UG        0 0          0 eth0

--------------------------------------

[root at ip-10-169-1-20 ~]# netstat -rn    (host in left subnet)

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.169.1.16     0.0.0.0         255.255.255.240 U         0 0          0 eth0
0.0.0.0         10.169.1.17     0.0.0.0         UG        0 0          0 eth0

--------------------------------------

Any other hunches/hints/suggestions you can give me?

Appreciate the help.

Regards
Sudarshan

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: Wednesday, August 24, 2011 11:22 AM
To: Murty, Sudarshan
Cc: users at openswan.org
Subject: Re: [Openswan Users] Net to Net in the Amazon Cloud

On Tue, 23 Aug 2011, Murty, Sudarshan wrote:

> I am trying to set up a VPN tunnel between a subnet in Amazon VPC (EU)
> and a subnet in Amazon VPC (Singapore). So basically a peer to
> peer, OpenSwan to OpenSwan VPN connection. No Hardware VPNs involved.

> 004 "cld-to-cld" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
> tunnel mode {ESP=>0xdfd9ad7e <0x9a8c9720 xfrm=AES_128-HMAC_SHA1
> NATOA=none NATD=none DPD=none}

That shows "no nat" which is kinda strange, as Amazon does a weird 1:1
NAT mapping.

Note that they don't route ESP packets, so you must encapsulate it in
UDP 4500 with:

       forceencaps=yes

>     left=10.169.1.14                       -- VPC private IP but this
>     host also has an Elastic IP

Use left=%defaultroute to support getting different IPs.

Paul
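A small diagnostic script added here as an example for this thread (it is not code from the original post or from Openswan): it parses the two "IPsec SA established" lines quoted above to confirm whether ESP is UDP-encapsulated (ESP/NAT with a NAT-D peer, as in the output after nat_traversal/forceencaps were enabled, versus plain ESP in the earlier output), and then checks whether the host-to-host flow 10.169.1.20 -> 10.169.2.20 falls inside the tunnel's traffic selectors. The leftsubnet/rightsubnet values are assumptions, since the thread does not show the conn definition.

```python
"""Diagnose an Openswan net-to-net tunnel from 'ipsec auto --up' output.

Added example for this thread, not code from the original post or from
Openswan. The SA lines are copied from the thread; the leftsubnet and
rightsubnet values are assumptions for illustration.
"""
import ipaddress
import re

# The two "IPsec SA established" lines from the thread: before and after
# nat_traversal=yes / forceencaps=yes were enabled.
SA_BEFORE = ('004 "cld-to-cld" #2: STATE_QUICK_I2: sent QI2, IPsec SA established '
             'tunnel mode {ESP=>0xdfd9ad7e <0x9a8c9720 xfrm=AES_128-HMAC_SHA1 '
             'NATOA=none NATD=none DPD=none}')
SA_AFTER = ('004 "cld-to-cld" #2: STATE_QUICK_I2: sent QI2, IPsec SA established '
            'tunnel mode {ESP/NAT=>0xa489360c <0x2edaf4dc xfrm=AES_128-HMAC_SHA1 '
            'NATOA=none NATD=46.51.216.14:4500 DPD=none}')

# "ESP/NAT=>" means ESP is wrapped in UDP 4500; "ESP=>" means raw ESP,
# which the thread says Amazon does not route.
SA_RE = re.compile(r'IPsec SA established tunnel mode \{(ESP(?:/NAT)?)=>.*?NATD=(\S+)')


def parse_sa(line):
    """Return (udp_encapsulated, natd_peer) for an SA line, or None."""
    m = SA_RE.search(line)
    if not m:
        return None
    proto, natd = m.groups()
    return proto == 'ESP/NAT', None if natd == 'none' else natd


def sa_traverses_nat(line):
    """True only when ESP is UDP-encapsulated and a NAT-D peer is recorded."""
    parsed = parse_sa(line)
    return parsed is not None and parsed[0] and parsed[1] is not None


def covered_by_tunnel(src, dst, leftsubnet, rightsubnet):
    """Does src -> dst fall inside the tunnel's traffic selectors?"""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(leftsubnet)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rightsubnet))


if __name__ == '__main__':
    for label, line in (('before', SA_BEFORE), ('after', SA_AFTER)):
        print(label, parse_sa(line), sa_traverses_nat(line))
    # Hosts from the thread: 10.169.1.20 (left) -> 10.169.2.20 (right).
    # Assumed selectors: the gateways' own /28s vs the whole VPC /26s.
    print(covered_by_tunnel('10.169.1.20', '10.169.2.20', '10.169.1.0/28', '10.169.2.0/28'))
    print(covered_by_tunnel('10.169.1.20', '10.169.2.20', '10.169.1.0/26', '10.169.2.0/26'))
```

If the selectors only cover the gateways' own /28s, traffic from 10.169.1.16/28 never matches the tunnel policy even though the SA itself is up, which is worth ruling out before looking further at the VPC route tables.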
 