[Openswan Users] Net to Net in the Amazon Cloud

Murty, Sudarshan sudarshan_murty at standardandpoors.com
Thu Aug 25 10:59:01 EDT 2011

Thanks again Paul.
Tried ping & ssh - no luck yet ;-(
[root at ip-10-169-1-14 ~]# /usr/local/sbin/ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.35/K2.6.21.7-2.fc8xen (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]

  Please enable /proc/sys/net/core/xfrm_larval_drop
  or NETKEY will cause non-POSIX compliant long time-outs

Testing against enforced SElinux mode                           [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
[root at ip-10-169-1-14 ~]# cd /proc/sys/net/core/
[root at ip-10-169-1-14 core]# ls xf*
xfrm_aevent_etime  xfrm_aevent_rseqth         -- I don't have xfrm_larval_drop
[root at ip-10-169-1-14 ~]# uname -a
Linux ip-10-169-1-14 #1 SMP Fri Feb 15 12:34:28 EST 2008 x86_64 x86_64 x86_64 GNU/Linux
[root at ip-10-169-1-14 ~]# cat /etc/redhat-release
CentOS release 5.4 (Final)

As re: linux firewalls: (all machines)
[root at ip-10-169-1-14 ~]# iptables -list    (I assume this lists the rules)
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root at ip-10-169-1-14 ~]#

As re: Amazon VPC firewalls:
On the Amazon instances, I have used only Security Groups, No Network ACLS.
ALL Security Groups are FULLY OPEN for ALL inbound and outbound traffic.

Does the ipsec verify look ok - especially the FAILED message?

Do I need to specify any iptables rules?

Thanks again for all the help.
Has anyone else done what I am attempting?


-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Thursday, August 25, 2011 10:03 AM
To: Murty, Sudarshan
Cc: users at openswan.org
Subject: RE: [Openswan Users] Net to Net in the Amazon Cloud

On Wed, 24 Aug 2011, Murty, Sudarshan wrote:

> I did all that you said below and also turned on nat_traversal=yes in the config section.

> When I start up ipsec it looks like this. Does it look ok?

> 004 "cld-to-cld" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xa489360c <0x2edaf4dc xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=
> DPD=none}

Yes. looks good.

> But I still can’t tracert from a host in the left subnet to the right subnet

Don't use traceroute, but ping. If that fails too, check firewall rules and
run "ipsec verify".
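An added example, not from this thread or from Openswan: a small Python checker that parses `iptables -L -n` output and reports which of the flows the `ipsec verify` output above depends on (IKE on udp/500, NAT-T on udp/4500, ESP into INPUT, and tunnelled traffic through FORWARD) the host's chains would not accept. `LOCKED_LISTING` is a constructed listing; the check only looks at protocol and destination port and ignores source/destination and other match modules.

```python
import re

# Flows a NETKEY/Openswan tunnel needs, per the ipsec verify output above:
# IKE on udp/500, NAT-T on udp/4500, ESP into INPUT, tunnelled traffic via FORWARD.
REQUIRED_FLOWS = [("INPUT", "udp", "500"), ("INPUT", "udp", "4500"),
                  ("INPUT", "esp", None), ("FORWARD", "all", None)]

# Constructed sample: a locked-down host that allows IKE but drops NAT-T and ESP.
LOCKED_LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:500
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:4500

Chain FORWARD (policy DROP)
target     prot opt source               destination
"""

def parse_listing(text):
    """Parse `iptables -L -n` output into {chain: (policy, [(target, proto, matches)])}."""
    chains, current = {}, None
    for line in text.splitlines():
        head = re.match(r"Chain (\S+) \(policy (\w+)", line)
        if head:
            current = head.group(1)
            chains[current] = (head.group(2), [])
        elif current and line.strip() and not line.startswith("target"):
            parts = line.split(None, 5)  # target prot opt source destination [matches]
            chains[current][1].append((parts[0], parts[1], parts[5] if len(parts) > 5 else ""))
    return chains

def first_verdict(chains, chain, proto, port):
    """First terminating target whose protocol/dpt: match the flow, else the chain policy.
    Source, destination and other match modules are ignored (an approximation)."""
    policy, rules = chains[chain]
    for target, rproto, extra in rules:
        dpt = re.search(r"dpt:(\d+)", extra)
        if rproto not in ("all", proto) or (dpt and dpt.group(1) != port):
            continue  # different protocol, or a port-specific rule for another port
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
    return policy

def tunnel_blockers(text):
    """[(chain, proto, port, verdict)] for required flows the listing would not accept."""
    chains = parse_listing(text)
    verdicts = [(c, p, d, first_verdict(chains, c, p, d)) for c, p, d in REQUIRED_FLOWS if c in chains]
    return [v for v in verdicts if v[3] != "ACCEPT"]
```

Fed the empty ACCEPT-policy chains shown earlier in the thread it returns an empty list, i.e. no iptables rule stands in the way of the tunnel on that host.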

