[Openswan Users] Amazon EC2 , Openswan , L2TP/IPSec

Troy X troyx77 at hotmail.com
Sun Feb 27 11:27:23 EST 2011




Hi,
I'm trying to set up an Openswan VPN server on Amazon EC2 using L2TP/IPsec with a PSK, to connect from Microsoft Windows-based laptops. Unfortunately I'm not a Linux expert; I'm just trying to configure it by reading the available documents. I receive a "VPN server is not responding" message about 20 seconds after I initiate the connection from my laptop.
Here are the components I have installed so far:
	Amazon Linux version 2.6.34.7-56.40.amzn1.x86_64 on EC2
	Linux Openswan U2.6.27
	xl2tpd version xl2tpd-1.2.8
	In addition I modified the Amazon security group settings to allow the required UDP traffic.

I believe there is something wrong with my configuration since I'm a newbie. Probably I misconfigured it or skipped some necessary steps.
Thank you in advance for your help and comments,
Troy

========================================
====    Configurations                ====
========================================

cat /etc/ipsec.conf
--------------------------------------
version 2.0

config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:192.168.2.0/24,%v4:!192.168.1.0/24
        oe=off
        nhelpers=0
        interfaces=%defaultroute

conn tons
        auto=add
        left=##EC2_IP##
        leftid=##EC2_ELASTIC_IP##
        leftsubnet=##EC2_IP##/32
        leftnexthop=%defaultroute
        leftprotoport=17/1701
        rightprotoport=17/%any
        right=%any
        rightsubnet=vhost:%priv,%no
        forceencaps=yes
        authby=secret
        pfs=no

cat /etc/ipsec.secrets
---------------------------------------
##EC2_ELASTIC_IP## %any: PSK "MYPSKKEY"

cat /etc/xl2tpd/xl2tpd.conf
---------------------------------------
[global]

[lns default]
ip range = 192.168.2.2-192.168.2.254
local ip = 192.168.2.1
require chap = yes
refuse pap = yes
require authentication = yes
name = openSwanVPNserver
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

cat /etc/ppp/options.xl2tpd
---------------------------------------
ipcp-accept-local
ipcp-accept-remote
noccp
auth
crtscts
idle 1800
mtu 1410
mru 1410
defaultroute
debug
lock
proxyarp
connect-delay 5000

cat /etc/ppp/chap-secrets
---------------------------------------
# client        server  secret                  IP addresses
myusername      *       "mypassword"            192.168.2.3/25



========================================
====    Command Outputs               ====
========================================


/etc/init.d/ipsec start
======================================
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
ipsec_setup: Starting Openswan IPsec U2.6.27/K2.6.34.7-56.40.amzn1.x86_64...
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled

/etc/init.d/xl2tpd start
======================================
Starting xl2tpd:                                           [  OK  ]

ipsec verify
======================================
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.27/K2.6.34.7-56.40.amzn1.x86_64 (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
Pluto listening for IKE on udp 500                              [OK]
Pluto listening for NAT-T on udp 4500                           [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]


cat /var/log/messages
---------------------------------------
Feb 27 15:38:24 domU-XXXXX xl2tpd[5509]: setsockopt recvref[22]: Protocol not available
Feb 27 15:38:24 domU-XXXXX xl2tpd[5509]: This binary does not support kernel L2TP.
Feb 27 15:38:24 domU-XXXXX xl2tpd[5510]: xl2tpd version xl2tpd-1.2.8 started on domU-XXXXX PID:5510
Feb 27 15:38:24 domU-XXXXX xl2tpd[5510]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Feb 27 15:38:24 domU-XXXXX xl2tpd[5510]: Forked by Scott Balmos and David Stipp, (C) 2001
Feb 27 15:38:24 domU-XXXXX xl2tpd[5510]: Inherited by Jeff McAdams, (C) 2002
Feb 27 15:38:24 domU-XXXXX xl2tpd[5510]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Feb 27 15:38:24 domU-XXXXX xl2tpd[5510]: Listening on IP address 0.0.0.0, port 1701
Feb 27 15:38:29 domU-XXXXX klogd: [83853.424654] NET: Registered protocol family 15
Feb 27 15:38:29 domU-XXXXX ipsec_setup: Starting Openswan IPsec U2.6.27/K2.6.34.7-56.40.amzn1.x86_64...
Feb 27 15:38:29 domU-XXXXX ipsec_setup: Using NETKEY(XFRM) stack
Feb 27 15:38:29 domU-XXXXX klogd: [83853.526662] Initializing XFRM netlink socket
Feb 27 15:38:30 domU-XXXXX klogd: [83853.548747] Intel AES-NI instructions are not detected.
Feb 27 15:38:30 domU-XXXXX ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
Feb 27 15:38:30 domU-XXXXX ipsec_setup: ...Openswan IPsec started
Feb 27 15:38:30 domU-XXXXX ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Feb 27 15:38:30 domU-XXXXX pluto: adjusting ipsec.d to /etc/ipsec.d
Feb 27 15:38:30 domU-XXXXX ipsec__plutorun: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
Feb 27 15:38:30 domU-XXXXX last message repeated 2 times
Feb 27 15:38:30 domU-XXXXX ipsec__plutorun: 002 added connection description "tons"
Feb 27 15:38:30 domU-XXXXX ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T
Feb 27 15:38:30 domU-XXXXX ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Feb 27 15:38:30 domU-XXXXX ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T


cat /var/log/secure
---------------------------------------
Feb 27 15:38:30 domU-XXXXX ipsec__plutorun: Starting Pluto subsystem...
Feb 27 15:38:30 domU-XXXXX pluto[5598]: nss directory plutomain: /etc/ipsec.d
Feb 27 15:38:30 domU-XXXXX pluto[5598]: NSS Initialized
Feb 27 15:38:30 domU-XXXXX pluto[5598]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Feb 27 15:38:30 domU-XXXXX pluto[5598]: Starting Pluto (Openswan Version 2.6.27; Vendor ID OEnTNwILvV~\134) pid:5598
Feb 27 15:38:30 domU-XXXXX pluto[5598]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Feb 27 15:38:30 domU-XXXXX pluto[5598]: Setting NAT-Traversal port-4500 floating to on
Feb 27 15:38:30 domU-XXXXX pluto[5598]:    port floating activation criteria nat_t=1/port_float=1
Feb 27 15:38:30 domU-XXXXX pluto[5598]:    NAT-Traversal support  [enabled]
Feb 27 15:38:30 domU-XXXXX pluto[5598]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Feb 27 15:38:30 domU-XXXXX pluto[5598]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Feb 27 15:38:30 domU-XXXXX pluto[5598]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Feb 27 15:38:30 domU-XXXXX pluto[5598]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Feb 27 15:38:30 domU-XXXXX pluto[5598]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Feb 27 15:38:30 domU-XXXXX pluto[5598]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Feb 27 15:38:30 domU-XXXXX pluto[5598]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Feb 27 15:38:30 domU-XXXXX pluto[5598]: no helpers will be started, all cryptographic operations will be done inline
Feb 27 15:38:30 domU-XXXXX pluto[5598]: Using Linux 2.6 IPsec interface code on 2.6.34.7-56.40.amzn1.x86_64 (experimental code)
Feb 27 15:38:30 domU-XXXXX pluto[5598]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Feb 27 15:38:30 domU-XXXXX pluto[5598]: ike_alg_add(): ERROR: Algorithm already exists
Feb 27 15:38:30 domU-XXXXX pluto[5598]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Feb 27 15:38:30 domU-XXXXX pluto[5598]: ike_alg_add(): ERROR: Algorithm already exists
Feb 27 15:38:30 domU-XXXXX pluto[5598]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Feb 27 15:38:30 domU-XXXXX pluto[5598]: ike_alg_add(): ERROR: Algorithm already exists
Feb 27 15:38:30 domU-XXXXX pluto[5598]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Feb 27 15:38:30 domU-XXXXX pluto[5598]: ike_alg_add(): ERROR: Algorithm already exists
Feb 27 15:38:30 domU-XXXXX pluto[5598]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Feb 27 15:38:30 domU-XXXXX pluto[5598]: ike_alg_add(): ERROR: Algorithm already exists
Feb 27 15:38:30 domU-XXXXX pluto[5598]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Feb 27 15:38:30 domU-XXXXX pluto[5598]: Changed path to directory '/etc/ipsec.d/cacerts'
Feb 27 15:38:30 domU-XXXXX pluto[5598]: Changed path to directory '/etc/ipsec.d/aacerts'
Feb 27 15:38:30 domU-XXXXX pluto[5598]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Feb 27 15:38:30 domU-XXXXX pluto[5598]: Changing to directory '/etc/ipsec.d/crls'
Feb 27 15:38:30 domU-XXXXX pluto[5598]:   Warning: empty directory
Feb 27 15:38:30 domU-XXXXX pluto[5598]: added connection description "tons"
Feb 27 15:38:30 domU-XXXXX pluto[5598]: listening for IKE messages
Feb 27 15:38:30 domU-XXXXX pluto[5598]: NAT-Traversal: Trying new style NAT-T
Feb 27 15:38:30 domU-XXXXX pluto[5598]: NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
Feb 27 15:38:30 domU-XXXXX pluto[5598]: NAT-Traversal: Trying old style NAT-T
Feb 27 15:38:30 domU-XXXXX pluto[5598]: adding interface eth0/eth0 ##EC2_IP##:500
Feb 27 15:38:30 domU-XXXXX pluto[5598]: adding interface eth0/eth0 ##EC2_IP##:4500
Feb 27 15:38:30 domU-XXXXX pluto[5598]: adding interface lo/lo 127.0.0.1:500
Feb 27 15:38:30 domU-XXXXX pluto[5598]: adding interface lo/lo 127.0.0.1:4500
Feb 27 15:38:30 domU-XXXXX pluto[5598]: adding interface lo/lo ::1:500
Feb 27 15:38:30 domU-XXXXX pluto[5598]: loading secrets from "/etc/ipsec.secrets"
---------------------------------------
After I initiate the connection from the laptop, the following lines are added:
---------------------------------------
Feb 27 16:04:45 domU-XXXXX pluto[5598]: packet from ##LAPTOP_IP##:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Feb 27 16:04:45 domU-XXXXX pluto[5598]: packet from ##LAPTOP_IP##:500: received Vendor ID payload [RFC 3947] method set to=109
Feb 27 16:04:45 domU-XXXXX pluto[5598]: packet from ##LAPTOP_IP##:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Feb 27 16:04:45 domU-XXXXX pluto[5598]: packet from ##LAPTOP_IP##:500: ignoring Vendor ID payload [FRAGMENTATION]
Feb 27 16:04:45 domU-XXXXX pluto[5598]: packet from ##LAPTOP_IP##:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Feb 27 16:04:45 domU-XXXXX pluto[5598]: packet from ##LAPTOP_IP##:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Feb 27 16:04:45 domU-XXXXX pluto[5598]: packet from ##LAPTOP_IP##:500: ignoring Vendor ID payload [IKE CGA version 1]
Feb 27 16:04:45 domU-XXXXX pluto[5598]: "tons"[5] ##LAPTOP_IP## #15: responding to Main Mode from unknown peer ##LAPTOP_IP##
Feb 27 16:04:45 domU-XXXXX pluto[5598]: "tons"[5] ##LAPTOP_IP## #15: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Feb 27 16:04:45 domU-XXXXX pluto[5598]: "tons"[5] ##LAPTOP_IP## #15: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Feb 27 16:04:45 domU-XXXXX pluto[5598]: "tons"[5] ##LAPTOP_IP## #15: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Feb 27 16:04:45 domU-XXXXX pluto[5598]: "tons"[5] ##LAPTOP_IP## #15: STATE_MAIN_R1: sent MR1, expecting MI2
Feb 27 16:04:45 domU-XXXXX pluto[5598]: "tons"[5] ##LAPTOP_IP## #15: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Feb 27 16:04:45 domU-XXXXX pluto[5598]: "tons"[5] ##LAPTOP_IP## #15: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 27 16:04:45 domU-XXXXX pluto[5598]: "tons"[5] ##LAPTOP_IP## #15: STATE_MAIN_R2: sent MR2, expecting MI3
Feb 27 16:04:45 domU-XXXXX pluto[5598]: "tons"[5] ##LAPTOP_IP## #15: Main mode peer ID is ID_IPV4_ADDR: '192.168.2.3'
Feb 27 16:04:45 domU-XXXXX pluto[5598]: "tons"[5] ##LAPTOP_IP## #15: switched from "tons" to "tons"
Feb 27 16:04:45 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: deleting connection "tons" instance with peer ##LAPTOP_IP## {isakmp=#0/ipsec=#0}
Feb 27 16:04:45 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb 27 16:04:45 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: new NAT mapping for #15, was ##LAPTOP_IP##:500, now ##LAPTOP_IP##:4500
Feb 27 16:04:45 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Feb 27 16:04:45 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: the peer proposed: ##EC2_ELASTIC_IP##/32:17/1701 -> 192.168.2.3/32:17/0
Feb 27 16:04:45 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Feb 27 16:04:45 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #16: responding to Quick Mode proposal {msgid:01000000}
Feb 27 16:04:45 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #16:     us: ##EC2_IP##/32===##EC2_IP##<##EC2_IP##>[##EC2_ELASTIC_IP##,+S=C]:17/1701---10.198.129.1
Feb 27 16:04:45 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #16:   them: ##LAPTOP_IP##[192.168.2.3,+S=C]:17/1701===192.168.2.3/32
Feb 27 16:04:45 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #16: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb 27 16:04:45 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #16: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb 27 16:04:46 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #16: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb 27 16:04:46 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #16: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x3c103329 <0xfdafa178 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.2.3 NATD=##LAPTOP_IP##:4500 DPD=none}
Feb 27 16:04:46 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: the peer proposed: ##EC2_ELASTIC_IP##/32:17/1701 -> 192.168.2.3/32:17/1701
Feb 27 16:04:46 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Feb 27 16:04:46 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #17: responding to Quick Mode proposal {msgid:02000000}
Feb 27 16:04:46 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #17:     us: ##EC2_IP##/32===##EC2_IP##<##EC2_IP##>[##EC2_ELASTIC_IP##,+S=C]:17/1701---10.198.129.1
Feb 27 16:04:46 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #17:   them: ##LAPTOP_IP##[192.168.2.3,+S=C]:17/1701===192.168.2.3/32
Feb 27 16:04:46 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #17: keeping refhim=4294901761 during rekey
Feb 27 16:04:46 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #17: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb 27 16:04:46 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #17: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb 27 16:04:46 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #17: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb 27 16:04:46 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #17: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0xf7ab2e5e <0x0e00bfa3 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.2.3 NATD=##LAPTOP_IP##:4500 DPD=none}
Feb 27 16:04:46 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: received Delete SA(0x3c103329) payload: deleting IPSEC State #16
Feb 27 16:04:46 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: received and ignored informational message
Feb 27 16:04:49 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: the peer proposed: ##EC2_ELASTIC_IP##/32:17/1701 -> 192.168.2.3/32:17/1701
Feb 27 16:04:49 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Feb 27 16:04:49 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #18: responding to Quick Mode proposal {msgid:03000000}
Feb 27 16:04:49 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #18:     us: ##EC2_IP##/32===##EC2_IP##<##EC2_IP##>[##EC2_ELASTIC_IP##,+S=C]:17/1701---10.198.129.1
Feb 27 16:04:49 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #18:   them: ##LAPTOP_IP##[192.168.2.3,+S=C]:17/1701===192.168.2.3/32
Feb 27 16:04:49 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #18: keeping refhim=4294901761 during rekey
Feb 27 16:04:49 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #18: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb 27 16:04:49 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #18: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb 27 16:04:49 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #18: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb 27 16:04:49 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #18: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x7e39e15e <0x505e8490 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.2.3 NATD=##LAPTOP_IP##:4500 DPD=none}
Feb 27 16:04:49 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: received Delete SA(0xf7ab2e5e) payload: deleting IPSEC State #17
Feb 27 16:04:49 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: received and ignored informational message
Feb 27 16:04:53 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: the peer proposed: ##EC2_ELASTIC_IP##/32:17/1701 -> 192.168.2.3/32:17/1701
Feb 27 16:04:53 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Feb 27 16:04:53 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #19: responding to Quick Mode proposal {msgid:04000000}
Feb 27 16:04:53 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #19:     us: ##EC2_IP##/32===##EC2_IP##<##EC2_IP##>[##EC2_ELASTIC_IP##,+S=C]:17/1701---10.198.129.1
Feb 27 16:04:53 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #19:   them: ##LAPTOP_IP##[192.168.2.3,+S=C]:17/1701===192.168.2.3/32
Feb 27 16:04:53 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #19: keeping refhim=4294901761 during rekey
Feb 27 16:04:53 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #19: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb 27 16:04:53 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #19: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb 27 16:04:53 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #19: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb 27 16:04:53 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #19: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x4dc78ad3 <0x8463f5a5 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.2.3 NATD=##LAPTOP_IP##:4500 DPD=none}
Feb 27 16:04:53 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: received Delete SA(0x7e39e15e) payload: deleting IPSEC State #18
Feb 27 16:04:53 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: received and ignored informational message
Feb 27 16:05:01 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: the peer proposed: ##EC2_ELASTIC_IP##/32:17/1701 -> 192.168.2.3/32:17/1701
Feb 27 16:05:01 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Feb 27 16:05:01 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #20: responding to Quick Mode proposal {msgid:05000000}
Feb 27 16:05:01 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #20:     us: ##EC2_IP##/32===##EC2_IP##<##EC2_IP##>[##EC2_ELASTIC_IP##,+S=C]:17/1701---10.198.129.1
Feb 27 16:05:01 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #20:   them: ##LAPTOP_IP##[192.168.2.3,+S=C]:17/1701===192.168.2.3/32
Feb 27 16:05:01 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #20: keeping refhim=4294901761 during rekey
Feb 27 16:05:01 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #20: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb 27 16:05:01 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #20: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb 27 16:05:01 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #20: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb 27 16:05:01 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #20: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x0d7668ac <0x54846072 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.2.3 NATD=##LAPTOP_IP##:4500 DPD=none}
Feb 27 16:05:01 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: received Delete SA(0x4dc78ad3) payload: deleting IPSEC State #19
Feb 27 16:05:01 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: received and ignored informational message
Feb 27 16:05:11 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: the peer proposed: ##EC2_ELASTIC_IP##/32:17/1701 -> 192.168.2.3/32:17/1701
Feb 27 16:05:11 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: NAT-Traversal: received 2 NAT-OA. using first, ignoring others
Feb 27 16:05:11 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #21: responding to Quick Mode proposal {msgid:06000000}
Feb 27 16:05:11 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #21:     us: ##EC2_IP##/32===##EC2_IP##<##EC2_IP##>[##EC2_ELASTIC_IP##,+S=C]:17/1701---10.198.129.1
Feb 27 16:05:11 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #21:   them: ##LAPTOP_IP##[192.168.2.3,+S=C]:17/1701===192.168.2.3/32
Feb 27 16:05:11 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #21: keeping refhim=4294901761 during rekey
Feb 27 16:05:11 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #21: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb 27 16:05:11 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #21: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb 27 16:05:11 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #21: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb 27 16:05:11 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #21: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x6a7a46bc <0x6e14517a xfrm=AES_128-HMAC_SHA1 NATOA=192.168.2.3 NATD=##LAPTOP_IP##:4500 DPD=none}
Feb 27 16:05:11 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: received Delete SA(0x0d7668ac) payload: deleting IPSEC State #20
Feb 27 16:05:11 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: received and ignored informational message
Feb 27 16:05:21 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: received Delete SA(0x6a7a46bc) payload: deleting IPSEC State #21
Feb 27 16:05:21 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy unk255.10000@##EC2_IP## was too long: 168 > 36
Feb 27 16:05:21 domU-XXXXX pluto[5598]: | raw_eroute result=0
Feb 27 16:05:21 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: received and ignored informational message
Feb 27 16:05:21 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP## #15: received Delete SA payload: deleting ISAKMP State #15
Feb 27 16:05:21 domU-XXXXX pluto[5598]: "tons"[6] ##LAPTOP_IP##: deleting connection "tons" instance with peer ##LAPTOP_IP## {isakmp=#0/ipsec=#0}
Feb 27 16:05:21 domU-XXXXX pluto[5598]: "tons": netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy eroute_connection delete inbound was too long: 100 > 36
Feb 27 16:05:21 domU-XXXXX pluto[5598]: "tons": netlink recvfrom() of response to our XFRM_MSG_DELPOLICY message for policy eroute_connection delete inbound was too long: 100 > 36
Feb 27 16:05:21 domU-XXXXX pluto[5598]: packet from ##LAPTOP_IP##:4500: received and ignored informational message





ipsec auto --status
---------------------------------------
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 ##EC2_IP##
000 interface eth0/eth0 ##EC2_IP##
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 1 subnet: 192.168.2.0/24
000 - disallowed 1 subnet: 192.168.1.0/24
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65004, name=OAKLEY_SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65289, name=OAKLEY_TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "tons": ##EC2_IP##/32===##EC2_IP##<##EC2_IP##>[##EC2_ELASTIC_IP##,+S=C]:17/1701---10.198.129.1...%virtual[+S=C]:17/%any===?; unrouted; eroute owner: #0
000 "tons":     myip=unset; hisip=unset;
000 "tons":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "tons":   policy: PSK+ENCRYPT+TUNNEL+IKEv2ALLOW+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "tons":   newest ISAKMP SA: #0; newest IPsec SA: #0;
---------------------------------------
After I initiate the connection from the laptop, the following lines are added:
---------------------------------------
000 "tons"[2]: ##EC2_IP##/32===##EC2_IP##<##EC2_IP##>[##EC2_ELASTIC_IP##,+S=C]:17/1701---10.198.129.1...##LAPTOP_IP##[192.168.2.97,+S=C]:17/1701===192.168.2.97/32; erouted; eroute owner: #6
000 "tons"[2]:     myip=unset; hisip=unset;
000 "tons"[2]:   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "tons"[2]:   policy: PSK+ENCRYPT+TUNNEL+IKEv2ALLOW+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "tons"[2]:   newest ISAKMP SA: #1; newest IPsec SA: #6;
000 "tons"[2]:   IKE algorithm newest: AES_CBC_256-SHA1-MODP2048
000
000 #6: "tons"[2] ##LAPTOP_IP##:62595 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3326s; newest IPSEC; eroute owner; isakmp#1; idle; import:not set
000 #6: "tons"[2] ##LAPTOP_IP## esp.bd129a4a@##LAPTOP_IP## esp.b23a4ea5@##EC2_IP## ref=0 refhim=4294901761
000 #1: "tons"[2] ##LAPTOP_IP##:62595 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3310s; newest ISAKMP; nodpd; idle; import:not set
000
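Added example, not part of Troy's post and not Openswan or xl2tpd code: a Python triage script for exactly this kind of report. It reads pluto log lines of the shape shown above together with the virtual_private setting from ipsec.conf and the "ip range" pool from xl2tpd.conf, reports how far the client got (phase 1 failed, phase 2 failed, or IPsec established but the client repeatedly re-proposing Quick Mode and deleting the SAs, which this script reads as "look at the L2TP/PPP layer above IPsec"), and cross-checks the address plan: whether the client's NAT-OA address is permitted by virtual_private, whether it falls inside the PPP pool xl2tpd hands out, and whether the pool is excluded from virtual_private with a ! entry, as the Openswan L2TP documentation recommends for the server's own subnets. The sample log lines are constructed from the post with ##LAPTOP_IP## replaced by the documentation address 198.51.100.20; the regular expressions match Openswan 2.6 pluto message text; the "l2tp" verdict is the script's interpretation of the Delete SA pattern, not a statement from the post.

```python
"""Triage helper for an Openswan + xl2tpd L2TP/IPsec responder.

Added example, not code from the original post or from Openswan/xl2tpd.
Reads a pluto log excerpt plus the ipsec.conf virtual_private and the
xl2tpd "ip range" settings, names the negotiation stage the client reached,
and checks the address plan for consistency.  All sample data below is
constructed: the pluto lines follow the post's /var/log/secure excerpt with
the masked peer address replaced by an RFC 5737 documentation address.
"""
import ipaddress
import re

SAMPLE_PLUTO_LOG = """\
pluto[5598]: "tons"[5] 198.51.100.20 #15: responding to Main Mode from unknown peer 198.51.100.20
pluto[5598]: "tons"[6] 198.51.100.20 #15: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
pluto[5598]: "tons"[6] 198.51.100.20 #16: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x3c103329 <0xfdafa178 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.2.3 NATD=198.51.100.20:4500 DPD=none}
pluto[5598]: "tons"[6] 198.51.100.20 #17: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0xf7ab2e5e <0x0e00bfa3 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.2.3 NATD=198.51.100.20:4500 DPD=none}
pluto[5598]: "tons"[6] 198.51.100.20 #15: received Delete SA(0x3c103329) payload: deleting IPSEC State #16
pluto[5598]: "tons"[6] 198.51.100.20 #18: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x7e39e15e <0x505e8490 xfrm=AES_128-HMAC_SHA1 NATOA=192.168.2.3 NATD=198.51.100.20:4500 DPD=none}
pluto[5598]: "tons"[6] 198.51.100.20 #15: received Delete SA(0xf7ab2e5e) payload: deleting IPSEC State #17
pluto[5598]: "tons"[6] 198.51.100.20 #15: received Delete SA(0x7e39e15e) payload: deleting IPSEC State #18
pluto[5598]: "tons"[6] 198.51.100.20 #15: received Delete SA payload: deleting ISAKMP State #15
"""

VIRTUAL_PRIVATE = "%v4:192.168.2.0/24,%v4:!192.168.1.0/24"  # from the post's ipsec.conf
L2TP_POOL = "192.168.2.2-192.168.2.254"                      # from the post's xl2tpd.conf

ISAKMP_UP_RE = re.compile(r"ISAKMP SA established")
IPSEC_UP_RE = re.compile(r"IPsec SA established(?:.*?\bNATOA=(\S+))?")
DELETE_RE = re.compile(
    r"received Delete SA(?:\(0x[0-9a-f]+\))? payload: deleting (IPSEC|ISAKMP) State"
)


def summarise_pluto(log_text):
    """Count phase 1 / phase 2 successes and peer-initiated deletions."""
    summary = {"isakmp_up": 0, "ipsec_up": 0, "ipsec_deleted": 0,
               "isakmp_deleted": 0, "natoa": set()}
    for line in log_text.splitlines():
        if ISAKMP_UP_RE.search(line):
            summary["isakmp_up"] += 1
        m = IPSEC_UP_RE.search(line)
        if m:
            summary["ipsec_up"] += 1
            if m.group(1):                      # client's real (pre-NAT) address
                summary["natoa"].add(m.group(1))
        m = DELETE_RE.search(line)
        if m:
            key = "ipsec_deleted" if m.group(1) == "IPSEC" else "isakmp_deleted"
            summary[key] += 1
    return summary


def diagnose(summary):
    """Name the layer to examine next: phase1, phase2, l2tp or ok."""
    if summary["isakmp_up"] == 0:
        return "phase1"
    if summary["ipsec_up"] == 0:
        return "phase2"
    # IPsec came up, yet the client kept re-proposing Quick Mode and deleting
    # the SAs it had just created.  IPsec itself is working, so the failure is
    # most likely above it: L2TP on UDP 1701 not answered, or PPP/CHAP.
    if summary["ipsec_up"] > 1 and summary["ipsec_deleted"] >= summary["ipsec_up"] - 1:
        return "l2tp"
    return "ok"


def parse_virtual_private(value):
    """Split Openswan's virtual_private into allowed and excluded (!) networks."""
    allowed, excluded = [], []
    for item in value.split(","):
        item = item.strip()
        if not item.startswith("%v4:"):
            continue                            # only IPv4 matters for this post
        net = item[len("%v4:"):]
        if net.startswith("!"):
            excluded.append(ipaddress.ip_network(net[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(net, strict=False))
    return allowed, excluded


def parse_pool(pool):
    """xl2tpd 'ip range = a-b' -> (first, last) addresses."""
    first, last = (ipaddress.ip_address(p.strip()) for p in pool.split("-"))
    return first, last


def check_address_plan(natoa_addrs, virtual_private, pool):
    """Cross-check client NAT-OA addresses against virtual_private and the PPP pool."""
    allowed, excluded = parse_virtual_private(virtual_private)
    first, last = parse_pool(pool)
    findings = []
    for text in sorted(natoa_addrs):
        addr = ipaddress.ip_address(text)
        permitted = any(addr in n for n in allowed) and not any(addr in n for n in excluded)
        if not permitted:
            findings.append(f"client NAT-OA {addr} is not permitted by virtual_private")
        if first <= addr <= last:
            findings.append(f"client LAN address {addr} lies inside the xl2tpd pool {pool}")
    pool_nets = ipaddress.summarize_address_range(first, last)
    if not all(any(pn.subnet_of(ex) for ex in excluded) for pn in pool_nets):
        findings.append(f"xl2tpd pool {pool} is not excluded (!) from virtual_private")
    return findings


if __name__ == "__main__":
    s = summarise_pluto(SAMPLE_PLUTO_LOG)
    print("stage to examine next:", diagnose(s), s)
    for f in check_address_plan(s["natoa"], VIRTUAL_PRIVATE, L2TP_POOL):
        print("warning:", f)
```

On a live server, pass the output of `grep pluto /var/log/secure` to summarise_pluto() instead of the sample; the two config strings are read straight from ipsec.conf and xl2tpd.conf. For the post's own numbers (six IPsec SAs, six Delete SA payloads, NAT-OA 192.168.2.3, pool 192.168.2.2-192.168.2.254) the verdict is "l2tp" and both address warnings fire.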





