[Openswan Users] OpenSwan in Amazon VPC to local subnet behind ISA Server
Pete Holmes
peteholmes at yahoo.com
Tue Oct 18 11:23:14 EDT 2011
Hi,
I wonder if anybody can give me any pointers with the following setup? I'm attempting to create an IPSec tunnel between a local subnet 192.168.2.0/24 behind ISA Server 2006 and an OpenSwan machine in an Amazon Virtual Private Cloud (VPC) subnet 10.0.0.0/24, e.g.
Host A (192.168.2.2) --> (192.168.2.3) ISA Server (a.b.c.d) --> Internet <--
(e.f.g.h) OpenSwan Host (10.0.0.206) <-- Host B (10.0.0.210)
The OpenSwan host has a public AWS Elastic IP of (e.f.g.h) and the default
gateway for the VPC is 10.0.0.1.
When I start the IPSec service, the tunnel comes up successfully. The
problem is that when I ping OpenSwan Host from Host A I get no response. I
can see ICMP echo requests coming through the tunnel by using tcpdump on the
OpenSwan machine, but nothing is coming back. e.g.
tcpdump -i eth0 -n -p ip host 10.0.0.206 and not port 22
14:03:04.995393 IP a.b.c.d.ipsec-nat-t > 10.0.0.206.ipsec-nat-t: UDP-encap: ESP(spi=0x3b525e3a,seq=0x1), length 92
14:03:04.995393 IP 192.168.2.2 > 10.0.0.206: ICMP echo request, id 1, seq 5, length 40
Also when pinging Host A from the OpenSwan machine I get 100% packet loss.
Any pointers gratefully received. My configuration is detailed below.
Regards,
Pete
My ipsec configuration on the OpenSwan machine:
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# plutodebug="control parsing"
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
protostack=netkey
nat_traversal=yes
virtual_private=%v4:192.168.0.0/8,%v4:172.16.0.0/12,%v4:10.0.0.0/8,%v4:!192.168.2.0/24
oe=off
# Enable this if you see "failed to find any available worker"
nhelpers=0
interfaces=%defaultroute
conn home
type=tunnel
left=10.0.0.206 (OpenSwan machine VPC internal address)
leftid=e.f.g.h (OpenSwan AWS elastic ip)
leftsourceip=e.f.g.h (OpenSwan elastic ip)
leftsubnet=10.0.0.0/24 (AWS VPC subnet)
leftnexthop=%defaultroute
right=a.b.c.d (ISA Server public IP)
rightid=@MACHINE.DOMAIN.local (ISA Server ID)
rightsubnet=192.168.2.0/24 (Internal local subnet)
esp=3des-md5-1024
ike=3des-md5-1024
authby=secret
forceencaps=yes
pfs=yes
auto=start
Output from iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Output from route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 * 255.255.255.0 U 0 0 0 eth0
192.168.2.0 10.0.0.1 255.255.255.0 UG 0 0 0 eth0
default 10.0.0.1 0.0.0.0 UG 0 0 0 eth0
Output from ipsec verify
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.35.11-83.9.amzn1.i686 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
I have also set net.ipv4.ip_forward = 1 in /etc/sysctl.conf and ensured that
the AWS security groups allow ICMP traffic.
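As an added example (not from the post above, and not Openswan's own tooling), a small Python helper that checks two things on the OpenSwan host for the symptom described: whether the netkey kernel stack holds `in` and `out` XFRM policies covering the ping from Host A and its reply, and whether the address given as `leftsourceip` is actually configured on a local interface (an AWS Elastic IP is a 1:1 NAT mapping at the VPC edge and is not present on the instance's eth0). The command output below is constructed; 198.51.100.10 stands for a.b.c.d and 203.0.113.5 for e.f.g.h.

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy` output on the OpenSwan host.
# 198.51.100.10 is a placeholder for the ISA Server public IP (a.b.c.d).
SAMPLE_XFRM_POLICY = """\
src 10.0.0.0/24 dst 192.168.2.0/24
    dir out priority 2344 ptype main
    tmpl src 10.0.0.206 dst 198.51.100.10
src 192.168.2.0/24 dst 10.0.0.0/24
    dir in priority 2344 ptype main
    tmpl src 198.51.100.10 dst 10.0.0.206
"""
# Constructed sample of `ip -4 addr show eth0`: only the VPC address is local.
SAMPLE_IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    inet 10.0.0.206/24 brd 10.0.0.255 scope global eth0
"""

def parse_xfrm_policies(text):
    """Return (direction, src_net, dst_net) tuples from `ip xfrm policy` output."""
    found = []
    for block in re.split(r"\n(?=src )", text.strip()):
        head = re.match(r"src (\S+) dst (\S+)", block)
        direction = re.search(r"\bdir (in|out|fwd)\b", block)
        if head and direction:
            found.append((direction.group(1),
                          ipaddress.ip_network(head.group(1)),
                          ipaddress.ip_network(head.group(2))))
    return found

def policy_covers(policies, direction, src_ip, dst_ip):
    """True if some policy of the given direction matches this src/dst pair."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(d == direction and src in s and dst in t for d, s, t in policies)

def diagnose(policy_text, ip_addr_text, local_ip, remote_ip, sourceip):
    """Return findings for a ping from remote_ip to local_ip and its reply."""
    pols = parse_xfrm_policies(policy_text)
    local = set(re.findall(r"\binet (\d+\.\d+\.\d+\.\d+)/", ip_addr_text))
    findings = []
    if not policy_covers(pols, "in", remote_ip, local_ip):
        findings.append("no 'in' policy for %s -> %s" % (remote_ip, local_ip))
    if not policy_covers(pols, "out", local_ip, remote_ip):
        findings.append("no 'out' policy for the reply %s -> %s" % (local_ip, remote_ip))
    if sourceip not in local:
        findings.append("leftsourceip %s is not assigned to any local interface" % sourceip)
    return findings
```

Run `diagnose()` on the real output of `ip xfrm policy` and `ip -4 addr` from the OpenSwan host; an empty list means both the reply policy and the source address check pass.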