[Openswan Users] OpenSwan in Amazon VPC to local subnet behind ISA Server

Pete Holmes peteholmes at yahoo.com
Tue Oct 18 11:23:14 EDT 2011


I wonder if anybody can give me any pointers with the following setup? I'm
attempting to create an IPSec tunnel between a local subnet ISA Server 2006
and an OpenSwan machine in an Amazon Virtual Private Cloud (VPC) subnet, e.g.

Host A ( --> ( ISA Server (a.b.c.d) --> Internet <--
(e.f.g.h) OpenSwan Host ( <-- Host B (

The OpenSwan host has a public AWS Elastic IP of (e.f.g.h) and the default
gateway for the VPC is

When I start the IPSec service, the tunnel comes up successfully. The
problem is that when I ping OpenSwan Host from Host A I get no response. I
can see ICMP echo requests coming through the tunnel by using tcpdump on the
OpenSwan machine, but nothing is coming back. e.g.

tcpdump -i eth0 -n -p ip host and not port 22
14:03:04.995393 IP a.b.c.d.ipsec-nat-t > UDP-encap:
ESP(spi=0x3b525e3a,seq=0x1), length 92
14:03:04.995393 IP > ICMP echo request, id 1, seq 5,
length 40

Also when pinging Host A from the OpenSwan machine I get 100% packet loss.

Any pointers gratefully received. My configuration is detailed below.


My ipsec configuration on the OpenSwan machine:

config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        # Enable this if you see "failed to find any available worker"

conn home
  left= (OpenSwan machine VPC internal address)
  leftid=e.f.g.h  (OpenSwan AWS elastic ip)
  leftsourceip=e.f.g.h (OpenSwan elastic ip)
  leftsubnet=  (AWS VPC subnet)
  right=a.b.c.d (ISA Server public IP)
  rightid=@MACHINE.DOMAIN.local (ISA Server ID)
  rightsubnet= (Internal local subnet)

Output from iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Output from route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
                *                               U     0      0        0 eth0
                                                UG    0      0        0 eth0
default                                         UG    0      0        0 eth0

Output from ipsec verify
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.32/K2.6.35.11-83.9.amzn1.i686 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects              [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

I have also set net.ipv4.ip_forward = 1 in /etc/sysctl.conf and ensured that
the AWS security groups allow ICMP traffic.
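The capture above shows ESP and echo requests arriving at the OpenSwan host with nothing going back. The following is an added example, not code from the original post: it parses tcpdump -n summary lines and flags flows that have traffic in one direction only (ESP with no ESP towards the peer, echo requests with no echo reply). The sample lines and their addresses are constructed placeholders.

```python
import re
from collections import Counter

# Constructed tcpdump -n output as seen on the VPN gateway (placeholder addresses,
# not the original post's): ESP and a decapsulated echo request come in, nothing leaves.
SAMPLE = """\
14:03:04.995393 IP 203.0.113.10.ipsec-nat-t > 10.0.0.5.ipsec-nat-t: UDP-encap: ESP(spi=0x3b525e3a,seq=0x1), length 92
14:03:04.995393 IP 192.168.1.20 > 10.0.0.5: ICMP echo request, id 1, seq 5, length 40
14:03:05.997112 IP 203.0.113.10.ipsec-nat-t > 10.0.0.5.ipsec-nat-t: UDP-encap: ESP(spi=0x3b525e3a,seq=0x2), length 92
14:03:05.997112 IP 192.168.1.20 > 10.0.0.5: ICMP echo request, id 1, seq 6, length 40
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\S+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\S+)?: (?P<rest>.*)$"
)

def classify(rest):
    """Map the tail of a tcpdump summary line to a coarse packet kind."""
    if "ESP(" in rest:
        return "esp"
    if "ICMP echo request" in rest:
        return "echo-request"
    if "ICMP echo reply" in rest:
        return "echo-reply"
    return "other"

def count_flows(capture):
    """Count packets per (src, dst, kind) over the capture text; ports are dropped."""
    flows = Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows[(m["src"], m["dst"], classify(m["rest"]))] += 1
    return flows

# Kinds whose presence in one direction means traffic is expected back the other way.
REVERSE = {"esp": "esp", "echo-request": "echo-reply"}

def one_way_flows(capture):
    """Return (src, dst, kind) flows that were seen with no matching traffic returning."""
    flows = count_flows(capture)
    missing = []
    for (src, dst, kind), _ in sorted(flows.items()):
        back = REVERSE.get(kind)
        if back and flows[(dst, src, back)] == 0:
            missing.append((src, dst, kind))
    return missing
```

On the capture in the post this reports both the ESP flow from the ISA Server and the echo requests from Host A as one-way, which narrows the problem to the return path on the OpenSwan host rather than the inbound tunnel.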
