[Openswan Users] Am I actually using NAT?

James Nelson james.nelson.ii at gmail.com
Thu Sep 22 12:17:33 EDT 2011


Me again.  Paul, I appreciate your assistance greatly up to this point.
 I've simplified my original configuration, but still can't see any traffic
after the Ipsec SA established tunnel mode is enabled.  I try pinging or
hitting servers on the client side from my Amazon EC2 server and get
silence.  The client side says they can't even see any traffic hitting their
firewall, much less passing through it.

1) Assume we have a fresh installation.  From the Amazon end, upon the
creation of the server, besides disabling ICMP send and accept redirects and
enabling ip forwarding, is there anything else that has to be done on the
instance?  (ifconfig, port opening, iptables, etc...)  This is where my
knowledge is weakest, and therefore where I'm most concerned I'm missing
something obvious or stupid that any network engineer would know.

2) After establishing the SA tunnel, what is the best way to test whether or
not I can send traffic to the client, and how can I tell if it's being
NAT'ed/going through the correct ports (UDP 500/4500)?  Right now, I've been
just trying to ping the client gateway or using elinks to see if I can reach
the client WSDL addresses for download.

My .conf:

config setup
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        virtual_private=%v4:168.94.151.0/24,%v4:10.0.0.0/8,%v4:192.168.0.0/16
        oe=off
        # which IPsec stack to use. netkey,klips,mast,auto or none
        protostack=netkey
        #testing
        interfaces=%defaultroute

conn ec2check
        connaddrfamily=ipv4
        type=tunnel
        authby=secret
        ike=3des-md5
        ikelifetime=86400s
        phase2=esp
        phase2alg=3des-md5
        lifetime=28800s
        forceencaps=yes
        pfs=no
        left=<AMAZON LOCAL IP>
        leftid=<AMAZON ELASTIC IP>
        leftnexthop=%defaultroute
        leftsubnet=0.0.0.0/0
        right=<CLIENT CHECKPOINT GATEWAY>
        rightid=<CLIENT CHECKPOINT GATEWAY>
        rightsubnet=<CLIENT INTERNAL NETWORK>
        auto=add

*     *     *

The route I'm trying for is

Amazon Local ---------- Amazon Elastic === Internet === Client Checkpoint ---------- Client Internal
10.XX.XX.XX             184.XX.XX.XX                    198.XX.XX.XX                 168.XX.XX.XX/XX

-- James
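Added example for question 2, written here as an illustration and not part of James's post or of Openswan itself: a small POSIX shell script that reads the NETKEY kernel SA state (the output of `ip -s xfrm state`) and reports whether the established SAs are NAT-T encapsulated on UDP 4500 and whether any packets have actually passed through each direction. The SA dump embedded below is constructed with placeholder addresses so the script runs offline; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post or the Openswan project).
# Reads NETKEY SA state as printed by `ip -s xfrm state` and answers two
# questions: are the SAs NAT-T encapsulated (UDP 4500), and have packets
# actually crossed them? Assumes Linux with iproute2.

# Constructed sample of `ip -s xfrm state` output with placeholder addresses.
# The outbound SA has carried 10 packets; the inbound SA has carried none,
# which is the "I send but hear silence" symptom.
SAMPLE_XFRM='src 10.0.0.5 dst 198.51.100.7
    proto esp spi 0x0a1b2c3d reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(md5) 0x... 96
    enc cbc(des3_ede) 0x...
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    lifetime current:
      1200(bytes), 10(packets)
src 198.51.100.7 dst 10.0.0.5
    proto esp spi 0x4d3c2b1a reqid 16389 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(md5) 0x... 96
    enc cbc(des3_ede) 0x...
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    lifetime current:
      0(bytes), 0(packets)'

# Number of SAs in the dump: one "src ... dst ..." header line per SA.
count_sas() {
    printf '%s\n' "$1" | grep -c '^src ' || true
}

# Number of SAs that carry the NAT-T (ESP-in-UDP, port 4500) encapsulation.
count_natt_sas() {
    printf '%s\n' "$1" | grep -c 'encap type espinudp sport 4500 dport 4500' || true
}

# Packet counter for one SA, selected by its exact "src X dst Y" header.
# The counter is the "N(packets)" field on the line after "lifetime current:".
packets_for_direction() {
    printf '%s\n' "$1" | awk -v hdr="$2" '
        $0 == hdr { inside = 1; next }
        /^src / { inside = 0 }
        inside && /\(packets\)/ {
            sub(/.*, */, "")
            sub(/\(packets\).*/, "")
            print
            exit
        }
    '
}

# Summary: succeeds (exit 0) only when at least one SA exists and every SA
# is NAT-T encapsulated, i.e. traffic is really using UDP 4500.
natt_report() {
    dump="$1"
    total=$(count_sas "$dump")
    natt=$(count_natt_sas "$dump")
    echo "SAs: $total, NAT-T (UDP 4500) encapsulated: $natt"
    [ "$total" -gt 0 ] && [ "$total" -eq "$natt" ]
}

natt_report "$SAMPLE_XFRM"
echo "outbound packets: $(packets_for_direction "$SAMPLE_XFRM" 'src 10.0.0.5 dst 198.51.100.7')"
echo "inbound packets:  $(packets_for_direction "$SAMPLE_XFRM" 'src 198.51.100.7 dst 10.0.0.5')"
# On a live host, replace the sample with: natt_report "$(ip -s xfrm state)"
```

Run it against the real dump with `natt_report "$(ip -s xfrm state)"` and re-read the counters while pinging through the tunnel: an outbound counter that climbs while the inbound one stays at zero means the instance is encapsulating and sending, and the problem lies on the path or at the far gateway. To confirm the encapsulated packets actually leave the instance, watch the wire at the same time with `tcpdump -ni eth0 'udp port 500 or udp port 4500 or esp'`; with `forceencaps=yes` you should see only UDP 4500, never bare ESP. For question 1, Openswan's own `ipsec verify` checks the ip_forward and redirect sysctls, and the EC2 security group must permit UDP 500 and 4500 from the peer in addition to any host iptables rules.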