[Openswan Users] Am I actually using NAT?
James Nelson
james.nelson.ii at gmail.com
Thu Sep 22 12:17:33 EDT 2011
Me again. Paul, I appreciate your assistance greatly up to this point.

I've simplified my original configuration, but still can't see any traffic
after the IPsec SA established tunnel mode is enabled. I try pinging or
hitting servers on the client side from my Amazon EC2 server and get
silence. The client side says they can't even see any traffic hitting their
firewall, much less passing through it.

1) Assume we have a fresh installation. From the Amazon end, upon the
creation of the server, besides disabling ICMP send and accept redirects and
enabling IP forwarding, is there anything else that has to be done on the
instance? (ifconfig, port opening, iptables, etc.) This is where my
knowledge is weakest, and therefore where I'm most concerned I'm missing
something obvious or stupid that any network engineer would know.

2) After establishing the SA tunnel, what is the best way to test whether or
not I can send traffic to the client, and how can I tell if it's being
NAT'ed/going through the correct ports (UDP 500/4500)? Right now, I've been
just trying to ping the client gateway or using elinks to see if I can reach
the client WSDL addresses for download.
My .conf:

config setup
	nat_traversal=yes
	# exclude networks used on server side by adding %v4:!a.b.c.0/24
	# (the first entry was missing the "v" in %v4: and would not parse)
	virtual_private=%v4:168.94.151.0/24,%v4:10.0.0.0/8,%v4:192.168.0.0/16
	oe=off
	# which IPsec stack to use. netkey,klips,mast,auto or none
	protostack=netkey
	#testing
	interfaces=%defaultroute

conn ec2check
	connaddrfamily=ipv4
	type=tunnel
	authby=secret
	ike=3des-md5
	ikelifetime=86400s
	phase2=esp
	phase2alg=3des-md5
	lifetime=28800s
	forceencaps=yes
	pfs=no
	left=<AMAZON LOCAL IP>
	leftid=<AMAZON ELASTIC IP>
	leftnexthop=%defaultroute
	leftsubnet=0.0.0.0/0
	right=<CLIENT CHECKPOINT GATEWAY>
	rightid=<CLIENT CHECKPOINT GATEWAY>
	rightsubnet=<CLIENT INTERNAL NETWORK>
	auto=add
The route I'm trying for is

    Amazon Local ---------- Amazon Elastic === Internet === Client Checkpoint ---------- Client Internal
    10.XX.XX.XX             184.XX.XX.XX                    198.XX.XX.XX                 168.XX.XX.XX/XX
-- James
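The two questions in the post (what the EC2 instance needs, and how to tell whether the tunnel traffic is really going out NAT-traversed on UDP 500/4500) can be answered from the instance itself. Below is an added example, not code from James's post or from the Openswan project: check_sysctls() verifies the kernel settings the EC2 end needs against `sysctl -a` output, and classify_capture()/natt_verdict() read `tcpdump -n` lines and report whether IKE and ESP are being carried on UDP 500/4500 or whether ESP is leaving as raw IP protocol 50. The sample sysctl and tcpdump lines are constructed, and the addresses 10.1.2.3 and 198.51.100.1 are placeholders for the Amazon local IP and the Checkpoint gateway.

```shell
#!/bin/sh
# Added example (not from the original post or from Openswan). Addresses and
# sample lines are constructed placeholders.

# Kernel settings the EC2 end needs: forwarding on, ICMP redirects off in both
# directions. Argument is `sysctl -a` output; returns 0 only if all are present.
check_sysctls() {
    out="$1"
    rc=0
    for want in 'net.ipv4.ip_forward = 1' \
                'net.ipv4.conf.all.send_redirects = 0' \
                'net.ipv4.conf.all.accept_redirects = 0' \
                'net.ipv4.conf.default.send_redirects = 0' \
                'net.ipv4.conf.default.accept_redirects = 0'; do
        if ! printf '%s\n' "$out" | grep -qxF -- "$want"; then
            echo "missing: $want" >&2
            rc=1
        fi
    done
    return $rc
}

# From `tcpdump -n` lines, count IKE on UDP 500, anything on UDP 4500 (NAT-T:
# IKE and UDP-encapsulated ESP), and raw ESP on IP protocol 50.
# Prints "ike=N natt=N esp=N".
classify_capture() {
    printf '%s\n' "$1" | awk '
        /\.4500 > [0-9.]*\.4500: /     { natt++; next }
        /\.500 > [0-9.]*\.500: isakmp/ { ike++;  next }
        /: ESP\(spi=/                  { esp++ }
        END { printf "ike=%d natt=%d esp=%d\n", ike, natt, esp }'
}

# NAT-T is in effect when ESP rides inside UDP 4500 and nothing leaves as raw
# ESP. Raw ESP despite forceencaps=yes means the SA was not negotiated with
# UDP encapsulation (or you are capturing on the wrong interface).
natt_verdict() {
    counts=$(classify_capture "$1")
    natt=${counts#*natt=}; natt=${natt%% *}
    esp=${counts#*esp=}
    if [ "$natt" -gt 0 ] && [ "$esp" -eq 0 ]; then
        echo NAT-T
    elif [ "$esp" -gt 0 ]; then
        echo RAW-ESP
    else
        echo NO-TRAFFIC
    fi
}

# Constructed sample inputs (what `sysctl -a` and
# `tcpdump -ni eth0 udp port 500 or udp port 4500 or esp` would print).
SAMPLE_SYSCTL='net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0'

SAMPLE_NATT='12:17:33.000001 IP 10.1.2.3.500 > 198.51.100.1.500: isakmp: phase 1 I ident
12:17:33.100002 IP 198.51.100.1.500 > 10.1.2.3.500: isakmp: phase 1 R ident
12:17:34.000003 IP 10.1.2.3.4500 > 198.51.100.1.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick
12:17:35.000004 IP 10.1.2.3.4500 > 198.51.100.1.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 116'

SAMPLE_RAW='12:17:36.000005 IP 10.1.2.3 > 198.51.100.1: ESP(spi=0x0a1b2c3d,seq=0x2), length 116'

# Demo on the samples; on a real instance feed it `sysctl -a` and tcpdump output.
check_sysctls "$SAMPLE_SYSCTL" && echo "sysctls ok"
echo "natt sample: $(natt_verdict "$SAMPLE_NATT")"
echo "raw sample:  $(natt_verdict "$SAMPLE_RAW")"
```

On the instance, run `check_sysctls "$(sysctl -a)"` first; then, after `ipsec auto --up ec2check` reports the SA, confirm it with `ip xfrm state` (a NAT-traversed SA shows `encap type espinudp`) and `ip -s xfrm state` for packet counters, start the tcpdump shown in the sample comment on the instance's interface, and generate traffic with `ping -I <AMAZON LOCAL IP> <host in CLIENT INTERNAL NETWORK>` so the source address falls inside leftsubnet. If the capture shows only IKE on UDP 500 and nothing on 4500, also check that the EC2 security group allows inbound UDP 500 and 4500 from the Checkpoint's public address. Note that NAT-T and forceencaps only decide how the packets are carried; 3DES/MD5 without PFS is weak by current standards regardless of whether the tunnel passes traffic.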