[Openswan Users] Connecting to IPSec/L2tp with OpenSwan/xl2tpd from Windows7 to Amazon EC2
Noam Singer
singern at gmail.com
Fri Jul 13 08:24:42 EDT 2012
Hi all,
I am trying to connect from my Windows7 at home to my OpenSwan/xl2tpd setup on an Ubuntu EC2 instance at Amazon.
It is a connection being NATed from both the client and server ends.
I was following tips from several threads for how to accomplish this connection, but failed with all of them.
What puzzles me mostly is the following line in the log:
Jul 13 11:04:21 ip-10-117-59-224 pluto[8782]: "connRW48"[2] 85.178.143.82 #1: cannot respond to IPsec SA request because no connection is known for 23.21.84.48/32===10.117.59.224<10.117.59.224>[23.21.84.48,+S=C]:17/1701...85.178.143.82[192.168.2.103,+S=C]:17/1701===192.168.2.103/32
This connection clearly exists, with the external IP identified as the leftid (see below about ipsec auto --status). Why can't it be found?
Or what else am I doing wrong?
I'd appreciate any help.
My configuration:
=============
The IPs I am using:
- The EC2 instance internal IP: 10.117.59.224
- The elastic IP associated with the instance: 23.21.84.48
- My ISP's IP associated with my router at home: 85.178.143.82
- My home NAT IP: 192.168.2.103
I am currently getting these error messages in my /var/log/auth.log:
Jul 13 11:03:55 ip-10-117-59-224 pluto[8782]: Changed path to directory '/etc/ipsec.d/ocspcerts'
Jul 13 11:03:55 ip-10-117-59-224 pluto[8782]: Changing to directory '/etc/ipsec.d/crls'
Jul 13 11:03:55 ip-10-117-59-224 pluto[8782]: Warning: empty directory
Jul 13 11:03:55 ip-10-117-59-224 pluto[8782]: listening for IKE messages
Jul 13 11:03:55 ip-10-117-59-224 pluto[8782]: adding interface eth0/eth0 10.117.59.224:500
Jul 13 11:03:55 ip-10-117-59-224 pluto[8782]: adding interface lo/lo 127.0.0.1:500
Jul 13 11:03:55 ip-10-117-59-224 pluto[8782]: adding interface lo/lo ::1:500
Jul 13 11:03:55 ip-10-117-59-224 pluto[8782]: loading secrets from "/etc/ipsec.secrets"
Jul 13 11:03:55 ip-10-117-59-224 pluto[8782]: loaded private key for keyid: PPK_RSA:AQOnFE96U
Jul 13 11:03:57 ip-10-117-59-224 pluto[8782]: added connection description "connRW48"
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: packet from 85.178.143.82:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: packet from 85.178.143.82:500: received Vendor ID payload [RFC 3947] meth=109, but port floating is off
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: packet from 85.178.143.82:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: packet from 85.178.143.82:500: ignoring Vendor ID payload [FRAGMENTATION]
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: packet from 85.178.143.82:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: packet from 85.178.143.82:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: packet from 85.178.143.82:500: ignoring Vendor ID payload [IKE CGA version 1]
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: "connRW48"[1] 85.178.143.82 #1: responding to Main Mode from unknown peer 85.178.143.82
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: "connRW48"[1] 85.178.143.82 #1: OAKLEY_GROUP 20 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: "connRW48"[1] 85.178.143.82 #1: OAKLEY_GROUP 19 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: "connRW48"[1] 85.178.143.82 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: "connRW48"[1] 85.178.143.82 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: "connRW48"[1] 85.178.143.82 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: "connRW48"[1] 85.178.143.82 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 13 11:04:21 ip-10-117-59-224 pluto[8782]: "connRW48"[1] 85.178.143.82 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.2.103'
Jul 13 11:04:21 ip-10-117-59-224 pluto[8782]: "connRW48"[1] 85.178.143.82 #1: switched from "connRW48" to "connRW48"
Jul 13 11:04:21 ip-10-117-59-224 pluto[8782]: "connRW48"[2] 85.178.143.82 #1: deleting connection "connRW48" instance with peer 85.178.143.82 {isakmp=#0/ipsec=#0}
Jul 13 11:04:21 ip-10-117-59-224 pluto[8782]: "connRW48"[2] 85.178.143.82 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 13 11:04:21 ip-10-117-59-224 pluto[8782]: "connRW48"[2] 85.178.143.82 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Jul 13 11:04:21 ip-10-117-59-224 pluto[8782]: "connRW48"[2] 85.178.143.82 #1: the peer proposed: 23.21.84.48/32:17/1701 -> 192.168.2.103/32:17/0
Jul 13 11:04:21 ip-10-117-59-224 pluto[8782]: "connRW48"[2] 85.178.143.82 #1: cannot respond to IPsec SA request because no connection is known for 23.21.84.48/32===10.117.59.224<10.117.59.224>[23.21.84.48,+S=C]:17/1701...85.178.143.82[192.168.2.103,+S=C]:17/1701===192.168.2.103/32
Jul 13 11:04:21 ip-10-117-59-224 pluto[8782]: "connRW48"[2] 85.178.143.82 #1: sending encrypted notification INVALID_ID_INFORMATION to 85.178.143.82:500
Jul 13 11:04:22 ip-10-117-59-224 pluto[8782]: "connRW48"[2] 85.178.143.82 #1: the peer proposed: 23.21.84.48/32:17/1701 -> 192.168.2.103/32:17/0
Jul 13 11:04:22 ip-10-117-59-224 pluto[8782]: "connRW48"[2] 85.178.143.82 #1: cannot respond to IPsec SA request because no connection is known for 23.21.84.48/32===10.117.59.224<10.117.59.224>[23.21.84.48,+S=C]:17/1701...85.178.143.82[192.168.2.103,+S=C]:17/1701===192.168.2.103/32
My security group allows incoming communication for UDP ports 500 & 4500, among others.
My iptables rules also allow 1701, among others.
My /etc/ipsec.conf:
version 2.0

config setup
    protostack=netkey
    interfaces=%defaultroute
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12
    oe=no
    nhelpers=0
    disable_port_floating=yes

include /etc/ipsec.d/*.conf
My /etc/ipsec.d/connRW48.conf:
conn connRW48
    rightsubnet=vhost:%no,%priv
    type=transport
    authby=secret
    pfs=no
    rekey=no
    ikelifetime=8h
    keylife=1h
    leftprotoport=17/1701
    left=10.117.59.224
    #leftid=@ip-10-117-59-224.ec2.internal
    leftid=23.21.84.48
    rightprotoport=17/0
    right=%any
    auto=ignore
My (censored) /etc/ipsec.secrets:
: RSA {
    # RSA 2048 bits ip-10-117-59-224 Tue Jul 10 14:01:50 2012
    # for signatures only, UNSAFE FOR ENCRYPTION
    #pubkey=XXXXXXX
    Modulus: XXX
    PublicExponent: 0x03
    # everything after this point is secret
    PrivateExponent: XXX
    Prime1: XXX
    Prime2: XXX
    Exponent1: XXX
    Exponent2: XXX
    Coefficient: XXX
    }
# do not change the indenting of that "}"
@ip-10-117-59-224.ec2.internal %any: PSK "XXX"
23.21.84.48 %any: PSK "XXX"
My output from running 'ipsec verify':
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K3.2.0-25-virtual (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [FAILED]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
My output from running 'ipsec auto --status':
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 10.117.59.224
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 2 subnets: 10.0.0.0/8, 172.16.0.0/12
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000 private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
...
...
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "connRW48": 10.117.59.224<10.117.59.224>[23.21.84.48,+S=C]:17/1701...%virtual[+S=C]:17/0===?; unrouted; eroute owner: #0
000 "connRW48": myip=unset; hisip=unset;
000 "connRW48": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "connRW48": policy: PSK+ENCRYPT+DONTREKEY+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "connRW48": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
Thanks in advance
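Added here as an example, not part of the original post or of Openswan: a small Python triage script that runs over the pluto lines quoted above and reports the two conditions a responder operator would check first in this setup, the NAT-T vendor IDs the client sent while port floating was off, and the gap between the server address the client proposed (the elastic IP) and the conn's own left= address (the instance's private IP). The sample log is copied from the post; the regular expressions and the `triage` helper are assumptions of this example.

```python
import re

# Constructed sample: four pluto lines copied from the post above.
SAMPLE_LOG = """\
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: packet from 85.178.143.82:500: received Vendor ID payload [RFC 3947] meth=109, but port floating is off
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: packet from 85.178.143.82:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Jul 13 11:04:21 ip-10-117-59-224 pluto[8782]: "connRW48"[2] 85.178.143.82 #1: the peer proposed: 23.21.84.48/32:17/1701 -> 192.168.2.103/32:17/0
Jul 13 11:04:21 ip-10-117-59-224 pluto[8782]: "connRW48"[2] 85.178.143.82 #1: cannot respond to IPsec SA request because no connection is known for 23.21.84.48/32===10.117.59.224<10.117.59.224>[23.21.84.48,+S=C]:17/1701...85.178.143.82[192.168.2.103,+S=C]:17/1701===192.168.2.103/32
"""

# "the peer proposed" carries the client's idea of the server's address.
PROPOSED_RE = re.compile(r"the peer proposed: (\d+\.\d+\.\d+\.\d+)/\d+:\d+/\d+")
# In "no connection is known for A===B<C>[D,...]", B is the conn's left=
# address and D its leftid.
NOCONN_RE = re.compile(
    r"no connection is known for \S+?===(\d+\.\d+\.\d+\.\d+)<[^>]*>\[([^,\]]+)"
)
PORTFLOAT_RE = re.compile(r"received Vendor ID payload \[([^\]]+)\].*port floating is off")


def triage(log):
    """Return a list of findings (strings) from an Openswan responder log."""
    findings = []
    nat_t_offered = []
    proposed_left = None
    for line in log.splitlines():
        if m := PORTFLOAT_RE.search(line):
            nat_t_offered.append(m.group(1))
        elif m := PROPOSED_RE.search(line):
            proposed_left = m.group(1)
        elif (m := NOCONN_RE.search(line)) and proposed_left:
            left_addr, left_id = m.groups()
            if proposed_left != left_addr:
                findings.append(
                    f"client addressed {proposed_left} but the conn's left= is "
                    f"{left_addr} (leftid={left_id}): the server side sits behind NAT"
                )
    if nat_t_offered:
        findings.append(
            "client offered NAT-T (" + ", ".join(nat_t_offered) + ") but port "
            "floating is off (disable_port_floating=yes here), so UDP 4500 is never used"
        )
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```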