[Openswan Users] Amazon EC2: Can't avoid 10.0.0.0/8
Ryan Whelan
rcwhelan at gmail.com
Wed Jun 6 13:02:24 EDT 2012
If you add a host route, it should take precedence over a network range route.
On Wed, Jun 6, 2012 at 12:51 PM, Wes Winham <wes at policystat.com> wrote:
> Hello,
>
> I'm attempting to follow the tutorial
> at: https://www.openswan.org/projects/openswan/wiki/Amazon_EC2_example
>
> I have an Ubuntu 10.04 ec2 instance that needs to be able to access an LDAP
> server on a remote network behind a Cisco ASA. The problem is that the LDAP
> server has the IP 10.10.1.13, which is in the block that EC2 uses.
>
> There's a note in the tutorial "If it is via port forward, avoid 10/8 that
> Amazon uses". Any suggestions for what needs to be done if the other side
> does use that block?
>
> Right now, the tunnel is successfully established:
>
> $ sudo ipsec auto --up apd
> 117 "apd" #3: STATE_QUICK_I1: initiate
> 004 "apd" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
> {ESP/NAT=>0x4041650d <0xa7665556 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none
> DPD=none}
>
> The problem is that pings to 10.10.1.13 aren't reaching the other end. From
> the EC2 instance, I run:
>
> $ ping 10.1.1.13
>
> All of the packets are lost, even though that box is in fact configured to
> respond to ping (same results with nmap to the LDAP port). I then monitor
> with:
>
> $ sudo tcpdump -n host 10.1.1.13
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 12:40:07.212436 IP 10.243.79.134 > 10.1.1.13: ICMP echo request, id 62815,
> seq 1, length 64
> 12:40:08.229371 IP 10.243.79.134 > 10.1.1.13: ICMP echo request, id 62815,
> seq 2, length 64
>
> My IPSec verify looks good I think:
>
> $ sudo ipsec verify
> Checking your system to see if IPsec got installed and started correctly:
> Version check and ipsec on-path [OK]
> Linux Openswan U2.6.23/K2.6.32-318-ec2 (netkey)
> Checking for IPsec support in kernel [OK]
> NETKEY detected, testing for disabled ICMP send_redirects [OK]
> NETKEY detected, testing for disabled ICMP accept_redirects [OK]
> Checking for RSA private key (/etc/ipsec.secrets) [OK]
> Checking that pluto is running [OK]
> Pluto listening for IKE on udp 500 [OK]
> Pluto listening for NAT-T on udp 4500 [OK]
> Two or more interfaces found, checking IP forwarding [OK]
> Checking NAT and MASQUERADEing [N/A]
> Checking for 'ip' command [OK]
> Checking for 'iptables' command [OK]
> Opportunistic Encryption Support [DISABLED]
>
> Any hints on how to solve the 10.0.0.0/8 thing or maybe some additional
> debugging tips I could try?
>
> Also, if anyone else is trying to follow that tutorial using Ubuntu 10.04,
> this might help:
> https://gist.github.com/2871257
>
> I wrote up detailed instructions for Ubuntu 10.04 (which needs network
> parameters to be tuned) and a subnet to subnet connection specifically.
>
> Thanks
> -Wes
>
> --
> Wes Winham, Product Development
> PolicyStat, LLC | mobile: 405.320.9379 | desk: 317.644.1296 x1105
> schedule: http://tungle.me/weswinham
>
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> Building and Integrating Virtual Private Networks with Openswan:
> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
More information about the Users
mailing list