[Openswan Users] Amazon EC2: Can't avoid 10.0.0.0/8

Alex Crow acrow at integrafin.co.uk
Wed Jun 6 13:25:36 EDT 2012


Hi,

Also, any route with a range more specific than 10.0.0.0/8, e.g. 
10.10.1.0/16 or /24, will take precedence, so you can add a network 
route like that and you should be good to go.

Cheers

Alex

On 06/06/12 18:02, Ryan Whelan wrote:
> If you add a host route, it should take precedence over a network range route.
>
> On Wed, Jun 6, 2012 at 12:51 PM, Wes Winham<wes at policystat.com>  wrote:
>> Hello,
>>
>> I'm attempting to follow the tutorial
>> at: https://www.openswan.org/projects/openswan/wiki/Amazon_EC2_example
>>
>> I have an Ubuntu 10.04 ec2 instance that needs to be able to access an LDAP
>> server on a remote network behind a Cisco ASA. The problem is that the LDAP
>> server has the IP 10.10.1.13, which is in the block that EC2 uses.
>>
>> There's a note in the tutorial "If it is via port forward, avoid 10/8 that
>> Amazon uses". Any suggestions for what needs to be done if the other side
>> does use that block?
>>
>> Right now, the tunnel is successfully established:
>>
>> $ sudo ipsec auto --up apd
>> 117 "apd" #3: STATE_QUICK_I1: initiate
>> 004 "apd" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
>> {ESP/NAT=>0x4041650d<0xa7665556 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none
>> DPD=none}
>>
>> The problem is that pings to 10.10.1.13 aren't reaching the other end. From
>> the EC2 instance, I run:
>>
>> $ ping 10.1.1.13
>>
>> All of the packets are lost, even though that box is in fact configured to
>> respond to ping (same results with nmap to the LDAP port). I then monitor
>> with:
>>
>> $ sudo tcpdump -n host 10.1.1.13
>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
>> 12:40:07.212436 IP 10.243.79.134 > 10.1.1.13: ICMP echo request, id 62815,
>> seq 1, length 64
>> 12:40:08.229371 IP 10.243.79.134 > 10.1.1.13: ICMP echo request, id 62815,
>> seq 2, length 64
>>
>> My IPSec verify looks good I think:
>>
>> $ sudo ipsec verify
>> Checking your system to see if IPsec got installed and started correctly:
>> Version check and ipsec on-path                             [OK]
>> Linux Openswan U2.6.23/K2.6.32-318-ec2 (netkey)
>> Checking for IPsec support in kernel                        [OK]
>> NETKEY detected, testing for disabled ICMP send_redirects   [OK]
>> NETKEY detected, testing for disabled ICMP accept_redirects [OK]
>> Checking for RSA private key (/etc/ipsec.secrets)           [OK]
>> Checking that pluto is running                              [OK]
>> Pluto listening for IKE on udp 500                          [OK]
>> Pluto listening for NAT-T on udp 4500                       [OK]
>> Two or more interfaces found, checking IP forwarding        [OK]
>> Checking NAT and MASQUERADEing                              [N/A]
>> Checking for 'ip' command                                   [OK]
>> Checking for 'iptables' command                             [OK]
>> Opportunistic Encryption Support                            [DISABLED]
>>
>> Any hints on how to solve the 10.0.0.0/8 thing or maybe some additional
>> debugging tips I could try?
>>
>> Also, if anyone else is trying to follow that tutorial using Ubuntu 10.04,
>> this might help:
>> https://gist.github.com/2871257
>>
>> I wrote up detailed instructions for Ubuntu 10.04 (which needs network
>> parameters to be tuned) and a subnet to subnet connection specifically.
>>
>> Thanks
>> -Wes
>>
>> --
>> Wes Winham, Product Development
>> PolicyStat, LLC | mobile: 405.320.9379 | desk: 317.644.1296 x1105
>> schedule: http://tungle.me/weswinham
>>
>> _______________________________________________
>> Users at lists.openswan.org
>> https://lists.openswan.org/mailman/listinfo/users
>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> Building and Integrating Virtual Private Networks with Openswan:
>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
>
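The two replies above rest on the same rule: the kernel picks the matching route with the longest prefix, so a /24 or a /32 for the remote LDAP network wins over the 10/8 route that EC2 installs. A second point matters on the netkey stack the original poster is running (Linux Openswan ... (netkey)): there is no ipsec0 interface, the route only decides which interface the packet leaves by, and it is the XFRM policy selector (what "ipsec auto --status" and "ip xfrm policy" show) that decides whether the packet is ESP-encapsulated first. A destination outside that selector leaves eth0 in the clear, which is exactly what a tcpdump on eth0 of plain ICMP echo requests looks like. The following small simulator is an added example, not code from this thread or from Openswan; the route table, the connected subnet 10.243.78.0/23, the gateway and the policy selector are constructed values, not the poster's real configuration.

```python
import ipaddress

# Constructed example values for an EC2 instance with a site-to-site tunnel to
# a remote office network (assumptions for illustration, not the poster's setup).
CONNECTED = "10.243.78.0/23"   # the instance's own subnet on eth0 (assumed)

ROUTES = [
    # (name, prefix, device, gateway)
    ("default",  "0.0.0.0/0",     "eth0", "10.243.78.1"),
    ("ec2",      "10.0.0.0/8",    "eth0", "10.243.78.1"),
    ("vpn-net",  "10.10.1.0/24",  "eth0", "10.243.78.1"),  # Alex: more specific than 10/8
    ("vpn-host", "10.10.1.13/32", "eth0", "10.243.78.1"),  # Ryan: a host route beats a network route
]

# NETKEY/XFRM policy selectors for the tunnel: (src, dst, action). Traffic that
# matches is ESP-encapsulated before it leaves the device the route chose.
POLICIES = [
    ("10.243.79.134/32", "10.10.1.0/24", "ipsec"),
]


def select_route(routes, dst):
    """Longest-prefix match, as the kernel FIB lookup does; returns the route name."""
    addr = ipaddress.ip_address(dst)
    best = None
    for name, prefix, dev, gw in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net, dev, gw)
    return best[0] if best else None


def will_encrypt(policies, src, dst):
    """True if an XFRM policy selector covers (src, dst); otherwise the packet
    leaves the chosen interface unencrypted, whatever the routing table says."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(
        act == "ipsec"
        and s in ipaddress.ip_network(ps)
        and d in ipaddress.ip_network(pd)
        for ps, pd, act in policies
    )


def route_fix_possible(connected, remote):
    """A more-specific route only helps while the remote prefix does not overlap
    the instance's own connected subnet; if it does, the addresses collide with
    local neighbours and some form of address translation is needed instead."""
    return not ipaddress.ip_network(connected).overlaps(ipaddress.ip_network(remote))


if __name__ == "__main__":
    src = "10.243.79.134"
    for dst in ("10.10.1.13", "10.10.1.20", "10.200.0.5", "10.1.1.13"):
        print(dst, "->", select_route(ROUTES, dst),
              "encrypted" if will_encrypt(POLICIES, src, dst) else "CLEARTEXT")
    print("route fix viable for 10.10.1.0/24:", route_fix_possible(CONNECTED, "10.10.1.0/24"))
```

The practical check this encodes: before blaming routing, confirm that the address you are pinging is inside the tunnel's subnet selector, and that the remote prefix does not overlap the subnet your instance actually sits on.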




