No subject

Tue Feb 5 18:22:43 EST 2013

[binand at sarajevo ~]$ traceroute -n
traceroute to (, 30 hops max, 60 byte packets
 1  0.125 ms  0.115 ms  0.111 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *

Not sure where this traffic is going.

So I know there is something in the configuration that I have missed. Given
that this is a sort of standard deployment scenario for VPNs, I am hoping
someone out there has gotten this working already.



Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Hi All,<div><br></div><div>I am struggling to setup an IPS=
ec VPN between an Openswan installation (Centos 6.3, packaged version=A0ope=
nswan-2.6.32-16.el6.x86_64) and my Amazon EC2 VPC (which is basically a pri=
vate network with EC2 with NAT at the edge using a black box, details at=A0=
<a href=3D""></a>).</di=
<div><br></div><div style>My topology is like this:</div><div style><br></d=
iv><div style><div>Office has two subnets, <a href=3D"
4"></a> and <a href=3D"">
24</a>, with default gateway set to and respectiv=
ely. Office has externally visible IP address (network: <a h=
ref=3D""></a>) with ISP-side gatew=
ay as</div>
<div><br></div><div>EC2 VPC has LAN within <a href=3D"">1=</a>, with default gateway set to</div></div><div><br><=
/div><div style>Here are the steps I followed:</div><div style><br></div>
<div style><div>1. Created a &quot;customer gateway&quot; with my office ex=
ternal IP address, and routing =3D Static.</div><div><br></d=
iv><div>2. Created a &quot;virtual private gateway&quot;. Attach it to my V=
<div><br></div><div>3. Went to my routing table, route propagation configur=
ation and added the virtual private gateway to it. My understanding is that=
 the EC2 LAN can be accessed by traffic emerging out of the virtual private=
<div><br></div><div>4. Created VPN connection with:</div><div><br></div><di=
v>VPG =3D created in step 2</div><div>CG =3D created in step 1</div><div>IP=
 prefix to be specified =3D <a href=3D"">
/24</a> and <a href=3D""></a></div>
<div><br></div><div>5. Selected the VPN thus created and downloaded configu=
ration with these parameters: Vendor: Generic, Platform: Generic, Software:=
 Vendor agnostic. The configuration dump is available at:</div><div><br>
</div><div><a href=3D"">
YEpFi</a><br></div><div><br></div><div style>6. Used this dump to create my=
 Openswan configuration. It is:</div><div style><br></div><div style>ipsec.=
<div style><br></div><div style><div># AWS VPC connection</div><div># The P=
SK is autogenerated by AWS.</div><div> =A0203.0.113.224 =A0 :=
 =A0 =A0 =A0 PSK =A0 =A0 &quot;PSK1&quot;</div><div> =A0203.0=
.113.192 =A0 : =A0 =A0 =A0 PSK =A0 =A0 &quot;PSK2&quot;</div>
<div><br></div><div style>ipsec.conf (I don&#39;t think the two-tunnel HA m=
odel works with Openswan, so I have let one of them to be down all the time=
).</div><div style><br></div><div style><div>conn aws-vpc-1</div><div>=A0 =
=A0 =A0 =A0 leftsourceip=3D192.168.1.74</div>
<div>=A0 =A0 =A0 =A0 leftsubnets=3D&quot;<a href=3D""=
></a> <a href=3D""></a>=
&quot;</div><div>=A0 =A0 =A0 =A0 right=3D203.0.113.224</div><div>=A0 =A0 =
=A0 =A0 rightid=3D203.0.113.224</div>
<div>=A0 =A0 =A0 =A0 rightsourceip=3D192.168.1.73</div><div>=A0 =A0 =A0 =A0=
 rightsubnet=3D<a href=3D""></a></div><div>=A0=
 =A0 =A0 =A0 also=3Daws-vpc-common</div><div><br></div><div>#conn aws-vpc-2=
</div><div>=A0 =A0 =A0 =A0 #leftsourceip=3D192.168.1.78</div>
<div>=A0 =A0 =A0 =A0 #leftsubnets=3D&quot;<a href=3D"
"></a> <a href=3D""></a=
>&quot;</div><div>=A0 =A0 =A0 =A0 #right=3D203.0.113.192</div><div>=A0 =A0 =
=A0 =A0 #rightid=3D203.0.113.192</div>
<div>=A0 =A0 =A0 =A0 #rightsourceip=3D192.168.1.77</div><div>=A0 =A0 =A0 =
=A0 #rightsubnet=3D<a href=3D""></a></div><div=
>=A0 =A0 =A0 =A0 #also=3Daws-vpc-common</div><div><br></div><div>conn aws-v=
pc-common</div><div>=A0 =A0 =A0 =A0 left=3D198.51.100.194</div>
<div>=A0 =A0 =A0 =A0 leftid=3D198.51.100.194</div><div>=A0 =A0 =A0 =A0 left=
nexthop=3D198.51.100.193</div><div>=A0 =A0 =A0 =A0 type=3Dtunnel</div><div>=
=A0 =A0 =A0 =A0 authby=3Dsecret</div><div>=A0 =A0 =A0 =A0 auto=3Dstart</div=
><div>=A0 =A0 =A0 =A0 ike=3Daes128-sha1;modp1024</div><div>
=A0 =A0 =A0 =A0 phase2=3Desp</div><div>=A0 =A0 =A0 =A0 phase2alg=3Daes128-s=
ha1;modp1024</div><div>=A0 =A0 =A0 =A0 aggrmode=3Dno</div><div><br></div><d=
iv><br></div><div><br></div><div><div>[root at zagreb ipsec.d]# service ipsec =
start</div><div>ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-279.19=
<div>ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys=
/crypto/fips_enabled</div><div>ipsec_setup: defaulting leftsubnet to 192.16=
8.1.74</div><div>ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set =
in /proc/sys/crypto/fips_enabled</div>
</div><div><br></div><div><br></div><div style>And this is what is logged t=
o syslog:</div><div style><br></div><div style><a href=3D"http://pastebin.c=
om/mb57S3eb"></a><br></div><div style><br></div=
<div style>Finally:</div><div style><br></div><div style><div>[root at zagreb =
ipsec.d]# service ipsec status</div><div>IPsec running =A0- pluto pid: 3597=
</div><div>pluto pid 3597</div><div>2 tunnels up</div><div>some eroutes exi=
<div><br></div><div style>My problem is that nothing goes through the tunne=
l.</div><div style><br></div><div style><div>[root at zagreb ipsec.d]# ip rout=
e show</div><div> dev tun0 =A0proto kernel =A0scope link =A0src=</div>
<div><a href=3D""></a> dev eth1 =
=A0proto kernel =A0scope link =A0src</div><div><a href=3D"ht=
tp://"></a> dev eth0 =A0proto kernel =A0scope=
 link =A0src</div>
<div><a href=3D""></a> via 172.16.101.=
2 dev tun0</div><div><a href=3D""></a> via 198=
.51.100.193 dev eth1 =A0src</div><div><a href=3D"http://169.25=
4.0.0/16"></a> dev eth1 =A0scope link =A0metric 1002</div>
<div><a href=3D""></a> dev eth0 =A0scope=
 link =A0metric 1003</div><div>default via dev eth1</div><di=
v><br></div><div style>From VPC end:</div><div style><br></div><div style><=
[binand at n5 ~]$ traceroute -n</div><div>traceroute to 172.16.1=
00.10 (, 30 hops max, 60 byte packets</div><div>=A01 =A0192.1=
68.1.29 =A00.689 ms =A00.644 ms =A00.600 ms</div><div>=A02 =A0192.168.1.73 =
=A02.245 ms =A02.173 ms =A02.257 ms</div>
<div>=A03 =A0* * *</div><div>=A04 =A0* * *</div><div>=A05 =A0* * *</div><di=
v>=A06 =A0* * *</div><div><br></div></div><div style>(Looks like the VPC en=
d is pushing traffic into the tunnel, looking at hop #2)</div><div style><b=
r></div><div style>

More information about the Users mailing list