No subject
Tue Feb 5 18:22:43 EST 2013
[binand at sarajevo ~]$ traceroute -n 10.0.0.53
traceroute to 10.0.0.53 (10.0.0.53), 30 hops max, 60 byte packets
1 172.16.100.1 0.125 ms 0.115 ms 0.111 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
Not sure where this traffic is going.
So I know there is something in the configuration that I have missed. Given
that this is a sort of standard deployment scenario for VPNs, I am hoping
someone out there has gotten this working already.
Thanks,
Binand
--20cf301d3dc67dd8f604d5d2015e
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr">Hi All,<div><br></div><div>I am struggling to setup an IPS=
ec VPN between an Openswan installation (Centos 6.3, packaged version=A0ope=
nswan-2.6.32-16.el6.x86_64) and my Amazon EC2 VPC (which is basically a pri=
vate network with EC2 with NAT at the edge using a black box, details at=A0=
<a href=3D"http://aws.amazon.com/vpc/">http://aws.amazon.com/vpc/</a>).</di=
v>
<div><br></div><div style>My topology is like this:</div><div style><br></d=
iv><div style><div>Office has two subnets, <a href=3D"http://172.16.100.0/2=
4">172.16.100.0/24</a> and <a href=3D"http://172.16.101.0/24">172.16.101.0/=
24</a>, with default gateway set to 172.16.100.1 and 172.16.101.1 respectiv=
ely. Office has externally visible IP address 198.51.100.194 (network: <a h=
ref=3D"http://198.51.100.192/29">198.51.100.192/29</a>) with ISP-side gatew=
ay as 198.51.100.193.</div>
<div><br></div><div>EC2 VPC has LAN within <a href=3D"http://10.0.0.0/24">1=
0.0.0.0/24</a>, with default gateway set to 10.0.0.1.</div></div><div><br><=
/div><div style>Here are the steps I followed:</div><div style><br></div>
<div style><div>1. Created a "customer gateway" with my office ex=
ternal IP address, 198.51.100.194 and routing =3D Static.</div><div><br></d=
iv><div>2. Created a "virtual private gateway". Attach it to my V=
PC.</div>
<div><br></div><div>3. Went to my routing table, route propagation configur=
ation and added the virtual private gateway to it. My understanding is that=
the EC2 LAN can be accessed by traffic emerging out of the virtual private=
gateway.=A0</div>
<div><br></div><div>4. Created VPN connection with:</div><div><br></div><di=
v>VPG =3D created in step 2</div><div>CG =3D created in step 1</div><div>IP=
prefix to be specified =3D <a href=3D"http://172.16.100.0/24">172.16.100.0=
/24</a> and <a href=3D"http://172.16.101.0/24">172.16.101.0/24</a></div>
<div><br></div><div>5. Selected the VPN thus created and downloaded configu=
ration with these parameters: Vendor: Generic, Platform: Generic, Software:=
Vendor agnostic. The configuration dump is available at:</div><div><br>
</div><div><a href=3D"http://pastebin.com/vrjYEpFi">http://pastebin.com/vrj=
YEpFi</a><br></div><div><br></div><div style>6. Used this dump to create my=
Openswan configuration. It is:</div><div style><br></div><div style>ipsec.=
secrets:</div>
<div style><br></div><div style><div># AWS VPC connection</div><div># The P=
SK is autogenerated by AWS.</div><div>198.51.100.194 =A0203.0.113.224 =A0 :=
=A0 =A0 =A0 PSK =A0 =A0 "PSK1"</div><div>198.51.100.194 =A0203.0=
.113.192 =A0 : =A0 =A0 =A0 PSK =A0 =A0 "PSK2"</div>
<div><br></div><div style>ipsec.conf (I don't think the two-tunnel HA m=
odel works with Openswan, so I have let one of them to be down all the time=
).</div><div style><br></div><div style><div>conn aws-vpc-1</div><div>=A0 =
=A0 =A0 =A0 leftsourceip=3D192.168.1.74</div>
<div>=A0 =A0 =A0 =A0 leftsubnets=3D"<a href=3D"http://172.16.100.0/24"=
>172.16.100.0/24</a> <a href=3D"http://172.16.101.0/24">172.16.101.0/24</a>=
"</div><div>=A0 =A0 =A0 =A0 right=3D203.0.113.224</div><div>=A0 =A0 =
=A0 =A0 rightid=3D203.0.113.224</div>
<div>=A0 =A0 =A0 =A0 rightsourceip=3D192.168.1.73</div><div>=A0 =A0 =A0 =A0=
rightsubnet=3D<a href=3D"http://10.0.0.0/24">10.0.0.0/24</a></div><div>=A0=
=A0 =A0 =A0 also=3Daws-vpc-common</div><div><br></div><div>#conn aws-vpc-2=
</div><div>=A0 =A0 =A0 =A0 #leftsourceip=3D192.168.1.78</div>
<div>=A0 =A0 =A0 =A0 #leftsubnets=3D"<a href=3D"http://172.16.100.0/24=
">172.16.100.0/24</a> <a href=3D"http://172.16.100.0/24">172.16.100.0/24</a=
>"</div><div>=A0 =A0 =A0 =A0 #right=3D203.0.113.192</div><div>=A0 =A0 =
=A0 =A0 #rightid=3D203.0.113.192</div>
<div>=A0 =A0 =A0 =A0 #rightsourceip=3D192.168.1.77</div><div>=A0 =A0 =A0 =
=A0 #rightsubnet=3D<a href=3D"http://10.0.0.0/24">10.0.0.0/24</a></div><div=
>=A0 =A0 =A0 =A0 #also=3Daws-vpc-common</div><div><br></div><div>conn aws-v=
pc-common</div><div>=A0 =A0 =A0 =A0 left=3D198.51.100.194</div>
<div>=A0 =A0 =A0 =A0 leftid=3D198.51.100.194</div><div>=A0 =A0 =A0 =A0 left=
nexthop=3D198.51.100.193</div><div>=A0 =A0 =A0 =A0 type=3Dtunnel</div><div>=
=A0 =A0 =A0 =A0 authby=3Dsecret</div><div>=A0 =A0 =A0 =A0 auto=3Dstart</div=
><div>=A0 =A0 =A0 =A0 ike=3Daes128-sha1;modp1024</div><div>
=A0 =A0 =A0 =A0 phase2=3Desp</div><div>=A0 =A0 =A0 =A0 phase2alg=3Daes128-s=
ha1;modp1024</div><div>=A0 =A0 =A0 =A0 aggrmode=3Dno</div><div><br></div><d=
iv><br></div><div><br></div><div><div>[root at zagreb ipsec.d]# service ipsec =
start</div><div>ipsec_setup: Starting Openswan IPsec U2.6.32/K2.6.32-279.19=
.1.el6.x86_64...</div>
<div>ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys=
/crypto/fips_enabled</div><div>ipsec_setup: defaulting leftsubnet to 192.16=
8.1.74</div><div>ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set =
in /proc/sys/crypto/fips_enabled</div>
</div><div><br></div><div><br></div><div style>And this is what is logged t=
o syslog:</div><div style><br></div><div style><a href=3D"http://pastebin.c=
om/mb57S3eb">http://pastebin.com/mb57S3eb</a><br></div><div style><br></div=
>
<div style>Finally:</div><div style><br></div><div style><div>[root at zagreb =
ipsec.d]# service ipsec status</div><div>IPsec running =A0- pluto pid: 3597=
</div><div>pluto pid 3597</div><div>2 tunnels up</div><div>some eroutes exi=
st</div>
<div><br></div><div style>My problem is that nothing goes through the tunne=
l.</div><div style><br></div><div style><div>[root at zagreb ipsec.d]# ip rout=
e show</div><div>172.16.101.2 dev tun0 =A0proto kernel =A0scope link =A0src=
172.16.101.1</div>
<div><a href=3D"http://198.51.100.192/29">198.51.100.192/29</a> dev eth1 =
=A0proto kernel =A0scope link =A0src 198.51.100.194</div><div><a href=3D"ht=
tp://172.16.100.0/24">172.16.100.0/24</a> dev eth0 =A0proto kernel =A0scope=
link =A0src 172.16.100.1</div>
<div><a href=3D"http://172.16.101.0/24">172.16.101.0/24</a> via 172.16.101.=
2 dev tun0</div><div><a href=3D"http://10.0.0.0/24">10.0.0.0/24</a> via 198=
.51.100.193 dev eth1 =A0src 192.168.1.74</div><div><a href=3D"http://169.25=
4.0.0/16">169.254.0.0/16</a> dev eth1 =A0scope link =A0metric 1002</div>
<div><a href=3D"http://169.254.0.0/16">169.254.0.0/16</a> dev eth0 =A0scope=
link =A0metric 1003</div><div>default via 198.51.100.193 dev eth1</div><di=
v><br></div><div style>From VPC end:</div><div style><br></div><div style><=
div>
[binand at n5 ~]$ traceroute -n 172.16.100.10</div><div>traceroute to 172.16.1=
00.10 (172.16.100.10), 30 hops max, 60 byte packets</div><div>=A01 =A0192.1=
68.1.29 =A00.689 ms =A00.644 ms =A00.600 ms</div><div>=A02 =A0192.168.1.73 =
=A02.245 ms =A02.173 ms =A02.257 ms</div>
<div>=A03 =A0* * *</div><div>=A04 =A0* * *</div><div>=A05 =A0* * *</div><di=
v>=A06 =A0* * *</div><div><br></div></div><div style>(Looks like the VPC en=
d is pushing traffic into the tunnel, looking at hop #2)</div><div style><b=
r></div><div style>
More information about the Users
mailing list