[Openswan Users] Problem with site-to-site VPN on Amazon VPC.

Gustavo Ávila gustavo.avila at gmail.com
Thu Jan 3 14:59:24 EST 2013


Hi folks,

I'm very new to Openswan, and I tried to configure a site-to-site
IPsec VPN between Amazon VPC (172.20.10.0/24) and my branch office network
(172.20.2.0/24).

I was following this tutorial: gist.github.com/2871257, but I can't get a
connection.

Here is my configuration:

Amazon VPC:

Ubuntu 12.04 x64
Openswan 2.6.37
Network: 172.20.10.0/24
Ubuntu local IP: 172.20.10.221
Public IP: 107.23.111.XXX

ipsec.conf:

# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combation from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Enable core dumps (might require system changes, like ulimit -C)
        # This is required for abrtd to work properly
        # Note: incorrect SElinux policies might prevent pluto writing the core
        dumpdir=/var/run/pluto/
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using 25/8 as "private" address space on their 3G network.
        # This range has not been announced via BGP (at least upto 2010-12-21)
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!172.20.2.0/24
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        protostack=auto
        # Use this to log to a file, or disable logging on embedded systems (like openwrt)
        #plutostderrlog=/dev/null

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
#               left=10.0.0.1
#               leftsubnet=172.16.0.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway, subnet behind it, nexthop toward left.
#               right=10.12.12.1
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
#               # To authorize this connection, but not actually start it,
#               # at startup, uncomment this.
#               #auto=add

include /etc/ipsec.d/*.conf




/etc/ipsec.d/vimex.conf:

conn vimex
        authby=secret
        forceencaps=yes
        auto=start
        left=%defaultroute
        leftid=107.23.111.XXX
        leftsourceip=107.23.111.XXX
        right=201.122.32.XXX
        rightid=201.122.32.XXX
        rightsubnet=172.20.2.0/24



vimex.secrets:

201.122.32.XXX 0.0.0.0: PSK "12345"

Branch office (VIMEX):

Ubuntu 12.04 x32
Openswan 2.6.37
Network: 172.20.2.0/24
Ubuntu local IP: 172.20.2.193
Public IP: 201.122.32.XXX
* This network is behind an Endian firewall and the Ubuntu server is NATed.



ipsec.conf:


# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combation from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Enable core dumps (might require system changes, like ulimit -C)
        # This is required for abrtd to work properly
        # Note: incorrect SElinux policies might prevent pluto writing the core
        dumpdir=/var/run/pluto/
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using 25/8 as "private" address space on their 3G network.
        # This range has not been announced via BGP (at least upto 2010-12-21)
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!172.20.10.0/24
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        protostack=netkey
        # Use this to log to a file, or disable logging on embedded systems (like openwrt)
        #plutostderrlog=/dev/null

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#               # Left security gateway, subnet behind it, nexthop toward right.
#               left=10.0.0.1
#               leftsubnet=172.16.0.0/24
#               leftnexthop=10.22.33.44
#               # Right security gateway, subnet behind it, nexthop toward left.
#               right=10.12.12.1
#               rightsubnet=192.168.0.0/24
#               rightnexthop=10.101.102.103
#               # To authorize this connection, but not actually start it,
#               # at startup, uncomment this.
#               #auto=add

include /etc/ipsec.d/*.conf



/etc/ipsec.d/vpc.conf:

conn vpc
        authby=secret
        forceencaps=yes
        auto=start
        left=%defaultroute
        leftid=201.122.32.XX
        leftsourceip=201.122.32.XX
        right=107.23.111.XX
        rightid=107.23.111.XX
        rightsubnet=172.20.10.0/24



vpc.secrets:


107.23.111.XXX 0.0.0.0: PSK "12345"



When I start the openswan service and do ipsec auto --up vpc or ipsec auto
--up vimex, I get this error:

022 "vpc": We cannot identify ourselves with either end of this connection.


Do you have any idea what's wrong?

Thanks for any advice.
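As an added example (not from the post or the tutorial it cites), a small Python pre-flight check over the two conn blocks and secrets lines above, the kind of consistency pass a defender runs before turning on pluto debugging: it verifies that the two gateways' leftid/rightid mirror each other, that each side declares the leftsubnet the peer names as rightsubnet, that the secrets index covers both IDs, and flags a short PSK. The constructed input copies the posted values with the XX/XXX redaction normalised to XXX; MIN_PSK_LEN, the treatment of 0.0.0.0 as a wildcard index, and the function names are this example's assumptions.

```python
import re
# Constructed from the two conn blocks and .secrets lines in the post above; the
# poster's XX/XXX redaction is normalised to XXX so both sides can be compared.
VPC_VIMEX = """conn vimex
    left=%defaultroute
    leftid=107.23.111.XXX
    right=201.122.32.XXX
    rightid=201.122.32.XXX
    rightsubnet=172.20.2.0/24"""
BRANCH_VPC = """conn vpc
    left=%defaultroute
    leftid=201.122.32.XXX
    right=107.23.111.XXX
    rightid=107.23.111.XXX
    rightsubnet=172.20.10.0/24"""
VPC_SECRETS = '201.122.32.XXX 0.0.0.0: PSK "12345"'
BRANCH_SECRETS = '107.23.111.XXX 0.0.0.0: PSK "12345"'
MIN_PSK_LEN = 20                  # assumed local policy floor, not an Openswan rule
WILDCARDS = {"%any", "0.0.0.0"}   # both treated as match-anything indices (assumption)

def parse_conn(text):
    """Map key -> value for the settings under a 'conn <name>' header."""
    return dict(line.strip().split("=", 1) for line in text.strip().splitlines()[1:])

def parse_secret(line):
    """Return (index ids, psk) from one 'id id: PSK "..."' line."""
    index, _, rest = line.partition(":")
    return set(index.split()), re.search(r'PSK\s+"([^"]*)"', rest).group(1)

def check_side(local, remote, secret_line):
    """Findings for one gateway, given its conn, the peer's conn and its secrets line."""
    findings = []
    if local["leftid"] != remote["rightid"] or local["rightid"] != remote["leftid"]:
        findings.append("leftid/rightid do not mirror the peer's rightid/leftid")
    if "leftsubnet" not in local:
        findings.append(f"no leftsubnet: host-to-subnet only, peer rightsubnet={remote.get('rightsubnet')} has no local counterpart")
    elif local["leftsubnet"] != remote.get("rightsubnet"):
        findings.append("leftsubnet does not equal the peer's rightsubnet")
    ids, psk = parse_secret(secret_line)
    for side in ("leftid", "rightid"):     # every ID must be named or covered by a wildcard
        if local[side] not in ids and not ids & WILDCARDS:
            findings.append(f"secrets index does not cover {side}={local[side]}")
    if len(psk) < MIN_PSK_LEN:
        findings.append(f"PSK is only {len(psk)} characters long")
    return findings

if __name__ == "__main__":   # run each gateway's check against the other's conn
    print("vpc", check_side(parse_conn(VPC_VIMEX), parse_conn(BRANCH_VPC), VPC_SECRETS))
    print("branch", check_side(parse_conn(BRANCH_VPC), parse_conn(VPC_VIMEX), BRANCH_SECRETS))
```

On the posted values both sides report the same two findings: no leftsubnet on either gateway, and a five-character PSK.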