[Openswan Users] Problem routing over tunnel
Matt Shields
matt at mattshields.org
Thu Jul 9 13:17:10 EDT 2015
I currently have two Amazon VPC clouds set up, each with a NAT
gateway/firewall, and I've set up a VPN server in the public subnet of each
VPC and NAT'd UDP 500/4500. I've set up both servers (configs below) and it
seems as though the tunnel is up, but when I try to ping the private IP of
the other server, it doesn't work. Any suggestions?
VPC1 (10.10.0.0/16) (external IP x.x.x.x)
config setup
    klipsdebug=none
    plutodebug=none
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.10.0.0/16,%v4:!192.168.0.0/24
    oe=off

conn site-to-site
    auto=start
    type=tunnel
    left=10.10.10.43
    leftsourceip=x.x.x.x
    leftsubnet=10.10.0.0/16
    leftid=x.x.x.x
    right=y.y.y.y
    rightsubnet=192.168.0.0/24
    rightid=y.y.y.y
    #phase 1 encryption-integrity-DiffieHellman
    keyexchange=ike
    ike=3des-md5-modp1024,aes256-sha1-modp1024
    ikelifetime=86400s
    authby=secret #use presharedkey
    rekey=yes #should we rekey when key lifetime is about to expire
    #phase 2 encryption-pfsgroup
    phase2=esp #esp for encryption | ah for authentication only
    phase2alg=3des-md5;modp1024
    pfs=no
    forceencaps=yes
VPC2 (192.168.0.0/24) (external IP y.y.y.y)
config setup
    klipsdebug=none
    plutodebug=none
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:192.168.0.0/24,%v4:!10.10.0.0/16
    oe=off

conn site-to-site
    auto=start
    type=tunnel
    left=192.168.0.22
    leftsourceip=y.y.y.y
    leftsubnet=192.168.0.0/24
    leftid=y.y.y.y
    right=x.x.x.x
    rightsubnet=10.10.0.0/16
    rightid=x.x.x.x
    #phase 1 encryption-integrity-DiffieHellman
    keyexchange=ike
    ike=3des-md5-modp1024,aes256-sha1-modp1024
    ikelifetime=86400s
    authby=secret #use presharedkey
    rekey=yes #should we rekey when key lifetime is about to expire
    #phase 2 encryption-pfsgroup
    phase2=esp #esp for encryption | ah for authentication only
    phase2alg=3des-md5;modp1024
    pfs=no
    forceencaps=yes
Output of "service ipsec status" shows 2 tunnels up on both sides
IPsec running - pluto pid: 19702
pluto pid 19702
2 tunnels up
some eroutes exist
VPC1 log
adjusting ipsec.d to /etc/ipsec.d
nss directory plutomain: /etc/ipsec.d
NSS Initialized
Non-fips mode set in /proc/sys/crypto/fips_enabled
Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:19702
Non-fips mode set in /proc/sys/crypto/fips_enabled
LEAK_DETECTIVE support [disabled]
OCF support for IKE [disabled]
SAref support [disabled]: Protocol not available
SAbind support [disabled]: Protocol not available
NSS support [enabled]
HAVE_STATSD notification support not compiled in
Setting NAT-Traversal port-4500 floating to on
port floating activation criteria nat_t=1/port_float=1
NAT-Traversal support [enabled]
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
starting up 1 cryptographic helpers
started helper (thread) pid=140413867869952 (fd:7)
Using Linux 2.6 IPsec interface code on 3.14.44-32.39.amzn1.x86_64 (experimental code)
ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Could not change to directory '/etc/ipsec.d/cacerts': /
Could not change to directory '/etc/ipsec.d/aacerts': /
Could not change to directory '/etc/ipsec.d/ocspcerts': /
Could not change to directory '/etc/ipsec.d/crls'
Non-fips mode set in /proc/sys/crypto/fips_enabled
Non-fips mode set in /proc/sys/crypto/fips_enabled
Non-fips mode set in /proc/sys/crypto/fips_enabled
added connection description "site-to-site"
listening for IKE messages
adding interface eth0/eth0 10.10.10.43:500
adding interface eth0/eth0 10.10.10.43:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
adding interface lo/lo ::1:500
loading secrets from "/etc/ipsec.secrets"
loaded private key for keyid: PPK_RSA:AQPBMnX+l
loading secrets from "/etc/ipsec.d/site-to-site.secrets"
"site-to-site" #1: initiating Main Mode
"site-to-site" #1: received Vendor ID payload [Openswan (this version) 2.6.37 ]
"site-to-site" #1: received Vendor ID payload [Dead Peer Detection]
"site-to-site" #1: received Vendor ID payload [RFC 3947] method set to=109
"site-to-site" #1: enabling possible NAT-traversal with method 4
"site-to-site" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
"site-to-site" #1: STATE_MAIN_I2: sent MI2, expecting MR2
"site-to-site" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
"site-to-site" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
"site-to-site" #1: STATE_MAIN_I3: sent MI3, expecting MR3
"site-to-site" #1: received Vendor ID payload [CAN-IKEv2]
"site-to-site" #1: Main mode peer ID is ID_IPV4_ADDR: 'y.y.y.y'
"site-to-site" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
"site-to-site" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
"site-to-site" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:3bd3e66f proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
"site-to-site" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
"site-to-site" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x11221f07 <0xa08c7912 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=y.y.y.y:4500 DPD=none}
packet from y.y.y.y:500: received Vendor ID payload [Openswan (this version) 2.6.37 ]
packet from y.y.y.y:500: received Vendor ID payload [Dead Peer Detection]
packet from y.y.y.y:500: received Vendor ID payload [RFC 3947] method set to=109
packet from y.y.y.y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
packet from y.y.y.y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
packet from y.y.y.y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
packet from y.y.y.y:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
"site-to-site" #3: responding to Main Mode
"site-to-site" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"site-to-site" #3: STATE_MAIN_R1: sent MR1, expecting MI2
"site-to-site" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
"site-to-site" #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"site-to-site" #3: STATE_MAIN_R2: sent MR2, expecting MI3
"site-to-site" #3: Main mode peer ID is ID_IPV4_ADDR: 'y.y.y.y'
"site-to-site" #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"site-to-site" #3: new NAT mapping for #3, was y.y.y.y:500, now y.y.y.y:4500
"site-to-site" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
"site-to-site" #3: the peer proposed: 10.10.0.0/16:0/0 -> 192.168.0.0/24:0/0
"site-to-site" #4: responding to Quick Mode proposal {msgid:ee8d0a53}
"site-to-site" #4: us: 10.10.0.0/16===10.10.10.43<10.10.10.43>[x.x.x.x,+S=C]
"site-to-site" #4: them: y.y.y.y<y.y.y.y>[+S=C]===192.168.0.0/24
"site-to-site" #4: keeping refhim=4294901761 during rekey
"site-to-site" #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
"site-to-site" #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
"site-to-site" #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
"site-to-site" #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x82e90be9 <0x0e8a4136 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=y.y.y.y:4500 DPD=none}
VPC2 log
adjusting ipsec.d to /etc/ipsec.d
nss directory plutomain: /etc/ipsec.d
NSS Initialized
Non-fips mode set in /proc/sys/crypto/fips_enabled
Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:28146
Non-fips mode set in /proc/sys/crypto/fips_enabled
LEAK_DETECTIVE support [disabled]
OCF support for IKE [disabled]
SAref support [disabled]: Protocol not available
SAbind support [disabled]: Protocol not available
NSS support [enabled]
HAVE_STATSD notification support not compiled in
Setting NAT-Traversal port-4500 floating to on
port floating activation criteria nat_t=1/port_float=1
NAT-Traversal support [enabled]
ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
starting up 1 cryptographic helpers
started helper (thread) pid=140498468075264 (fd:7)
Using Linux 2.6 IPsec interface code on 3.14.35-28.38.amzn1.x86_64 (experimental code)
ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
ike_alg_add(): ERROR: Algorithm already exists
ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Could not change to directory '/etc/ipsec.d/cacerts': /
Could not change to directory '/etc/ipsec.d/aacerts': /
Could not change to directory '/etc/ipsec.d/ocspcerts': /
Could not change to directory '/etc/ipsec.d/crls'
Non-fips mode set in /proc/sys/crypto/fips_enabled
Non-fips mode set in /proc/sys/crypto/fips_enabled
Non-fips mode set in /proc/sys/crypto/fips_enabled
added connection description "site-to-site"
listening for IKE messages
adding interface eth0/eth0 192.168.0.22:500
adding interface eth0/eth0 192.168.0.22:4500
adding interface lo/lo 127.0.0.1:500
adding interface lo/lo 127.0.0.1:4500
adding interface lo/lo ::1:500
loading secrets from "/etc/ipsec.secrets"
loaded private key for keyid: PPK_RSA:AQOYRIj+s
loading secrets from "/etc/ipsec.d/site-to-site.secrets"
"site-to-site" #1: initiating Main Mode
"site-to-site" #1: ERROR: asynchronous network error report on eth0 (sport=500) for message to x.x.x.x port 500, complainant x.x.x.x: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
packet from x.x.x.x:500: received Vendor ID payload [Openswan (this version) 2.6.37 ]
packet from x.x.x.x:500: received Vendor ID payload [Dead Peer Detection]
packet from x.x.x.x:500: received Vendor ID payload [RFC 3947] method set to=109
packet from x.x.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
packet from x.x.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
packet from x.x.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
packet from x.x.x.x:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
"site-to-site" #2: responding to Main Mode
"site-to-site" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"site-to-site" #2: STATE_MAIN_R1: sent MR1, expecting MI2
"site-to-site" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
"site-to-site" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"site-to-site" #2: STATE_MAIN_R2: sent MR2, expecting MI3
"site-to-site" #2: Main mode peer ID is ID_IPV4_ADDR: 'x.x.x.x'
"site-to-site" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"site-to-site" #2: new NAT mapping for #2, was x.x.x.x:500, now x.x.x.x:4500
"site-to-site" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
"site-to-site" #2: the peer proposed: 192.168.0.0/24:0/0 -> 10.10.0.0/16:0/0
"site-to-site" #3: responding to Quick Mode proposal {msgid:3bd3e66f}
"site-to-site" #3: us: 192.168.0.0/24===192.168.0.22<192.168.0.22>[y.y.y.y,+S=C]
"site-to-site" #3: them: x.x.x.x<x.x.x.x>[+S=C]===10.10.0.0/16
"site-to-site" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
"site-to-site" #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
"site-to-site" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
"site-to-site" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0xa08c7912 <0x11221f07 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=x.x.x.x:4500 DPD=none}
"site-to-site" #1: received Vendor ID payload [Openswan (this version) 2.6.37 ]
"site-to-site" #1: received Vendor ID payload [Dead Peer Detection]
"site-to-site" #1: received Vendor ID payload [RFC 3947] method set to=109
"site-to-site" #1: enabling possible NAT-traversal with method 4
"site-to-site" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
"site-to-site" #1: STATE_MAIN_I2: sent MI2, expecting MR2
"site-to-site" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
"site-to-site" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
"site-to-site" #1: STATE_MAIN_I3: sent MI3, expecting MR3
"site-to-site" #1: received Vendor ID payload [CAN-IKEv2]
"site-to-site" #1: Main mode peer ID is ID_IPV4_ADDR: 'x.x.x.x'
"site-to-site" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
"site-to-site" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1024}
"site-to-site" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:ee8d0a53 proposal=3DES(3)_192-MD5(1)_128 pfsgroup=no-pfs}
"site-to-site" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
"site-to-site" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x0e8a4136 <0x82e90be9 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=x.x.x.x:4500 DPD=none}
Matt
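Added example, not code from the original post or from the Openswan project: a small Python checker that parses the two conn sections, confirms that each side's subnets and IDs mirror the other's, and flags the points a reviewer would raise about the configs above. It assumes the public addresses x.x.x.x and y.y.y.y are placeholders; in the constructed sample they are replaced with RFC 5737 documentation addresses so the address checks can run, and everything else is copied from the post. On these values it reports three things: leftsourceip is the NAT'd public address rather than an address inside leftsubnet, so packets the VPN host itself generates towards the peer subnet are sourced outside the protected range and do not match the leftsubnet-to-rightsubnet policy; auto=start on both ends makes each side bring up its own tunnel, which is what the "2 tunnels up" status line counts; and 3DES, MD5, SHA-1 and modp1024 with pfs=no are weak choices for both phases.

```python
"""Cross-check two Openswan site-to-site conn sections and flag weak crypto.
Added example; not the original poster's code and not part of Openswan."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the two configs in the post. The public
# addresses x.x.x.x / y.y.y.y are replaced with RFC 5737 documentation
# addresses so the address checks can run; the other values are unchanged.
VPC1_CONF = """
config setup
    protostack=netkey
conn site-to-site
    auto=start
    left=10.10.10.43
    leftsourceip=198.51.100.10
    leftsubnet=10.10.0.0/16
    leftid=198.51.100.10
    right=203.0.113.20
    rightsubnet=192.168.0.0/24
    rightid=203.0.113.20
    ike=3des-md5-modp1024,aes256-sha1-modp1024
    authby=secret #use presharedkey
    phase2alg=3des-md5;modp1024
    pfs=no
"""
VPC2_CONF = """
conn site-to-site
    auto=start
    left=192.168.0.22
    leftsourceip=203.0.113.20
    leftsubnet=192.168.0.0/24
    leftid=203.0.113.20
    right=198.51.100.10
    rightsubnet=10.10.0.0/16
    rightid=198.51.100.10
    ike=3des-md5-modp1024,aes256-sha1-modp1024
    authby=secret
    phase2alg=3des-md5;modp1024
    pfs=no
"""

WEAK_TOKENS = {"3des": "64-bit block cipher (Sweet32)", "md5": "broken hash",
               "sha1": "deprecated hash", "modp1024": "1024-bit DH group (Logjam)"}


def parse_conf(text):
    """Return {section: {key: value}}; '#' comments and blank lines are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"(config|conn)\s+(\S+)$", line)
        if header:
            current = header.group(2)
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def local_check(conn):
    """Findings that can be judged from one side's conn section alone."""
    findings = []
    subnet, src = ip_network(conn["leftsubnet"]), conn.get("leftsourceip")
    # The host's own traffic only matches the leftsubnet->rightsubnet xfrm
    # policy if it is sourced from an address inside leftsubnet.
    if src and ip_address(src) not in subnet:
        findings.append(("SOURCEIP_OUTSIDE_SUBNET",
                         f"leftsourceip={src} is not in leftsubnet={subnet}"))
    seen = set()
    for key in ("ike", "phase2alg"):
        for proposal in conn.get(key, "").split(","):
            for tok in re.split(r"[-;]", proposal):
                if tok in WEAK_TOKENS and (key, tok) not in seen:
                    seen.add((key, tok))
                    findings.append(("WEAK_ALG", f"{key}: {tok} is a {WEAK_TOKENS[tok]}"))
    if conn.get("pfs", "yes") == "no":
        findings.append(("NO_PFS", "pfs=no: Phase 2 keys derive from the Phase 1 "
                                   "secret, so one compromise exposes every child SA"))
    return findings


def cross_check(a, b):
    """Findings about the pair: a's left must be b's right and vice versa."""
    findings = []
    for mine, theirs in (("leftsubnet", "rightsubnet"), ("rightsubnet", "leftsubnet")):
        if ip_network(a[mine]) != ip_network(b[theirs]):
            findings.append(("SUBNET_MISMATCH", f"{mine}={a[mine]} vs peer {theirs}={b[theirs]}"))
    for mine, theirs in (("leftid", "rightid"), ("rightid", "leftid")):
        if a.get(mine) != b.get(theirs):
            findings.append(("ID_MISMATCH", f"{mine}={a.get(mine)} vs peer {theirs}={b.get(theirs)}"))
    if a.get("auto") == "start" and b.get("auto") == "start":
        findings.append(("DUAL_INITIATOR", "auto=start on both ends: each side initiates "
                                           "its own tunnel; use auto=add on one of them"))
    return findings


def audit(text_a, text_b, name="site-to-site"):
    """Run every check over two ipsec.conf texts; findings keyed by side and pair."""
    a, b = parse_conf(text_a)[name], parse_conf(text_b)[name]
    return {"a": local_check(a), "b": local_check(b), "pair": cross_check(a, b)}


if __name__ == "__main__":
    for side, findings in audit(VPC1_CONF, VPC2_CONF).items():
        for code, detail in findings:
            print(f"[{side}] {code}: {detail}")
```

A clean report from this checker still only says the two Pluto configurations agree with each other; whether packets reach the far subnet also depends on the VPC route tables pointing the remote prefix at the VPN instance, the instance's source/destination check being disabled, and the security groups permitting the traffic, none of which the config files show.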