[Openswan Users] Help configuring server to server connection AWS VPC to Checkpoint Firewall
Tyler Field
tyler at ospreyinformatics.com
Thu Jun 18 13:55:58 EDT 2015
Hello,
We are trying to set up IPSec with GRE from an Amazon EC2 instance in our
VPC to a third party.
Our machine is Ubuntu 14.04 running Openswan version 2.6.38.
They have provided the following IPSec configuration information:
Client IP: 74.xxx.xxx.xxx
Client Encryption Domain: 74.xxx.xxx.yyy/32
Our IP: 54.aaa.bbb.ccc
Our Encryption Domain: 10.160.255.181/30
Encryption parameters:
Phase 1: Diffie-Hellman Group 2 algorithm: 3DES-MD5
Phase 2: Diffie-Hellman Group 2 algorithm: 3DES-MD5
Perfect Forward Secrecy: No
Lifetime (for renegotiation): 3600sec
In order to match the client encryption domain we had to create a virtual
ethernet device on eth0 by adding the following to our network interfaces
file:
auto eth0:1
iface eth0:1 inet static
address 10.160.255.181
netmask 255.255.255.252
I have added the following to my ipsec.conf file, based on the blog post
here (http://blog.jameskyle.org/2012/07/configuring-openswan-ipsec-server/):
config setup
nat_traversal=yes
oe=off
protostack=netkey
plutostderrlog=/var/log/pluto_err.log
conn client_name
authby=secret
auto=start
left=%defaultroute
leftid=54.aaa.bbb.ccc
leftsubnet=10.161.255.181/30
leftnexthop=%defaultroute
right=74.xxx.xxx.xxx
rightid=74.xxx.xxx.xxx
rightsubnet=74.xxx.xxx.yyy/32
rightnexthop=%defaultroute
pfs=no
type=tunnel
aggrmode=no
ike=3des-md5;modp1024!
ikelifetime=1440m
phase2alg=3des-md5;modp1024
The secrets file looks like this:
54.xxx.xxx.xxx 74.xxx.xxx.xxx : PSK "our_secret"
Phase 1 seems to complete successfully, but I get the following in the pluto
logs:
"client_name" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
"client_name" #3: STATE_MAIN_R1: sent MR1, expecting MI2
"client_name" #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
"client_name" #3: STATE_MAIN_R2: sent MR2, expecting MI3
"client_name" #3: Main mode peer ID is ID_IPV4_ADDR: '74.198.28.1'
"client_name" #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"client_name" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
group=modp1024}
"client_name" #3: the peer proposed: 10.160.255.181/32:0/0 -> 74.198.28.244/32:0/0
"client_name" #3: cannot respond to IPsec SA request because no connection is known for 10.160.251.181/32===10.50.35.105[54.aaa.bbb.ccc]...74.xxx.xxx.xxx<74.xxx.xxx.xxx>===74.xxx.xxx.yyy/32
Any help or suggestions on what might be wrong with the config or where to
go for more information would be greatly appreciated.
Cheers,
Tyler
--
Tyler Field
DevOps Admin
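A small check, added here as example code (not from the post or from Openswan), that parses the conn's leftsubnet/rightsubnet and the pluto "the peer proposed" line and reports, per side, whether the selector the peer proposed lies inside the subnet the conn is configured with; "no connection is known for" in Phase 2 is exactly this kind of mismatch. The sample values are the post's, with 74.198.28.244/32 from the log standing in for the masked rightsubnet (an assumption).

```python
import ipaddress
import re

# Constructed from the conn in the post; rightsubnet is assumed to be the
# address the log shows, since the post masks it as 74.xxx.xxx.yyy/32.
SAMPLE_CONN = """
conn client_name
    leftsubnet=10.161.255.181/30
    rightsubnet=74.198.28.244/32
"""

# Constructed from the pluto log line in the post (line wrap removed).
SAMPLE_LOG = ('"client_name" #3: the peer proposed: '
              '10.160.255.181/32:0/0 -> 74.198.28.244/32:0/0')

# pluto prints each selector as net/prefix:protocol/port.
PROPOSED_RE = re.compile(
    r"the peer proposed:\s*(?P<left>[\d.]+/\d+):\d+/\d+\s*->\s*"
    r"(?P<right>[\d.]+/\d+):\d+/\d+")


def parse_conn(text):
    """Collect key=value settings from a conn section into a dict."""
    conn = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            conn[key.strip()] = value.strip()
    return conn


def parse_proposed(log_line):
    """Return (left_net, right_net) from a 'peer proposed' log line, or None."""
    match = PROPOSED_RE.search(log_line)
    if not match:
        return None
    # strict=False normalises host/prefix forms such as 10.161.255.181/30.
    return (ipaddress.ip_network(match["left"], strict=False),
            ipaddress.ip_network(match["right"], strict=False))


def check_selectors(conn_text, log_line):
    """Map each side to True when the proposed selector fits the configured subnet."""
    proposed = parse_proposed(log_line)
    if proposed is None:
        raise ValueError("not a 'peer proposed' line")
    conn = parse_conn(conn_text)
    left = ipaddress.ip_network(conn["leftsubnet"], strict=False)
    right = ipaddress.ip_network(conn["rightsubnet"], strict=False)
    return {"left": proposed[0].subnet_of(left),
            "right": proposed[1].subnet_of(right)}
```

A side reported as False is one whose configured subnet does not cover what the peer asked for, which is where to compare the conn against the other end's encryption domain.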