[Openswan Users] Users Digest, Vol 134, Issue 5

mickylu mickylu at gmail.com
Sun Jun 21 08:19:39 EDT 2015


2015-06-20 0:00 GMT+08:00 <users-request at lists.openswan.org>:

> Today's Topics:
>
>    1. Help configuring server to server connection AWS  VPC to
>       Checkpoint Firewall (Tyler Field)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 18 Jun 2015 11:55:58 -0600
> From: Tyler Field <tyler at ospreyinformatics.com>
> To: users at lists.openswan.org
> Subject: [Openswan Users] Help configuring server to server connection
>         AWS     VPC to Checkpoint Firewall
> Message-ID:
>         <
> CAH5cMhkjfZSkV40_20O9MNA3Asd0Z4mg6z_srq+t+8024rUeMw at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hello,
>
> We are trying to set up IPSec with GRE from an Amazon EC2 instance in our
> VPC to a third party.
>
> Our machine is Ubuntu 14.04 running Openswan Version 2.6.38
>
> They have provided the following IPSec configuration information:
>
> Client IP: 74.xxx.xxx.xxx
> Client Encryption Domain: 74.xxx.xxx.yyy/32
>
> Our IP: 54.aaa.bbb.ccc
> Our Encryption Domain: 10.160.255.181/30
>
> Encryption parameters:
> Phase 1: Diffie-Hellman Group 2 algorithm: 3DES-MD5
> Phase 2: Diffie-Hellman Group 2 algorithm: 3DES-MD5
> Perfect Forward Secrecy: No
> Lifetime (for renegotiation): 3600sec
>
> In order to match the client encryption domain we had to create a virtual
> ethernet device on eth0 by adding the following to our network interfaces
> file:
>
> auto eth0:1
> iface eth0:1 inet static
> address 10.160.255.181
> netmask 255.255.255.252
>
>
> I have added the following to my ipsec.conf file based off the blog post
> here (http://blog.jameskyle.org/2012/07/configuring-openswan-ipsec-server/):
>
> config setup
>         nat_traversal=yes
>         oe=off
>         protostack=netkey
>         plutostderrlog=/var/log/pluto_err.log
>
> conn client_name
>         authby=secret
>         auto=start
>         left=%defaultroute
>         leftid=54.aaa.bbb.ccc
>         leftsubnet=10.161.255.181/30
>         leftnexthop=%defaultroute
>         right=74.xxx.xxx.xxx
>         rightid=74.xxx.xxx.xxx
>         rightsubnet=74.xxx.xxx.yyy/32
>         rightnexthop=%defaultroute
>
>         pfs=no
>         type=tunnel
>         aggrmode=no
>
>         ike=3des-md5;modp1024!
>         ikelifetime=1440m
>         phase2alg=3des-md5;modp1024
>
> The secrets file looks like this:
> 54.xxx.xxx.xxx 74.xxx.xxx.xxx : PSK "our_secret"
>
> Phase 1 seems to complete successfully but I get the following in the pluto
> logs:
>
> "client_name" #3: transition from state STATE_MAIN_R0 to state
> STATE_MAIN_R1
> "client_name" #3: STATE_MAIN_R1: sent MR1, expecting MI2
> "client_name" #3: transition from state STATE_MAIN_R1 to state
> STATE_MAIN_R2
> "client_name" #3: STATE_MAIN_R2: sent MR2, expecting MI3
> "client_name" #3: Main mode peer ID is ID_IPV4_ADDR: '74.198.28.1'
> "client_name" #3: transition from state STATE_MAIN_R2 to state
> STATE_MAIN_R3
> "client_name" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_md5
> group=modp1024}
> "client_name" #3: the peer proposed: 10.160.255.181/32:0/0 ->
> 74.198.28.244/32:0/0
> "client_name" #3: cannot respond to IPsec SA request because no connection
> is known for
> 10.160.251.181/32===10.50.35.105[54.aaa.bbb.ccc]...74.xxx.xxx.xxx
> <74.xxx.xxx.xxx>===74.xxx.xxx.yyy/32
>
> Any help or suggestions on what might be wrong with the config or where to
> go for more information would be greatly appreciated.
>
> Cheers,
> Tyler
>
> --
> Tyler Field
> DevOps Admin
> ------------------------------
>
> _______________________________________________
> Users mailing list
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
>
>
> End of Users Digest, Vol 134, Issue 5
> *************************************
>
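The "cannot respond to IPsec SA request because no connection is known for" line above is pluto failing to find a conn whose subnets match the selectors in the "the peer proposed" line. The following script, an added example that is not part of the post or of Openswan, parses a conn's leftsubnet/rightsubnet and that log line and reports which side disagrees; the sample config is constructed from the posted leftsubnet, with the right-side selector taken from the pluto log because the posted rightsubnet is redacted.

```python
import ipaddress
import re

# Constructed sample: the posted leftsubnet plus the peer-side selector and
# the quick-mode line as they appear in the pluto log from the post.
SAMPLE_CONF = """\
conn client_name
        leftsubnet=10.161.255.181/30
        rightsubnet=74.198.28.244/32
"""
SAMPLE_LOG = ('"client_name" #3: the peer proposed: '
              '10.160.255.181/32:0/0 -> 74.198.28.244/32:0/0')
PROPOSED_RE = re.compile(
    r'"([^"]+)" #\d+: the peer proposed: (\S+?):\S+ -> (\S+?):\S+')

def parse_conn_subnets(conf_text):
    """Return {conn_name: {'leftsubnet': net, 'rightsubnet': net}}."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key in ("leftsubnet", "rightsubnet"):
                # strict=False: ipsec.conf allows a host address with a prefix
                # (10.161.255.181/30), which ipaddress rejects by default.
                conns[current][key] = ipaddress.ip_network(value, strict=False)
    return conns

def check_proposal(log_line, conns):
    """Compare the peer's selectors with the conn's subnets; [] means OK."""
    m = PROPOSED_RE.search(log_line)
    if not m:
        return ["not a 'peer proposed' log line"]
    name, problems = m.group(1), []
    for side, key, sel in (("left", "leftsubnet", m.group(2)),
                           ("right", "rightsubnet", m.group(3))):
        proposed = ipaddress.ip_network(sel, strict=False)
        configured = conns.get(name, {}).get(key)
        if configured is None:
            problems.append(f"{side}: conn {name} has no {key}")
        elif not proposed.subnet_of(configured):
            problems.append(f"{side}: {proposed} is outside {key}={configured}")
        elif proposed != configured:
            # IKEv1 quick mode does not narrow; selectors must equal the subnets.
            problems.append(f"{side}: {proposed} is narrower than {key}={configured}")
    return problems
```

Run against the sample it reports only the left side, which is the mismatch visible in the post; a conn whose leftsubnet equals the proposed 10.160.255.181/32 produces no findings.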