[Openswan Users] Tunnel is up, no traffic

Jeremy Coughlin coughlin.jeremy at gmail.com
Thu Jun 25 14:24:02 EDT 2015


Hey all,

Managed to get a tunnel up between a CentOS 6.6 box and our AWS VPC. It
shows as connected both on the box, and in AWS. The problem is routing the
traffic from the server. Everything I've tried doesn't seem to have worked,
and I'm feeling a little beyond my reach here. Any advice?

**[USER at SERVER /]# sudo service ipsec status**
IPsec running  - pluto pid: 4605
pluto pid 4605
1 tunnels up
some eroutes exist

**[USER at SERVER /]# ip route**
10.0.0.0/24 dev eth0  proto kernel  scope link  src 10.0.0.43
10.4.0.0/16 via 10.0.0.1 dev eth0  src 10.0.0.43
169.254.0.0/16 dev eth0  scope link  metric 1002
default via 10.0.0.1 dev eth0

**[USER at SERVER /]# ip xfrm policy**
src 10.0.0.0/24 dst 10.4.0.0/16
dir out priority 2352 ptype main
tmpl src 10.0.0.43 dst 71.XX.XXX.XXX
proto esp reqid 16385 mode tunnel
src 10.4.0.0/16 dst 10.0.0.0/24
dir fwd priority 2352 ptype main
tmpl src 71.XX.XX.XXX  dst 10.0.0.43
proto esp reqid 16385 mode tunnel
src 10.4.0.0/16 dst 10.0.0.0/24
dir in priority 2352 ptype main
tmpl src 71.XX.XX.XXX  dst 10.0.0.43
proto esp reqid 16385 mode tunnel

**[USER at SERVER /]# ipsec verify**
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.32/K2.6.32-504.el6.i686 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                       [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects              [OK]
NETKEY detected, testing for disabled ICMP accept_redirects [OK]
Testing against enforced SElinux mode                       [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                         [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Checking for 'ip' command                                   [OK]
Checking /bin/sh is not /bin/dash                           [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                                [DISABLED]

**ipsec.conf**
config setup
        protostack=netkey
        nat_traversal=yes
        virtual_private=10.0.0.0/24
        oe=off
**tunnel.conf**

conn aws

    type=tunnel
    authby=secret
    left=%defaultroute
    leftid=171.X.XX.XX           <----Office Ext IP of Server
    leftnexthop=%defaultroute
    leftsubnet=10.0.0.0/24       <----Internal subnet
    right=71.XX.XX.XXX           <----AWS Ext VPC Gateway
    rightsubnet=10.4.0.0/16      <----AWS Internal Subnet
    phase2=esp
    phase2alg=aes128-sha1
    ike=aes128-sha1
    ikelifetime=28800s
    salifetime=3600s
    pfs=yes
    auto=start
    rekey=yes
    keyingtries=%forever
    dpddelay=10
    dpdtimeout=60
    dpdaction=restart_by_peer

**tunnel.secrets**
171.X.XX.XX  71.XX.XX.XXX: PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"

**IPTables rules added for IPSec Traffic**

iptables -A INPUT -i eth0 -p 50 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i eth0 -p 51 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m policy --dir in --pol ipsec -m udp --dport 1701 -j ACCEPT

**[USER at SERVER /]# ipsec verify**
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,36} trans={0,2,1536} attrs={0,2,2048}
000
000 "aws": 10.0.0.0/24===10.0.0.43[171.X.XX.73,+S=C]---10.0.0.1...71.XX.XX.XXX<71.XX.XX.XXX>[+S=C]===10.4.0.0/16; erouted; eroute owner: #2
000 "aws":     myip=10.0.0.43; hisip=unset;
000 "aws":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; nat_keepalive: yes
000 "aws":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,16; interface: eth0;
000 "aws":   dpd: action:restart_by_peer; delay:10; timeout:60;
000 "aws":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "aws":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP1536(5), AES_CBC(7)_128-SHA1(2)_000-MODP1024(2)
000 "aws":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "aws":   IKE algorithm newest: AES_CBC_128-SHA1-MODP1024
000 "aws":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000
000 "aws":   ESP algorithms loaded: AES(12)_128-SHA1(2)_160
000 "aws":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<Phase1>
000
000 #2: "aws":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1978s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "aws" esp.6e00a5b@71.XX.XXX.XXX esp.8a07a523@10.0.0.43 tun.0@71.XX.XX.XXX tun.0@10.0.0.43 ref=0 refhim=4294901761
000 #1: "aws":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 26936s; newest ISAKMP; lastdpd=8s(seq in:2113 out:0); idle; import:admin initiate
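Two offline checks a practitioner would run next on a host in this state, added here as an example that is not part of the original post or of Openswan: one parses `ip -s xfrm state` to see whether either SA of the established tunnel has actually carried packets, the other parses `iptables-save -t nat` for a MASQUERADE/SNAT rule that is not preceded by an IPsec policy exception. The function names `sa_counts` and `nat_bypass_check`, the peer address 203.0.113.10 (a stand-in for the masked AWS gateway) and the sample command output are all constructed for the example.

```shell
#!/bin/bash
# Added example (not from the original post or from Openswan): two offline
# checks for an "IPsec SA established, but no traffic" tunnel on a netkey host.
# Both parse constructed sample text so the script runs without root or a
# tunnel. On the real box feed them live output instead:
#   ip -s xfrm state            (per-SA byte/packet counters)
#   iptables-save -t nat        (NAT rules that may rewrite tunnel traffic)
# and generate test traffic with a source inside leftsubnet, e.g.
#   ping -I 10.0.0.43 10.4.0.5 ; tcpdump -ni eth0 esp or udp port 4500

# sa_counts: one line per SA, "<src> <dst> <spi> <packets>", from
# `ip -s xfrm state` text on stdin. The packet count is taken from the
# "lifetime current:" block that follows each SA header.
#   outbound packets = 0 -> cleartext never matched the out policy
#                          (wrong source address, route, or NAT rewrite)
#   inbound  packets = 0 -> the peer never sent ESP, or it was dropped
#                          before decapsulation (firewall, SPI mismatch)
sa_counts() {
    awk '
        /^src [0-9.]+ dst [0-9.]+/ { src = $2; dst = $4; spi = "?" }
        /^[[:space:]]+proto esp/   { for (i = 1; i <= NF; i++) if ($i == "spi") spi = $(i + 1) }
        /^[[:space:]]+lifetime current:/ { want = 1; next }
        want && /\(packets\)/ {
            n = $2; sub(/\(packets\).*/, "", n)
            print src, dst, spi, n
            want = 0
        }'
}

# nat_bypass_check: reads `iptables-save -t nat` text on stdin and prints
# "ok", "no-nat" or "masq-before-ipsec-exception". The nat POSTROUTING hook
# runs before ESP encapsulation, so a MASQUERADE/SNAT rule that matches
# tunnel traffic rewrites the source address before encryption and what the
# peer receives no longer matches the negotiated subnets. The usual fix is
# an exception inserted ahead of the NAT rule:
#   iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
nat_bypass_check() {
    awk '
        /^-A POSTROUTING/ && /-m policy/ && /--pol ipsec/ && /-j ACCEPT/ { exception = 1 }
        /^-A POSTROUTING/ && /-j (MASQUERADE|SNAT)/ { seen_nat = 1; if (!exception) bad = 1 }
        END {
            if (!seen_nat)  print "no-nat"
            else if (bad)   print "masq-before-ipsec-exception"
            else            print "ok"
        }'
}

# --- constructed samples (203.0.113.10 stands in for the masked AWS peer) ---
# Outbound SA has never carried a packet; inbound SA has received 12.
SAMPLE_XFRM='src 10.0.0.43 dst 203.0.113.10
    proto esp spi 0x06e00a5b reqid 16385 mode tunnel
    lifetime current:
      0(bytes), 0(packets)
      add 2015-06-25 14:00:00 use -
src 203.0.113.10 dst 10.0.0.43
    proto esp spi 0x8a07a523 reqid 16385 mode tunnel
    lifetime current:
      1248(bytes), 12(packets)
      add 2015-06-25 14:00:00 use 2015-06-25 14:20:13'

SAMPLE_NAT_BAD='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

SAMPLE_NAT_OK='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

report() {
    echo "SA counters (src dst spi packets):"
    printf '%s\n' "$SAMPLE_XFRM" | sa_counts
    echo "nat POSTROUTING, masquerade only: $(printf '%s\n' "$SAMPLE_NAT_BAD" | nat_bypass_check)"
    echo "nat POSTROUTING, with exception:  $(printf '%s\n' "$SAMPLE_NAT_OK" | nat_bypass_check)"
}

report
```

On the sample the outbound SA reports 0 packets while the inbound SA has 12, which is the signature of traffic never reaching the xfrm out policy on this host rather than of a broken negotiation; the NAT check then tells you whether a masquerade rule is the reason. If both counters climb and the far side still sees nothing, look at the peer's side of the tunnel and at the AWS route table for 10.0.0.0/24 instead.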