[Openswan Users] EC2 <--> RoadWarrior routing problems
Richard Hurt
rnhurt at gmail.com
Mon Nov 23 12:29:11 EST 2015
I'm trying to use OpenSwan (Linux Openswan
U2.6.37/K4.1.10-17.31.amzn1.x86_64 (netkey)) to build a VPN between an
EC2 VPC and my laptop. It seems to almost work (authentication works,
not logging any errors, etc.) but the routing is just not happening
properly. The EC2 server is in the 10.223.0.0/16 block (10.223.6.20
in this case) and my local machine is behind a NAT in the
192.168.0.0/16 block (192.168.59.26 in this case). I'm running Mac OS
X 10.11, and bringing the VPN connection up using the native IPSec
Cisco VPN client causes all packets to stop flowing everywhere.
Playing around with the IPSec settings on the server I was able to get
packets to flow to the server from my laptop but everything else was
blocked (DNS, ping, etc.).
Basically, I want everything to stay out of the VPN except for traffic
to 10.223.0.0/16. What am I doing wrong? One thing that looks really
weird to me is that when I bring the tunnel up I see this in my
ifconfig (0.2.0.4 doesn't look like a valid IP address to me):
utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
inet 0.2.0.4 --> 0.2.0.4 netmask 0xffffffff
nd6 options=1<PERFORMNUD>
===============================================
# /etc/ipsec.conf
version 2.0
config setup
protostack=netkey
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.223.0.0/16
oe=off
include /etc/ipsec.d/*.conf
===============================================
===============================================
# /etc/ipsec.d/roadwarrior.conf
conn roadwarrior
type=tunnel
authby=secret
auto=add
rekey=no
pfs=no
forceencaps=yes
# Setup local side
left=10.223.6.20
leftsubnet=10.223.0.0/16
leftxauthserver=yes
leftmodecfgserver=yes
# Setup remote side
right=%any
rightsubnet=vhost:%priv,%no
rightxauthclient=yes
rightmodecfgclient=yes
# Config MODE
modecfgpull=yes
modecfgdns1=8.8.8.8
modecfgdns2=8.8.4.4
===============================================
===============================================
Nov 23 17:15:24 ip-10-223-6-20 ipsec__plutorun: Starting Pluto subsystem...
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: nss directory plutomain:
/etc/ipsec.d
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: NSS Initialized
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Non-fips mode set in
/proc/sys/crypto/fips_enabled
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Starting Pluto (Openswan
Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:15882
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Non-fips mode set in
/proc/sys/crypto/fips_enabled
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: LEAK_DETECTIVE support [disabled]
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: OCF support for IKE [disabled]
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: SAref support [disabled]:
Protocol not available
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: SAbind support
[disabled]: Protocol not available
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: NSS support [enabled]
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: HAVE_STATSD notification
support not compiled in
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Setting NAT-Traversal
port-4500 floating to on
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: port floating
activation criteria nat_t=1/port_float=1
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: NAT-Traversal support [enabled]
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
Activating OAKLEY_AES_CBC: Ok (ret=0)
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: starting up 1 cryptographic helpers
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: started helper (thread)
pid=140240508929792 (fd:8)
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Using Linux 2.6 IPsec
interface code on 4.1.10-17.31.amzn1.x86_64 (experimental code)
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
Activating aes_ccm_8: Ok (ret=0)
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_add(): ERROR:
Algorithm already exists
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
Activating aes_ccm_12: FAILED (ret=-17)
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_add(): ERROR:
Algorithm already exists
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
Activating aes_ccm_16: FAILED (ret=-17)
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_add(): ERROR:
Algorithm already exists
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
Activating aes_gcm_8: FAILED (ret=-17)
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_add(): ERROR:
Algorithm already exists
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
Activating aes_gcm_12: FAILED (ret=-17)
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_add(): ERROR:
Algorithm already exists
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
Activating aes_gcm_16: FAILED (ret=-17)
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Could not change to
directory '/etc/ipsec.d/cacerts': /
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Could not change to
directory '/etc/ipsec.d/aacerts': /
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Could not change to
directory '/etc/ipsec.d/ocspcerts': /
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Could not change to
directory '/etc/ipsec.d/crls'
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: added connection
description "roadwarrior"
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: listening for IKE messages
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: adding interface
eth0/eth0 10.223.6.20:500
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: adding interface
eth0/eth0 10.223.6.20:4500
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: adding interface lo/lo
127.0.0.1:500
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: adding interface lo/lo
127.0.0.1:4500
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: adding interface lo/lo ::1:500
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: loading secrets from
"/etc/ipsec.secrets"
Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: loading secrets from
"/etc/ipsec.d/road-warrior.secrets"
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
69.196.222.250:19: received Vendor ID payload [RFC 3947] method set
to=109
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
69.196.222.250:19: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike] method set to=110
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
69.196.222.250:19: ignoring unknown Vendor ID payload
[8f8d83826d246b6fc7a8a6a428c11de8]
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
69.196.222.250:19: ignoring unknown Vendor ID payload
[439b59f8ba676c4c7737ae22eab8f582]
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
69.196.222.250:19: ignoring unknown Vendor ID payload
[4d1e0e136deafa34c4f3ea9f02ec7285]
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
69.196.222.250:19: ignoring unknown Vendor ID payload
[80d0bb3def54565ee84645d4c85ce3ee]
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
69.196.222.250:19: ignoring unknown Vendor ID payload
[9909b64eed937c6573de52ace952fa6b]
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
69.196.222.250:19: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
69.196.222.250:19: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
69.196.222.250:19: received Vendor ID payload
[draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method
110
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
69.196.222.250:19: received Vendor ID payload [XAUTH]
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
69.196.222.250:19: received Vendor ID payload [Cisco-Unity]
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
69.196.222.250:19: ignoring Vendor ID payload [FRAGMENTATION 80000000]
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
69.196.222.250:19: received Vendor ID payload [Dead Peer Detection]
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
69.196.222.250 #1: responding to Main Mode from unknown peer
69.196.222.250
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
69.196.222.250 #1: transition from state STATE_MAIN_R0 to state
STATE_MAIN_R1
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
69.196.222.250 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
69.196.222.250 #1: NAT-Traversal: Result using
draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
69.196.222.250 #1: transition from state STATE_MAIN_R1 to state
STATE_MAIN_R2
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
69.196.222.250 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
69.196.222.250 #1: ignoring informational payload, type
IPSEC_INITIAL_CONTACT msgid=00000000
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
69.196.222.250 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.59.26'
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
69.196.222.250 #1: switched from "roadwarrior" to "roadwarrior"
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: deleting connection "roadwarrior" instance with
peer 69.196.222.250 {isakmp=#0/ipsec=#0}
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: transition from state STATE_MAIN_R2 to state
STATE_MAIN_R3
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: new NAT mapping for #1, was 69.196.222.250:19, now
69.196.222.250:1340
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
{auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha
group=modp1024}
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: XAUTH: Sending XAUTH Login/Password Request
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: XAUTH: Sending Username/Password request (XAUTH_R0)
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: XAUTH: User elison: Attempting to login
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: XAUTH: md5 authentication being called to
authenticate user elison
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: XAUTH: password file (/etc/ipsec.d/passwd) open.
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: XAUTH: checking user(elison:roadwarrior)
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: XAUTH: nope
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: XAUTH: checking user(elison:roadwarrior)
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: XAUTH: nope
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: XAUTH: checking user(elison:roadwarrior)
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: XAUTH: User elison: Authentication Successful
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: XAUTH: xauth_inR1(STF_OK)
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: transition from state STATE_XAUTH_R1 to state
STATE_MAIN_R3
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: unsupported mode cfg attribute
INTERNAL_ADDRESS_EXPIRY received.
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: unsupported mode cfg attribute APPLICATION_VERSION
received.
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: unsupported mode cfg attribute CISCO_BANNER
received.
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: unsupported mode cfg attribute CISCO_DEF_DOMAIN
received.
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: unsupported mode cfg attribute CISCO_SPLIT_DNS
received.
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: unsupported mode cfg attribute CISCO_SPLIT_INC
received.
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: unsupported mode cfg attribute CISCO_UNKNOWN
received.
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: unsupported mode cfg attribute CISCO_DO_PFS
received.
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: unsupported mode cfg attribute CISCO_SAVE_PW
received.
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: unsupported mode cfg attribute CISCO_FW_TYPE
received.
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: unsupported mode cfg attribute CISCO_BACKUP_SERVER
received.
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: modecfg_inR0(STF_OK)
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: transition from state STATE_MODE_CFG_R0 to state
STATE_MODE_CFG_R1
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: Applying workaround for Mac OS X NAT-OA bug,
ignoring proposed subnet
Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: the peer proposed: 0.0.0.0/0:0/0 ->
69.196.222.250/32:0/0
Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #2: responding to Quick Mode proposal {msgid:ba3b61a4}
Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #2: us:
10.223.0.0/16===10.223.6.20<10.223.6.20>[MS+XS+S=C]
Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #2: them: 69.196.222.250[192.168.59.26,+MC+XC+S=C]
Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #2: transition from state STATE_QUICK_R0 to state
STATE_QUICK_R1
Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA
installed, expecting QI2
Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #2: transition from state STATE_QUICK_R1 to state
STATE_QUICK_R2
Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #2: STATE_QUICK_R2: IPsec SA established tunnel mode
{ESP=>0x0e95dea0 <0x397c4b2d xfrm=AES_256-HMAC_SHA1 NATOA=none
NATD=69.196.222.250:1340 DPD=none}
Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: received Delete SA(0x0e95dea0) payload: deleting
IPSEC State #2
Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: received and ignored informational message
Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250 #1: received Delete SA payload: deleting ISAKMP State
#1
Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
69.196.222.250: deleting connection "roadwarrior" instance with peer
69.196.222.250 {isakmp=#0/ipsec=#0}
Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: packet from
69.196.222.250:1340: received and ignored informational message
===============================================
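As an added diagnostic (not part of this post, and not Openswan code), the script below reduces the Pluto log above to the facts that decide routing: the ISAKMP parameters, the XAUTH result, the ModeCfg attributes the server rejected, and the Quick Mode selectors, and then states why only 10.223.0.0/16 was meant to use the tunnel while the client ended up proposing a full tunnel. The sample log is constructed from lines in the post, unwrapped onto single lines; the function and key names, and the reading of Pluto's "the peer proposed: A -> B" as A being the peer's view of the server side, are my assumptions.

```python
import re

# Constructed sample: the decisive Pluto lines from the post, unwrapped onto single lines.
SAMPLE_LOG = """\
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: XAUTH: User elison: Authentication Successful
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: unsupported mode cfg attribute CISCO_SPLIT_INC received.
Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: the peer proposed: 0.0.0.0/0:0/0 -> 69.196.222.250/32:0/0
Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #2: us: 10.223.0.0/16===10.223.6.20<10.223.6.20>[MS+XS+S=C]
Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0e95dea0 <0x397c4b2d xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=69.196.222.250:1340 DPD=none}
"""

PATTERNS = {
    "isakmp": re.compile(r"ISAKMP SA established \{(.+?)\}"),
    "ipsec": re.compile(r"IPsec SA established \w+ mode \{(.+?)\}"),
    "proposed": re.compile(r"the peer proposed: (\S+?):\S+ -> (\S+?):\S+"),
    "server_side": re.compile(r"#\d+: us: (\S+?)==="),
    "unsupported_cfg": re.compile(r"unsupported mode cfg attribute (\w+) received"),
    "xauth_user": re.compile(r"XAUTH: User (\S+): Authentication Successful"),
}

def summarize(log_text):
    """Pull out auth result, rejected ModeCfg attributes and the negotiated selectors."""
    s = {"isakmp": {}, "ipsec": {}, "xauth_user": None, "unsupported_cfg": [],
         "peer_wants_server_side": None, "peer_own_side": None, "server_side": None}
    for line in log_text.splitlines():
        for key, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            if key in ("isakmp", "ipsec"):  # "{k=v k=v ...}" blobs
                s[key] = dict(t.split("=", 1) for t in m.group(1).split() if "=" in t)
            elif key == "proposed":  # assumed Pluto order: <peer's view of our side> -> <peer's side>
                s["peer_wants_server_side"], s["peer_own_side"] = m.groups()
            elif key == "unsupported_cfg":
                s[key].append(m.group(1))
            else:
                s[key] = m.group(1)
    return s

def split_tunnel_findings(summary, wanted_subnet):
    """Explain why a client meant to reach only wanted_subnet got a full-tunnel policy."""
    out = []
    if summary["xauth_user"] and summary["ipsec"]:
        out.append("XAUTH and IPsec SA succeeded: look at selectors/routing, not authentication")
    if summary["peer_wants_server_side"] == "0.0.0.0/0":
        out.append("client proposed 0.0.0.0/0 for the server side (full tunnel), not only " + wanted_subnet)
    if "CISCO_SPLIT_INC" in summary["unsupported_cfg"]:
        out.append("client requested CISCO_SPLIT_INC (Cisco Unity split-tunnel list); server rejected it as unsupported")
    return out
```

Run it against a full `/var/log/secure` capture instead of SAMPLE_LOG to get the same summary for any roadwarrior session.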