[Openswan Users] EC2 <--> RoadWarrior routing problems

Daniel Cave dan.cave at me.com
Mon Nov 23 15:46:45 EST 2015


If you run "ipsec auto --status" on the EC2 instance when your tunnel is up, what does it say?

Have you got rules in your security groups to allow routing between your client and the host and the rest of the traffic, as well as rules on the EC2 Linux instance that are blocking traffic going through the box?

Sent from my iPhone

> On 23 Nov 2015, at 17:29, Richard Hurt <rnhurt at gmail.com> wrote:
> 
> I'm trying to use OpenSwan (Linux Openswan
> U2.6.37/K4.1.10-17.31.amzn1.x86_64 (netkey)) to build a VPN between an
> EC2 VPC and my laptop.  It seems to almost work (authentication works,
> not logging any errors, etc.) but the routing is just not happening
> properly.  The EC2 server is in the 10.223.0.0/16 block (10.223.6.20
> in this case) and my local machine is behind a NAT in the
> 192.168.0.0/16 block (192.168.59.26 in this case).  I'm running Mac OS
> X 10.11 and bringing the VPN connection up using the native IPSec
> Cisco VPN client causes all packets to stop flowing everywhere.
> Playing around with the IPSec settings on the server I was able to get
> packets to flow to the server from my laptop but everything else was
> blocked (DNS, ping, etc.)
> 
> Basically, I want everything to stay out of the VPN except for traffic
> to 10.223.0.0/16.  What am I doing wrong?  One thing that looks really
> weird to me is that when I bring the tunnel up I see this in my
> ifconfig (0.2.0.4 doesn't look like a valid IP address to me):
> 
> utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
>   inet 0.2.0.4 --> 0.2.0.4 netmask 0xffffffff
>   nd6 options=1<PERFORMNUD>
> 
> ===============================================
> # /etc/ipsec.conf
> version 2.0
> config setup
>  protostack=netkey
>  nat_traversal=yes
>  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.223.0.0/16
>  oe=off
> 
> include /etc/ipsec.d/*.conf
> ===============================================
> 
> 
> ===============================================
> # /etc/ipsec.d/roadwarrior.conf
> conn roadwarrior
>  type=tunnel
>  authby=secret
>  auto=add
>  rekey=no
>  pfs=no
>  forceencaps=yes
> 
>  # Setup local side
>  left=10.223.6.20
>  leftsubnet=10.223.0.0/16
>  leftxauthserver=yes
>  leftmodecfgserver=yes
> 
>  # Setup remote side
>  right=%any
>  rightsubnet=vhost:%priv,%no
>  rightxauthclient=yes
>  rightmodecfgclient=yes
> 
>  # Config MODE
>  modecfgpull=yes
>  modecfgdns1=8.8.8.8
>  modecfgdns2=8.8.4.4
> ===============================================
> 
> 
> ===============================================
> Nov 23 17:15:24 ip-10-223-6-20 ipsec__plutorun: Starting Pluto subsystem...
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: nss directory plutomain:
> /etc/ipsec.d
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: NSS Initialized
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Non-fips mode set in
> /proc/sys/crypto/fips_enabled
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Starting Pluto (Openswan
> Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:15882
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Non-fips mode set in
> /proc/sys/crypto/fips_enabled
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: LEAK_DETECTIVE support [disabled]
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: OCF support for IKE [disabled]
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: SAref support [disabled]:
> Protocol not available
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: SAbind support
> [disabled]: Protocol not available
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: NSS support [enabled]
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: HAVE_STATSD notification
> support not compiled in
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Setting NAT-Traversal
> port-4500 floating to on
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]:    port floating
> activation criteria nat_t=1/port_float=1
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]:    NAT-Traversal support  [enabled]
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
> Activating OAKLEY_AES_CBC: Ok (ret=0)
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: starting up 1 cryptographic helpers
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: started helper (thread)
> pid=140240508929792 (fd:8)
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Using Linux 2.6 IPsec
> interface code on 4.1.10-17.31.amzn1.x86_64 (experimental code)
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
> Activating aes_ccm_8: Ok (ret=0)
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_add(): ERROR:
> Algorithm already exists
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
> Activating aes_ccm_12: FAILED (ret=-17)
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_add(): ERROR:
> Algorithm already exists
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
> Activating aes_ccm_16: FAILED (ret=-17)
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_add(): ERROR:
> Algorithm already exists
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
> Activating aes_gcm_8: FAILED (ret=-17)
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_add(): ERROR:
> Algorithm already exists
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
> Activating aes_gcm_12: FAILED (ret=-17)
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_add(): ERROR:
> Algorithm already exists
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
> Activating aes_gcm_16: FAILED (ret=-17)
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Could not change to
> directory '/etc/ipsec.d/cacerts': /
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Could not change to
> directory '/etc/ipsec.d/aacerts': /
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Could not change to
> directory '/etc/ipsec.d/ocspcerts': /
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Could not change to
> directory '/etc/ipsec.d/crls'
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: added connection
> description "roadwarrior"
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: listening for IKE messages
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: adding interface
> eth0/eth0 10.223.6.20:500
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: adding interface
> eth0/eth0 10.223.6.20:4500
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: adding interface lo/lo
> 127.0.0.1:500
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: adding interface lo/lo
> 127.0.0.1:4500
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: adding interface lo/lo ::1:500
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: loading secrets from
> "/etc/ipsec.secrets"
> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: loading secrets from
> "/etc/ipsec.d/road-warrior.secrets"
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> 69.196.222.250:19: received Vendor ID payload [RFC 3947] method set
> to=109
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> 69.196.222.250:19: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike] method set to=110
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> 69.196.222.250:19: ignoring unknown Vendor ID payload
> [8f8d83826d246b6fc7a8a6a428c11de8]
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> 69.196.222.250:19: ignoring unknown Vendor ID payload
> [439b59f8ba676c4c7737ae22eab8f582]
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> 69.196.222.250:19: ignoring unknown Vendor ID payload
> [4d1e0e136deafa34c4f3ea9f02ec7285]
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> 69.196.222.250:19: ignoring unknown Vendor ID payload
> [80d0bb3def54565ee84645d4c85ce3ee]
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> 69.196.222.250:19: ignoring unknown Vendor ID payload
> [9909b64eed937c6573de52ace952fa6b]
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> 69.196.222.250:19: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> 69.196.222.250:19: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> 69.196.222.250:19: received Vendor ID payload
> [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method
> 110
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> 69.196.222.250:19: received Vendor ID payload [XAUTH]
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> 69.196.222.250:19: received Vendor ID payload [Cisco-Unity]
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> 69.196.222.250:19: ignoring Vendor ID payload [FRAGMENTATION 80000000]
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> 69.196.222.250:19: received Vendor ID payload [Dead Peer Detection]
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
> 69.196.222.250 #1: responding to Main Mode from unknown peer
> 69.196.222.250
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
> 69.196.222.250 #1: transition from state STATE_MAIN_R0 to state
> STATE_MAIN_R1
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
> 69.196.222.250 #1: STATE_MAIN_R1: sent MR1, expecting MI2
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
> 69.196.222.250 #1: NAT-Traversal: Result using
> draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
> 69.196.222.250 #1: transition from state STATE_MAIN_R1 to state
> STATE_MAIN_R2
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
> 69.196.222.250 #1: STATE_MAIN_R2: sent MR2, expecting MI3
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
> 69.196.222.250 #1: ignoring informational payload, type
> IPSEC_INITIAL_CONTACT msgid=00000000
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
> 69.196.222.250 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.59.26'
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
> 69.196.222.250 #1: switched from "roadwarrior" to "roadwarrior"
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: deleting connection "roadwarrior" instance with
> peer 69.196.222.250 {isakmp=#0/ipsec=#0}
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: transition from state STATE_MAIN_R2 to state
> STATE_MAIN_R3
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: new NAT mapping for #1, was 69.196.222.250:19, now
> 69.196.222.250:1340
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha
> group=modp1024}
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: XAUTH: Sending XAUTH Login/Password Request
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: XAUTH: Sending Username/Password request (XAUTH_R0)
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: XAUTH: User elison: Attempting to login
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: XAUTH: md5 authentication being called to
> authenticate user elison
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: XAUTH: password file (/etc/ipsec.d/passwd) open.
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: XAUTH: checking user(elison:roadwarrior)
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: XAUTH: nope
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: XAUTH: checking user(elison:roadwarrior)
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: XAUTH: nope
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: XAUTH: checking user(elison:roadwarrior)
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: XAUTH: User elison: Authentication Successful
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: XAUTH: xauth_inR1(STF_OK)
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: transition from state STATE_XAUTH_R1 to state
> STATE_MAIN_R3
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: unsupported mode cfg attribute
> INTERNAL_ADDRESS_EXPIRY received.
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: unsupported mode cfg attribute APPLICATION_VERSION
> received.
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: unsupported mode cfg attribute CISCO_BANNER
> received.
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: unsupported mode cfg attribute CISCO_DEF_DOMAIN
> received.
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: unsupported mode cfg attribute CISCO_SPLIT_DNS
> received.
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: unsupported mode cfg attribute CISCO_SPLIT_INC
> received.
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: unsupported mode cfg attribute CISCO_UNKNOWN
> received.
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: unsupported mode cfg attribute CISCO_DO_PFS
> received.
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: unsupported mode cfg attribute CISCO_SAVE_PW
> received.
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: unsupported mode cfg attribute CISCO_FW_TYPE
> received.
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: unsupported mode cfg attribute CISCO_BACKUP_SERVER
> received.
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: modecfg_inR0(STF_OK)
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: transition from state STATE_MODE_CFG_R0 to state
> STATE_MODE_CFG_R1
> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: Applying workaround for Mac OS X NAT-OA bug,
> ignoring proposed subnet
> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: the peer proposed: 0.0.0.0/0:0/0 ->
> 69.196.222.250/32:0/0
> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #2: responding to Quick Mode proposal {msgid:ba3b61a4}
> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #2:     us:
> 10.223.0.0/16===10.223.6.20<10.223.6.20>[MS+XS+S=C]
> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #2:   them: 69.196.222.250[192.168.59.26,+MC+XC+S=C]
> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #2: transition from state STATE_QUICK_R0 to state
> STATE_QUICK_R1
> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA
> installed, expecting QI2
> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #2: transition from state STATE_QUICK_R1 to state
> STATE_QUICK_R2
> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #2: STATE_QUICK_R2: IPsec SA established tunnel mode
> {ESP=>0x0e95dea0 <0x397c4b2d xfrm=AES_256-HMAC_SHA1 NATOA=none
> NATD=69.196.222.250:1340 DPD=none}
> Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: received Delete SA(0x0e95dea0) payload: deleting
> IPSEC State #2
> Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: received and ignored informational message
> Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250 #1: received Delete SA payload: deleting ISAKMP State
> #1
> Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> 69.196.222.250: deleting connection "roadwarrior" instance with peer
> 69.196.222.250 {isakmp=#0/ipsec=#0}
> Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: packet from
> 69.196.222.250:1340: received and ignored informational message
> 
> ===============================================
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users
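The posted pluto log, run through a small triage script. This is an added example by the editor, not code from the original post or from Openswan; SAMPLE_LOG is copied from the log quoted above (lines the e-mail wrapped are re-joined), and the regular expressions and the findings rules are the editor's own reading of pluto's message formats. It pulls out what that log actually says, without guessing at the client: the Quick Mode proposal contains 0.0.0.0/0 (a full-tunnel request, which is what the symptom of "all packets stop flowing" looks like from the server side), the server reported CISCO_SPLIT_INC as an unsupported ModeCfg attribute (so no split-tunnel network list reached the Mac client), the server ignored the client's proposed subnet under the Mac OS X NAT-OA workaround, the IKE SA used pre-shared-key authentication with DH group modp1024, and the peer deleted both SAs 33 seconds later.

```python
"""Triage a pluto (Openswan) log for one road-warrior negotiation.

Added example for this thread, not code from the original post or from
Openswan. SAMPLE_LOG holds lines copied from the posted log (lines that
were wrapped in the e-mail are re-joined); the regexes and the findings
rules are the editor's own reading of pluto's message formats.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1] 69.196.222.250 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: XAUTH: User elison: Authentication Successful
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: unsupported mode cfg attribute CISCO_SPLIT_INC received.
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: unsupported mode cfg attribute CISCO_DO_PFS received.
Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: Applying workaround for Mac OS X NAT-OA bug, ignoring proposed subnet
Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: the peer proposed: 0.0.0.0/0:0/0 -> 69.196.222.250/32:0/0
Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0e95dea0 <0x397c4b2d xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=69.196.222.250:1340 DPD=none}
Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: received Delete SA(0x0e95dea0) payload: deleting IPSEC State #2
"""

# pluto[pid]: "conn"[instance] peer #sa: message   (the conn/peer/sa part is optional)
MSG_RE = re.compile(
    r'pluto\[\d+\]: (?:"(?P<conn>[^"]+)"\[\d+\] (?P<peer>\S+) #(?P<sa>\d+): )?(?P<msg>.*)$')
ISAKMP_RE = re.compile(r'ISAKMP SA established \{(?P<kv>[^}]*)\}')
IPSEC_RE = re.compile(r'IPsec SA established (?P<mode>\w+) mode \{(?P<kv>[^}]*)\}')
PROPOSAL_RE = re.compile(r'the peer proposed: (?P<a>\S+?):\S+ -> (?P<b>\S+?):\S+')
MODECFG_RE = re.compile(r'unsupported mode cfg attribute (?P<attr>\S+) received')
XAUTH_RE = re.compile(r'XAUTH: User (?P<user>\S+): Authentication Successful')
NAT_RE = re.compile(r'NAT-Traversal: Result using [^:]+: (?P<res>.+)')

WEAK_DH = {"modp768", "modp1024"}   # IKE groups 1 and 2


@dataclass
class Negotiation:
    peer: Optional[str] = None
    isakmp: Dict[str, str] = field(default_factory=dict)   # {auth, cipher, prf, group}
    ipsec: Dict[str, str] = field(default_factory=dict)    # {mode, xfrm, NATOA, NATD, DPD, ...}
    xauth_user: Optional[str] = None
    nat_result: Optional[str] = None
    unsupported_modecfg: List[str] = field(default_factory=list)
    proposed: Optional[Tuple[str, str]] = None             # the two selectors as logged
    natoa_workaround: bool = False
    deleted: bool = False


def _kv(text: str) -> Dict[str, str]:
    """'a=1 b=2' -> dict; tokens without '=' (such as '<0x397c4b2d') are dropped."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)


def parse_pluto_log(log: str) -> Negotiation:
    n = Negotiation()
    for line in log.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        if m.group("peer"):
            n.peer = m.group("peer")
        msg = m.group("msg")
        if (x := ISAKMP_RE.search(msg)):
            n.isakmp = _kv(x.group("kv"))
        elif (x := IPSEC_RE.search(msg)):
            n.ipsec = dict(_kv(x.group("kv")), mode=x.group("mode"))
        elif (x := PROPOSAL_RE.search(msg)):
            n.proposed = (x.group("a"), x.group("b"))
        elif (x := MODECFG_RE.search(msg)):
            n.unsupported_modecfg.append(x.group("attr"))
        elif (x := XAUTH_RE.search(msg)):
            n.xauth_user = x.group("user")
        elif (x := NAT_RE.search(msg)):
            n.nat_result = x.group("res")
        elif "NAT-OA bug, ignoring proposed subnet" in msg:
            n.natoa_workaround = True
        elif "received Delete SA" in msg:
            n.deleted = True
    return n


def findings(n: Negotiation) -> List[str]:
    """What a reviewer would flag in this negotiation."""
    out = []
    if n.proposed and "0.0.0.0/0" in n.proposed:
        out.append("Quick Mode proposal contains 0.0.0.0/0: a full-tunnel request, not split tunnelling")
    if "CISCO_SPLIT_INC" in n.unsupported_modecfg:
        out.append("client asked for CISCO_SPLIT_INC and the server reported it unsupported: "
                   "no split-tunnel network list reached the client")
    if n.natoa_workaround and n.proposed:
        out.append("server ignored the client's proposed subnet (Mac OS X NAT-OA workaround) "
                   "and used %s instead" % n.proposed[1])
    if n.isakmp.get("group") in WEAK_DH:
        out.append("IKE DH group %s is too weak; negotiate modp2048 or better" % n.isakmp["group"])
    if n.isakmp.get("auth") == "OAKLEY_PRESHARED_KEY":
        out.append("IKE authenticated by pre-shared key plus XAUTH (a road-warrior PSK is shared by every client)")
    if n.deleted:
        out.append("peer deleted the SAs shortly after they were established")
    return out


if __name__ == "__main__":
    neg = parse_pluto_log(SAMPLE_LOG)
    print("peer", neg.peer, "user", neg.xauth_user, "NAT:", neg.nat_result)
    for f in findings(neg):
        print(" -", f)
```

Feed it a real log with `parse_pluto_log(open("/var/log/secure").read())`; only the first negotiation's values survive because each match overwrites the previous one, which is fine for a single road warrior and deliberately not a multi-peer parser.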


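A second added example (editor's code, not from the post or from Openswan) lints the posted ipsec.conf fragments. The parser understands only the subset of the ipsec.conf grammar seen above (config setup and conn sections, indented key=value lines, include lines that are recorded but not followed), and CONF is the posted configuration trimmed to the keys the lint reads. The checks are the ones a reviewer applies to any road-warrior config: virtual_private must carve out the gateway's own leftsubnet with a ! entry, otherwise a client may claim an inner address on the protected LAN (the posted file gets this right); rightsubnet=vhost:%priv only means something when virtual_private lists networks; pfs=no drops the fresh Diffie-Hellman exchange in Quick Mode, so IPsec keys derive from the IKE SA keying material alone; and authby=secret with right=%any means one PSK shared by every client.

```python
"""Lint road-warrior ipsec.conf fragments for the classic mistakes.

Added example for this thread, not Openswan code. Handles only the
ipsec.conf subset shown in the post: 'config setup', 'conn NAME',
indented key=value lines, and 'include' lines (recorded, not followed).
CONF is the posted configuration trimmed to the keys the lint reads.
"""
import ipaddress
from typing import Dict, List, Tuple

CONF = """\
version 2.0
config setup
 protostack=netkey
 nat_traversal=yes
 virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.223.0.0/16
 oe=off

include /etc/ipsec.d/*.conf

conn roadwarrior
 type=tunnel
 authby=secret
 auto=add
 pfs=no
 forceencaps=yes
 left=10.223.6.20
 leftsubnet=10.223.0.0/16
 leftmodecfgserver=yes
 right=%any
 rightsubnet=vhost:%priv,%no
 rightmodecfgclient=yes
"""


def parse_ipsec_conf(text: str) -> Dict:
    """Return {'setup': {...}, 'conns': {name: {...}}, 'includes': [...]}."""
    sections = {"setup": {}, "conns": {}, "includes": []}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # unindented: section header or keyword
            parts = line.split()
            if parts[0] == "config" and parts[1:] == ["setup"]:
                current = sections["setup"]
            elif parts[0] == "conn":
                current = sections["conns"].setdefault(parts[1], {})
            elif parts[0] == "include":
                sections["includes"].append(parts[1])
                current = None
            else:                                 # e.g. "version 2.0"
                current = None
            continue
        if current is None:
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return sections


def parse_virtual_private(value: str) -> Tuple[List, List]:
    """Split virtual_private into (allowed, excluded) IPv4 network lists."""
    allowed, excluded = [], []
    for item in filter(None, value.split(",")):
        fam, _, net = item.partition(":")
        if fam != "%v4":                          # this example handles IPv4 only
            continue
        (excluded if net.startswith("!") else allowed).append(
            ipaddress.ip_network(net.lstrip("!")))
    return allowed, excluded


def lint_roadwarrior(sections: Dict, name: str) -> List[str]:
    conn = sections["conns"][name]
    allowed, excluded = parse_virtual_private(sections["setup"].get("virtual_private", ""))
    problems = []
    leftsubnet = ipaddress.ip_network(conn["leftsubnet"])
    # The gateway's own LAN must be carved out of virtual_private, or a client
    # may negotiate an inner address on it and be routed as if it were a LAN host.
    covered = any(leftsubnet.overlaps(a) for a in allowed)
    carved = any(leftsubnet.subnet_of(e) for e in excluded)
    if covered and not carved:
        problems.append("virtual_private overlaps leftsubnet %s without a ! exclusion" % leftsubnet)
    if conn.get("rightsubnet", "").startswith("vhost:%priv") and not allowed:
        problems.append("rightsubnet uses %priv but virtual_private lists no networks")
    if conn.get("pfs") == "no":
        problems.append("pfs=no: no fresh DH in Quick Mode, IPsec keys derive from the IKE SA alone")
    if conn.get("authby") == "secret" and conn.get("right") == "%any":
        problems.append("authby=secret with right=%any: one PSK shared by every road warrior")
    return problems


if __name__ == "__main__":
    for p in lint_roadwarrior(parse_ipsec_conf(CONF), "roadwarrior"):
        print(" -", p)
```

Drop the `%v4:!10.223.0.0/16` entry from CONF and the first check fires; as posted, only the pfs and shared-PSK findings remain, which are design choices rather than errors but worth knowing about when the same PSK is handed to every laptop.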