[Openswan Users] EC2 <--> RoadWarrior routing problems
Richard Hurt
rnhurt at gmail.com
Tue Nov 24 09:50:20 EST 2015
Well, I was trying to get a RoadWarrior VPN solution using native clients
and not forcing the end user to install anything. :/ However, it looks
like that might be a pipe dream, and after looking at the OpenVPN clients,
they don't seem so bad.
As for searching for an answer, I've almost used up all of my Google-fu
looking for solutions to this problem. One issue I'm having is that there
are lots of answers that aren't quite what I need; either they are for
older versions of OpenSWAN, or for IPsec/L2TP configs, or they are for
StrongSWAN / LibreSWAN which have different arguments, keywords, etc.
*sigh*
Just for due diligence and maybe help someone else that is having the
problem (possibly even myself in the future) I would like to make this work
with OpenSWAN, even if I end up using OpenVPN. To that end I will answer
your questions as best I can.
I confirmed that IP forwarding is enabled on the EC2 instance:
[ec2-user at ip-10-223-6-20 ~]$ cat /proc/sys/net/ipv4/ip_forward
1
Interestingly, I *can* see traffic (ICMP) from my laptop to the EC2
instance while the tunnel is up. I started pinging the EC2 instance from
my laptop, turned the tunnel on after 5-6 pings, let it ping some more,
then turned the tunnel off again. Here is the output I captured.
My laptop terminal showed this:
=======================================================
64 bytes from 52.91.120.247: icmp_seq=0 ttl=49 time=41.208 ms
64 bytes from 52.91.120.247: icmp_seq=1 ttl=49 time=37.734 ms
64 bytes from 52.91.120.247: icmp_seq=2 ttl=49 time=36.369 ms
64 bytes from 52.91.120.247: icmp_seq=3 ttl=49 time=36.782 ms
64 bytes from 52.91.120.247: icmp_seq=4 ttl=49 time=36.169 ms
64 bytes from 52.91.120.247: icmp_seq=5 ttl=49 time=37.556 ms
64 bytes from 52.91.120.247: icmp_seq=6 ttl=49 time=38.315 ms
Request timeout for icmp_seq 7
Request timeout for icmp_seq 8
Request timeout for icmp_seq 9
Request timeout for icmp_seq 10
Request timeout for icmp_seq 11
Request timeout for icmp_seq 12
Request timeout for icmp_seq 13
Request timeout for icmp_seq 14
Request timeout for icmp_seq 15
Request timeout for icmp_seq 16
64 bytes from 52.91.120.247: icmp_seq=17 ttl=49 time=36.393 ms
64 bytes from 52.91.120.247: icmp_seq=18 ttl=49 time=36.817 ms
64 bytes from 52.91.120.247: icmp_seq=19 ttl=49 time=36.426 ms
64 bytes from 52.91.120.247: icmp_seq=20 ttl=49 time=36.642 ms
=======================================================
tcpdump running on the EC2 server showed this:
=======================================================
14:36:54.439756 IP h250.222.196.69.ip.windstream.net.38579 >
ip-10-223-6-20.ec2.internal.ssh: Flags [.], ack 777025463, win 4094,
options [nop,nop,TS val 359672833 ecr 81189522], length 0
14:36:54.451286 IP h250.222.196.69.ip.windstream.net.38579 >
ip-10-223-6-20.ec2.internal.ssh: Flags [.], ack 101, win 4092, options
[nop,nop,TS val 359672844 ecr 81189525], length 0
14:36:54.451371 IP h250.222.196.69.ip.windstream.net.38579 >
ip-10-223-6-20.ec2.internal.ssh: Flags [.], ack 201, win 4089, options
[nop,nop,TS val 359672844 ecr 81189525], length 0
14:36:58.109023 IP h250.222.196.69.ip.windstream.net >
ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 0, length 64
14:36:59.112374 IP h250.222.196.69.ip.windstream.net >
ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 1, length 64
14:37:00.115146 IP h250.222.196.69.ip.windstream.net >
ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 2, length 64
14:37:01.116225 IP h250.222.196.69.ip.windstream.net >
ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 3, length 64
14:37:02.117449 IP h250.222.196.69.ip.windstream.net >
ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 4, length 64
14:37:03.122333 IP h250.222.196.69.ip.windstream.net >
ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 5, length 64
14:37:03.984302 IP h250.222.196.69.ip.windstream.net.mumps >
ip-10-223-6-20.ec2.internal.isakmp: isakmp: phase 1 I ident
14:37:04.022022 IP h250.222.196.69.ip.windstream.net.mumps >
ip-10-223-6-20.ec2.internal.isakmp: isakmp: phase 1 I ident
14:37:04.073863 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I
ident[E]
14:37:04.111414 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: phase
2/others I #6[E]
14:37:04.126681 IP h250.222.196.69.ip.windstream.net >
ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 6, length 64
14:37:04.156728 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: phase
2/others I #6[E]
14:37:04.156818 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: phase
2/others I #6[E]
14:37:04.219067 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: phase
2/others I oakley-quick[E]
14:37:04.255946 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: phase
2/others I oakley-quick[E]
14:37:04.551836 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0x1), length 84
14:37:04.552245 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0x2), length 84
14:37:04.552331 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0x3), length 84
14:37:05.129169 IP h250.222.196.69.ip.windstream.net >
ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 7, length 64
14:37:05.647239 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0x4), length 84
14:37:05.647295 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0x5), length 84
14:37:05.647313 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0x6), length 84
14:37:06.129422 IP h250.222.196.69.ip.windstream.net >
ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 8, length 64
14:37:06.737323 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0x7), length 84
14:37:06.737416 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0x8), length 84
14:37:06.737470 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0x9), length 84
14:37:07.131034 IP h250.222.196.69.ip.windstream.net >
ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 9, length 64
14:37:07.826947 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0xa), length 84
14:37:07.827003 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0xb), length 84
14:37:07.827372 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0xc), length 84
14:37:08.132200 IP h250.222.196.69.ip.windstream.net >
ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 10, length 64
14:37:08.925846 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0xd), length 84
14:37:08.925901 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0xe), length 84
14:37:08.925997 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0xf), length 84
14:37:09.137240 IP h250.222.196.69.ip.windstream.net >
ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 11, length 64
14:37:10.022946 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0x10), length 84
14:37:10.023001 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0x11), length 84
14:37:10.023365 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0x12), length 84
14:37:10.138907 IP h250.222.196.69.ip.windstream.net >
ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 12, length 64
14:37:11.117192 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0x13), length 84
14:37:11.117651 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0x14), length 84
14:37:11.117708 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0x15), length 84
14:37:11.144060 IP h250.222.196.69.ip.windstream.net >
ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 13, length 64
14:37:12.146011 IP h250.222.196.69.ip.windstream.net >
ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 14, length 64
14:37:12.215087 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0x16), length 84
14:37:12.215140 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0x17), length 84
14:37:12.215342 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0x18), length 84
14:37:13.147701 IP h250.222.196.69.ip.windstream.net >
ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 15, length 64
14:37:13.313867 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0x19), length 84
14:37:13.313920 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0x1a), length 84
14:37:13.313954 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0x1b), length 84
14:37:14.148266 IP h250.222.196.69.ip.windstream.net >
ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 16, length 64
14:37:14.313849 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0x1c), length 84
14:37:14.313903 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0x1d), length 84
14:37:14.313921 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
ESP(spi=0x96948f8d,seq=0x1e), length 84
14:37:14.838958 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: phase
2/others I inf[E]
14:37:14.839303 IP h250.222.196.69.ip.windstream.net.22908 >
ip-10-223-6-20.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: phase
2/others I inf[E]
14:37:15.150626 IP h250.222.196.69.ip.windstream.net >
ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 17, length 64
14:37:16.154236 IP h250.222.196.69.ip.windstream.net >
ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 18, length 64
14:37:17.155627 IP h250.222.196.69.ip.windstream.net >
ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 19, length 64
14:37:18.156524 IP h250.222.196.69.ip.windstream.net >
ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 20, length 64
14:37:19.160484 IP h250.222.196.69.ip.windstream.net >
ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 21, length 64
14:37:20.161891 IP h250.222.196.69.ip.windstream.net >
ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 22, length 64
14:37:21.166881 IP h250.222.196.69.ip.windstream.net >
ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 23, length 64
=======================================================
Richard Hurt
<http://www.facebook.com/rnhurt> <http://www.twitter.com/rnhurt>
<http://www.linkedin.com/in/rnhurt> <http://github.com/rnhurt>
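Added example, not from Richard's or Daniel's mails and not Openswan code: a small Python classifier for the EC2-side tcpdump text above. It splits the capture into cleartext ICMP, ISAKMP control traffic and UDP-encapsulated ESP, then reports which echo requests still arrived unencapsulated while ESP was flowing. The embedded capture is a constructed excerpt in the same format as the one above (same hosts, timestamps and id), not the full capture; the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt in the format of the capture quoted above (not the full capture).
CAPTURE = """\
14:37:03.122333 IP h250.222.196.69.ip.windstream.net > ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 5, length 64
14:37:03.984302 IP h250.222.196.69.ip.windstream.net.mumps > ip-10-223-6-20.ec2.internal.isakmp: isakmp: phase 1 I ident
14:37:04.073863 IP h250.222.196.69.ip.windstream.net.22908 > ip-10-223-6-20.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
14:37:04.126681 IP h250.222.196.69.ip.windstream.net > ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 6, length 64
14:37:04.551836 IP h250.222.196.69.ip.windstream.net.22908 > ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap: ESP(spi=0x96948f8d,seq=0x1), length 84
14:37:05.129169 IP h250.222.196.69.ip.windstream.net > ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 7, length 64
14:37:05.647239 IP h250.222.196.69.ip.windstream.net.22908 > ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap: ESP(spi=0x96948f8d,seq=0x4), length 84
14:37:14.838958 IP h250.222.196.69.ip.windstream.net.22908 > ip-10-223-6-20.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others I inf[E]
14:37:15.150626 IP h250.222.196.69.ip.windstream.net > ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 17, length 64
"""

# tcpdump text line: "HH:MM:SS.usec IP src > dst: description"
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+) > (\S+): (.*)$")
ICMP_RE = re.compile(r"ICMP echo request, id (\d+), seq (\d+)")
ESP_RE = re.compile(r"ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\)")


@dataclass
class Packet:
    ts: float            # seconds since midnight, from the tcpdump timestamp
    src: str
    dst: str
    kind: str            # "icmp-clear", "isakmp", "esp" or "other"
    seq: Optional[int]   # ICMP echo seq, or ESP sequence number decoded from hex
    spi: Optional[str]   # ESP SPI without the 0x prefix; None for non-ESP
    info: str            # tcpdump's description after the addresses


def to_seconds(stamp: str) -> float:
    h, m, s = stamp.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text: str) -> List[Packet]:
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a packet line (banner, truncated line, ...)
        stamp, src, dst, desc = m.groups()
        ts = to_seconds(stamp)
        icmp, esp = ICMP_RE.search(desc), ESP_RE.search(desc)
        if icmp:
            packets.append(Packet(ts, src, dst, "icmp-clear", int(icmp.group(2)), None, desc))
        elif esp:
            packets.append(Packet(ts, src, dst, "esp", int(esp.group(2), 16), esp.group(1), desc))
        elif "isakmp:" in desc:
            packets.append(Packet(ts, src, dst, "isakmp", None, None, desc))
        else:
            packets.append(Packet(ts, src, dst, "other", None, None, desc))
    return packets


def summarize(packets: List[Packet]) -> dict:
    counts: dict = {}
    for p in packets:
        counts[p.kind] = counts.get(p.kind, 0) + 1
    return counts


def esp_window(packets: List[Packet]):
    """First and last ESP timestamp, i.e. the period in which the tunnel carried data."""
    esp = [p.ts for p in packets if p.kind == "esp"]
    return (min(esp), max(esp)) if esp else None


def cleartext_icmp_during_tunnel(packets: List[Packet]) -> List[int]:
    """ICMP echo seq numbers that reached eth0 unencapsulated while ESP was flowing.
    Any hit means the client sent those pings outside the tunnel, not through it."""
    window = esp_window(packets)
    if window is None:
        return []
    first, last = window
    return [p.seq for p in packets if p.kind == "icmp-clear" and first <= p.ts <= last]


if __name__ == "__main__":
    pkts = parse_capture(CAPTURE)
    print("packets by kind:", summarize(pkts))
    print("ESP window (s since midnight):", esp_window(pkts))
    print("cleartext pings during tunnel:", cleartext_icmp_during_tunnel(pkts))
```

Fed the full capture (for instance `tcpdump -l -n ...` piped into `parse_capture`), the returned list of cleartext seq numbers is the evidence to look at: echo requests with the same id arrive unencapsulated before, during and after the ESP traffic, so the laptop is reaching the EC2 public address outside the tunnel while the tunnel is up, and the missing replies are a separate return-path question.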
On Mon, Nov 23, 2015 at 4:07 PM, Daniel Cave <dan.cave at me.com> wrote:
> Hmm ok. A couple of things to try a bit at a time
>
> Have you got ip_forwarding enabled on the ec2 instance?
>
> Can you see the traffic coming from your client through the ec2 instance
> using tcpdump?
>
> Like tcpdump -li eth0 <yourClientIp>
>
> And try a ping test
>
> 2. I noticed that the output of the IPSec status says it's disallowed
> your ec2 client subnet.. You don't normally see that. What happens if you
> allow it, don't forget you have to restart IPSec if you make Conf changes
>
> Fwiw I usually use openVpn Ssl UDP tunnelling instead of IPSec as it's so
> problematic to setup for road warriors
>
> Try googling for IPSec road warrior using aws if you get stuck.
>
> Sent from my iPhone
>
> > On 23 Nov 2015, at 20:57, Richard Hurt <rnhurt at gmail.com> wrote:
> >
> > Neither the server nor my laptop have a firewall enabled and the EC2
> > security group is set to allow all traffic from 0.0.0.0/0 (while
> > testing :) Also, at some point in the past 3 days of trying things I
> > *was* able to ping the server from my laptop, however I couldn't ping
> > anything else. :/
> >
> >
> > Below is the output of "ipsec auto status" while the tunnel is running
> > and my computer is connected. This part looks interesting, but I
> > don't know how to decode it:
> >
> > 000 "roadwarrior"[6]: 10.223.0.0/16===10.223.6.20<10.223.6.20>[MS+XS+S=C]...69.196.222.250[192.168.59.26,+MC+XC+S=C]; erouted; eroute owner: #6
> >
> > =================================================
> > 000 using kernel interface: netkey
> > 000 interface lo/lo ::1
> > 000 interface lo/lo 127.0.0.1
> > 000 interface lo/lo 127.0.0.1
> > 000 interface eth0/eth0 10.223.6.20
> > 000 interface eth0/eth0 10.223.6.20
> > 000 %myid = (none)
> > 000 debug none
> > 000
> > 000 virtual_private (%priv):
> > 000 - allowed 3 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
> > 000 - disallowed 1 subnet: 10.223.0.0/16
> > 000
> > 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
> > keysizemax=64
> > 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,
> > keysizemin=192, keysizemax=192
> > 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8,
> > keysizemin=40, keysizemax=128
> > 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
> > keysizemin=40, keysizemax=448
> > 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0,
> > keysizemin=0, keysizemax=0
> > 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8,
> > keysizemin=128, keysizemax=256
> > 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,
> > keysizemin=160, keysizemax=288
> > 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
> > keysizemin=128, keysizemax=256
> > 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
> > keysizemin=128, keysizemax=256
> > 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
> > keysizemin=128, keysizemax=256
> > 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
> > keysizemin=128, keysizemax=256
> > 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8,
> > keysizemin=128, keysizemax=256
> > 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8,
> > keysizemin=128, keysizemax=256
> > 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8,
> > keysizemin=128, keysizemax=256
> > 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
> > keysizemin=128, keysizemax=256
> > 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
> > keysizemin=128, keysizemax=256
> > 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
> > keysizemin=128, keysizemax=128
> > 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
> > keysizemin=160, keysizemax=160
> > 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
> > keysizemin=256, keysizemax=256
> > 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384,
> > keysizemin=384, keysizemax=384
> > 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,
> > keysizemin=512, keysizemax=512
> > 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
> > keysizemin=160, keysizemax=160
> > 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
> > keysizemin=128, keysizemax=128
> > 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
> > 000
> > 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
> > 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
> > keydeflen=192
> > 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
> > keydeflen=128
> > 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> > 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> > 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> > 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> > 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> > 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> > 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> > 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> > 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> > 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
> > 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
> > 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
> > 000
> > 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
> > trans={0,0,0} attrs={0,0,0}
> > 000
> > 000 "roadwarrior": 10.223.0.0/16===10.223.6.20<10.223.6.20>[MS+XS+S=C]...%virtual[+MC+XC+S=C]===?; unrouted; eroute owner: #0
> > 000 "roadwarrior": myip=unset; hisip=unset;
> > 000 "roadwarrior": ike_life: 3600s; ipsec_life: 28800s;
> > rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> > 000 "roadwarrior": policy:
> > PSK+ENCRYPT+TUNNEL+DONTREKEY+MODECFGPULL+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD;
> > prio: 16,32; interface: eth0;
> > 000 "roadwarrior": newest ISAKMP SA: #0; newest IPsec SA: #0;
> > 000 "roadwarrior"[6]: 10.223.0.0/16===10.223.6.20<10.223.6.20>[MS+XS+S=C]...69.196.222.250[192.168.59.26,+MC+XC+S=C]; erouted; eroute owner: #6
> > 000 "roadwarrior"[6]: myip=unset; hisip=unset;
> > 000 "roadwarrior"[6]: ike_life: 3600s; ipsec_life: 28800s;
> > rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> > 000 "roadwarrior"[6]: policy:
> > PSK+ENCRYPT+TUNNEL+DONTREKEY+MODECFGPULL+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD;
> > prio: 16,32; interface: eth0;
> > 000 "roadwarrior"[6]: newest ISAKMP SA: #5; newest IPsec SA: #6;
> > 000 "roadwarrior"[6]: IKE algorithm newest: AES_CBC_256-SHA1-MODP1024
> > 000
> > 000 #6: "roadwarrior"[6] 69.196.222.250:61652 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3573s; newest IPSEC; eroute owner; isakmp#5; idle; import:not set
> > 000 #6: "roadwarrior"[6] 69.196.222.250 esp.52c66d2 at 69.196.222.250 esp.cacb569a at 10.223.6.20 tun.0 at 69.196.222.250 tun.0 at 10.223.6.20 ref=0 refhim=4294901761
> > 000 #5: "roadwarrior"[6] 69.196.222.250:61652 STATE_MODE_CFG_R1 (ModeCfg Set sent, expecting Ack); EVENT_SA_REPLACE in 28502s; newest ISAKMP; lastdpd=8s(seq in:0 out:0); idle; import:not set
> > 000
> > =================================================
> > Richard Hurt
> >
> >
> >
> >> On Mon, Nov 23, 2015 at 3:46 PM, Daniel Cave <dan.cave at me.com> wrote:
> >> If you run IPSec auto status on the ec2 instance when your tunnel is
> >> up what does it say?
> >>
> >> Have you got rules in your security groups to allow routing between
> >> your client and the host and rest of the traffic as well as rules on the
> >> ec2 Linux instances that are blocking traffic going through the box ??
> >>
> >> Sent from my iPhone
> >>
> >>> On 23 Nov 2015, at 17:29, Richard Hurt <rnhurt at gmail.com> wrote:
> >>>
> >>> I'm trying to use OpenSwan (Linux Openswan
> >>> U2.6.37/K4.1.10-17.31.amzn1.x86_64 (netkey)) to build a VPN between an
> >>> EC2 VPC and my laptop. It seems to almost work (authentication works,
> >>> not logging any errors, etc.) but the routing is just not happening
> >>> properly. The EC2 server is in the 10.223.0.0/16 block (10.223.6.20
> >>> in this case) and my local machine is behind a NAT in the
> >>> 192.168.0.0/16 block (192.168.59.26 in this case). I'm running Mac OS
> >>> X 10.11 and bringing the VPN connection up using the native IPSec
> >>> Cisco VPN client causes all packets to stop flowing everywhere.
> >>> Playing around with the IPSec settings on the server I was able to get
> >>> packets to flow to the server from my laptop but everything else was
> >>> blocked (DNS, ping, etc.)
> >>>
> >>> Basically, I want everything to stay out of the VPN except for traffic
> >>> to 10.223.0.0/16. What am I doing wrong? One thing that looks really
> >>> weird to me is that when I bring the tunnel up I see this in my
> >>> ifconfig (0.2.0.4 doesn't look like a valid IP address to me):
> >>>
> >>> utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
> >>> inet 0.2.0.4 --> 0.2.0.4 netmask 0xffffffff
> >>> nd6 options=1<PERFORMNUD>
> >>>
> >>> ===============================================
> >>> # /etc/ipsec.conf
> >>> version 2.0
> >>> config setup
> >>> protostack=netkey
> >>> nat_traversal=yes
> >>> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.223.0.0/16
> >>> oe=off
> >>>
> >>> include /etc/ipsec.d/*.conf
> >>> ===============================================
> >>>
> >>>
> >>> ===============================================
> >>> # /etc/ipsec.d/roadwarrior.conf
> >>> conn roadwarrior
> >>> type=tunnel
> >>> authby=secret
> >>> auto=add
> >>> rekey=no
> >>> pfs=no
> >>> forceencaps=yes
> >>>
> >>> # Setup local side
> >>> left=10.223.6.20
> >>> leftsubnet=10.223.0.0/16
> >>> leftxauthserver=yes
> >>> leftmodecfgserver=yes
> >>>
> >>> # Setup remote side
> >>> right=%any
> >>> rightsubnet=vhost:%priv,%no
> >>> rightxauthclient=yes
> >>> rightmodecfgclient=yes
> >>>
> >>> # Config MODE
> >>> modecfgpull=yes
> >>> modecfgdns1=8.8.8.8
> >>> modecfgdns2=8.8.4.4
> >>> ===============================================
> >>>
> >>>
> >>> ===============================================
> >>> Nov 23 17:15:24 ip-10-223-6-20 ipsec__plutorun: Starting Pluto
> subsystem...
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: nss directory plutomain:
> >>> /etc/ipsec.d
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: NSS Initialized
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Non-fips mode set in
> >>> /proc/sys/crypto/fips_enabled
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Starting Pluto (Openswan
> >>> Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:15882
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Non-fips mode set in
> >>> /proc/sys/crypto/fips_enabled
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: LEAK_DETECTIVE support
> [disabled]
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: OCF support for IKE
> [disabled]
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: SAref support [disabled]:
> >>> Protocol not available
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: SAbind support
> >>> [disabled]: Protocol not available
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: NSS support [enabled]
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: HAVE_STATSD notification
> >>> support not compiled in
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Setting NAT-Traversal
> >>> port-4500 floating to on
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: port floating
> >>> activation criteria nat_t=1/port_float=1
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: NAT-Traversal support
> [enabled]
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
> >>> Activating OAKLEY_AES_CBC: Ok (ret=0)
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: starting up 1
> cryptographic helpers
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: started helper (thread)
> >>> pid=140240508929792 (fd:8)
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Using Linux 2.6 IPsec
> >>> interface code on 4.1.10-17.31.amzn1.x86_64 (experimental code)
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
> >>> Activating aes_ccm_8: Ok (ret=0)
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_add(): ERROR:
> >>> Algorithm already exists
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
> >>> Activating aes_ccm_12: FAILED (ret=-17)
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_add(): ERROR:
> >>> Algorithm already exists
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
> >>> Activating aes_ccm_16: FAILED (ret=-17)
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_add(): ERROR:
> >>> Algorithm already exists
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
> >>> Activating aes_gcm_8: FAILED (ret=-17)
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_add(): ERROR:
> >>> Algorithm already exists
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
> >>> Activating aes_gcm_12: FAILED (ret=-17)
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_add(): ERROR:
> >>> Algorithm already exists
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
> >>> Activating aes_gcm_16: FAILED (ret=-17)
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Could not change to
> >>> directory '/etc/ipsec.d/cacerts': /
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Could not change to
> >>> directory '/etc/ipsec.d/aacerts': /
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Could not change to
> >>> directory '/etc/ipsec.d/ocspcerts': /
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Could not change to
> >>> directory '/etc/ipsec.d/crls'
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: added connection
> >>> description "roadwarrior"
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: listening for IKE messages
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: adding interface
> >>> eth0/eth0 10.223.6.20:500
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: adding interface
> >>> eth0/eth0 10.223.6.20:4500
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: adding interface lo/lo
> >>> 127.0.0.1:500
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: adding interface lo/lo
> >>> 127.0.0.1:4500
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: adding interface lo/lo
> ::1:500
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: loading secrets from
> >>> "/etc/ipsec.secrets"
> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: loading secrets from
> >>> "/etc/ipsec.d/road-warrior.secrets"
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> >>> 69.196.222.250:19: received Vendor ID payload [RFC 3947] method set
> >>> to=109
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> >>> 69.196.222.250:19: received Vendor ID payload
> >>> [draft-ietf-ipsec-nat-t-ike] method set to=110
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> >>> 69.196.222.250:19: ignoring unknown Vendor ID payload
> >>> [8f8d83826d246b6fc7a8a6a428c11de8]
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> >>> 69.196.222.250:19: ignoring unknown Vendor ID payload
> >>> [439b59f8ba676c4c7737ae22eab8f582]
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> >>> 69.196.222.250:19: ignoring unknown Vendor ID payload
> >>> [4d1e0e136deafa34c4f3ea9f02ec7285]
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> >>> 69.196.222.250:19: ignoring unknown Vendor ID payload
> >>> [80d0bb3def54565ee84645d4c85ce3ee]
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> >>> 69.196.222.250:19: ignoring unknown Vendor ID payload
> >>> [9909b64eed937c6573de52ace952fa6b]
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> >>> 69.196.222.250:19: received Vendor ID payload
> >>> [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> >>> 69.196.222.250:19: received Vendor ID payload
> >>> [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> >>> 69.196.222.250:19: received Vendor ID payload
> >>> [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method
> >>> 110
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> >>> 69.196.222.250:19: received Vendor ID payload [XAUTH]
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> >>> 69.196.222.250:19: received Vendor ID payload [Cisco-Unity]
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> >>> 69.196.222.250:19: ignoring Vendor ID payload [FRAGMENTATION 80000000]
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
> >>> 69.196.222.250:19: received Vendor ID payload [Dead Peer Detection]
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
> >>> 69.196.222.250 #1: responding to Main Mode from unknown peer
> >>> 69.196.222.250
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
> >>> 69.196.222.250 #1: transition from state STATE_MAIN_R0 to state
> >>> STATE_MAIN_R1
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
> >>> 69.196.222.250 #1: STATE_MAIN_R1: sent MR1, expecting MI2
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
> >>> 69.196.222.250 #1: NAT-Traversal: Result using
> >>> draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
> >>> 69.196.222.250 #1: transition from state STATE_MAIN_R1 to state
> >>> STATE_MAIN_R2
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
> >>> 69.196.222.250 #1: STATE_MAIN_R2: sent MR2, expecting MI3
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
> >>> 69.196.222.250 #1: ignoring informational payload, type
> >>> IPSEC_INITIAL_CONTACT msgid=00000000
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
> >>> 69.196.222.250 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.59.26'
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1]
> >>> 69.196.222.250 #1: switched from "roadwarrior" to "roadwarrior"
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: deleting connection "roadwarrior" instance with
> >>> peer 69.196.222.250 {isakmp=#0/ipsec=#0}
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: transition from state STATE_MAIN_R2 to state
> >>> STATE_MAIN_R3
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: new NAT mapping for #1, was 69.196.222.250:19, now
> >>> 69.196.222.250:1340
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> >>> {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha
> >>> group=modp1024}
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: XAUTH: Sending XAUTH Login/Password Request
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: XAUTH: Sending Username/Password request (XAUTH_R0)
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: XAUTH: User elison: Attempting to login
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: XAUTH: md5 authentication being called to
> >>> authenticate user elison
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: XAUTH: password file (/etc/ipsec.d/passwd) open.
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: XAUTH: checking user(elison:roadwarrior)
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: XAUTH: nope
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: XAUTH: checking user(elison:roadwarrior)
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: XAUTH: nope
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: XAUTH: checking user(elison:roadwarrior)
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: XAUTH: User elison: Authentication Successful
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: XAUTH: xauth_inR1(STF_OK)
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: transition from state STATE_XAUTH_R1 to state
> >>> STATE_MAIN_R3
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: unsupported mode cfg attribute
> >>> INTERNAL_ADDRESS_EXPIRY received.
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: unsupported mode cfg attribute APPLICATION_VERSION
> >>> received.
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: unsupported mode cfg attribute CISCO_BANNER
> >>> received.
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: unsupported mode cfg attribute CISCO_DEF_DOMAIN
> >>> received.
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: unsupported mode cfg attribute CISCO_SPLIT_DNS
> >>> received.
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: unsupported mode cfg attribute CISCO_SPLIT_INC
> >>> received.
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: unsupported mode cfg attribute CISCO_UNKNOWN
> >>> received.
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: unsupported mode cfg attribute CISCO_DO_PFS
> >>> received.
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: unsupported mode cfg attribute CISCO_SAVE_PW
> >>> received.
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: unsupported mode cfg attribute CISCO_FW_TYPE
> >>> received.
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: unsupported mode cfg attribute CISCO_BACKUP_SERVER
> >>> received.
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: modecfg_inR0(STF_OK)
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: transition from state STATE_MODE_CFG_R0 to state
> >>> STATE_MODE_CFG_R1
> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
> >>> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: Applying workaround for Mac OS X NAT-OA bug,
> >>> ignoring proposed subnet
> >>> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: the peer proposed: 0.0.0.0/0:0/0 ->
> >>> 69.196.222.250/32:0/0
> >>> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #2: responding to Quick Mode proposal {msgid:ba3b61a4}
> >>> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #2: us:
> >>> 10.223.0.0/16===10.223.6.20<10.223.6.20>[MS+XS+S=C]
> >>> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #2: them: 69.196.222.250[192.168.59.26,+MC+XC+S=C]
> >>> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #2: transition from state STATE_QUICK_R0 to state
> >>> STATE_QUICK_R1
> >>> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA
> >>> installed, expecting QI2
> >>> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #2: transition from state STATE_QUICK_R1 to state
> >>> STATE_QUICK_R2
> >>> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #2: STATE_QUICK_R2: IPsec SA established tunnel mode
> >>> {ESP=>0x0e95dea0 <0x397c4b2d xfrm=AES_256-HMAC_SHA1 NATOA=none
> >>> NATD=69.196.222.250:1340 DPD=none}
> >>> Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: received Delete SA(0x0e95dea0) payload: deleting
> >>> IPSEC State #2
> >>> Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: received and ignored informational message
> >>> Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250 #1: received Delete SA payload: deleting ISAKMP State
> >>> #1
> >>> Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2]
> >>> 69.196.222.250: deleting connection "roadwarrior" instance with peer
> >>> 69.196.222.250 {isakmp=#0/ipsec=#0}
> >>> Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: packet from
> >>> 69.196.222.250:1340: received and ignored informational message
> >>>
> >>> ===============================================
> >>> _______________________________________________
> >>> Users at lists.openswan.org
> >>> https://lists.openswan.org/mailman/listinfo/users
> >>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> >>> Building and Integrating Virtual Private Networks with Openswan:
> >>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>
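A pluto log like the one quoted above is easier to reason about once the milestones are pulled out of the syslog noise: which ISAKMP parameters were agreed, whether XAUTH passed, what traffic selectors the client proposed versus what the IPsec SA actually covers, and when the SAs were torn down. The script below is an added example written for this thread; it is not code from the original posts or from Openswan. The sample log is a constructed, condensed copy of the lines quoted above (same connection name, addresses, SPIs and user), and the checks in `check_negotiation` are the example's own: they flag the 1024-bit DH group, the shared PSK plus XAUTH model, the absence of DPD, and the mismatch between the client's 0.0.0.0/0 proposal and the 10.223.0.0/16 selector the SA was installed with.

```python
"""Summarise an Openswan pluto IKEv1 negotiation from syslog lines."""
import re

# Constructed sample: a condensed copy of the pluto lines quoted in the
# thread (same connection, addresses, SPIs and user), one message per line.
SAMPLE_LOG = """\
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: XAUTH: User elison: Authentication Successful
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: unsupported mode cfg attribute CISCO_SPLIT_INC received.
Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: Applying workaround for Mac OS X NAT-OA bug, ignoring proposed subnet
Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: the peer proposed: 0.0.0.0/0:0/0 -> 69.196.222.250/32:0/0
Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #2: us: 10.223.0.0/16===10.223.6.20<10.223.6.20>[MS+XS+S=C]
Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #2: them: 69.196.222.250[192.168.59.26,+MC+XC+S=C]
Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0e95dea0 <0x397c4b2d xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=69.196.222.250:1340 DPD=none}
Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: received Delete SA(0x0e95dea0) payload: deleting IPSEC State #2
Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: packet from 69.196.222.250:1340: received and ignored informational message
"""

# Common prefix of every pluto message that carries a connection context.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)"(?:\[\d+\])? (?P<peer>\S+) #(?P<sa>\d+): (?P<msg>.*)$')
BRACES_RE = re.compile(r'\{([^}]*)\}')
ESP_RE = re.compile(r'ESP=>(0x[0-9a-f]+) <(0x[0-9a-f]+)')
PROPOSED_RE = re.compile(r'the peer proposed: (\S+) -> (\S+)')
US_RE = re.compile(r'^us: (\S+?)===')
THEM_RE = re.compile(r'^them: ([^\[\s]+)\[([^,\]]+)')
XAUTH_RE = re.compile(r'XAUTH: User (\S+): Authentication Successful')
CFG_RE = re.compile(r'unsupported mode cfg attribute (\S+) received')
DELETE_RE = re.compile(r'received Delete SA\((0x[0-9a-f]+)\) payload')


def _kv(block):
    """Turn 'auth=X cipher=Y' into a dict (tokens without '=' are skipped)."""
    return dict(tok.split('=', 1) for tok in block.split() if '=' in tok)


def parse_pluto_log(text):
    """Return the negotiation milestones found in pluto log text."""
    s = {'isakmp': None, 'xauth_user': None, 'unsupported_cfg': [],
         'peer_proposed': None, 'local_selector': None, 'remote_addr': None,
         'remote_id': None, 'ipsec': None, 'deleted_spis': [], 'timeline': []}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:                # e.g. "packet from ...": no connection context
            continue
        ts, msg = m['ts'], m['msg']
        braces = BRACES_RE.search(msg)
        if 'ISAKMP SA established' in msg and braces:
            s['isakmp'] = _kv(braces.group(1))   # auth, cipher, prf, group
            s['timeline'].append((ts, 'ISAKMP SA established'))
        elif 'IPsec SA established' in msg and braces:
            info = _kv(braces.group(1))
            info.pop('ESP', None)                # 'ESP=>0x..' is not key=value
            esp = ESP_RE.search(msg)
            if esp:
                info['spi_out'], info['spi_in'] = esp.groups()
            s['ipsec'] = info
            s['timeline'].append((ts, 'IPsec SA established'))
        elif XAUTH_RE.search(msg):
            s['xauth_user'] = XAUTH_RE.search(msg).group(1)
            s['timeline'].append((ts, 'XAUTH ok: ' + s['xauth_user']))
        elif CFG_RE.search(msg):
            s['unsupported_cfg'].append(CFG_RE.search(msg).group(1))
        elif PROPOSED_RE.search(msg):
            # pluto prints "net:proto/port"; keep the IPv4 prefix only and
            # record the pair in the order pluto logged it.
            a, b = PROPOSED_RE.search(msg).groups()
            s['peer_proposed'] = (a.split(':')[0], b.split(':')[0])
        elif US_RE.match(msg):
            s['local_selector'] = US_RE.match(msg).group(1)
        elif THEM_RE.match(msg):
            s['remote_addr'], s['remote_id'] = THEM_RE.match(msg).groups()
        elif DELETE_RE.search(msg):
            s['deleted_spis'].append(DELETE_RE.search(msg).group(1))
            s['timeline'].append((ts, 'IPsec SA deleted'))
    return s


def check_negotiation(s):
    """Defender-side observations about what was negotiated (example checks)."""
    findings = []
    ik, ips = s['isakmp'] or {}, s['ipsec'] or {}
    if ik.get('group') in ('modp768', 'modp1024'):
        findings.append('DH group %s: RFC 8247 rates MODP-1024 as SHOULD NOT; '
                        'prefer modp2048 or stronger' % ik['group'])
    if ik.get('auth') == 'OAKLEY_PRESHARED_KEY' and s['xauth_user']:
        findings.append('shared group PSK plus XAUTH: every client holding the PSK '
                        'authenticates the gateway; user identity rests on XAUTH')
    if ips.get('DPD') == 'none':
        findings.append('DPD=none: a client that vanishes leaves a stale IPsec SA '
                        'until its lifetime expires')
    pp, local = s['peer_proposed'], s['local_selector']
    if pp and '0.0.0.0/0' in pp and local not in (None, '0.0.0.0/0'):
        findings.append('client proposed 0.0.0.0/0 but the SA covers only %s on '
                        'our side; other destinations are outside the tunnel' % local)
    return findings


if __name__ == '__main__':
    summary = parse_pluto_log(SAMPLE_LOG)
    for ts, event in summary['timeline']:
        print(ts, event)
    print('local', summary['local_selector'], 'peer', summary['remote_addr'],
          'id', summary['remote_id'], 'proposed', summary['peer_proposed'])
    for f in check_negotiation(summary):
        print('finding:', f)
```

Run it against `/var/log/secure` (or wherever pluto logs on your distribution) after filtering for `pluto[` to get the same summary for a live connection; the selector line is the one to compare with the `leftsubnet`/`rightsubnet` values in `ipsec.conf` when traffic negotiates but does not flow.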