[Openswan Users] EC2 <--> RoadWarrior routing problems

Richard Hurt rnhurt at gmail.com
Tue Nov 24 09:53:06 EST 2015


BTW: I also tried removing the disallowed subnet but it didn't seem to help

000 virtual_private (%priv):
000 - allowed 3 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!

Thanx!

Richard Hurt
<http://www.facebook.com/rnhurt>  <http://www.twitter.com/rnhurt>
<http://www.linkedin.com/in/rnhurt>  <http://github.com/rnhurt>

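The "Disallowed subnets in virtual_private= is empty" warning quoted above is the one policy detail in this thread that is security-relevant rather than a routing nuisance: virtual_private= tells Openswan which private ranges a roadwarrior (rightsubnet=vhost:%priv) may claim as its inner address, and the `!` entries carve out the space you actually use behind the gateway so a peer cannot claim an address inside your own LAN. The following script is an added illustration written for this page, not code from the original thread or from the Openswan project. It parses a virtual_private= line into allowed and excluded ranges, checks a peer's proposed inner subnet against them, and reproduces the audit condition behind the warning. The matching rule it applies (proposal must sit inside an allowed range and must not overlap an excluded one) is an assumption that simplifies Openswan's real vhost matching; the %v6 handling is omitted, and the sample strings are constructed from the ipsec.conf quoted further down.

```python
import ipaddress

# Constructed sample input: the virtual_private= value and leftsubnet= from the
# ipsec.conf quoted in this thread. The second string is the same line with the
# "!10.223.0.0/16" exclusion removed, which is what the "BTW" at the top tried.
VIRTUAL_PRIVATE_WITH_EXCLUSION = (
    "%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.223.0.0/16"
)
VIRTUAL_PRIVATE_NO_EXCLUSION = "%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12"
LEFTSUBNET = "10.223.0.0/16"


def parse_virtual_private(value):
    """Split a virtual_private= string into (allowed, disallowed) IPv4 networks.

    Entries are comma separated and look like %v4:NET; a leading '!' on NET
    marks an exclusion. %v6 entries are skipped (assumption: v4 only here).
    """
    allowed, disallowed = [], []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        family, sep, net = entry.partition(":")
        if sep == "" or family != "%v4":
            continue
        if net.startswith("!"):
            disallowed.append(ipaddress.ip_network(net[1:], strict=False))
        else:
            allowed.append(ipaddress.ip_network(net, strict=False))
    return allowed, disallowed


def client_subnet_permitted(allowed, disallowed, proposed):
    """Model of the rightsubnet=vhost:%priv decision for one peer proposal.

    Assumed rule (a simplification of Openswan's own matching): the peer's
    proposed inner subnet must sit inside one allowed range and must not
    overlap any disallowed range.
    """
    net = ipaddress.ip_network(proposed, strict=False)
    inside_allowed = any(net.subnet_of(rng) for rng in allowed)
    hits_disallowed = any(net.overlaps(rng) for rng in disallowed)
    return inside_allowed and not hits_disallowed


def internal_space_excluded(allowed, disallowed, leftsubnet):
    """True when the gateway's own LAN (leftsubnet) cannot be claimed by a peer.

    This is the condition behind the "Disallowed subnets ... is empty"
    warning: if leftsubnet lies inside an allowed private range and no
    exclusion covers it, a roadwarrior may propose an inner address taken
    from your LAN and the tunnel policy will then cover that address.
    """
    lan = ipaddress.ip_network(leftsubnet, strict=False)
    if not any(lan.overlaps(rng) for rng in allowed):
        return True
    return any(lan.subnet_of(rng) for rng in disallowed)


def audit(value, leftsubnet):
    """Return the warnings a config reviewer would raise for one virtual_private= line."""
    allowed, disallowed = parse_virtual_private(value)
    warnings = []
    if not disallowed:
        warnings.append("disallowed list is empty; exclude private space you use internally")
    if not internal_space_excluded(allowed, disallowed, leftsubnet):
        warnings.append("leftsubnet %s can be claimed by a roadwarrior" % leftsubnet)
    return warnings


if __name__ == "__main__":
    for label, value in (("with exclusion", VIRTUAL_PRIVATE_WITH_EXCLUSION),
                         ("no exclusion", VIRTUAL_PRIVATE_NO_EXCLUSION)):
        allowed, disallowed = parse_virtual_private(value)
        print(label,
              "| laptop 192.168.59.26/32 permitted:",
              client_subnet_permitted(allowed, disallowed, "192.168.59.26/32"),
              "| LAN host 10.223.6.99/32 permitted:",
              client_subnet_permitted(allowed, disallowed, "10.223.6.99/32"),
              "| warnings:", audit(value, LEFTSUBNET))
```

Run against the two constructed lines, the version with the `!10.223.0.0/16` entry accepts the laptop's 192.168.59.26/32 and refuses a proposal inside the VPC range, while the version without it accepts both and trips the same two conditions the daemon warns about. Dropping the exclusion therefore widens what a peer may claim without doing anything for the routing problem in this thread.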
On Tue, Nov 24, 2015 at 9:50 AM, Richard Hurt <rnhurt at gmail.com> wrote:

> Well, I was trying to get a RoadWarrior VPN solution using native clients
> and not forcing the end user to install anything.  :/ However, it looks
> like that might be a pipe dream, and after looking at the OpenVPN clients,
> they don't seem so bad.
>
> As for searching for an answer, I've almost used up all of my Google-fu
> looking for solutions to this problem.  One issue I'm having is that there
> are lots of answers that aren't quite what I need; either they are for
> older versions of Openswan, or for IPsec/L2TP configs, or they are for
> strongSwan / Libreswan which have different arguments, keywords, etc.
>  *sigh*
>
> Just for due diligence and maybe help someone else that is having the
> problem (possibly even myself in the future) I would like to make this work
> with Openswan, even if I end up using OpenVPN.  To that end I will answer
> your questions as best I can.
>
> I confirmed that IP forwarding is enabled on the EC2 instance:
>
>   [ec2-user at ip-10-223-6-20 ~]$ cat /proc/sys/net/ipv4/ip_forward
>   1
>
> Interestingly, I *can* see traffic (ICMP) from my laptop to the EC2
> instance while the tunnel is up.  I started pinging the EC2 instance from
> my laptop, turned the tunnel on after 5-6 pings, let it ping some more,
> then turned the tunnel off again.  Here is the output I captured.
>
> My laptop terminal showed this:
> =======================================================
> 64 bytes from 52.91.120.247: icmp_seq=0 ttl=49 time=41.208 ms
> 64 bytes from 52.91.120.247: icmp_seq=1 ttl=49 time=37.734 ms
> 64 bytes from 52.91.120.247: icmp_seq=2 ttl=49 time=36.369 ms
> 64 bytes from 52.91.120.247: icmp_seq=3 ttl=49 time=36.782 ms
> 64 bytes from 52.91.120.247: icmp_seq=4 ttl=49 time=36.169 ms
> 64 bytes from 52.91.120.247: icmp_seq=5 ttl=49 time=37.556 ms
> 64 bytes from 52.91.120.247: icmp_seq=6 ttl=49 time=38.315 ms
> Request timeout for icmp_seq 7
> Request timeout for icmp_seq 8
> Request timeout for icmp_seq 9
> Request timeout for icmp_seq 10
> Request timeout for icmp_seq 11
> Request timeout for icmp_seq 12
> Request timeout for icmp_seq 13
> Request timeout for icmp_seq 14
> Request timeout for icmp_seq 15
> Request timeout for icmp_seq 16
> 64 bytes from 52.91.120.247: icmp_seq=17 ttl=49 time=36.393 ms
> 64 bytes from 52.91.120.247: icmp_seq=18 ttl=49 time=36.817 ms
> 64 bytes from 52.91.120.247: icmp_seq=19 ttl=49 time=36.426 ms
> 64 bytes from 52.91.120.247: icmp_seq=20 ttl=49 time=36.642 ms
> =======================================================
>
> tcpdump running on the EC2 server showed this:
> =======================================================
> 14:36:54.439756 IP h250.222.196.69.ip.windstream.net.38579 >
> ip-10-223-6-20.ec2.internal.ssh: Flags [.], ack 777025463, win 4094,
> options [nop,nop,TS val 359672833 ecr 81189522], length 0
> 14:36:54.451286 IP h250.222.196.69.ip.windstream.net.38579 >
> ip-10-223-6-20.ec2.internal.ssh: Flags [.], ack 101, win 4092, options
> [nop,nop,TS val 359672844 ecr 81189525], length 0
> 14:36:54.451371 IP h250.222.196.69.ip.windstream.net.38579 >
> ip-10-223-6-20.ec2.internal.ssh: Flags [.], ack 201, win 4089, options
> [nop,nop,TS val 359672844 ecr 81189525], length 0
> 14:36:58.109023 IP h250.222.196.69.ip.windstream.net >
> ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 0, length 64
> 14:36:59.112374 IP h250.222.196.69.ip.windstream.net >
> ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 1, length 64
> 14:37:00.115146 IP h250.222.196.69.ip.windstream.net >
> ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 2, length 64
> 14:37:01.116225 IP h250.222.196.69.ip.windstream.net >
> ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 3, length 64
> 14:37:02.117449 IP h250.222.196.69.ip.windstream.net >
> ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 4, length 64
> 14:37:03.122333 IP h250.222.196.69.ip.windstream.net >
> ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 5, length 64
> 14:37:03.984302 IP h250.222.196.69.ip.windstream.net.mumps >
> ip-10-223-6-20.ec2.internal.isakmp: isakmp: phase 1 I ident
> 14:37:04.022022 IP h250.222.196.69.ip.windstream.net.mumps >
> ip-10-223-6-20.ec2.internal.isakmp: isakmp: phase 1 I ident
> 14:37:04.073863 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I
> ident[E]
> 14:37:04.111414 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: phase
> 2/others I #6[E]
> 14:37:04.126681 IP h250.222.196.69.ip.windstream.net >
> ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 6, length 64
> 14:37:04.156728 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: phase
> 2/others I #6[E]
> 14:37:04.156818 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: phase
> 2/others I #6[E]
> 14:37:04.219067 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: phase
> 2/others I oakley-quick[E]
> 14:37:04.255946 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: phase
> 2/others I oakley-quick[E]
> 14:37:04.551836 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0x1), length 84
> 14:37:04.552245 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0x2), length 84
> 14:37:04.552331 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0x3), length 84
> 14:37:05.129169 IP h250.222.196.69.ip.windstream.net >
> ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 7, length 64
> 14:37:05.647239 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0x4), length 84
> 14:37:05.647295 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0x5), length 84
> 14:37:05.647313 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0x6), length 84
> 14:37:06.129422 IP h250.222.196.69.ip.windstream.net >
> ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 8, length 64
> 14:37:06.737323 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0x7), length 84
> 14:37:06.737416 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0x8), length 84
> 14:37:06.737470 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0x9), length 84
> 14:37:07.131034 IP h250.222.196.69.ip.windstream.net >
> ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 9, length 64
> 14:37:07.826947 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0xa), length 84
> 14:37:07.827003 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0xb), length 84
> 14:37:07.827372 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0xc), length 84
> 14:37:08.132200 IP h250.222.196.69.ip.windstream.net >
> ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 10, length 64
> 14:37:08.925846 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0xd), length 84
> 14:37:08.925901 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0xe), length 84
> 14:37:08.925997 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0xf), length 84
> 14:37:09.137240 IP h250.222.196.69.ip.windstream.net >
> ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 11, length 64
> 14:37:10.022946 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0x10), length 84
> 14:37:10.023001 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0x11), length 84
> 14:37:10.023365 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0x12), length 84
> 14:37:10.138907 IP h250.222.196.69.ip.windstream.net >
> ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 12, length 64
> 14:37:11.117192 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0x13), length 84
> 14:37:11.117651 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0x14), length 84
> 14:37:11.117708 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0x15), length 84
> 14:37:11.144060 IP h250.222.196.69.ip.windstream.net >
> ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 13, length 64
> 14:37:12.146011 IP h250.222.196.69.ip.windstream.net >
> ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 14, length 64
> 14:37:12.215087 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0x16), length 84
> 14:37:12.215140 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0x17), length 84
> 14:37:12.215342 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0x18), length 84
> 14:37:13.147701 IP h250.222.196.69.ip.windstream.net >
> ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 15, length 64
> 14:37:13.313867 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0x19), length 84
> 14:37:13.313920 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0x1a), length 84
> 14:37:13.313954 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0x1b), length 84
> 14:37:14.148266 IP h250.222.196.69.ip.windstream.net >
> ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 16, length 64
> 14:37:14.313849 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0x1c), length 84
> 14:37:14.313903 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0x1d), length 84
> 14:37:14.313921 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: UDP-encap:
> ESP(spi=0x96948f8d,seq=0x1e), length 84
> 14:37:14.838958 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: phase
> 2/others I inf[E]
> 14:37:14.839303 IP h250.222.196.69.ip.windstream.net.22908 >
> ip-10-223-6-20.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: phase
> 2/others I inf[E]
> 14:37:15.150626 IP h250.222.196.69.ip.windstream.net >
> ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 17, length 64
> 14:37:16.154236 IP h250.222.196.69.ip.windstream.net >
> ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 18, length 64
> 14:37:17.155627 IP h250.222.196.69.ip.windstream.net >
> ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 19, length 64
> 14:37:18.156524 IP h250.222.196.69.ip.windstream.net >
> ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 20, length 64
> 14:37:19.160484 IP h250.222.196.69.ip.windstream.net >
> ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 21, length 64
> 14:37:20.161891 IP h250.222.196.69.ip.windstream.net >
> ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 22, length 64
> 14:37:21.166881 IP h250.222.196.69.ip.windstream.net >
> ip-10-223-6-20.ec2.internal: ICMP echo request, id 48122, seq 23, length 64
> =======================================================
>
>
> Richard Hurt
>
> On Mon, Nov 23, 2015 at 4:07 PM, Daniel Cave <dan.cave at me.com> wrote:
>
>> Hmm ok. A couple of things to try a bit at a time
>>
>> Have you got ip_forwarding enabled on the ec2 instance?
>>
>> Can you see the traffic coming from your client through the ec2 instance
>> using tcpdump?
>>
>> Like.  tcpdump -li eth0 <yourClientIp>
>>
>> And try a ping test
>>
>> 2. I noticed that the output of the IPsec status says it's disallowed
>> your EC2 client subnet. You don't normally see that. What happens if you
>> allow it? Don't forget you have to restart IPsec if you make conf changes.
>>
>> FWIW I usually use OpenVPN SSL UDP tunnelling instead of IPsec as it's so
>> problematic to set up for road warriors.
>>
>> Try googling for IPsec road warrior using AWS if you get stuck.
>>
>> Sent from my iPhone
>>
>> > On 23 Nov 2015, at 20:57, Richard Hurt <rnhurt at gmail.com> wrote:
>> >
>> > Neither the server nor my laptop have a firewall enabled and the EC2
>> > security group is set to allow all traffic from 0.0.0.0/0 (while
>> > testing :)  Also, at some point in the past 3 days of trying things I
>> > *was* able to ping the server from my laptop, however I couldn't ping
>> > anything else.  :/
>> >
>> >
>> > Below is the output of "ipsec auto status" while the tunnel is running
>> > and my computer is connected.  This part looks interesting, but I
>> > don't know how to decode it:
>> >
>> > 000 "roadwarrior"[6]: 10.223.0.0/16===10.223.6.20[MS+XS+S=C]...69.196.222.250[192.168.59.26,+MC+XC+S=C]; erouted; eroute owner: #6
>> >
>> > =================================================
>> > 000 using kernel interface: netkey
>> > 000 interface lo/lo ::1
>> > 000 interface lo/lo 127.0.0.1
>> > 000 interface lo/lo 127.0.0.1
>> > 000 interface eth0/eth0 10.223.6.20
>> > 000 interface eth0/eth0 10.223.6.20
>> > 000 %myid = (none)
>> > 000 debug none
>> > 000
>> > 000 virtual_private (%priv):
>> > 000 - allowed 3 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
>> > 000 - disallowed 1 subnet: 10.223.0.0/16
>> > 000
>> > 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64,
>> > keysizemax=64
>> > 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8,
>> > keysizemin=192, keysizemax=192
>> > 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8,
>> > keysizemin=40, keysizemax=128
>> > 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8,
>> > keysizemin=40, keysizemax=448
>> > 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0,
>> > keysizemin=0, keysizemax=0
>> > 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8,
>> > keysizemin=128, keysizemax=256
>> > 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8,
>> > keysizemin=160, keysizemax=288
>> > 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8,
>> > keysizemin=128, keysizemax=256
>> > 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8,
>> > keysizemin=128, keysizemax=256
>> > 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8,
>> > keysizemin=128, keysizemax=256
>> > 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8,
>> > keysizemin=128, keysizemax=256
>> > 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8,
>> > keysizemin=128, keysizemax=256
>> > 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8,
>> > keysizemin=128, keysizemax=256
>> > 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8,
>> > keysizemin=128, keysizemax=256
>> > 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8,
>> > keysizemin=128, keysizemax=256
>> > 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8,
>> > keysizemin=128, keysizemax=256
>> > 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5,
>> > keysizemin=128, keysizemax=128
>> > 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1,
>> > keysizemin=160, keysizemax=160
>> > 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256,
>> > keysizemin=256, keysizemax=256
>> > 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384,
>> > keysizemin=384, keysizemax=384
>> > 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512,
>> > keysizemin=512, keysizemax=512
>> > 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD,
>> > keysizemin=160, keysizemax=160
>> > 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC,
>> > keysizemin=128, keysizemax=128
>> > 000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0,
>> keysizemax=0
>> > 000
>> > 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16,
>> keydeflen=131
>> > 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8,
>> > keydeflen=192
>> > 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16,
>> > keydeflen=128
>> > 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
>> > 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
>> > 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
>> > 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
>> > 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
>> > 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
>> > 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
>> > 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
>> > 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
>> > 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
>> > 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
>> > 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
>> > 000
>> > 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0}
>> > trans={0,0,0} attrs={0,0,0}
>> > 000
>> > 000 "roadwarrior": 10.223.0.0/16===10.223.6.20[MS+XS+S=C]...%virtual[+MC+XC+S=C]===?; unrouted; eroute owner: #0
>> > 000 "roadwarrior":     myip=unset; hisip=unset;
>> > 000 "roadwarrior":   ike_life: 3600s; ipsec_life: 28800s;
>> > rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
>> > 000 "roadwarrior":   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY+MODECFGPULL+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 16,32; interface: eth0;
>> > 000 "roadwarrior":   newest ISAKMP SA: #0; newest IPsec SA: #0;
>> > 000 "roadwarrior"[6]: 10.223.0.0/16===10.223.6.20[MS+XS+S=C]...69.196.222.250[192.168.59.26,+MC+XC+S=C]; erouted; eroute owner: #6
>> > 000 "roadwarrior"[6]:     myip=unset; hisip=unset;
>> > 000 "roadwarrior"[6]:   ike_life: 3600s; ipsec_life: 28800s;
>> > rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
>> > 000 "roadwarrior"[6]:   policy: PSK+ENCRYPT+TUNNEL+DONTREKEY+MODECFGPULL+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 16,32; interface: eth0;
>> > 000 "roadwarrior"[6]:   newest ISAKMP SA: #5; newest IPsec SA: #6;
>> > 000 "roadwarrior"[6]:   IKE algorithm newest: AES_CBC_256-SHA1-MODP1024
>> > 000
>> > 000 #6: "roadwarrior"[6] 69.196.222.250:61652 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_EXPIRE in 3573s; newest IPSEC; eroute owner; isakmp#5; idle; import:not set
>> > 000 #6: "roadwarrior"[6] 69.196.222.250 esp.52c66d2 at 69.196.222.250
>> > esp.cacb569a at 10.223.6.20 tun.0 at 69.196.222.250 tun.0 at 10.223.6.20 ref=0
>> > refhim=4294901761
>> > 000 #5: "roadwarrior"[6] 69.196.222.250:61652 STATE_MODE_CFG_R1 (ModeCfg Set sent, expecting Ack); EVENT_SA_REPLACE in 28502s; newest ISAKMP; lastdpd=8s(seq in:0 out:0); idle; import:not set
>> > 000
>> > =================================================
>> > Richard Hurt
>> >
>> >
>> >
>> >> On Mon, Nov 23, 2015 at 3:46 PM, Daniel Cave <dan.cave at me.com> wrote:
>> >> If you run ipsec auto status on the EC2 instance when your tunnel is
>> >> up, what does it say?
>> >>
>> >> Have you got rules in your security groups to allow routing between
>> >> your client and the host and the rest of the traffic, as well as rules on
>> >> the EC2 Linux instances that are blocking traffic going through the box?
>> >>
>> >> Sent from my iPhone
>> >>
>> >>> On 23 Nov 2015, at 17:29, Richard Hurt <rnhurt at gmail.com> wrote:
>> >>>
>> >>> I'm trying to use OpenSwan (Linux Openswan
>> >>> U2.6.37/K4.1.10-17.31.amzn1.x86_64 (netkey)) to build a VPN between an
>> >>> EC2 VPC and my laptop.  It seems to almost work (authentication works,
>> >>> not logging any errors, etc.) but the routing is just not happening
>> >>> properly.  The EC2 server is in the 10.223.0.0/16 block (10.223.6.20
>> >>> in this case) and my local machine is behind a NAT in the
>> >>> 192.168.0.0/16 block (192.168.59.26 in this case).  I'm running Mac OS
>> >>> X 10.11 and bringing the VPN connection up using the native IPsec
>> >>> Cisco VPN client causes all packets to stop flowing everywhere.
>> >>> Playing around with the IPsec settings on the server I was able to get
>> >>> packets to flow to the server from my laptop but everything else was
>> >>> blocked (DNS, ping, etc.)
>> >>>
>> >>> Basically, I want everything to stay out of the VPN except for traffic
>> >>> to 10.223.0.0/16.  What am I doing wrong?  One thing that looks really
>> >>> weird to me is that when I bring the tunnel up I see this in my
>> >>> ifconfig (0.2.0.4 doesn't look like a valid IP address to me):
>> >>>
>> >>> utun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
>> >>>  inet 0.2.0.4 --> 0.2.0.4 netmask 0xffffffff
>> >>>  nd6 options=1<PERFORMNUD>
>> >>>
>> >>> ===============================================
>> >>> # /etc/ipsec.conf
>> >>> version 2.0
>> >>> config setup
>> >>>     protostack=netkey
>> >>>     nat_traversal=yes
>> >>>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.223.0.0/16
>> >>>     oe=off
>> >>>
>> >>> include /etc/ipsec.d/*.conf
>> >>> ===============================================
>> >>>
>> >>>
>> >>> ===============================================
>> >>> # /etc/ipsec.d/roadwarrior.conf
>> >>> conn roadwarrior
>> >>>     type=tunnel
>> >>>     authby=secret
>> >>>     auto=add
>> >>>     rekey=no
>> >>>     pfs=no
>> >>>     forceencaps=yes
>> >>>
>> >>>     # Setup local side
>> >>>     left=10.223.6.20
>> >>>     leftsubnet=10.223.0.0/16
>> >>>     leftxauthserver=yes
>> >>>     leftmodecfgserver=yes
>> >>>
>> >>>     # Setup remote side
>> >>>     right=%any
>> >>>     rightsubnet=vhost:%priv,%no
>> >>>     rightxauthclient=yes
>> >>>     rightmodecfgclient=yes
>> >>>
>> >>>     # Config MODE
>> >>>     modecfgpull=yes
>> >>>     modecfgdns1=8.8.8.8
>> >>>     modecfgdns2=8.8.4.4
>> >>> ===============================================
>> >>>
>> >>>
>> >>> ===============================================
>> >>> Nov 23 17:15:24 ip-10-223-6-20 ipsec__plutorun: Starting Pluto
>> subsystem...
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: nss directory plutomain:
>> >>> /etc/ipsec.d
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: NSS Initialized
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Non-fips mode set in
>> >>> /proc/sys/crypto/fips_enabled
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Starting Pluto (Openswan
>> >>> Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:15882
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Non-fips mode set in
>> >>> /proc/sys/crypto/fips_enabled
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: LEAK_DETECTIVE support
>> [disabled]
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: OCF support for IKE
>> [disabled]
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: SAref support [disabled]:
>> >>> Protocol not available
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: SAbind support
>> >>> [disabled]: Protocol not available
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: NSS support [enabled]
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: HAVE_STATSD notification
>> >>> support not compiled in
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Setting NAT-Traversal
>> >>> port-4500 floating to on
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]:    port floating
>> >>> activation criteria nat_t=1/port_float=1
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]:    NAT-Traversal
>> support  [enabled]
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
>> >>> Activating OAKLEY_AES_CBC: Ok (ret=0)
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: starting up 1
>> cryptographic helpers
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: started helper (thread)
>> >>> pid=140240508929792 (fd:8)
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Using Linux 2.6 IPsec
>> >>> interface code on 4.1.10-17.31.amzn1.x86_64 (experimental code)
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
>> >>> Activating aes_ccm_8: Ok (ret=0)
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_add(): ERROR:
>> >>> Algorithm already exists
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
>> >>> Activating aes_ccm_12: FAILED (ret=-17)
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_add(): ERROR:
>> >>> Algorithm already exists
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
>> >>> Activating aes_ccm_16: FAILED (ret=-17)
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_add(): ERROR:
>> >>> Algorithm already exists
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
>> >>> Activating aes_gcm_8: FAILED (ret=-17)
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_add(): ERROR:
>> >>> Algorithm already exists
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
>> >>> Activating aes_gcm_12: FAILED (ret=-17)
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_add(): ERROR:
>> >>> Algorithm already exists
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: ike_alg_register_enc():
>> >>> Activating aes_gcm_16: FAILED (ret=-17)
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Could not change to
>> >>> directory '/etc/ipsec.d/cacerts': /
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Could not change to
>> >>> directory '/etc/ipsec.d/aacerts': /
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Could not change to
>> >>> directory '/etc/ipsec.d/ocspcerts': /
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: Could not change to
>> >>> directory '/etc/ipsec.d/crls'
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: added connection
>> >>> description "roadwarrior"
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: listening for IKE
>> messages
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: adding interface
>> >>> eth0/eth0 10.223.6.20:500
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: adding interface
>> >>> eth0/eth0 10.223.6.20:4500
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: adding interface lo/lo
>> >>> 127.0.0.1:500
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: adding interface lo/lo
>> >>> 127.0.0.1:4500
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: adding interface lo/lo
>> ::1:500
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: loading secrets from
>> >>> "/etc/ipsec.secrets"
>> >>> Nov 23 17:15:24 ip-10-223-6-20 pluto[15882]: loading secrets from
>> >>> "/etc/ipsec.d/road-warrior.secrets"
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
>> >>> 69.196.222.250:19: received Vendor ID payload [RFC 3947] method set
>> >>> to=109
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
>> >>> 69.196.222.250:19: received Vendor ID payload
>> >>> [draft-ietf-ipsec-nat-t-ike] method set to=110
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
>> >>> 69.196.222.250:19: ignoring unknown Vendor ID payload
>> >>> [8f8d83826d246b6fc7a8a6a428c11de8]
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
>> >>> 69.196.222.250:19: ignoring unknown Vendor ID payload
>> >>> [439b59f8ba676c4c7737ae22eab8f582]
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
>> >>> 69.196.222.250:19: ignoring unknown Vendor ID payload
>> >>> [4d1e0e136deafa34c4f3ea9f02ec7285]
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
>> >>> 69.196.222.250:19: ignoring unknown Vendor ID payload
>> >>> [80d0bb3def54565ee84645d4c85ce3ee]
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
>> >>> 69.196.222.250:19: ignoring unknown Vendor ID payload
>> >>> [9909b64eed937c6573de52ace952fa6b]
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from
>> >>> 69.196.222.250:19: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from 69.196.222.250:19: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from 69.196.222.250:19: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from 69.196.222.250:19: received Vendor ID payload [XAUTH]
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from 69.196.222.250:19: received Vendor ID payload [Cisco-Unity]
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from 69.196.222.250:19: ignoring Vendor ID payload [FRAGMENTATION 80000000]
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: packet from 69.196.222.250:19: received Vendor ID payload [Dead Peer Detection]
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1] 69.196.222.250 #1: responding to Main Mode from unknown peer 69.196.222.250
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1] 69.196.222.250 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1] 69.196.222.250 #1: STATE_MAIN_R1: sent MR1, expecting MI2
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1] 69.196.222.250 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1] 69.196.222.250 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1] 69.196.222.250 #1: STATE_MAIN_R2: sent MR2, expecting MI3
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1] 69.196.222.250 #1: ignoring informational payload, type IPSEC_INITIAL_CONTACT msgid=00000000
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1] 69.196.222.250 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.59.26'
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1] 69.196.222.250 #1: switched from "roadwarrior" to "roadwarrior"
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: deleting connection "roadwarrior" instance with peer 69.196.222.250 {isakmp=#0/ipsec=#0}
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: new NAT mapping for #1, was 69.196.222.250:19, now 69.196.222.250:1340
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: XAUTH: Sending XAUTH Login/Password Request
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: XAUTH: Sending Username/Password request (XAUTH_R0)
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: XAUTH: User elison: Attempting to login
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: XAUTH: md5 authentication being called to authenticate user elison
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: XAUTH: password file (/etc/ipsec.d/passwd) open.
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: XAUTH: checking user(elison:roadwarrior)
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: XAUTH: nope
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: XAUTH: checking user(elison:roadwarrior)
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: XAUTH: nope
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: XAUTH: checking user(elison:roadwarrior)
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: XAUTH: User elison: Authentication Successful
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: XAUTH: xauth_inR1(STF_OK)
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: transition from state STATE_XAUTH_R1 to state STATE_MAIN_R3
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: unsupported mode cfg attribute INTERNAL_ADDRESS_EXPIRY received.
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: unsupported mode cfg attribute APPLICATION_VERSION received.
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: unsupported mode cfg attribute CISCO_BANNER received.
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: unsupported mode cfg attribute CISCO_DEF_DOMAIN received.
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: unsupported mode cfg attribute CISCO_SPLIT_DNS received.
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: unsupported mode cfg attribute CISCO_SPLIT_INC received.
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: unsupported mode cfg attribute CISCO_UNKNOWN received.
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: unsupported mode cfg attribute CISCO_DO_PFS received.
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: unsupported mode cfg attribute CISCO_SAVE_PW received.
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: unsupported mode cfg attribute CISCO_FW_TYPE received.
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: unsupported mode cfg attribute CISCO_BACKUP_SERVER received.
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: modecfg_inR0(STF_OK)
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
>> >>> Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack
>> >>> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: Applying workaround for Mac OS X NAT-OA bug, ignoring proposed subnet
>> >>> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: the peer proposed: 0.0.0.0/0:0/0 -> 69.196.222.250/32:0/0
>> >>> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #2: responding to Quick Mode proposal {msgid:ba3b61a4}
>> >>> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #2:     us: 10.223.0.0/16===10.223.6.20<10.223.6.20>[MS+XS+S=C]
>> >>> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #2:   them: 69.196.222.250[192.168.59.26,+MC+XC+S=C]
>> >>> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #2: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
>> >>> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #2: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
>> >>> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #2: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
>> >>> Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0e95dea0 <0x397c4b2d xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=69.196.222.250:1340 DPD=none}
>> >>> Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: received Delete SA(0x0e95dea0) payload: deleting IPSEC State #2
>> >>> Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: received and ignored informational message
>> >>> Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: received Delete SA payload: deleting ISAKMP State #1
>> >>> Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250: deleting connection "roadwarrior" instance with peer 69.196.222.250 {isakmp=#0/ipsec=#0}
>> >>> Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: packet from 69.196.222.250:1340: received and ignored informational message
>> >>>
>> >>> ===============================================
>> >>> _______________________________________________
>> >>> Users at lists.openswan.org
>> >>> https://lists.openswan.org/mailman/listinfo/users
>> >>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>> >>> Building and Integrating Virtual Private Networks with Openswan:
>> >>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20151124/13d4b802/attachment-0001.html>
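The pluto log quoted above carries everything needed to see why a road-warrior tunnel can come up yet route nothing: the NAT-T verdict, the client's IKE ID (192.168.59.26, a private address), the ISAKMP parameters, the XAUTH outcome, the selectors the Mac proposed (0.0.0.0/0 -> 69.196.222.250/32) versus what the responder actually installed after the "Mac OS X NAT-OA bug" workaround (10.223.0.0/16 <-> 69.196.222.250/32), and the ESP SPIs. Reading that by hand across dozens of wrapped lines is error-prone, so here is an added example, written for this page and not part of the thread or of Openswan, that parses those lines into a summary and prints the checks a practitioner would make. The regular expressions are my reading of the pluto log format as it appears in the quoted excerpt; the sample log is a trimmed copy of that excerpt, embedded so the script runs offline. The "findings" are things to verify, not a diagnosis of the original poster's setup.

```python
"""Summarize an Openswan pluto negotiation from its syslog lines.

Added example for this thread, not part of the thread or of Openswan.
The regexes assume the pluto log shape shown in the quoted excerpt.
"""
import ipaddress
import re
from datetime import datetime

# "Mon dd hh:mm:ss host pluto[pid]: " followed by either
# '"conn"[n] peer #state: msg' or 'packet from addr:port: msg'
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'(?:"(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+)(?: #\d+)?: '
    r'|packet from (?P<src>[\d.]+):\d+: )(?P<msg>.*)$')
TS_FMT = '%b %d %H:%M:%S'


def _kv(s):
    """'auth=X cipher=Y' -> {'auth': 'X', 'cipher': 'Y'}."""
    return dict(t.split('=', 1) for t in s.split() if '=' in t)


def parse_pluto(text):
    n = {'conn': None, 'peer': None, 'nat_t': None, 'peer_id': None,
         'isakmp': {}, 'xauth_user': None, 'unsupported_cfg': [],
         'proposed': None, 'proposal_ignored': False, 'local_sel': None,
         'remote_sel': None, 'ipsec': None, 'established_at': None,
         'deleted_at': None}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m['msg'].strip()
        if m['conn']:
            n['conn'], n['peer'] = m['conn'], m['peer']
        if r := re.match(r'NAT-Traversal: Result using \S+ \(.*?\): (.*)', msg):
            n['nat_t'] = r[1]
        elif r := re.match(r"Main mode peer ID is ID_IPV4_ADDR: '([\d.]+)'", msg):
            n['peer_id'] = r[1]
        elif r := re.search(r'ISAKMP SA established \{(.*)\}', msg):
            n['isakmp'] = _kv(r[1])
        elif r := re.match(r'XAUTH: User (\S+): Authentication Successful', msg):
            n['xauth_user'] = r[1]
        elif r := re.match(r'unsupported mode cfg attribute (\S+) received', msg):
            n['unsupported_cfg'].append(r[1])
        elif 'ignoring proposed subnet' in msg:
            n['proposal_ignored'] = True
        elif r := re.match(r'the peer proposed: (\S+) -> (\S+)', msg):
            n['proposed'] = (r[1], r[2])
        elif r := re.match(r'us: (?:(\S+?)===)?([\d.]+)<', msg):
            n['local_sel'] = r[1] or r[2] + '/32'    # subnet behind us, else host
        elif r := re.match(r'them: (?:(\S+?)===)?([\d.]+)\[', msg):
            n['remote_sel'] = r[1] or r[2] + '/32'   # subnet behind peer, else host
        elif r := re.search(r'IPsec SA established (\w+) mode \{ESP=>(\S+) <(\S+) (.*)\}', msg):
            n['ipsec'] = {'mode': r[1], 'spi_out': r[2], 'spi_in': r[3], **_kv(r[4])}
            n['established_at'] = datetime.strptime(m['ts'], TS_FMT)
        elif re.match(r'received Delete SA\(0x[0-9a-f]+\) payload', msg):
            n['deleted_at'] = datetime.strptime(m['ts'], TS_FMT)
    return n


def findings(n):
    """Checks to make on the parsed summary (things to verify, not a diagnosis)."""
    out = []
    if n['proposal_ignored'] and n['proposed']:
        out.append("responder ignored the peer's proposed selectors %s -> %s (Mac OS X "
                   "NAT-OA workaround) and installed %s <-> %s"
                   % (*n['proposed'], n['local_sel'], n['remote_sel']))
    if n['peer_id'] and n['remote_sel']:
        pid = ipaddress.ip_address(n['peer_id'])
        if pid.is_private and pid not in ipaddress.ip_network(n['remote_sel']):
            out.append("peer IKE ID %s is private and outside the remote selector %s; "
                       "check which inner source address the client really uses"
                       % (n['peer_id'], n['remote_sel']))
    if n['ipsec'] and n['ipsec'].get('NATOA') == 'none' and n['nat_t'] == 'both are NATed':
        out.append("NAT-T says both ends are NATed but the IPsec SA has NATOA=none")
    if n['isakmp'].get('group') == 'modp1024':
        out.append("IKE DH group modp1024 (1024-bit) is below current guidance; prefer modp2048+")
    if n['established_at'] and n['deleted_at']:
        secs = int((n['deleted_at'] - n['established_at']).total_seconds())
        out.append("peer deleted IPsec SA %s after %d s" % (n['ipsec']['spi_out'], secs))
    return out


# Trimmed copy of the log quoted in this thread (not a fresh capture).
SAMPLE_LOG = """\
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1] 69.196.222.250 #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[1] 69.196.222.250 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.59.26'
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: XAUTH: User elison: Authentication Successful
Nov 23 17:15:30 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: unsupported mode cfg attribute CISCO_SPLIT_INC received.
Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: Applying workaround for Mac OS X NAT-OA bug, ignoring proposed subnet
Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: the peer proposed: 0.0.0.0/0:0/0 -> 69.196.222.250/32:0/0
Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #2:     us: 10.223.0.0/16===10.223.6.20<10.223.6.20>[MS+XS+S=C]
Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #2:   them: 69.196.222.250[192.168.59.26,+MC+XC+S=C]
Nov 23 17:15:31 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #2: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x0e95dea0 <0x397c4b2d xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=69.196.222.250:1340 DPD=none}
Nov 23 17:16:03 ip-10-223-6-20 pluto[15882]: "roadwarrior"[2] 69.196.222.250 #1: received Delete SA(0x0e95dea0) payload: deleting IPSEC State #2
"""

if __name__ == '__main__':
    summary = parse_pluto(SAMPLE_LOG)
    print('ISAKMP:', summary['isakmp'])
    print('ESP:', summary['ipsec'])
    for f in findings(summary):
        print('-', f)
```

Run it against `grep pluto /var/log/secure` (or wherever your syslog sends pluto) instead of SAMPLE_LOG to get the same summary for a live negotiation. The selector check is the one that matters for the routing question: the installed remote selector is the client's NATed public address, while the client identified itself by its LAN address, so the next thing to confirm with tcpdump on both ends is which inner source address the ICMP actually carries and whether the EC2 side's replies match the installed SA at all.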

