[Openswan Users] Ubuntu 14.04 (AWS VPC) IPSec Tunnel to Cisco

Ed Nitido ednitido at gmail.com
Wed Oct 21 13:46:44 EDT 2015


Hello all,

I've been trying to set up a server-to-server IPSec VPN tunnel from an
Ubuntu 14.04 server hosted in Amazon to a client's Cisco (the logs say it's
a Cisco VPN 3000 Series).

I am new to IPSec, so to test, I created 2 VPCs in Amazon following this
guide http://aws.amazon.com/articles/5472675506466066. It worked: when I
checked ipsec status, it said I had 2 tunnels up.

Now, when I connect to the client, I get some weird messages in my pluto
log.


"net2net" #1: received Vendor ID payload [Cisco-Unity]
"net2net" #1: received Vendor ID payload [XAUTH]
"net2net" #1: received Vendor ID payload [Dead Peer Detection]
"net2net" #1: received Vendor ID payload [RFC 3947] method set to=115
"net2net" #1: ignoring Vendor ID payload [Cisco IKE Fragmentation]
"net2net" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
"net2net" #1: protocol/port in Phase 1 ID Payload MUST be 0/0 or 17/500 but
are 17/0 (attempting to continue)
"net2net" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '172.28.100.10'
| refine_connection: starting with net2net
| started looking for secret for MY_PUBLIC_IP->THIER_PUBLIC_IP of kind
PPK_PSK
| actually looking for secret for MY_PUBLIC_IP->THIER_PUBLIC_IP of kind
PPK_PSK
| line 2: key type PPK_PSK(MY_PUBLIC_IP) to type PPK_PSK
| 1: compared key THIER_PUBLIC_IP to MY_PUBLIC_IP / THIER_PUBLIC_IP -> 4
| 2: compared key MY_PUBLIC_IP to MY_PUBLIC_IP / THIER_PUBLIC_IP -> 12
| line 2: match=12
| best_match 0>12 best=0xb8829fb8 (line=2)
| concluding with best_match=12 best=0xb8829fb8 (lineno=2)
|    match_id a=172.28.100.10
|             b=THIER_PUBLIC_IP
|    results  fail
|   trusted_ca called with a=(empty) b=(empty)
| refine_connection: checking net2net against net2net, best=(none) with
match=0(id=0/ca=1/reqca=1)
| find_host_pair: comparing to 172.31.28.158:500 THIER_PUBLIC_IP:500
| find_host_pair_conn (refine_host_connection): 172.31.28.158:500 %any:500
-> hp:none
"net2net" #1: no suitable connection for peer '172.28.100.10'
"net2net" #1: initial Aggressive Mode packet claiming to be from
THIER_PUBLIC_IP on THIER_PUBLIC_IP but no connection has been authorized


Some questions:
1) The Payload MUST be 0/0 or 17/500 -- how do I fix that?
2) Aggressive mode peer ID is ID_IPV4_ADDR -- is that my end or their end?
172.28.100.10 doesn't match my internal network (172.31.x.x) or theirs
(172.17.x.x)
3) Do I need to set up any iptables? I configured routing tables in Amazon
(following the guide).

Here is my configuration:

Linux Openswan U2.6.38/K3.13.0-65-generic


config setup
        plutodebug=all
        plutostderrlog=/var/log/pluto.log
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        oe=off
        protostack=netkey
        force_keepalive=yes
        keep_alive=60

include /etc/ipsec.d/*.conf


conn net2net
        left=%defaultroute
        leftid=MY_PUBLIC_IP
        leftnexthop=%defaultroute
        leftsubnet=172.31.16.0/20
        right=THEIR_PUBLIC_IP
        rightsubnet=172.17.2.0/24
        remote_peer_type=cisco

        forceencaps=yes

        type=tunnel
        authby=secret
        auto=start
        ## phase 1 ##
        keyexchange=ike
        keyingtries=%forever
        ike=aes256-sha1;modp1536!
        ikelifetime=86400s
        aggrmode=yes
        ## phase 2 ##
        phase2alg=aes256-sha1;modp1536
        keylife=3600s
        pfs=no

        dpddelay=10
        dpdtimeout=3600
        dpdaction=restart


/etc/ipsec.secrets
include /var/lib/openswan/ipsec.secrets.inc
MY_PUBLIC_IP THEIR_PUBLIC_IP : PSK "secret"


Thanks for any assistance.
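As an added example (not code from the original post or from Openswan), a small Python checker for the failure the plutodebug trace above shows: it reads the Aggressive Mode peer ID and the match_id lines from a pluto log and compares the ID the peer sent against the conn's rightid, which Openswan defaults to right when rightid is unset. The sample log and conn block are constructed from the post, redaction placeholders included.

```python
import re

# Constructed sample inputs modelled on the post's pluto log and ipsec.conf,
# keeping the same redaction placeholders; not the poster's real addresses.
PLUTO_LOG = """\
"net2net" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '172.28.100.10'
|    match_id a=172.28.100.10
|             b=THIER_PUBLIC_IP
|    results  fail
"net2net" #1: no suitable connection for peer '172.28.100.10'
"""
IPSEC_CONF = """\
conn net2net
        left=%defaultroute
        leftid=MY_PUBLIC_IP
  right=THEIR_PUBLIC_IP
  rightsubnet=172.17.2.0/24
        aggrmode=yes
"""

PEER_ID_RE = re.compile(r"""\"(?P<conn>[^"]+)\" #\d+: Aggressive mode peer ID is (?P<type>ID_\w+): '(?P<id>[^']+)'""")
MATCH_ID_RE = re.compile(r"\|\s+match_id a=(?P<a>\S+)\n\|\s+b=(?P<b>\S+)\n\|\s+results\s+(?P<result>\w+)")

def parse_conn(conf, name):
    """Return the key=value settings of one conn block; indentation is ignored."""
    settings, in_block = {}, False
    for line in conf.splitlines():
        stripped = line.strip()
        if stripped.startswith(("conn ", "config ")):  # any section header ends the block
            in_block = stripped == f"conn {name}"
        elif in_block and "=" in stripped and not stripped.startswith("#"):
            key, value = stripped.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def failed_id_matches(log):
    """List (sent_id, expected_id) pairs where plutodebug reports match_id failing."""
    return [(m["a"], m["b"]) for m in MATCH_ID_RE.finditer(log) if m["result"] == "fail"]

def check_peer_id(log, conf):
    """Compare the Phase 1 ID the peer sent with what the conn expects.
    Openswan matches it against rightid, which defaults to right when unset."""
    findings = []
    for m in PEER_ID_RE.finditer(log):
        conn = parse_conn(conf, m["conn"])
        expected = conn.get("rightid", conn.get("right"))
        if m["id"] != expected:
            findings.append({"conn": m["conn"], "id_type": m["type"], "sent": m["id"],
                             "expected": expected, "suggest": f"rightid={m['id']}"})
    return findings
```

Running check_peer_id(PLUTO_LOG, IPSEC_CONF) reports that the peer identified itself as 172.28.100.10 while the conn expects THEIR_PUBLIC_IP, and suggests the rightid line that makes the two agree.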