[Openswan Users] Ubuntu 14.04 (AWS VPC) IPSec Tunnel to Cisco

Neal P. Murphy neal.p.murphy at alum.wpi.edu
Thu Oct 22 18:43:53 EDT 2015


On Thu, 22 Oct 2015 18:15:17 -0400
Ed Nitido <ednitido at gmail.com> wrote:

> Thanks for the reply Neal, I do get further when aggressive mode is off
> 
> | find_host_connection2 called from aggr_inI1_outR1_common, me=
> 172.31.28.158:500 him=%any:500 policy=PSK+AGGRESSIVE
> | find_host_pair: comparing to 172.31.28.158:500 THEIR_PUBLIC_IP:500
> | find_host_pair_conn (find_host_connection2): 172.31.28.158:500 %any:500
> -> hp:none
> | searching for connection with policy = PSK+AGGRESSIVE
> | find_host_connection2 returns empty
> packet from MY_PUBLIC_IP:500: initial Aggressive Mode message from
> MY_PUBLIC_IP but no (wildcard) connection has been configured with
> policy=PSK+AGGRESSIVE
> | complete state transition with STF_IGNORE
> | * processed 0 messages from cryptographic helpers
> | next event EVENT_PENDING_DDNS in 34 seconds
> | next event EVENT_PENDING_DDNS in 34 seconds
> 
> 
> however, the client requires that Aggressive Mode is on

From the ipsec.conf man page:
"Aggressive Mode is less secure, and vulnerable to Denial Of Service attacks. It is also vulnerable to brute force attacks with software such as ikecrack. It should not be used, and it should especially not be used with XAUTH and group secrets (PSK). If the remote system administrator insists on staying irresponsible, enable this option."

Sounds like aggressive mode is strongly contra-indicated.

> 
> Also in the logs when Aggressive Mode was off, I see
> 
> 
> "net2net" #1: Main mode peer ID is ID_IPV4_ADDR: '172.28.100.10'
> "net2net" #1: we require peer to have ID 'THEIR_PUBLIC_IP', but peer
> declares '172.28.100.10'
> 
> That means 172.28.100.10 is coming from their end no?

'We' is the Amazon end and 'peer' is the Cisco end?

'ID'. Peer IDs must match. Ensure that the leftid and rightid parameters are set the same, respectively, at each end.

N

> 
> 
> On Wed, Oct 21, 2015 at 5:12 PM, Neal P. Murphy <neal.p.murphy at alum.wpi.edu>
> wrote:
> 
> > On Wed, 21 Oct 2015 13:46:44 -0400
> > Ed Nitido <ednitido at gmail.com> wrote:
> >
> > > Hello all,
> > >
> > > I've been trying to set up a server-to-server IPSec VPN tunnel from a
> > > Ubuntu 14.04 server hosted in Amazon to a client's Cisco (the logs say
> > it's
> > > a Cisco VPN 3000 Series).
> > >
> > > I am new to IPSec so to test, I created 2 VPCs in amazon following this
> > > guide http://aws.amazon.com/articles/5472675506466066. It worked, when I
> > > checked ipsec status, it said I had 2 tunnels up.
> > >
> > > Now, when I connect to the client, I get some weird messages in my pluto
> > > log.
> > >
> > >
> > > "net2net" #1: received Vendor ID payload [Cisco-Unity]
> > > "net2net" #1: received Vendor ID payload [XAUTH]
> > > "net2net" #1: received Vendor ID payload [Dead Peer Detection]
> > > "net2net" #1: received Vendor ID payload [RFC 3947] method set to=115
> > > "net2net" #1: ignoring Vendor ID payload [Cisco IKE Fragmentation]
> > > "net2net" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
> > > "net2net" #1: protocol/port in Phase 1 ID Payload MUST be 0/0 or 17/500
> > but
> > > are 17/0 (attempting to continue)
> > > "net2net" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '172.28.100.10'
> >
> > My suggestion: turn off aggressive mode; see if that makes things smoother.
> >
> > N
> > _______________________________________________
> > Users at lists.openswan.org
> > https://lists.openswan.org/mailman/listinfo/users
> > Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > Building and Integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> >
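An added triage script for the pluto messages quoted in this thread (example code, not from the thread or from the Openswan project). It recognises the three diagnostics that appear above, the Phase 1 ID payload port warning, the "we require peer to have ID ... but peer declares ..." mismatch, and the rejected Aggressive Mode initiation, and turns them into the ipsec.conf keys the reply points at: a rightid= that matches what the Cisco actually sends, and aggressive=no kept as is. The sample log lines are constructed from the thread (the conn name "net2net", the placeholder THEIR_PUBLIC_IP and the peer ID 172.28.100.10 are taken from it); the function names are my own.

```python
"""Triage Openswan (pluto) log lines for the problems raised in this thread:
a Phase 1 peer-ID mismatch and a peer that insists on Aggressive Mode.

Added example, not code from the thread or from Openswan.  SAMPLE_LOG is
constructed from the messages quoted in the thread; rightid= and aggressive=
are documented ipsec.conf conn keys.
"""
import re

# "net2net" #1: we require peer to have ID 'X', but peer declares 'Y'
ID_MISMATCH_RE = re.compile(
    r"""^"(?P<conn>[^"]+)" #\d+: we require peer to have ID '(?P<expected>[^']+)', """
    r"""but peer declares '(?P<declared>[^']+)'$"""
)

# packet from A:500: initial Aggressive Mode message from A but no (wildcard)
# connection has been configured with policy=PSK+AGGRESSIVE
NO_AGGR_CONN_RE = re.compile(
    r"^packet from (?P<src>[^:]+):\d+: initial Aggressive Mode message from \S+ "
    r"but no \(wildcard\) connection has been configured with policy=(?P<policy>\S+)$"
)

# "net2net" #1: protocol/port in Phase 1 ID Payload MUST be 0/0 or 17/500 but are 17/0 (attempting to continue)
ID_PORT_RE = re.compile(
    r"""^"(?P<conn>[^"]+)" #\d+: protocol/port in Phase 1 ID Payload MUST be """
    r"0/0 or 17/500 but are (?P<got>\S+) \(attempting to continue\)$"
)

# Constructed sample, unwrapped to one log line each (pluto does not wrap them).
SAMPLE_LOG = [
    '"net2net" #1: received Vendor ID payload [Cisco-Unity]',
    '"net2net" #1: protocol/port in Phase 1 ID Payload MUST be 0/0 or 17/500 '
    'but are 17/0 (attempting to continue)',
    '"net2net" #1: Main mode peer ID is ID_IPV4_ADDR: \'172.28.100.10\'',
    '"net2net" #1: we require peer to have ID \'THEIR_PUBLIC_IP\', '
    'but peer declares \'172.28.100.10\'',
    'packet from THEIR_PUBLIC_IP:500: initial Aggressive Mode message from '
    'THEIR_PUBLIC_IP but no (wildcard) connection has been configured with '
    'policy=PSK+AGGRESSIVE',
]


def diagnose(lines):
    """Return a list of findings (dicts with a 'kind' and a suggested 'fix')."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = ID_MISMATCH_RE.match(line)
        if m:
            # pluto compares the ID literally, so the local rightid= must equal
            # what the peer declares (or the peer must send the ID we expect).
            findings.append({
                "kind": "peer_id_mismatch", "conn": m["conn"],
                "expected": m["expected"], "declared": m["declared"],
                "fix": f"conn {m['conn']}: set rightid={m['declared']} "
                       f"(or have the peer declare {m['expected']})",
            })
            continue
        m = NO_AGGR_CONN_RE.match(line)
        if m:
            # The local conn has no AGGRESSIVE policy, so the initiation is
            # ignored; the man page quoted above says to keep it that way.
            findings.append({
                "kind": "aggressive_mode_rejected", "src": m["src"],
                "policy": m["policy"],
                "fix": "keep aggressive=no and ask the peer to use Main Mode",
            })
            continue
        m = ID_PORT_RE.match(line)
        if m:
            findings.append({
                "kind": "phase1_id_port", "conn": m["conn"], "got": m["got"],
                "fix": "informational: pluto continues despite the 17/0 ID port",
            })
    return findings


def suggested_conn_settings(findings):
    """Collapse findings into ipsec.conf conn keys; aggressive stays 'no'."""
    settings = {"aggressive": "no"}
    for f in findings:
        if f["kind"] == "peer_id_mismatch":
            settings["rightid"] = f["declared"]
    return settings


def render_conn(conn, settings):
    """Render the suggested keys as an ipsec.conf conn fragment (other keys omitted)."""
    body = "".join(f"\t{k}={v}\n" for k, v in sorted(settings.items()))
    return f"conn {conn}\n{body}"


if __name__ == "__main__":
    found = diagnose(SAMPLE_LOG)
    for f in found:
        print(f"[{f['kind']}] {f['fix']}")
    print(render_conn("net2net", suggested_conn_settings(found)))
```

The rightid= value it proposes is whatever the Cisco declared (here the private address 172.28.100.10), which is only correct if that is the ID the client's administrator intends to send; the alternative is to have them set their own leftid to the public address this end expects. Because the Amazon instance itself sits on a private 172.31.x address behind NAT, setting leftid= explicitly to the value the Cisco has configured for its peer is the assumption this script makes about the other direction.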
