[Openswan Users] Connecting VyOS 1.1.6 to EC2

Amos Shapira amos.shapira at gmail.com
Thu Feb 11 18:13:16 EST 2016


Hello,

I'm trying to connect a VyOS 1.1.6, which comes with IPSec U4.5.2, to an
Ubuntu 14.04 LTS EC2 instance running 2.6.38.

I think I got the link up but I can't get any traffic over it. Here is a
log of the startup from scratch:

Feb 11 22:47:13 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #1: initiating Main Mode
Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from 203.191.19.3:4500: ignoring unknown Vendor ID payload [882fe56d6fd20dbc2251613b2ebe5beb]
Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from 203.191.19.3:4500: received Vendor ID payload [Cisco-Unity]
Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from 203.191.19.3:4500: received Vendor ID payload [XAUTH]
Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from 203.191.19.3:4500: received Vendor ID payload [Dead Peer Detection]
Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from 203.191.19.3:4500: received Vendor ID payload [RFC 3947] method set to=115
Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from 203.191.19.3:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from 203.191.19.3:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from 203.191.19.3:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from 203.191.19.3:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: responding to Main Mode
Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: STATE_MAIN_R1: sent MR1, expecting MI2
Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: STATE_MAIN_R2: sent MR2, expecting MI3
Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: Main mode peer ID is ID_IPV4_ADDR: '203.191.19.3'
Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: the peer proposed: 172.22.0.0/16:0/0 -> 192.168.2.0/24:0/0
Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3: responding to Quick Mode proposal {msgid:cd7b50cb}
Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3:     us: 172.22.0.0/16===172.22.0.207[52.63.20.251]---172.22.0.1
Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3:   them: 203.191.19.3<203.191.19.3>===192.168.2.0/24
Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0xcd5a1422 <0x9998c8e5 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=203.191.19.3:4500 DPD=none}

And here is the output of "ipsec auto --status":

000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 172.22.0.207
000 interface eth0/eth0 172.22.0.207
000 interface eth0/eth0 52.63.20.251
000 interface eth0/eth0 52.63.20.251
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
000 - disallowed 1 subnet: 172.22.0.0/16
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "sydney-hub-sydney-office-1": 172.22.0.0/16===172.22.0.207[52.63.20.251]---172.22.0.1...203.191.19.3<203.191.19.3>===192.168.2.0/24; erouted; eroute owner: #3
000 "sydney-hub-sydney-office-1":     myip=52.63.20.251; hisip=unset;
000 "sydney-hub-sydney-office-1":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "sydney-hub-sydney-office-1":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 16,24; interface: eth0;
000 "sydney-hub-sydney-office-1":   newest ISAKMP SA: #2; newest IPsec SA: #3;
000 "sydney-hub-sydney-office-1":   IKE algorithm newest: AES_CBC_256-SHA1-MODP1024
000
000 #3: "sydney-hub-sydney-office-1":4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3237s; newest IPSEC; eroute owner; isakmp#2; idle; import:not set
000 #3: "sydney-hub-sydney-office-1" esp.cd5a1422@203.191.19.3 esp.9998c8e5@172.22.0.207 tun.0@203.191.19.3 tun.0@172.22.0.207 ref=0 refhim=4294901761
000 #2: "sydney-hub-sydney-office-1":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3237s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #1: "sydney-hub-sydney-office-1":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 21s; nodpd; idle; import:admin initiate
000 #1: pending Phase 2 for "sydney-hub-sydney-office-1" replacing #0
000

But ping to the address of the VyOS host (or any host on the other side)
doesn't get any response. I verified that ping from other IPSec tunnels
(which use either Vyatta or AWS Virtual Gateway) works fine.

Here is the configuration of the tunnel from the EC2 side:

version 2.0
config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!172.22.0.0/16
    oe=off
    protostack=netkey
    interfaces=%defaultroute

conn sydney-hub-sydney-office-1
    type=tunnel
    authby=secret
    forceencaps=yes
    auto=start
    left=%defaultroute
    leftid=52.63.20.251
    leftsourceip=52.63.20.251
    leftnexthop=%defaultroute
    leftsubnet=172.22.0.0/16
    right=203.191.19.3
    rightid=203.191.19.3
    rightsubnet=192.168.2.0/24


And here it is from the VyOS side (I tried to include all relevant global
settings too):

version 2.0
config setup
        charonstart=yes
        interfaces="%none"
        nat_traversal=yes

conn peer-52.63.20.251-tunnel-1
        left=203.191.19.3
        right=52.63.20.251
        leftsubnet=192.168.2.0/24
        rightsubnet=172.22.0.0/16
        leftsourceip=192.168.2.254
        ike=aes256-sha1-modp1024!
        keyexchange=ikev1
        ikelifetime=86400s
        esp=aes256-sha1,3des-md5!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        pfs=yes
        compress=no
        authby=secret
        auto=start
        keyingtries=%forever

Here is the "ipsec status" output from the VyOS side for that link (I left
out other links):

000 "peer-52.63.20.251-tunnel-1": 192.168.2.0/24===203.191.19.3:4500[203.191.19.3]...52.63.20.251:4500[52.63.20.251]===172.22.0.0/16; erouted; eroute owner: #265
000 "peer-52.63.20.251-tunnel-1":   newest ISAKMP SA: #263; newest IPsec SA: #265;
...
000 #265: "peer-52.63.20.251-tunnel-1" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2420s; newest IPSEC; eroute owner
000 #265: "peer-52.63.20.251-tunnel-1" esp.9998c8e5@52.63.20.251 (0 bytes) esp.cd5a1422@203.191.19.3 (0 bytes); tunnel
000 #263: "peer-52.63.20.251-tunnel-1" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 84976s; newest ISAKMP
000
Security Associations:
  none

Can anyone see what I am doing wrong?

Thanks.
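When both ends report an established SA but no traffic crosses it, a first defensive step is to confirm the two ipsec.conf conn sections actually describe the same tunnel from opposite sides. The script below is an added example, not code from the post or from Openswan/VyOS. It embeds the two conn sections pasted above as constructed input, parses them, swaps left/right on the peer's copy, and reports keys whose values disagree or are set on only one end. The MIRRORED/SHARED key lists and the PLACEHOLDERS set are my own assumptions about which settings are worth comparing, not anything the post defines.

```python
"""Mirror-check the two ipsec.conf 'conn' sections of one tunnel.

Added example (not from the post, Openswan or VyOS). The snippets below are
the conn sections from the post, embedded as constructed input so it runs offline.
"""

EC2_CONF = """\
conn sydney-hub-sydney-office-1
    type=tunnel
    authby=secret
    forceencaps=yes
    auto=start
    left=%defaultroute
    leftid=52.63.20.251
    leftsourceip=52.63.20.251
    leftnexthop=%defaultroute
    leftsubnet=172.22.0.0/16
    right=203.191.19.3
    rightid=203.191.19.3
    rightsubnet=192.168.2.0/24
"""

VYOS_CONF = """\
conn peer-52.63.20.251-tunnel-1
        left=203.191.19.3
        right=52.63.20.251
        leftsubnet=192.168.2.0/24
        rightsubnet=172.22.0.0/16
        leftsourceip=192.168.2.254
        ike=aes256-sha1-modp1024!
        keyexchange=ikev1
        ikelifetime=86400s
        esp=aes256-sha1,3des-md5!
        keylife=3600s
        rekeymargin=540s
        type=tunnel
        pfs=yes
        compress=no
        authby=secret
        auto=start
        keyingtries=%forever
"""

# Assumed key sets: MIRRORED values must agree once left/right are swapped;
# SHARED values must agree literally (a one-sided entry means the other end
# relies on its implementation default, which has to be checked by hand).
MIRRORED = ('left', 'right', 'leftid', 'rightid', 'leftsubnet', 'rightsubnet')
SHARED = ('type', 'authby', 'pfs', 'keyexchange', 'forceencaps', 'ike', 'esp',
          'ikelifetime', 'keylife', 'rekeymargin', 'compress')
PLACEHOLDERS = ('%defaultroute', '%any')   # resolved at runtime, not comparable


def parse_ipsec_conf(text):
    """Return {'config setup': {...}, 'conn NAME': {...}} from ipsec.conf text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                     # unindented: section header
            words = line.split()
            current = f'{words[0]} {words[1]}' if words[0] in ('config', 'conn') else None
            if current:
                sections.setdefault(current, {})
            continue
        if current and '=' in line:
            key, value = line.strip().split('=', 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def mirror(conn):
    """Swap left*/right* keys so the peer's view lines up with ours."""
    swapped = {}
    for key, value in conn.items():
        if key.startswith('left'):
            swapped['right' + key[4:]] = value
        elif key.startswith('right'):
            swapped['left' + key[5:]] = value
        else:
            swapped[key] = value
    return swapped


def compare_conns(ours, theirs):
    """Return (kind, key, our_value, their_value) tuples; kind is 'mismatch'
    when both ends set different literal values, 'one-sided' when only one does."""
    peer = mirror(theirs)
    findings = []
    for key in MIRRORED + SHARED:
        a = ours.get(key)
        b = peer.get(key) if key in MIRRORED else theirs.get(key)
        if a == b:
            continue
        if a is None or b is None:
            findings.append(('one-sided', key, a, b))
        elif a not in PLACEHOLDERS and b not in PLACEHOLDERS:
            findings.append(('mismatch', key, a, b))
    return findings


def check_post_configs():
    """Compare the EC2 conn against the VyOS conn from the post."""
    ec2 = parse_ipsec_conf(EC2_CONF)['conn sydney-hub-sydney-office-1']
    vyos = parse_ipsec_conf(VYOS_CONF)['conn peer-52.63.20.251-tunnel-1']
    return compare_conns(ec2, vyos)
```

Run against the two conn sections from the post, check_post_configs() reports no mismatch: the subnets and the peer address line up once left and right are swapped, which agrees with both status outputs showing the same pair of ESP SPIs. Every finding is one-sided (for example forceencaps only on the EC2 end, and keyexchange, ike, esp and the lifetimes only on the VyOS end), so the remaining question is whether each implementation's default for those keys matches what the other end set explicitly.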