[Openswan Users] Connecting VyOS 1.1.6 to EC2
Nick Howitt
nick at howitts.co.uk
Fri Feb 12 03:03:24 EST 2016
The tunnel is up. Check your firewall rules.
On 2016-02-11 23:13, Amos Shapira wrote:
> Hello,
>
> I'm trying to connect a VyOS 1.1.6, which comes with IPSec U4.5.2, to
> a Ubuntu 14.04 LTS EC2 instance running 2.6.38.
>
> I think I got the link up but I can't get any traffic over it. Here is
> a log of the startup from scratch:
>
> Feb 11 22:47:13 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #1: initiating Main Mode
> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from 203.191.19.3:4500: ignoring unknown Vendor ID payload [882fe56d6fd20dbc2251613b2ebe5beb]
> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from 203.191.19.3:4500: received Vendor ID payload [Cisco-Unity]
> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from 203.191.19.3:4500: received Vendor ID payload [XAUTH]
> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from 203.191.19.3:4500: received Vendor ID payload [Dead Peer Detection]
> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from 203.191.19.3:4500: received Vendor ID payload [RFC 3947] method set to=115
> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from 203.191.19.3:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from 203.191.19.3:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from 203.191.19.3:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from 203.191.19.3:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: responding to Main Mode
> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: STATE_MAIN_R1: sent MR1, expecting MI2
> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: STATE_MAIN_R2: sent MR2, expecting MI3
> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: Main mode peer ID is ID_IPV4_ADDR: '203.191.19.3'
> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: the peer proposed: 172.22.0.0/16:0/0 -> 192.168.2.0/24:0/0
> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3: responding to Quick Mode proposal {msgid:cd7b50cb}
> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3:     us: 172.22.0.0/16===172.22.0.207[52.63.20.251]---172.22.0.1
> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3:   them: 203.191.19.3<203.191.19.3>===192.168.2.0/24
> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0xcd5a1422 <0x9998c8e5 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=203.191.19.3:4500 DPD=none}
>
> And here is the output of "ipsec auto --status":
>
> 000 using kernel interface: netkey
> 000 interface lo/lo ::1
> 000 interface lo/lo 127.0.0.1
> 000 interface lo/lo 127.0.0.1
> 000 interface eth0/eth0 172.22.0.207
> 000 interface eth0/eth0 172.22.0.207
> 000 interface eth0/eth0 52.63.20.251
> 000 interface eth0/eth0 52.63.20.251
> 000 %myid = (none)
> 000 debug none
> 000
> 000 virtual_private (%priv):
> 000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
> 000 - disallowed 1 subnet: 172.22.0.0/16
> 000
> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
> 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
> 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
> 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
> 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
> 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
> 000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
> 000
> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
> 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
> 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
> 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
> 000
> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
> 000
> 000 "sydney-hub-sydney-office-1": 172.22.0.0/16===172.22.0.207[52.63.20.251]---172.22.0.1...203.191.19.3<203.191.19.3>===192.168.2.0/24; erouted; eroute owner: #3
> 000 "sydney-hub-sydney-office-1":     myip=52.63.20.251; hisip=unset;
> 000 "sydney-hub-sydney-office-1":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
> 000 "sydney-hub-sydney-office-1":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 16,24; interface: eth0;
> 000 "sydney-hub-sydney-office-1":   newest ISAKMP SA: #2; newest IPsec SA: #3;
> 000 "sydney-hub-sydney-office-1":   IKE algorithm newest: AES_CBC_256-SHA1-MODP1024
> 000
> 000 #3: "sydney-hub-sydney-office-1":4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3237s; newest IPSEC; eroute owner; isakmp#2; idle; import:not set
> 000 #3: "sydney-hub-sydney-office-1" esp.cd5a1422@203.191.19.3 esp.9998c8e5@172.22.0.207 tun.0@203.191.19.3 tun.0@172.22.0.207 ref=0 refhim=4294901761
> 000 #2: "sydney-hub-sydney-office-1":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3237s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
> 000 #1: "sydney-hub-sydney-office-1":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 21s; nodpd; idle; import:admin initiate
> 000 #1: pending Phase 2 for "sydney-hub-sydney-office-1" replacing #0
> 000
>
> But ping to the address of the VyOS host (or any host on the other
> side) doesn't get any response. I verified that ping from other IPSec
> tunnels (which use either Vyatta or AWS Virtual Gateway) works fine.
>
> Here is the configuration of the tunnel from the EC2 side:
>
> version 2.0
> config setup
>     dumpdir=/var/run/pluto/
>     nat_traversal=yes
>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!172.22.0.0/16
>     oe=off
>     protostack=netkey
>     interfaces=%defaultroute
>
> conn sydney-hub-sydney-office-1
>     type=tunnel
>     authby=secret
>     forceencaps=yes
>     auto=start
>     left=%defaultroute
>     leftid=52.63.20.251
>     leftsourceip=52.63.20.251
>     leftnexthop=%defaultroute
>     leftsubnet=172.22.0.0/16
>     right=203.191.19.3
>     rightid=203.191.19.3
>     rightsubnet=192.168.2.0/24
>
> And here it is from the VyOS side (I tried to include all relevant
> global settings too):
>
> version 2.0
> config setup
>     charonstart=yes
>     interfaces="%none"
>     nat_traversal=yes
>
> conn peer-52.63.20.251-tunnel-1
>     left=203.191.19.3
>     right=52.63.20.251
>     leftsubnet=192.168.2.0/24
>     rightsubnet=172.22.0.0/16
>     leftsourceip=192.168.2.254
>     ike=aes256-sha1-modp1024!
>     keyexchange=ikev1
>     ikelifetime=86400s
>     esp=aes256-sha1,3des-md5!
>     keylife=3600s
>     rekeymargin=540s
>     type=tunnel
>     pfs=yes
>     compress=no
>     authby=secret
>     auto=start
>     keyingtries=%forever
>
> Here is the "ipsec status" output from the VyOS side for that link (I
> left out other links):
>
> 000 "peer-52.63.20.251-tunnel-1": 192.168.2.0/24===203.191.19.3:4500[203.191.19.3]...52.63.20.251:4500[52.63.20.251]===172.22.0.0/16; erouted; eroute owner: #265
> 000 "peer-52.63.20.251-tunnel-1":   newest ISAKMP SA: #263; newest IPsec SA: #265;
> ...
>
> 000 #265: "peer-52.63.20.251-tunnel-1" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2420s; newest IPSEC; eroute owner
> 000 #265: "peer-52.63.20.251-tunnel-1" esp.9998c8e5@52.63.20.251 (0 bytes) esp.cd5a1422@203.191.19.3 (0 bytes); tunnel
> 000 #263: "peer-52.63.20.251-tunnel-1" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 84976s; newest ISAKMP
> 000
> Security Associations:
>   none
>
> Can anyone see what I am doing wrong?
>
> Thanks.
>