[Openswan Users] Connecting VyOS 1.1.6 to EC2
Amos Shapira
amos.shapira at gmail.com
Fri Feb 12 14:44:41 EST 2016
Thanks Daniel.
I already have this checked off through the CloudFormation stack template I
use to bring it up.
Anyway, after bringing up another instance it started working.
On 13 Feb 2016 2:19 a.m., "Daniel Cave" <dan.cave at me.com> wrote:
> Amos
>
> There is a setting in the network config/security menu in EC2 management
> that says something like "check source address", which means that if you
> have it enabled, the security policy that is applied to the instance will
> block any traffic from a network if it's meant to pass through a device,
> especially in circumstances where you are using an EC2 instance as a VPN
> server.
>
> Disable it, as this has caught me out a few times when using AWS.
>
> Sent from my iPhone
>
> On 12 Feb 2016, at 09:19, Amos Shapira <amos.shapira at gmail.com> wrote:
>
> Thanks.
> I double-checked the firewall rules (and Security Group) and they are OK.
> This EC2 instance also talks fine with other destinations (a Virtual
> Gateway).
> I also saw traffic in both directions using tcpdump on both sides.
>
> BUT! After I sent this question and did more tests, I tried to just blow
> up this instance and let the automatic configuration (Autoscaling group)
> bring up a fresh EC2 instance, and things started working again (i.e. I can
> ping hosts over the tunnel).
>
> I suspect that enabling nat-traversal on the VyOS side after a few
> attempts from this specific instance, which was the only change I made,
> somehow didn't register with the instance, but once I switched to a fresh
> instance it worked.
>
> Cheers,
> Amos
> On 12 Feb 2016 7:03 p.m., "Nick Howitt" <nick at howitts.co.uk> wrote:
>
>> The tunnel is up. Check your firewall rules.
>>
>> On 2016-02-11 23:13, Amos Shapira wrote:
>>
>>> Hello,
>>>
>>> I'm trying to connect a VyOS 1.1.6, which comes with IPSec U4.5.2, to
>>> an Ubuntu 14.04 LTS EC2 instance running 2.6.38.
>>>
>>> I think I got the link up, but I can't get any traffic over it. Here is
>>> a log of the startup from scratch:
>>>
>>> Feb 11 22:47:13 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #1: initiating Main Mode
>>> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from 203.191.19.3:4500: ignoring unknown Vendor ID payload [882fe56d6fd20dbc2251613b2ebe5beb]
>>> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from 203.191.19.3:4500: received Vendor ID payload [Cisco-Unity]
>>> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from 203.191.19.3:4500: received Vendor ID payload [XAUTH]
>>> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from 203.191.19.3:4500: received Vendor ID payload [Dead Peer Detection]
>>> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from 203.191.19.3:4500: received Vendor ID payload [RFC 3947] method set to=115
>>> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from 203.191.19.3:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
>>> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from 203.191.19.3:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
>>> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from 203.191.19.3:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
>>> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: packet from 203.191.19.3:4500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
>>> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: responding to Main Mode
>>> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
>>> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: STATE_MAIN_R1: sent MR1, expecting MI2
>>> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
>>> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
>>> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: STATE_MAIN_R2: sent MR2, expecting MI3
>>> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: Main mode peer ID is ID_IPV4_ADDR: '203.191.19.3'
>>> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
>>> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
>>> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #2: the peer proposed: 172.22.0.0/16:0/0 -> 192.168.2.0/24:0/0
>>> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3: responding to Quick Mode proposal {msgid:cd7b50cb}
>>> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3:     us: 172.22.0.0/16===172.22.0.207[52.63.20.251]---172.22.0.1
>>> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3:   them: 203.191.19.3<203.191.19.3>===192.168.2.0/24
>>> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
>>> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
>>> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
>>> Feb 11 22:47:49 ip-172-22-0-207 pluto[19672]: "sydney-hub-sydney-office-1" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0xcd5a1422 <0x9998c8e5 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=203.191.19.3:4500 DPD=none}
>>>
>>> And here is the output of "ipsec auto --status":
>>>
>>> 000 using kernel interface: netkey
>>> 000 interface lo/lo ::1
>>> 000 interface lo/lo 127.0.0.1
>>> 000 interface lo/lo 127.0.0.1
>>> 000 interface eth0/eth0 172.22.0.207
>>> 000 interface eth0/eth0 172.22.0.207
>>> 000 interface eth0/eth0 52.63.20.251
>>> 000 interface eth0/eth0 52.63.20.251
>>> 000 %myid = (none)
>>> 000 debug none
>>> 000
>>> 000 virtual_private (%priv):
>>> 000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
>>> 000 - disallowed 1 subnet: 172.22.0.0/16
>>> 000
>>> 000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
>>> 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
>>> 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
>>> 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
>>> 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
>>> 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
>>> 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
>>> 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
>>> 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
>>> 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
>>> 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
>>> 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
>>> 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
>>> 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
>>> 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
>>> 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
>>> 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
>>> 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
>>> 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
>>> 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
>>> 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
>>> 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
>>> 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
>>> 000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
>>> 000
>>> 000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
>>> 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
>>> 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
>>> 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
>>> 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
>>> 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
>>> 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
>>> 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
>>> 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
>>> 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
>>> 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
>>> 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
>>> 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
>>> 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
>>> 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
>>> 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
>>> 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
>>> 000
>>> 000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
>>> 000
>>> 000 "sydney-hub-sydney-office-1": 172.22.0.0/16===172.22.0.207[52.63.20.251]---172.22.0.1...203.191.19.3<203.191.19.3>===192.168.2.0/24; erouted; eroute owner: #3
>>> 000 "sydney-hub-sydney-office-1":     myip=52.63.20.251; hisip=unset;
>>> 000 "sydney-hub-sydney-office-1":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
>>> 000 "sydney-hub-sydney-office-1":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 16,24; interface: eth0;
>>> 000 "sydney-hub-sydney-office-1":   newest ISAKMP SA: #2; newest IPsec SA: #3;
>>> 000 "sydney-hub-sydney-office-1":   IKE algorithm newest: AES_CBC_256-SHA1-MODP1024
>>> 000
>>> 000 #3: "sydney-hub-sydney-office-1":4500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 3237s; newest IPSEC; eroute owner; isakmp#2; idle; import:not set
>>> 000 #3: "sydney-hub-sydney-office-1" esp.cd5a1422@203.191.19.3 esp.9998c8e5@172.22.0.207 tun.0@203.191.19.3 tun.0@172.22.0.207 ref=0 refhim=4294901761
>>> 000 #2: "sydney-hub-sydney-office-1":4500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 3237s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
>>> 000 #1: "sydney-hub-sydney-office-1":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 21s; nodpd; idle; import:admin initiate
>>> 000 #1: pending Phase 2 for "sydney-hub-sydney-office-1" replacing #0
>>> 000
>>>
>>> But ping to the address of the VyOS host (or any host on the other
>>> side) doesn't get any response. I verified that ping from other IPSec
>>> tunnels (which use either Vyatta or AWS Virtual Gateway) works fine.
>>>
>>> Here is the configuration of the tunnel from the EC2 side:
>>>
>>> version 2.0
>>> config setup
>>>     dumpdir=/var/run/pluto/
>>>     nat_traversal=yes
>>>     virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!172.22.0.0/16
>>>     oe=off
>>>     protostack=netkey
>>>     interfaces=%defaultroute
>>>
>>> conn sydney-hub-sydney-office-1
>>>     type=tunnel
>>>     authby=secret
>>>     forceencaps=yes
>>>     auto=start
>>>     left=%defaultroute
>>>     leftid=52.63.20.251
>>>     leftsourceip=52.63.20.251
>>>     leftnexthop=%defaultroute
>>>     leftsubnet=172.22.0.0/16
>>>     right=203.191.19.3
>>>     rightid=203.191.19.3
>>>     rightsubnet=192.168.2.0/24
>>>
>>> And here it is from the VyOS side (I tried to include all relevant
>>> global settings too):
>>>
>>> version 2.0
>>> config setup
>>>     charonstart=yes
>>>     interfaces="%none"
>>>     nat_traversal=yes
>>>
>>> conn peer-52.63.20.251-tunnel-1
>>>     left=203.191.19.3
>>>     right=52.63.20.251
>>>     leftsubnet=192.168.2.0/24
>>>     rightsubnet=172.22.0.0/16
>>>     leftsourceip=192.168.2.254
>>>     ike=aes256-sha1-modp1024!
>>>     keyexchange=ikev1
>>>     ikelifetime=86400s
>>>     esp=aes256-sha1,3des-md5!
>>>     keylife=3600s
>>>     rekeymargin=540s
>>>     type=tunnel
>>>     pfs=yes
>>>     compress=no
>>>     authby=secret
>>>     auto=start
>>>     keyingtries=%forever
>>>
>>> Here is the "ipsec status" output from the VyOS side for that link (I
>>> left out other links):
>>>
>>> 000 "peer-52.63.20.251-tunnel-1": 192.168.2.0/24===203.191.19.3:4500[203.191.19.3]...52.63.20.251:4500[52.63.20.251]===172.22.0.0/16; erouted; eroute owner: #265
>>> 000 "peer-52.63.20.251-tunnel-1":   newest ISAKMP SA: #263; newest IPsec SA: #265;
>>> ...
>>>
>>> 000 #265: "peer-52.63.20.251-tunnel-1" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2420s; newest IPSEC; eroute owner
>>> 000 #265: "peer-52.63.20.251-tunnel-1" ESP.9998c8e5@52.63.20.251 (0 bytes) ESP.cd5a1422@203.191.19.3 (0 bytes); tunnel
>>> 000 #263: "peer-52.63.20.251-tunnel-1" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 84976s; newest ISAKMP
>>> 000
>>> Security Associations:
>>>   none
>>>
>>> Can anyone see what I am doing wrong?
>>>
>>> Thanks.
>>>
>>>
>>> _______________________________________________
>>> Users at lists.openswan.org
>>> https://lists.openswan.org/mailman/listinfo/users
>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>> Building and Integrating Virtual Private Networks with Openswan:
>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>>