[Openswan Users] Connecting VyOS 1.1.6 to EC2
Daniel Cave
dan.cave at me.com
Fri Feb 12 15:02:20 EST 2016
AWS gremlins. 😔
Sent from my iPhone
> On 12 Feb 2016, at 19:44, Amos Shapira <amos.shapira at gmail.com> wrote:
>
> Thanks Daniel.
> I already have this checked off through the CloudFormation stack template I use to bring it up.
> Anyway, after bringing up another instance it started working.
>> On 13 Feb 2016 2:19 a.m., "Daniel Cave" <dan.cave at me.com> wrote:
>> Amos
>>
>> There is a setting In the network config /security menu in ec2 management that say something like "check source address" which means if you have it enabled the security policy that is applied to the instance will block any traffic from a network of its meant to pas through a device, especially on circumstances where you are using a an ec2 instance as a VPN server
>>
>> Disable it as this has caught me it a few times when using AWS.
>>
>> Sent from my iPhone
>>
>>> On 12 Feb 2016, at 09:19, Amos Shapira <amos.shapira at gmail.com> wrote:
>>>
>>> Thanks.
>>> I double check the firewall rules (and Security Group) and they are OK. This EC2 instance also talks fine with other destinations (a Virtual Gateway).
>>> I also saw traffic in both directions using tcpdump on both sides.
>>>
>>> BUT! After I sent this question and doing more tests I tried to just blow up this instance and let the automatic configuration (Autoscaling group) bring up a fresh EC2 instance and things started working again (I.e. I can ping hosts over the tunnel).
>>>
>>> I suspect that the enabling of nat-traversal on the VyOS side after a few attempts from this specific instance, which was the only change I made, somehow didn't register with the instance but once I switched to a fresh instance it worked.
>>>
>>> Cheers,
>>> Amos
>>>
>>>> On 12 Feb 2016 7:03 p.m., "Nick Howitt" <nick at howitts.co.uk> wrote:
>>>> The tunnel is up. Check your firewall rules.
>>>>
>>>>> On 2016-02-11 23:13, Amos Shapira wrote:
>>>>> Hello,
>>>>>
>>>>> I'm trying to connect a VyOS 1.1.6, which comes with IPSec U4.5.2, to
>>>>> a Ubuntu 14.04 LTS EC2 instance running 2.6.38.
>>>>>
>>>>> I think I got the link up but I can't get any traffic over it. Here is
>>>>> a log of the startup from scratch:
>>>>>
>>>>> FEB 11 22:47:13 IP-172-22-0-207 PLUTO[19672]:
>>>>> "SYDNEY-HUB-SYDNEY-OFFICE-1" #1: INITIATING MAIN MODE
>>>>> FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: PACKET FROM
>>>>> 203.191.19.3:4500 [1]: IGNORING UNKNOWN VENDOR ID PAYLOAD
>>>>> [882FE56D6FD20DBC2251613B2EBE5BEB]
>>>>> FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: PACKET FROM
>>>>> 203.191.19.3:4500 [1]: RECEIVED VENDOR ID PAYLOAD [CISCO-UNITY]
>>>>> FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: PACKET FROM
>>>>> 203.191.19.3:4500 [1]: RECEIVED VENDOR ID PAYLOAD [XAUTH]
>>>>> FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: PACKET FROM
>>>>> 203.191.19.3:4500 [1]: RECEIVED VENDOR ID PAYLOAD [DEAD PEER
>>>>> DETECTION]
>>>>> FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: PACKET FROM
>>>>> 203.191.19.3:4500 [1]: RECEIVED VENDOR ID PAYLOAD [RFC 3947] METHOD
>>>>> SET TO=115
>>>>> FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: PACKET FROM
>>>>> 203.191.19.3:4500 [1]: RECEIVED VENDOR ID PAYLOAD
>>>>> [DRAFT-IETF-IPSEC-NAT-T-IKE-03] METH=108, BUT ALREADY USING METHOD 115
>>>>> FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: PACKET FROM
>>>>> 203.191.19.3:4500 [1]: RECEIVED VENDOR ID PAYLOAD
>>>>> [DRAFT-IETF-IPSEC-NAT-T-IKE-02] METH=107, BUT ALREADY USING METHOD 115
>>>>> FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: PACKET FROM
>>>>> 203.191.19.3:4500 [1]: RECEIVED VENDOR ID PAYLOAD
>>>>> [DRAFT-IETF-IPSEC-NAT-T-IKE-02_N] METH=106, BUT ALREADY USING METHOD
>>>>> 115
>>>>> FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]: PACKET FROM
>>>>> 203.191.19.3:4500 [1]: RECEIVED VENDOR ID PAYLOAD
>>>>> [DRAFT-IETF-IPSEC-NAT-T-IKE-00]
>>>>> FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]:
>>>>> "SYDNEY-HUB-SYDNEY-OFFICE-1" #2: RESPONDING TO MAIN MODE
>>>>> FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]:
>>>>> "SYDNEY-HUB-SYDNEY-OFFICE-1" #2: TRANSITION FROM STATE STATE_MAIN_R0
>>>>> TO STATE STATE_MAIN_R1
>>>>> FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]:
>>>>> "SYDNEY-HUB-SYDNEY-OFFICE-1" #2: STATE_MAIN_R1: SENT MR1, EXPECTING
>>>>> MI2
>>>>> FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]:
>>>>> "SYDNEY-HUB-SYDNEY-OFFICE-1" #2: NAT-TRAVERSAL: RESULT USING
>>>>> DRAFT-IETF-IPSEC-NAT-T-IKE (MACOS X): BOTH ARE NATED
>>>>> FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]:
>>>>> "SYDNEY-HUB-SYDNEY-OFFICE-1" #2: TRANSITION FROM STATE STATE_MAIN_R1
>>>>> TO STATE STATE_MAIN_R2
>>>>> FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]:
>>>>> "SYDNEY-HUB-SYDNEY-OFFICE-1" #2: STATE_MAIN_R2: SENT MR2, EXPECTING
>>>>> MI3
>>>>> FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]:
>>>>> "SYDNEY-HUB-SYDNEY-OFFICE-1" #2: MAIN MODE PEER ID IS ID_IPV4_ADDR:
>>>>> '203.191.19.3'
>>>>> FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]:
>>>>> "SYDNEY-HUB-SYDNEY-OFFICE-1" #2: TRANSITION FROM STATE STATE_MAIN_R2
>>>>> TO STATE STATE_MAIN_R3
>>>>> FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]:
>>>>> "SYDNEY-HUB-SYDNEY-OFFICE-1" #2: STATE_MAIN_R3: SENT MR3, ISAKMP SA
>>>>> ESTABLISHED {AUTH=OAKLEY_PRESHARED_KEY CIPHER=AES_256 PRF=OAKLEY_SHA
>>>>> GROUP=MODP1024}
>>>>> FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]:
>>>>> "SYDNEY-HUB-SYDNEY-OFFICE-1" #2: THE PEER PROPOSED: 172.22.0.0/16:0/0
>>>>> [2] -> 192.168.2.0/24:0/0 [3]
>>>>> FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]:
>>>>> "SYDNEY-HUB-SYDNEY-OFFICE-1" #3: RESPONDING TO QUICK MODE PROPOSAL
>>>>> {MSGID:CD7B50CB}
>>>>> FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]:
>>>>> "SYDNEY-HUB-SYDNEY-OFFICE-1" #3: US:
>>>>> 172.22.0.0/16===172.22.0.207[52.63.20.251]---172.22.0.1 [4]
>>>>> FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]:
>>>>> "SYDNEY-HUB-SYDNEY-OFFICE-1" #3: THEM:
>>>>> 203.191.19.3<203.191.19.3>===192.168.2.0/24 [5]
>>>>> FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]:
>>>>> "SYDNEY-HUB-SYDNEY-OFFICE-1" #3: TRANSITION FROM STATE STATE_QUICK_R0
>>>>> TO STATE STATE_QUICK_R1
>>>>> FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]:
>>>>> "SYDNEY-HUB-SYDNEY-OFFICE-1" #3: STATE_QUICK_R1: SENT QR1, INBOUND
>>>>> IPSEC SA INSTALLED, EXPECTING QI2
>>>>> FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]:
>>>>> "SYDNEY-HUB-SYDNEY-OFFICE-1" #3: TRANSITION FROM STATE STATE_QUICK_R1
>>>>> TO STATE STATE_QUICK_R2
>>>>> FEB 11 22:47:49 IP-172-22-0-207 PLUTO[19672]:
>>>>> "SYDNEY-HUB-SYDNEY-OFFICE-1" #3: STATE_QUICK_R2: IPSEC SA ESTABLISHED
>>>>> TUNNEL MODE {ESP/NAT=>0XCD5A1422 <0X9998C8E5 XFRM=AES_256-HMAC_SHA1
>>>>> NATOA=NONE NATD=203.191.19.3:4500 [1] DPD=NONE}
>>>>>
>>>>> And here is the output of "ipsec auto --status":
>>>>>
>>>>> 000 USING KERNEL INTERFACE: NETKEY
>>>>> 000 INTERFACE LO/LO ::1
>>>>> 000 INTERFACE LO/LO 127.0.0.1
>>>>> 000 INTERFACE LO/LO 127.0.0.1
>>>>> 000 INTERFACE ETH0/ETH0 172.22.0.207
>>>>> 000 INTERFACE ETH0/ETH0 172.22.0.207
>>>>> 000 INTERFACE ETH0/ETH0 52.63.20.251
>>>>> 000 INTERFACE ETH0/ETH0 52.63.20.251
>>>>> 000 %MYID = (NONE)
>>>>> 000 DEBUG NONE
>>>>> 000
>>>>> 000 VIRTUAL_PRIVATE (%PRIV):
>>>>> 000 - ALLOWED 6 SUBNETS: 10.0.0.0/8 [6], 192.168.0.0/16 [7],
>>>>> 172.16.0.0/12 [8], 25.0.0.0/8 [9], FD00::/8, FE80::/10
>>>>> 000 - DISALLOWED 1 SUBNET: 172.22.0.0/16 [10]
>>>>> 000
>>>>> 000 ALGORITHM ESP ENCRYPT: ID=2, NAME=ESP_DES, IVLEN=8, KEYSIZEMIN=64,
>>>>> KEYSIZEMAX=64
>>>>> 000 ALGORITHM ESP ENCRYPT: ID=3, NAME=ESP_3DES, IVLEN=8,
>>>>> KEYSIZEMIN=192, KEYSIZEMAX=192
>>>>> 000 ALGORITHM ESP ENCRYPT: ID=6, NAME=ESP_CAST, IVLEN=8,
>>>>> KEYSIZEMIN=40, KEYSIZEMAX=128
>>>>> 000 ALGORITHM ESP ENCRYPT: ID=7, NAME=ESP_BLOWFISH, IVLEN=8,
>>>>> KEYSIZEMIN=40, KEYSIZEMAX=448
>>>>> 000 ALGORITHM ESP ENCRYPT: ID=11, NAME=ESP_NULL, IVLEN=0,
>>>>> KEYSIZEMIN=0, KEYSIZEMAX=0
>>>>> 000 ALGORITHM ESP ENCRYPT: ID=12, NAME=ESP_AES, IVLEN=8,
>>>>> KEYSIZEMIN=128, KEYSIZEMAX=256
>>>>> 000 ALGORITHM ESP ENCRYPT: ID=13, NAME=ESP_AES_CTR, IVLEN=8,
>>>>> KEYSIZEMIN=160, KEYSIZEMAX=288
>>>>> 000 ALGORITHM ESP ENCRYPT: ID=14, NAME=ESP_AES_CCM_A, IVLEN=8,
>>>>> KEYSIZEMIN=128, KEYSIZEMAX=256
>>>>> 000 ALGORITHM ESP ENCRYPT: ID=15, NAME=ESP_AES_CCM_B, IVLEN=8,
>>>>> KEYSIZEMIN=128, KEYSIZEMAX=256
>>>>> 000 ALGORITHM ESP ENCRYPT: ID=16, NAME=ESP_AES_CCM_C, IVLEN=8,
>>>>> KEYSIZEMIN=128, KEYSIZEMAX=256
>>>>> 000 ALGORITHM ESP ENCRYPT: ID=18, NAME=ESP_AES_GCM_A, IVLEN=8,
>>>>> KEYSIZEMIN=128, KEYSIZEMAX=256
>>>>> 000 ALGORITHM ESP ENCRYPT: ID=19, NAME=ESP_AES_GCM_B, IVLEN=8,
>>>>> KEYSIZEMIN=128, KEYSIZEMAX=256
>>>>> 000 ALGORITHM ESP ENCRYPT: ID=20, NAME=ESP_AES_GCM_C, IVLEN=8,
>>>>> KEYSIZEMIN=128, KEYSIZEMAX=256
>>>>> 000 ALGORITHM ESP ENCRYPT: ID=22, NAME=ESP_CAMELLIA, IVLEN=8,
>>>>> KEYSIZEMIN=128, KEYSIZEMAX=256
>>>>> 000 ALGORITHM ESP ENCRYPT: ID=252, NAME=ESP_SERPENT, IVLEN=8,
>>>>> KEYSIZEMIN=128, KEYSIZEMAX=256
>>>>> 000 ALGORITHM ESP ENCRYPT: ID=253, NAME=ESP_TWOFISH, IVLEN=8,
>>>>> KEYSIZEMIN=128, KEYSIZEMAX=256
>>>>> 000 ALGORITHM ESP AUTH ATTR: ID=1, NAME=AUTH_ALGORITHM_HMAC_MD5,
>>>>> KEYSIZEMIN=128, KEYSIZEMAX=128
>>>>> 000 ALGORITHM ESP AUTH ATTR: ID=2, NAME=AUTH_ALGORITHM_HMAC_SHA1,
>>>>> KEYSIZEMIN=160, KEYSIZEMAX=160
>>>>> 000 ALGORITHM ESP AUTH ATTR: ID=5, NAME=AUTH_ALGORITHM_HMAC_SHA2_256,
>>>>> KEYSIZEMIN=256, KEYSIZEMAX=256
>>>>> 000 ALGORITHM ESP AUTH ATTR: ID=6, NAME=AUTH_ALGORITHM_HMAC_SHA2_384,
>>>>> KEYSIZEMIN=384, KEYSIZEMAX=384
>>>>> 000 ALGORITHM ESP AUTH ATTR: ID=7, NAME=AUTH_ALGORITHM_HMAC_SHA2_512,
>>>>> KEYSIZEMIN=512, KEYSIZEMAX=512
>>>>> 000 ALGORITHM ESP AUTH ATTR: ID=8, NAME=AUTH_ALGORITHM_HMAC_RIPEMD,
>>>>> KEYSIZEMIN=160, KEYSIZEMAX=160
>>>>> 000 ALGORITHM ESP AUTH ATTR: ID=9, NAME=AUTH_ALGORITHM_AES_CBC,
>>>>> KEYSIZEMIN=128, KEYSIZEMAX=128
>>>>> 000 ALGORITHM ESP AUTH ATTR: ID=251, NAME=AUTH_ALGORITHM_NULL_KAME,
>>>>> KEYSIZEMIN=0, KEYSIZEMAX=0
>>>>> 000
>>>>> 000 ALGORITHM IKE ENCRYPT: ID=0, NAME=(NULL), BLOCKSIZE=16,
>>>>> KEYDEFLEN=131
>>>>> 000 ALGORITHM IKE ENCRYPT: ID=5, NAME=OAKLEY_3DES_CBC, BLOCKSIZE=8,
>>>>> KEYDEFLEN=192
>>>>> 000 ALGORITHM IKE ENCRYPT: ID=7, NAME=OAKLEY_AES_CBC, BLOCKSIZE=16,
>>>>> KEYDEFLEN=128
>>>>> 000 ALGORITHM IKE HASH: ID=1, NAME=OAKLEY_MD5, HASHSIZE=16
>>>>> 000 ALGORITHM IKE HASH: ID=2, NAME=OAKLEY_SHA1, HASHSIZE=20
>>>>> 000 ALGORITHM IKE HASH: ID=4, NAME=OAKLEY_SHA2_256, HASHSIZE=32
>>>>> 000 ALGORITHM IKE HASH: ID=6, NAME=OAKLEY_SHA2_512, HASHSIZE=64
>>>>> 000 ALGORITHM IKE DH GROUP: ID=2, NAME=OAKLEY_GROUP_MODP1024,
>>>>> BITS=1024
>>>>> 000 ALGORITHM IKE DH GROUP: ID=5, NAME=OAKLEY_GROUP_MODP1536,
>>>>> BITS=1536
>>>>> 000 ALGORITHM IKE DH GROUP: ID=14, NAME=OAKLEY_GROUP_MODP2048,
>>>>> BITS=2048
>>>>> 000 ALGORITHM IKE DH GROUP: ID=15, NAME=OAKLEY_GROUP_MODP3072,
>>>>> BITS=3072
>>>>> 000 ALGORITHM IKE DH GROUP: ID=16, NAME=OAKLEY_GROUP_MODP4096,
>>>>> BITS=4096
>>>>> 000 ALGORITHM IKE DH GROUP: ID=17, NAME=OAKLEY_GROUP_MODP6144,
>>>>> BITS=6144
>>>>> 000 ALGORITHM IKE DH GROUP: ID=18, NAME=OAKLEY_GROUP_MODP8192,
>>>>> BITS=8192
>>>>> 000 ALGORITHM IKE DH GROUP: ID=22, NAME=OAKLEY_GROUP_DH22, BITS=1024
>>>>> 000 ALGORITHM IKE DH GROUP: ID=23, NAME=OAKLEY_GROUP_DH23, BITS=2048
>>>>> 000 ALGORITHM IKE DH GROUP: ID=24, NAME=OAKLEY_GROUP_DH24, BITS=2048
>>>>> 000
>>>>> 000 STATS DB_OPS: {CURR_CNT, TOTAL_CNT, MAXSZ} :CONTEXT={0,0,0}
>>>>> TRANS={0,0,0} ATTRS={0,0,0}
>>>>> 000
>>>>> 000 "SYDNEY-HUB-SYDNEY-OFFICE-1":
>>>>> 172.22.0.0/16===172.22.0.207[52.63.20.251]---172.22.0.1...203.191.19.3
>>>>> [11]<203.191.19.3>===192.168.2.0/24 [5]; EROUTED; EROUTE OWNER: #3
>>>>> 000 "SYDNEY-HUB-SYDNEY-OFFICE-1": MYIP=52.63.20.251; HISIP=UNSET;
>>>>> 000 "SYDNEY-HUB-SYDNEY-OFFICE-1": IKE_LIFE: 3600S; IPSEC_LIFE:
>>>>> 28800S; REKEY_MARGIN: 540S; REKEY_FUZZ: 100%; KEYINGTRIES: 0
>>>>> 000 "SYDNEY-HUB-SYDNEY-OFFICE-1": POLICY:
>>>>> PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV2ALLOW+SAREFTRACK+LKOD+RKOD; PRIO:
>>>>> 16,24; INTERFACE: ETH0;
>>>>> 000 "SYDNEY-HUB-SYDNEY-OFFICE-1": NEWEST ISAKMP SA: #2; NEWEST IPSEC
>>>>> SA: #3;
>>>>> 000 "SYDNEY-HUB-SYDNEY-OFFICE-1": IKE ALGORITHM NEWEST:
>>>>> AES_CBC_256-SHA1-MODP1024
>>>>> 000
>>>>> 000 #3: "SYDNEY-HUB-SYDNEY-OFFICE-1":4500 STATE_QUICK_R2 (IPSEC SA
>>>>> ESTABLISHED); EVENT_SA_REPLACE IN 3237S; NEWEST IPSEC; EROUTE OWNER;
>>>>> ISAKMP#2; IDLE; IMPORT:NOT SET
>>>>> 000 #3: "SYDNEY-HUB-SYDNEY-OFFICE-1" ESP.CD5A1422 at 203.191.19.3
>>>>> ESP.9998C8E5 at 172.22.0.207 TUN.0 at 203.191.19.3 TUN.0 at 172.22.0.207 REF=0
>>>>> REFHIM=4294901761
>>>>> 000 #2: "SYDNEY-HUB-SYDNEY-OFFICE-1":4500 STATE_MAIN_R3 (SENT MR3,
>>>>> ISAKMP SA ESTABLISHED); EVENT_SA_REPLACE IN 3237S; NEWEST ISAKMP;
>>>>> LASTDPD=-1S(SEQ IN:0 OUT:0); IDLE; IMPORT:NOT SET
>>>>> 000 #1: "SYDNEY-HUB-SYDNEY-OFFICE-1":500 STATE_MAIN_I1 (SENT MI1,
>>>>> EXPECTING MR1); EVENT_RETRANSMIT IN 21S; NODPD; IDLE; IMPORT:ADMIN
>>>>> INITIATE
>>>>> 000 #1: PENDING PHASE 2 FOR "SYDNEY-HUB-SYDNEY-OFFICE-1" REPLACING #0
>>>>> 000
>>>>>
>>>>> But ping to the address of the VyOS host (or any host on the other
>>>>> side) doesn't get any response. I verified that ping from other IPSec
>>>>> tunnels (which use either Vyatta or AWS Virtual Gateway) works fine.
>>>>>
>>>>> Here is the configuration of the tunnel from the EC2 side:
>>>>>
>>>>> VERSION 2.0
>>>>> CONFIG SETUP
>>>>> DUMPDIR=/VAR/RUN/PLUTO/
>>>>> NAT_TRAVERSAL=YES
>>>>>
>>>>> VIRTUAL_PRIVATE=%V4:10.0.0.0/8,%V4:192.168.0.0/16,%V4:172.16.0.0/12,%V4:25.0.0.0/8,%V6:FD00::/8,%V6:FE80::/10,%V4:!172.22.0.0/16
>>>>> [12]
>>>>> OE=OFF
>>>>> PROTOSTACK=NETKEY
>>>>> INTERFACES=%DEFAULTROUTE
>>>>>
>>>>> CONN SYDNEY-HUB-SYDNEY-OFFICE-1
>>>>>
>>>>> TYPE=TUNNEL
>>>>> AUTHBY=SECRET
>>>>> FORCEENCAPS=YES
>>>>> AUTO=START
>>>>> LEFT=%DEFAULTROUTE
>>>>> LEFTID=52.63.20.251
>>>>> LEFTSOURCEIP=52.63.20.251
>>>>> LEFTNEXTHOP=%DEFAULTROUTE
>>>>> LEFTSUBNET=172.22.0.0/16 [10]
>>>>> RIGHT=203.191.19.3
>>>>> RIGHTID=203.191.19.3
>>>>> RIGHTSUBNET=192.168.2.0/24 [5]
>>>>>
>>>>> And here it is from the VyOS side (I tried to include all relevant
>>>>> global settings too):
>>>>>
>>>>> VERSION 2.0
>>>>> CONFIG SETUP
>>>>>
>>>>> CHARONSTART=YES
>>>>> INTERFACES="%NONE"
>>>>> NAT_TRAVERSAL=YES
>>>>>
>>>>> CONN PEER-52.63.20.251-TUNNEL-1
>>>>> LEFT=203.191.19.3
>>>>> RIGHT=52.63.20.251
>>>>> LEFTSUBNET=192.168.2.0/24 [5]
>>>>> RIGHTSUBNET=172.22.0.0/16 [10]
>>>>> LEFTSOURCEIP=192.168.2.254
>>>>> IKE=AES256-SHA1-MODP1024!
>>>>> KEYEXCHANGE=IKEV1
>>>>> IKELIFETIME=86400S
>>>>> ESP=AES256-SHA1,3DES-MD5!
>>>>> KEYLIFE=3600S
>>>>> REKEYMARGIN=540S
>>>>> TYPE=TUNNEL
>>>>> PFS=YES
>>>>> COMPRESS=NO
>>>>> AUTHBY=SECRET
>>>>> AUTO=START
>>>>> KEYINGTRIES=%FOREVER
>>>>>
>>>>> Here is the "ipsec status" output from the VyOS side for that link (I
>>>>> left out other links):
>>>>>
>>>>> 000 "PEER-52.63.20.251-TUNNEL-1":
>>>>> 192.168.2.0/24===203.191.19.3:4500[203.191.19.3]...52.63.20.251:4500[52.63.20.251]===172.22.0.0/16
>>>>> [13]; EROUTED; EROUTE OWNER: #265
>>>>> 000 "PEER-52.63.20.251-TUNNEL-1": NEWEST ISAKMP SA: #263; NEWEST
>>>>> IPSEC SA: #265;
>>>>> ...
>>>>>
>>>>> 000 #265: "PEER-52.63.20.251-TUNNEL-1" STATE_QUICK_I2 (SENT QI2, IPSEC
>>>>> SA ESTABLISHED); EVENT_SA_REPLACE IN 2420S; NEWEST IPSEC; EROUTE OWNER
>>>>> 000 #265: "PEER-52.63.20.251-TUNNEL-1" ESP.9998C8E5 at 52.63.20.251 (0
>>>>> BYTES) ESP.CD5A1422 at 203.191.19.3 (0 BYTES); TUNNEL
>>>>> 000 #263: "PEER-52.63.20.251-TUNNEL-1" STATE_MAIN_I4 (ISAKMP SA
>>>>> ESTABLISHED); EVENT_SA_REPLACE IN 84976S; NEWEST ISAKMP
>>>>> 000
>>>>> SECURITY ASSOCIATIONS:
>>>>> NONE
>>>>>
>>>>> Can anyone see what am I doing wrong?
>>>>>
>>>>> Thanks.
>>>>>
>>>>> Links:
>>>>> ------
>>>>> [1] http://203.191.19.3:4500
>>>>> [2] http://172.22.0.0/16:0/0
>>>>> [3] http://192.168.2.0/24:0/0
>>>>> [4] http://172.22.0.0/16===172.22.0.207[52.63.20.251]---172.22.0.1
>>>>> [5] http://192.168.2.0/24
>>>>> [6] http://10.0.0.0/8
>>>>> [7] http://192.168.0.0/16
>>>>> [8] http://172.16.0.0/12
>>>>> [9] http://25.0.0.0/8
>>>>> [10] http://172.22.0.0/16
>>>>> [11]
>>>>> http://172.22.0.0/16===172.22.0.207[52.63.20.251]---172.22.0.1...203.191.19.3
>>>>> [12]
>>>>> http://10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!172.22.0.0/16
>>>>> [13]
>>>>> http://192.168.2.0/24===203.191.19.3:4500[203.191.19.3]...52.63.20.251:4500[52.63.20.251]===172.22.0.0/16
>>>>>
>>>>> _______________________________________________
>>>>> Users at lists.openswan.org
>>>>> https://lists.openswan.org/mailman/listinfo/users
>>>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>>>> Building and Integrating Virtual Private Networks with Openswan:
>>>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
>>> _______________________________________________
>>> Users at lists.openswan.org
>>> https://lists.openswan.org/mailman/listinfo/users
>>> Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
>>> Building and Integrating Virtual Private Networks with Openswan:
>>> http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openswan.org/pipermail/users/attachments/20160212/a578475c/attachment-0001.html>
More information about the Users
mailing list