[Openswan Users] S2S Centos7 OpenSwan to AWS VPC VPN Woes / Assistance Request

Mr Paws mpawelsk at gmail.com
Tue May 3 01:19:42 EDT 2016


Hello!

First I'll just say thank you for having such a list and for creating a
great product.  I've come from basically ground 0 with VPN technology to
'almost there' for a basic configuration over the last couple of weeks.
Switched between Strongswan and Openswan implementations on Centos 7 and
basically always got stuck at the same part regardless of which product is
used.   Here goes and thanks in advance for considering my situation.

I have configured an AWS VPC Hardware VPN and have an offsite office
running OpenSwan (and also Strongswan configured, but only running one at a
time).  Thus far traffic can transmit from AWS into office network and any
of the machines can respond. I cannot however transmit from the office to
an AWS EC2 instance.

I've added static routes on the EC2 side and established the tunnel
successfully, but I see packets from the office destined for the VPC VPN
getting filtered by my ISP's gateway (admin prohibited: it refuses to forward
packets destined for the private address range, and rightly so!). This tells me
I have a problem on my end.

My desired configuration is similar to this test case for Strongswan (I
realize this is OpenSwan we're talking about):

https://www.strongswan.org/testing/testresults/ikev1/net2net-psk/

OFFICE / LEFT / MOON

# cat /etc/ipsec.d/aws_vpc.conf

conn VPC-CUST-GW1
  type=tunnel
  authby=secret
  left=%defaultroute
  pfs=yes
  ike=aes128-sha1
  ikelifetime=28800s
  salifetime=3600s
  ikev2=never
  phase2=esp
  phase2alg=aes128-sha1
  leftsubnet=10.0.0.0/22
  leftnexthop=%defaultroute
  leftid=216.243.47.245
  rekey=yes
  right=52.39.7.197
  rightsubnet=10.0.4.0/24
  auto=start
  keyingtries=%forever
  dpddelay=10
  dpdtimeout=60
  dpdaction=restart_by_peer

# cat /etc/ipsec.conf

# /etc/ipsec.conf - Libreswan IPsec configuration file

# This file:  /etc/ipsec.conf
#
# Enable when using this configuration file with openswan instead of libreswan
#version 2
#
# Manual:     ipsec.conf.5

# basic configuration
config setup
        # which IPsec stack to use, "netkey" (the default), "klips" or "mast".
        # For MacOSX use "bsd"
        protostack=netkey
        #
        # Normally, pluto logs via syslog. If you want to log to a file,
        # specify below or to disable logging, eg for embedded systems, use
        # the file name /dev/null
        # Note: SElinux policies might prevent pluto writing to a log file at
        #       an unusual location.
        logfile=/var/log/pluto.log
        #
        # The interfaces= line is only required for the klips/mast stack
        #interfaces="%defaultroute"
        #interfaces="ipsec0=eth0 ipsec1=ppp0"
        #
        # If you want to limit listening on a single IP - not required for
        # normal operation
        #listen=127.0.0.1
        #
        # Do not set debug options to debug configuration issues!
        #
        # plutodebug / klipsdebug = "all", "none" or a combination from below:
        # "raw crypt parsing emitting control kernel pfkey natt x509 dpd
        #  private".
        # Note: "crypt" is not included with "all", as it can show confidential
        #       information. It must be specifically specified
        # examples:
        # plutodebug="control parsing"
        # plutodebug="all crypt"
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #plutodebug=none
        #klipsdebug=none
        #
        # Enable core dumps (might require system changes, like ulimit -C)
        # This is required for abrtd to work properly
        # Note: SElinux policies might prevent pluto writing the core at
        #       unusual locations
        dumpdir=/var/run/pluto/
        #
        # NAT-TRAVERSAL support
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using 25/8 as "private" address space on their wireless networks.
        # This range has never been announced via BGP (at least upto 2015)
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

# For example connections, see your distribution's documentation directory,
# or https://libreswan.org/wiki/
#
# There is also a lot of information in the manual page, "man ipsec.conf"
#
# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
include /etc/ipsec.d/*.conf

# ip xfrm state
src 52.39.7.197 dst 216.243.47.245
        proto esp spi 0x266885c1 reqid 16389 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0x10dbf3efa43767dc1d32ae9a0feec92392e1aaa9 96
        enc cbc(aes) 0x28d9edd61a117bdd44498a6f754e5fde
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 216.243.47.245 dst 52.39.7.197
        proto esp spi 0xd962f547 reqid 16389 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0x3594bd0dc9a907603f582f1246106edbb4332c67 96
        enc cbc(aes) 0x381e74cfc6b05a187e1c96e456df249c
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0

# ip -s xfrm policy
src 10.0.0.0/22 dst 10.0.4.0/24 uid 0
        dir out action allow index 1121 priority 2408 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2016-05-02 14:24:39 use 2016-05-02 14:55:35
        tmpl src 216.243.47.245 dst 52.39.7.197
                proto esp spi 0x00000000(0) reqid 16389(0x00004005) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.0.4.0/24 dst 10.0.0.0/22 uid 0
        dir fwd action allow index 1186 priority 2408 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2016-05-02 14:24:39 use 2016-05-02 14:55:35
        tmpl src 52.39.7.197 dst 216.243.47.245
                proto esp spi 0x00000000(0) reqid 16389(0x00004005) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.0.4.0/24 dst 10.0.0.0/22 uid 0
        dir in action allow index 1176 priority 2408 ptype main share any flag  (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2016-05-02 14:24:39 use -
        tmpl src 52.39.7.197 dst 216.243.47.245
                proto esp spi 0x00000000(0) reqid 16389(0x00004005) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src ::/0 dst ::/0 proto ipv6-icmp type 135 uid 0

.....

# ip route
default via 216.243.47.1 dev enp3s0
10.0.0.0/22 dev bond0  proto kernel  scope link  src 10.0.0.1
169.254.0.0/16 dev enp3s0  scope link  metric 1002
169.254.0.0/16 dev bond0  scope link  metric 1005
216.243.47.0/24 dev enp3s0  proto kernel  scope link  src 216.243.47.245

# ipsec status
000 using kernel interface: netkey
000 interface lo/lo ::1 at 500
000 interface enp3s0/enp3s0 2604:4080:115f:0:52e5:49ff:feb5:8b5e at 500
000 interface lo/lo 127.0.0.1 at 4500
000 interface lo/lo 127.0.0.1 at 500
000 interface enp3s0/enp3s0 216.243.47.245 at 4500
000 interface enp3s0/enp3s0 216.243.47.245 at 500
000 interface enp3s0/enp3s0 169.254.12.17 at 4500
000 interface enp3s0/enp3s0 169.254.12.17 at 500
000 interface bond0/bond0 10.0.0.1 at 4500
000 interface bond0/bond0 10.0.0.1 at 500
000
000
000 fips mode=disabled;
000 SElinux=enabled
000
000 config setup options:
000
000 configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d, dumpdir=/var/run/pluto/, statsbin=unset
000 sbindir=/usr/sbin, libexecdir=/usr/libexec/ipsec
000 pluto_version=3.15, pluto_vendorid=OE-Libreswan-3.15
000 nhelpers=-1, uniqueids=yes, perpeerlog=no, shuntlifetime=900s, xfrmlifetime=300s
000 ddos-cookies-treshold=50000, ddos-max-halfopen=25000, ddos-mode=auto
000 ikeport=500, strictcrlpolicy=no, crlcheckinterval=0, listen=<any>, nflog-all=0
000 secctx-attr-type=32001
000 myid = (none)
000 debug none
000
000 nat-traversal=yes, keep-alive=20, nat-ikeport=4500
000 virtual-private (%priv):
000 - allowed subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 100.64.0.0/10, fd00::/8, fe80::/10
000
000 ESP algorithms supported:
000
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=128, keysizemax=128
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm AH/ESP auth: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm AH/ESP auth: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm AH/ESP auth: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm AH/ESP auth: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm AH/ESP auth: id=9, name=AUTH_ALGORITHM_AES_XCBC, keysizemin=128, keysizemax=128
000 algorithm AH/ESP auth: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000
000 IKE algorithms supported:
000
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=16, v2name=AES_CCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=15, v2name=AES_CCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=0, v1name=0??, v2id=14, v2name=AES_CCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: v1id=24, v1name=OAKLEY_CAMELLIA_CTR, v2id=24, v2name=CAMELLIA_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=20, v1name=OAKLEY_AES_GCM_C, v2id=20, v2name=AES_GCM_C, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=19, v1name=OAKLEY_AES_GCM_B, v2id=19, v2name=AES_GCM_B, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=18, v1name=OAKLEY_AES_GCM_A, v2id=18, v2name=AES_GCM_A, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65004, v1name=OAKLEY_SERPENT_CBC, v2id=65004, v2name=SERPENT_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65005, v1name=OAKLEY_TWOFISH_CBC, v2id=65005, v2name=TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: v1id=65289, v1name=OAKLEY_TWOFISH_CBC_SSH, v2id=65289, v2name=TWOFISH_CBC_SSH, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashlen=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashlen=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashlen=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashlen=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashlen=64
000 algorithm IKE hash: id=9, name=DISABLED-OAKLEY_AES_XCBC, hashlen=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,64} trans={0,2,6144} attrs={0,2,4096}
000
000 Connection list:
000
000 "VPC-CUST-GW1": 10.0.0.0/22===216.243.47.245---216.243.47.1...52.39.7.197<52.39.7.197>===10.0.4.0/24; erouted; eroute owner: #2
000 "VPC-CUST-GW1":     oriented; my_ip=unset; their_ip=unset
000 "VPC-CUST-GW1":   xauth info: us:none, them:none,  my_xauthuser=[any]; their_xauthuser=[any]
000 "VPC-CUST-GW1":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "VPC-CUST-GW1":   labeled_ipsec:no;
000 "VPC-CUST-GW1":   policy_label:unset;
000 "VPC-CUST-GW1":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "VPC-CUST-GW1":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "VPC-CUST-GW1":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "VPC-CUST-GW1":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "VPC-CUST-GW1":   conn_prio: 22,24; interface: enp3s0; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "VPC-CUST-GW1":   dpd: action:restart; delay:10; timeout:60; nat-t: force_encaps:no; nat_keepalive:yes; ikev1_natt:both
000 "VPC-CUST-GW1":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "VPC-CUST-GW1":   IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)_000-MODP2048(14), AES_CBC(7)_128-SHA1(2)_000-MODP1536(5), AES_CBC(7)_128-SHA1(2)_000-MODP1024(2)
000 "VPC-CUST-GW1":   IKE algorithms found:  AES_CBC(7)_128-SHA1(2)_160-MODP2048(14), AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "VPC-CUST-GW1":   IKE algorithm newest: AES_CBC_128-SHA1-MODP2048
000 "VPC-CUST-GW1":   ESP algorithms wanted: AES(12)_128-SHA1(2)_000
000 "VPC-CUST-GW1":   ESP algorithms loaded: AES(12)_128-SHA1(2)_000
000 "VPC-CUST-GW1":   ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=<Phase1>
000 "v6neighbor-hole-in": ::/0===::1<::1>:58/34560...%any:58/34816===::/0; prospective erouted; eroute owner: #0
000 "v6neighbor-hole-in":     oriented; my_ip=unset; their_ip=unset
000 "v6neighbor-hole-in":   xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
000 "v6neighbor-hole-in":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "v6neighbor-hole-in":   labeled_ipsec:no;
000 "v6neighbor-hole-in":   policy_label:unset;
000 "v6neighbor-hole-in":   ike_life: 0s; ipsec_life: 0s; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "v6neighbor-hole-in":   retransmit-interval: 0ms; retransmit-timeout: 0s;
000 "v6neighbor-hole-in":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "v6neighbor-hole-in":   policy: PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+PASS+NEVER_NEGOTIATE;
000 "v6neighbor-hole-in":   conn_prio: 0,0; interface: lo; metric: 0; mtu: unset; sa_prio:1; nflog-group: unset;
000 "v6neighbor-hole-in":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "v6neighbor-hole-out": ::/0===::1<::1>:58/34816...%any:58/34560===::/0; prospective erouted; eroute owner: #0
000 "v6neighbor-hole-out":     oriented; my_ip=unset; their_ip=unset
000 "v6neighbor-hole-out":   xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any]
000 "v6neighbor-hole-out":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "v6neighbor-hole-out":   labeled_ipsec:no;
000 "v6neighbor-hole-out":   policy_label:unset;
000 "v6neighbor-hole-out":   ike_life: 0s; ipsec_life: 0s; rekey_margin: 0s; rekey_fuzz: 0%; keyingtries: 0;
000 "v6neighbor-hole-out":   retransmit-interval: 0ms; retransmit-timeout: 0s;
000 "v6neighbor-hole-out":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "v6neighbor-hole-out":   policy: PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+PASS+NEVER_NEGOTIATE;
000 "v6neighbor-hole-out":   conn_prio: 0,0; interface: lo; metric: 0; mtu: unset; sa_prio:1; nflog-group: unset;
000 "v6neighbor-hole-out":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 Total IPsec connections: loaded 3, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #2: "VPC-CUST-GW1":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 896s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "VPC-CUST-GW1" esp.d962f547@52.39.7.197 esp.266885c1@216.243.47.245 tun.0@52.39.7.197 tun.0@216.243.47.245 ref=0 refhim=4294901761 Traffic: ESPout=157KB ESPin=159KB! ESPmax=4194303B
000 #1: "VPC-CUST-GW1":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 25855s; newest ISAKMP; lastdpd=2s(seq in:14566 out:0); idle; import:admin initiate
000
000 Bare Shunt list:
000

# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 50:e5:49:b5:8b:5e brd ff:ff:ff:ff:ff:ff
    inet 216.243.47.245/24 brd 216.243.47.255 scope global dynamic enp3s0
       valid_lft 3469sec preferred_lft 3469sec
    inet6 2604:4080:115f:0:52e5:49ff:feb5:8b5e/64 scope global mngtmpaddr dynamic
       valid_lft 2591917sec preferred_lft 604717sec
    inet6 fe80::52e5:49ff:feb5:8b5e/64 scope link
       valid_lft forever preferred_lft forever
3: enp1s0f0: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master bond0 state UP qlen 1000
    link/ether 00:15:17:94:0d:38 brd ff:ff:ff:ff:ff:ff
4: enp1s0f1: <BROADCAST,MULTICAST,SLAVE,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master bond0 state UP qlen 1000
    link/ether 00:15:17:94:0d:38 brd ff:ff:ff:ff:ff:ff
5: bond0: <BROADCAST,MULTICAST,MASTER,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:15:17:94:0d:38 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.1/22 brd 10.0.0.255 scope global bond0
       valid_lft forever preferred_lft forever
    inet6 fe80::215:17ff:fe94:d38/64 scope link
       valid_lft forever preferred_lft forever
6: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN
    link/ipip 0.0.0.0 brd 0.0.0.0

# Troubleshooting

When I first configured it, I could only transmit to the Office gateway
(the VPN endpoint), so I added this rule on the office gateway:

iptables -t nat -A POSTROUTING -s 10.0.4.0/22 -d 10.0.0.0/22 -j SNAT --to 10.0.0.1

And then I could hit all of my Office machines from AWS.


So again, I can get packets into the office from AWS, but I can't get them
out of the office to AWS. When I tcpdump in the office I see ESP packets
and the pings from AWS, but when I ping AWS from the office, my ISP ends up
with the traffic. I don't know why the interface (ip_vti0) is down either, but
when I bring it up, the tunneling from AWS that does work stops working.
I can't seem to find a lot of good docs on how the interfaces and routing
work, but what I did find indicates that the openswan eroutes shown in the
ipsec status should handle the routing by themselves.


From EC2 instance (10.0.4.11) to Office machine:
[ec2-user@ip-10-0-4-11 ~]$ ping 10.0.0.12
PING 10.0.0.12 (10.0.0.12) 56(84) bytes of data.
64 bytes from 10.0.0.12: icmp_seq=1 ttl=127 time=9.07


From Office (10.0.0.1/22 : 216.243.47.245) to AWS:
# ping 10.0.4.11
PING 10.0.4.11 (10.0.4.11) 56(84) bytes of data.
From 216.243.47.1 icmp_seq=2 Packet filtered


It seems like I need a route or some kind of rule to transmit properly?

Thanks, I know it's asking a lot for help like this so if I can get more
information this is mostly a throwaway setup and can try anything to get it
working.

Matt



-- 
------------------
Matthew
"To be a rock and not to roll"
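The symptom above (an office-to-AWS ping answered by the ISP gateway with "Packet filtered" while the IPsec SA and the xfrm policies are both in place) is what a netkey/xfrm setup looks like when the outgoing packet matches no "out" policy selector: the kernel then simply routes it in the clear over the default route. Whether a packet matches is decided on its (src, dst) pair. For a ping started on the gateway itself, the source address is chosen by the routing table, and with only a default route via enp3s0 that means 216.243.47.245, which is outside leftsubnet 10.0.0.0/22. Hosts behind the gateway, such as 10.0.0.12, already source from inside that prefix. The script below is an added example, not code from the original post or from the Libreswan/Openswan project; it parses `ip -s xfrm policy` selectors (a constructed sample trimmed from the output in the post) and reports whether a given packet would be encapsulated or leak in the clear. Function names are mine.

```python
"""Decide whether an outgoing (src, dst) pair is covered by an xfrm 'out' policy.

Added example, not from the original mailing-list post. The policy text is
a constructed sample copied from the selectors shown in that post, with the
lifetime detail dropped; parse_xfrm_policy/lookup/fate are names chosen here.
"""
import ipaddress
import re

# Constructed sample of `ip -s xfrm policy` output (selectors from the post).
SAMPLE_POLICY = """\
src 10.0.0.0/22 dst 10.0.4.0/24 uid 0
        dir out action allow index 1121 priority 2408 ptype main share any flag  (0x00000000)
        tmpl src 216.243.47.245 dst 52.39.7.197
                proto esp spi 0x00000000(0) reqid 16389(0x00004005) mode tunnel
src 10.0.4.0/24 dst 10.0.0.0/22 uid 0
        dir fwd action allow index 1186 priority 2408 ptype main share any flag  (0x00000000)
        tmpl src 52.39.7.197 dst 216.243.47.245
src 10.0.4.0/24 dst 10.0.0.0/22 uid 0
        dir in action allow index 1176 priority 2408 ptype main share any flag  (0x00000000)
        tmpl src 52.39.7.197 dst 216.243.47.245
"""

# A selector header is unindented; "tmpl src ..." lines are indented and skipped.
_HEADER = re.compile(r"^src (\S+) dst (\S+)")
_DIR = re.compile(r"^\s+dir (\w+) action (\w+)")


def parse_xfrm_policy(text):
    """Return a list of (src_net, dst_net, direction, action) from `ip xfrm policy` text."""
    policies = []
    selector = None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            selector = (ipaddress.ip_network(m.group(1)), ipaddress.ip_network(m.group(2)))
            continue
        m = _DIR.match(line)
        if m and selector is not None:
            policies.append((selector[0], selector[1], m.group(1), m.group(2)))
            selector = None
    return policies


def lookup(policies, src, dst, direction="out"):
    """First policy whose selector covers the packet in that direction, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, dst_net, pdir, action in policies:
        if pdir == direction and s in src_net and d in dst_net:
            return (src_net, dst_net, pdir, action)
    return None


def fate(policies, src, dst):
    """'esp' if an 'out' policy would encapsulate the packet, 'clear' if it would
    leave the box unprotected via the ordinary routing table."""
    return "esp" if lookup(policies, src, dst, "out") else "clear"


if __name__ == "__main__":
    pol = parse_xfrm_policy(SAMPLE_POLICY)
    # Same destination, two different source addresses the gateway could pick.
    for src in ("10.0.0.1", "216.243.47.245"):
        print(f"{src:>16} -> 10.0.4.11 : {fate(pol, src, '10.0.4.11')}")
    # A host behind the gateway is always inside leftsubnet.
    print(f"{'10.0.0.12':>16} -> 10.0.4.11 : {fate(pol, '10.0.0.12', '10.0.4.11')}")
```

Run as-is it reports 10.0.0.1 and 10.0.0.12 as esp and 216.243.47.245 as clear, which is exactly the split between "pings from AWS are answered" and "pings from the gateway reach the ISP". On the gateway the equivalent one-liner is `ip route get 10.0.4.11`, which prints the source address the kernel will use. `ping -I 10.0.0.1 10.0.4.11` forces the inside address for a single test, and setting `leftsourceip=10.0.0.1` in the conn makes Libreswan install a route toward rightsubnet with that source address, so every locally generated packet lands in the policy instead of on the default route.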