Hi Ryan,<div><br></div><div>Sorry if I'm being dense (networking is definitely not my strong point), but I have a couple of questions:</div><div><br></div><div>1. I've read many threads on this list where folks pointed out that you should almost never need to mess with adding routes yourself, because if you configured your connection correctly, OpenSwan would do that for you. Is there a good rule of thumb for when this isn't true? In this case, don't the leftnexthop and leftsourceip settings both tweak the way OpenSwan sets up routes to the rightsubnet? </div>
<div><br></div><div>Is the problem that both Amazon and OpenSwan are using a network range route and Amazon's is taking precedence, but a host route I add myself will take precedence over them both?</div><div><br>2. When I have the connection up, I can run:</div>
<div><br></div><div><div>$ sudo ip -s route get <a href="http://10.10.1.13/32">10.10.1.13/32</a></div><div>10.10.1.13 dev eth0 src 184.72.237.166 </div><div> cache users 1 mtu 1500 advmss 1460 hoplimit 64</div></div>
<div><br></div><div>With my limited understanding, this route (to the desired remote LDAP server), should be going through the default gateway on eth0 and should have a src IP of 184.72.237.166 (my elastic IP address). Isn't this what I want?</div>
<div><br></div><div>Thanks so much.</div><div>-Wes</div><div><br></div><div>sudo ip route add 10.10.1.13 via <rightside_ip> src <left_elastic_ip></div><div><br><div class="gmail_quote">On Wed, Jun 6, 2012 at 1:02 PM, Ryan Whelan <span dir="ltr"><<a href="mailto:rcwhelan@gmail.com" target="_blank">rcwhelan@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">If you add a host route, it should take precedence over a network range route.<br>
<div><div class="h5"><br>
On Wed, Jun 6, 2012 at 12:51 PM, Wes Winham <<a href="mailto:wes@policystat.com">wes@policystat.com</a>> wrote:<br>
> Hello,<br>
><br>
> I'm attempting to follow the tutorial<br>
> at: <a href="https://www.openswan.org/projects/openswan/wiki/Amazon_EC2_example" target="_blank">https://www.openswan.org/projects/openswan/wiki/Amazon_EC2_example</a><br>
><br>
> I have an Ubuntu 10.04 ec2 instance that needs to be able to access an LDAP<br>
> server on a remote network behind a Cisco ASA. The problem is that the LDAP<br>
> server has the IP 10.10.1.13, which is in the block that EC2 uses.<br>
><br>
> There's a note in the tutorial "If it is via port forward, avoid 10/8 that<br>
> Amazon uses". Any suggestions for what needs to be done if the other side<br>
> does use that block?<br>
><br>
> Right now, the tunnel is successfully established:<br>
><br>
> $ sudo ipsec auto --up apd<br>
> 117 "apd" #3: STATE_QUICK_I1: initiate<br>
> 004 "apd" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode<br>
> {ESP/NAT=>0x4041650d <0xa7665556 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none<br>
> DPD=none}<br>
><br>
> The problem is that pings to 10.10.1.13 aren't reaching the other end. From<br>
> the EC2 instance, I run:<br>
><br>
> $ ping 10.1.1.13<br>
><br>
> All of the packets are lost, even though that box is in fact configured to<br>
> respond to ping (same results with nmap to the LDAP port). I then monitor<br>
> with:<br>
><br>
> $ sudo tcpdump -n host 10.1.1.13<br>
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br>
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes<br>
> 12:40:07.212436 IP 10.243.79.134 > <a href="http://10.1.1.13" target="_blank">10.1.1.13</a>: ICMP echo request, id 62815,<br>
> seq 1, length 64<br>
> 12:40:08.229371 IP 10.243.79.134 > <a href="http://10.1.1.13" target="_blank">10.1.1.13</a>: ICMP echo request, id 62815,<br>
> seq 2, length 64<br>
><br>
> My IPSec verify looks good I think:<br>
><br>
> $ sudo ipsec verify<br>
> Checking your system to see if IPsec got installed and started correctly:<br>
> Version check and ipsec on-path [OK]<br>
> Linux Openswan U2.6.23/K2.6.32-318-ec2 (netkey)<br>
> Checking for IPsec support in kernel [OK]<br>
> NETKEY detected, testing for disabled ICMP send_redirects [OK]<br>
> NETKEY detected, testing for disabled ICMP accept_redirects [OK]<br>
> Checking for RSA private key (/etc/ipsec.secrets) [OK]<br>
> Checking that pluto is running [OK]<br>
> Pluto listening for IKE on udp 500 [OK]<br>
> Pluto listening for NAT-T on udp 4500 [OK]<br>
> Two or more interfaces found, checking IP forwarding [OK]<br>
> Checking NAT and MASQUERADEing [N/A]<br>
> Checking for 'ip' command [OK]<br>
> Checking for 'iptables' command [OK]<br>
> Opportunistic Encryption Support [DISABLED]<br>
><br>
> Any hints on how to solve the <a href="http://10.0.0.0/8" target="_blank">10.0.0.0/8</a> thing or maybe some additional<br>
> debugging tips I could try?<br>
><br>
> Also, if anyone else is trying to follow that tutorial using Ubuntu 10.04,<br>
> this might help:<br>
> <a href="https://gist.github.com/2871257" target="_blank">https://gist.github.com/2871257</a><br>
><br>
> I wrote up detailed instructions for Ubuntu 10.04 (which needs network<br>
> parameters to be tuned) and a subnet to subnet connection specifically.<br>
><br>
> Thanks<br>
> -Wes<br>
><br>
> --<br>
> Wes Winham, Product Development<br>
> PolicyStat, LLC | mobile: <a href="tel:405.320.9379" value="+14053209379">405.320.9379</a> | desk: <a href="tel:317.644.1296%20x1105" value="+13176441296">317.644.1296 x1105</a><br>
> schedule: <a href="http://tungle.me/weswinham" target="_blank">http://tungle.me/weswinham</a><br>
><br>
</div></div>> _______________________________________________<br>
> <a href="mailto:Users@lists.openswan.org">Users@lists.openswan.org</a><br>
> <a href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a><br>
> Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
> Building and Integrating Virtual Private Networks with Openswan:<br>
> <a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a><br>
><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><font face="verdana, sans-serif" color="#333333"><b>Wes Winham, Product Development</b><br><span style="border-collapse:collapse;font-family:arial,sans-serif;font-size:13px;color:rgb(0,0,0)"><font color="#333333" face="verdana, sans-serif"><font size="1">PolicyStat, LLC </font></font><font size="1" style="color:rgb(51,51,51);font-family:verdana,sans-serif"><span style="color:rgb(51,51,51)">|<font color="#333333"><font face="verdana, sans-serif"> </font></font></span></font><font color="#333333" face="verdana, sans-serif" size="1">mobile: 405.320.9379 | desk: 317.644.1296 x1105</font></span><br>
<font size="1">schedule: <a href="http://tungle.me/weswinham" target="_blank">http://tungle.me/weswinham</a></font></font><br>
</div>