Hello,<div><br></div><div>I'm attempting to follow the tutorial at: <a href="https://www.openswan.org/projects/openswan/wiki/Amazon_EC2_example">https://www.openswan.org/projects/openswan/wiki/Amazon_EC2_example</a></div>
<div><br></div><div>I have an Ubuntu 10.04 EC2 instance that needs to be able to access an LDAP server on a remote network behind a Cisco ASA. The problem is that the LDAP server has the IP 10.10.1.13, which is in the block that EC2 uses.</div>
<div><br></div><div>There's a note in the tutorial "If it is via port forward, avoid 10/8 that Amazon uses". Any suggestions for what needs to be done if the other side does use that block? </div><div><br></div>
<div>Right now, the tunnel is successfully established:</div><div><br></div><div>$ sudo ipsec auto --up apd<div>117 "apd" #3: STATE_QUICK_I1: initiate</div><div>004 "apd" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x4041650d <0xa7665556 xfrm=3DES_0-HMAC_MD5 NATOA=none NATD=none DPD=none}</div>
<div><br></div><div>The problem is that pings to 10.10.1.13 aren't reaching the other end. From the EC2 instance, I run:</div><div><br></div><div>$ ping 10.1.1.13</div><div><br></div><div>All of the packets are lost, even though that box is in fact configured to respond to ping (same results with nmap to the LDAP port). I then monitor with:</div>
<div><br></div><div><div>$ sudo tcpdump -n host 10.1.1.13</div><div>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode</div><div>listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes</div>
<div>12:40:07.212436 IP 10.243.79.134 > 10.1.1.13: ICMP echo request, id 62815, seq 1, length 64</div><div>12:40:08.229371 IP 10.243.79.134 > 10.1.1.13: ICMP echo request, id 62815, seq 2, length 64</div>
</div><div><br></div><div>My IPSec verify looks good, I think:</div><div><br></div><div><div>$ sudo ipsec verify</div><div>Checking your system to see if IPsec got installed and started correctly:</div><div>Version check and ipsec on-path [OK]</div>
<div>Linux Openswan U2.6.23/K2.6.32-318-ec2 (netkey)</div><div>Checking for IPsec support in kernel [OK]</div><div>NETKEY detected, testing for disabled ICMP send_redirects [OK]</div>
<div>NETKEY detected, testing for disabled ICMP accept_redirects [OK]</div><div>Checking for RSA private key (/etc/ipsec.secrets) [OK]</div>
<div>Checking that pluto is running [OK]</div><div>Pluto listening for IKE on udp 500 [OK]</div>
<div>Pluto listening for NAT-T on udp 4500 [OK]</div><div>Two or more interfaces found, checking IP forwarding [OK]</div>
<div>Checking NAT and MASQUERADEing [N/A]</div><div>Checking for 'ip' command [OK]</div>
<div>Checking for 'iptables' command [OK]</div><div>Opportunistic Encryption Support [DISABLED]</div>
</div><div><br></div><div>Any hints on how to solve the 10.0.0.0/8 thing or maybe some additional debugging tips I could try?</div><div><br></div><div>Also, if anyone else is trying to follow that tutorial using Ubuntu 10.04, this might help:</div>
<div><a href="https://gist.github.com/2871257">https://gist.github.com/2871257</a></div><div><br></div><div>I wrote up detailed instructions for Ubuntu 10.04 (which needs network parameters to be tuned) and a subnet to subnet connection specifically.</div>
<div><br></div><div>Thanks</div><div>-Wes</div><div><br></div>-- <br><font face="verdana, sans-serif" color="#333333"><b>Wes Winham, Product Development</b><br><span style="border-collapse:collapse;font-family:arial,sans-serif;font-size:13px;color:rgb(0,0,0)"><font color="#333333" face="verdana, sans-serif"><font size="1">PolicyStat, LLC </font></font><font size="1" style="color:rgb(51,51,51);font-family:verdana,sans-serif"><span style="color:rgb(51,51,51)">|<font color="#333333"><font face="verdana, sans-serif"> </font></font></span></font><font color="#333333" face="verdana, sans-serif" size="1">mobile: 405.320.9379 | desk: 317.644.1296 x1105</font></span><br>
<font size="1">schedule: <a href="http://tungle.me/weswinham" target="_blank">http://tungle.me/weswinham</a></font></font><br>
</div>