
List:       openswan-users
Subject:    Re: [Openswan Users] INVALID_ID_INFORMATION between OpenSwan and Checkpoint
From:       Patrick Naubert <patrickn () xelerance ! com>
Date:       2015-07-30 12:30:46
Message-ID: 2DAEB245-1368-4E68-9C06-F417C033C47B () xelerance ! com


Rescued from the spam bucket.  Please remember to subscribe to the mailing list before posting to it.

From: Daniel Cave <dan.cave@icloud.com>
Subject: Re: [Openswan Users] INVALID_ID_INFORMATION between OpenSwan and Checkpoint
Date: July 29, 2015 at 3:14:17 PM EDT
To: Simon Deziel <simon@xelerance.com>
Cc: "users@lists.openswan.org" <users@lists.openswan.org>


FWIW, this article below does. It covers the following gotchas and problems caused by a potential lack of understanding of how AWS EC2 instances and security policy

1. To allow traffic to pass through your VPN server you must disable source address checking, which can be done by right-clicking the instance in the EC2 manager and going to security settings. This allows traffic from another network outside of that used by your VPC/classic instance so your end-to-end routing works.

2. Disable iptables on Linux.

3. Create a security group for your cons networks and add the subnets into that from all the networks which are going INTO the VPN instance and apply that security group to the EC2 instance where applicable.

#lotsOfLessonsLearnedFromExperience

Hope that helps

Sent from my iPhone

> On 29 Jul 2015, at 16:31, Simon Deziel <simon@xelerance.com> wrote:
> 
> Hi Daniel,
> 
> You might find the following wiki page helpful:
> https://github.com/xelerance/Openswan/wiki/Amazon-ec2-example
> 
> Regards,
> Simon
> 
> > On 07/24/2015 02:51 AM, Daniel Carraro wrote:
> > Hi All,
> > 
> > I'm running OpenSwan on an Amazon Linux EC2 Instance (inside a VPC) and
> > am trying to connect to a Checkpoint 4800 Series appliance (running R75.45).
> > 
> > Phase 1 passes successfully, however I'm having issues with Phase 2.
> > Specifically, INVALID_ID_INFORMATION gets sent from my EC2 instance back
> > to the Client.
> > 
> > I'll give a quick summary of the networks:
> > - Our VPC is 10.200.0.0/16; the OpenSwan instance is 54.66.155.156 (10.200.0.171)
> > - Their network is 192.168.187.0/24; their public endpoint is 203.39.70.3 (192.168.187.253)
> > 
> > What's odd as well, I'm able to ping/telnet servers inside their network
> > (192.168.187.0/24), but they're unable to ping/ssh inside my network (10.200.0.0/16).
> > 
> > I've included relevant config/log files below, trying to condense when
> > possible:
> > 
> > /etc/ipsec.conf:
> > version 2.0     # conforms to second version of ipsec.conf specification
> > # basic configuration
> > config setup
> >     # Debug-logging controls:  "none" for (almost) none, "all" for lots.
> >     klipsdebug=none
> >     plutodebug="control parsing"
> >     # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
> >     protostack=netkey
> >     nat_traversal=yes
> >     virtual_private=
> >     oe=off
> >     # Enable this if you see "failed to find any available worker"
> >     # nhelpers=0
> >     # custom config options
> >     force_keepalive=yes
> >     keep_alive=10
> > # You may put your configuration (.conf) file in the "/etc/ipsec.d/" and
> > # uncomment this.
> > include /etc/ipsec.d/*.conf
> > 
> > /etc/ipsec.d/wc-vpn.conf:
> > conn wc-vpn
> >     type=tunnel
> >     auth=esp
> >     authby=secret
> > 
> >     left=10.200.0.171
> >     leftid=54.66.155.156
> >     leftnexthop=%defaultroute
> >     leftsubnet=10.200.0.0/16
> >     leftprotoport=0/0
> > 
> >     right=203.39.70.3
> >     rightid=203.39.70.3/32
> >     rightsubnet=192.168.187.0/24
> >     rightnexthop=192.168.187.253
> >     rightprotoport=0/0
> > 
> >     keyexchange=ike
> >     ike=aes256-sha1;modp1024!
> >     ikelifetime=28800s
> > 
> >     phase2alg=aes256-sha1
> >     keylife=3600s
> > 
> >     dpddelay=3
> >     dpdtimeout=10
> >     dpdaction=clear
> > 
> >     pfs=no
> >     auto=start
> >     forceencaps=yes
> >     compress=no
> > 
> > /etc/ipsec.d/wc-vpn.secrets (with actual PSK changed):
> > 54.66.155.156 203.39.70.3: PSK "1234567890"
> > 
> > Finally, a snippet from /var/log/secure:
> > Jul 19 23:10:28 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: sending encrypted notification INVALID_ID_INFORMATION to 203.39.70.3:500
> > Jul 19 23:10:32 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: the peer proposed: 10.200.0.0/16:0/0 -> 203.39.70.3/32:0/0
> > Jul 19 23:10:32 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: cannot respond to IPsec SA request because no connection is known for 10.200.0.0/16===10.200.0.171<10.200.0.171>[54.66.155.156,+S=C]...203.39.70.3<203.39.70.3>[+S=C]
> > 
> > Any help would be greatly appreciated.
> > 
> > Thanks,
> > Daniel
> > 
> > 
> > _______________________________________________
> > Users@lists.openswan.org
> > https://lists.openswan.org/mailman/listinfo/users
> > Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > Building and Integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
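The quoted pluto log shows the pattern behind this INVALID_ID_INFORMATION: pluto records the Phase 2 selectors the peer proposed (10.200.0.0/16 -> 203.39.70.3/32, i.e. the Checkpoint offered only its gateway address for its own side), finds no conn whose leftsubnet/rightsubnet pair equals that proposal (the conn expects 192.168.187.0/24), logs "no connection is known for ...", and rejects the SA. The script below is an added example, not code from the thread or from Openswan, that mechanises that comparison so the disagreeing side can be read off directly instead of by eye. It assumes a conn file and pluto log lines constructed here after the quoted ones, plus a hypothetical second conn named wc-vpn-gateway-only (not in the original post) to show which configuration would have matched the proposal; the "/32 when no subnet is given" default mirrors Openswan's documented behaviour.

```python
"""Compare the Phase 2 selectors a peer proposed (from pluto log lines) with
the leftsubnet/rightsubnet pairs configured in ipsec.conf conn sections.

Added example: the conn file and log lines are constructed after the ones
quoted in the thread; the second conn is hypothetical.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed conn file: wc-vpn as posted (condensed), plus a hypothetical
# conn whose right side is just the peer gateway, to show what would match.
SAMPLE_CONF = """\
conn wc-vpn
    left=10.200.0.171
    leftid=54.66.155.156
    leftsubnet=10.200.0.0/16
    right=203.39.70.3
    rightsubnet=192.168.187.0/24

conn wc-vpn-gateway-only
    left=10.200.0.171
    leftsubnet=10.200.0.0/16
    right=203.39.70.3
"""

# Constructed pluto log lines, condensed from the /var/log/secure snippet.
SAMPLE_LOG = """\
Jul 19 23:10:28 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: sending encrypted notification INVALID_ID_INFORMATION to 203.39.70.3:500
Jul 19 23:10:32 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: the peer proposed: 10.200.0.0/16:0/0 -> 203.39.70.3/32:0/0
Jul 19 23:10:32 ip-10-200-0-171 pluto[22644]: "wc-vpn" #616: cannot respond to IPsec SA request because no connection is known for 10.200.0.0/16===10.200.0.171<10.200.0.171>[54.66.155.156,+S=C]...203.39.70.3<203.39.70.3>[+S=C]
"""

PROPOSED_RE = re.compile(
    r'"(?P<conn>[^"]+)" #\d+: the peer proposed: '
    r'(?P<local>[\d.]+/\d+):\S+ -> (?P<remote>[\d.]+/\d+):\S+'
)
INVALID_ID_RE = re.compile(
    r'"(?P<conn>[^"]+)" #\d+: sending encrypted notification INVALID_ID_INFORMATION'
)


def parse_conns(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for 'conn NAME' sections made of key=value lines."""
    conns: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1].strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def selector(conn: Dict[str, str], side: str) -> ipaddress.IPv4Network:
    """Selector for one side: <side>subnet if set, otherwise the endpoint
    address as a /32 (the default when no subnet is configured)."""
    subnet = conn.get(side + "subnet") or conn[side] + "/32"
    return ipaddress.ip_network(subnet, strict=False)


def find_matching_conn(conns: Dict[str, Dict[str, str]], local: str, remote: str) -> Optional[str]:
    """First conn whose left/right selectors equal the proposed pair; None
    corresponds to pluto's 'no connection is known for ...' outcome."""
    want = (ipaddress.ip_network(local, strict=False), ipaddress.ip_network(remote, strict=False))
    for name, conn in conns.items():
        if (selector(conn, "left"), selector(conn, "right")) == want:
            return name
    return None


def diagnose(conf_text: str, log_text: str) -> List[dict]:
    """One finding per 'the peer proposed' log line, naming the side(s) that disagree."""
    conns = parse_conns(conf_text)
    rejected = {m["conn"] for m in INVALID_ID_RE.finditer(log_text)}
    findings = []
    for m in PROPOSED_RE.finditer(log_text):
        conn = conns.get(m["conn"])
        cfg_local = str(selector(conn, "left")) if conn else None
        cfg_remote = str(selector(conn, "right")) if conn else None
        findings.append({
            "conn": m["conn"],
            "invalid_id_seen": m["conn"] in rejected,
            "proposed_local": m["local"],
            "proposed_remote": m["remote"],
            "configured_local": cfg_local,
            "configured_remote": cfg_remote,
            "local_match": cfg_local == str(ipaddress.ip_network(m["local"], strict=False)),
            "remote_match": cfg_remote == str(ipaddress.ip_network(m["remote"], strict=False)),
            "matching_conn": find_matching_conn(conns, m["local"], m["remote"]),
        })
    return findings


if __name__ == "__main__":
    for f in diagnose(SAMPLE_CONF, SAMPLE_LOG):
        for side in ("local", "remote"):
            if not f[side + "_match"]:
                print(f'{f["conn"]}: {side} selector mismatch: peer proposed '
                      f'{f["proposed_" + side]}, conn has {f["configured_" + side]}')
        print(f'{f["conn"]}: conn that would match this proposal: {f["matching_conn"]}')
```

Run against the constructed input it reports that the local side (10.200.0.0/16) agrees and the remote side does not, and that only the hypothetical gateway-only conn would have matched. Whichever side is corrected, the two gateways' encryption domains have to be identical for Phase 2 to complete; the output tells you which one to go and compare with the Checkpoint administrator.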

