
List:       openswan-users
Subject:    Re: [Openswan Users] "We cannot identify ourselves with either end of this connection." on EC2 insta
From:       Amos Shapira <amos.shapira () gmail ! com>
Date:       2016-01-20 5:14:08
Message-ID: CAF9n_WXrws0bvBYCWY0j019UCR7hDSMBEd4zvgMuOEmNGfdzRQ () mail ! gmail ! com


Hi Neal,

Just a quick update - I'm not sure what changed but I managed to get the
VPN working without adding the sourceip fields. The second tunnel also
reports up after a while, sometimes.

I also got forwarding between all subnets (public and private on each side
of the VPN) as well as NAT to the public Internet from the single EC2
instance.

Here are the working configuration files, in case someone else finds this
useful:

/etc/ipsec.conf (note - 172.29/16 is the local subnet of the EC2 instance
running openswan):
version 2.0
config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!172.29.0.0/16
    oe=off
    protostack=netkey
    interfaces=%defaultroute
include /etc/ipsec.d/*.conf

/etc/ipsec.d/tunnel1.conf:
conn sin-test-1-syd-test-3-1
    type=tunnel
    authby=secret
    forceencaps=yes
    auto=start
    left=%defaultroute
    leftid=52.74.73.X
    leftnexthop=%defaultroute
    leftsubnet=172.29.0.0/16
    right=52.64.24.Y
    rightid=52.64.24.Y
    rightsubnet=172.26.0.0/16

Thanks for your help.

--Amos

On 19 January 2016 at 17:42, Amos Shapira <amos.shapira@gmail.com> wrote:

> Thanks Neal,
> 
> I'll test that when I get back to the office tomorrow.
> 
> In the meantime I found a copy of the old working ipsec.conf and compared
> it with the one that doesn't work (which is basically the default one from
> the Ubuntu package, plus an "include /etc/ipsec.d/*.conf") and noticed that
> they differ in the "protostack" setting - the working one had "netkey" and
> the broken one had "auto". Once I updated the broken config file to
> "netkey" the connection came up (with everything else untouched, as far as
> I remember).
> 
> One of the VPN tunnels is now marked as "up" on the AWS side (the second
> one is down, with an error about "can't set eroute, already used" in the
> ipsec logs, I suspect this is normal), but no routing is happening. (ping
> to an EC2 instance behind the virtual GW doesn't get any response, and I
> don't see where the packets go. It's not a firewall/security-group/acl
> issue).
> 
> Cheers,
> 
> --Amos
> 
> On 19 January 2016 at 17:04, Neal P. Murphy <neal.p.murphy@alum.wpi.edu>
> wrote:
> 
> > On Tue, 19 Jan 2016 15:47:20 +1100
> > Amos Shapira <amos.shapira@gmail.com> wrote:
> > 
> > > Hello,
> > > 
> > > I'm trying to connect an EC2 instance to an Amazon Virtual gateway using
> > > openswan.
> > > 
> > > My configuration:
> > > 
> > > 1. Ubuntu Trusty, up to date.
> > > 2. Openswan 2.6.38 from the standard Ubuntu package.
> > > 
> > > The following configuration (real IP's slightly obscured) worked for me
> > > before when I did manual tests:
> > > 
> > > conn sing-sydney
> > >     type=tunnel
> > >     authby=secret
> > >     forceencaps=yes
> > >     auto=start
> > >     left=%defaultroute
> > >     leftid=52.74.73.X
> > >     #leftsourceip=52.74.73.X
> > >     leftnexthop=%defaultroute
> > >     leftsubnet=172.28.0.0/16
> > >     right=52.64.16.Y
> > >     rightid=52.64.16.Y
> > >     rightsubnet=172.27.0.0/16
> > > 
> > > ...
> > > So what am I missing to make it work?
> > 
> > I think you need *sourceip.
> > 
> > In a nutshell (meaning this is close but mayhap not technically
> > accurate), 'left' and 'right' are the publicly-accessible addresses; each
> > tells the remote end where to send packets. 'leftsourceip' and
> > 'rightsourceip' are the 'private' or 'locally assigned' addresses on the
> > public-facing interfaces; each tells the local end which interface to use.
> > *sourceip is usually used when an end is behind a NATting firewall; this
> > end usually has to initiate the VPN.
> > 
> > N
> > _______________________________________________
> > Users@lists.openswan.org
> > https://lists.openswan.org/mailman/listinfo/users
> > Micropayments: https://flattr.com/thing/38387/IPsec-for-Linux-made-easy
> > Building and Integrating Virtual Private Networks with Openswan:
> > http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
> 
> 
> 
> 
> --
> <http://au.linkedin.com/in/gliderflyer>
> 



-- 
<http://au.linkedin.com/in/gliderflyer>

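Added example (not code from the thread or from the Openswan project): a small Python linter for the ipsec.conf pitfalls this thread turned on, run against the configuration Amos posted. It parses the "config setup" and "conn" sections and then flags four things: a protostack other than netkey (the Ubuntu default "auto" was the break here); forceencaps=yes without nat_traversal=yes in config setup (Openswan ignores forceencaps otherwise); a leftsubnet that falls inside a virtual_private range without a matching %v4:! exclusion (the posted config has the exclusion; without it a remote peer can claim inner addresses that overlap the local LAN); and two conns selecting the same leftsubnet/rightsubnet pair, which compete for a single eroute and are the usual reason the kernel stack refuses to install a second one. The sample input is the posted ipsec.conf and tunnel1.conf merged into one text, with the obscured 52.74.73.X / 52.64.24.Y kept verbatim; the broken variant and its hypothetical second tunnel (peer 52.64.25.Z) are constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Sample input: the poster's ipsec.conf and tunnel1.conf merged into one text (the
# include line is therefore dropped). 52.74.73.X / 52.64.24.Y are the obscured
# addresses from the post, kept verbatim; spaces indent the parameters, as tabs would.
WORKING = """\
version 2.0
config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!172.29.0.0/16
    oe=off
    protostack=netkey
    interfaces=%defaultroute

conn sin-test-1-syd-test-3-1
    type=tunnel
    authby=secret
    forceencaps=yes
    auto=start
    left=%defaultroute
    leftid=52.74.73.X
    leftnexthop=%defaultroute
    leftsubnet=172.29.0.0/16
    right=52.64.24.Y
    rightid=52.64.24.Y
    rightsubnet=172.26.0.0/16
"""
# Constructed broken variant: Ubuntu's default protostack=auto, no exclusion of the
# local subnet, and a hypothetical second tunnel to the same remote subnet (52.64.25.Z is made up).
TUNNEL2 = WORKING[WORKING.index("conn "):].replace("syd-test-3-1", "syd-test-3-2").replace("52.64.24.Y", "52.64.25.Z")
BROKEN = WORKING.replace("protostack=netkey", "protostack=auto").replace(",%v4:!172.29.0.0/16", "") + "\n" + TUNNEL2


def parse_ipsec_conf(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Return ('config setup' params, {conn name: params}). Section headers and
    directives ('version', 'include') start in column 0; parameters are indented."""
    setup: Dict[str, str] = {}
    conns: Dict[str, Dict[str, str]] = {}
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        if line[0] not in " \t":
            head = line.split()
            if head[:2] == ["config", "setup"]:
                current = setup
            elif head[0] == "conn" and len(head) > 1:
                current = conns.setdefault(head[1], {})
            else:  # version, include, ...: not followed by parameters
                current = None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return setup, conns


def parse_virtual_private(value: str):
    """Split '%v4:10.0.0.0/8,%v4:!172.29.0.0/16,...' into (included, excluded) networks."""
    included, excluded = [], []
    for item in filter(None, value.split(",")):
        m = re.fullmatch(r"%v[46]:(!?)(\S+)", item.strip())
        if m:
            (excluded if m.group(1) else included).append(ipaddress.ip_network(m.group(2), strict=False))
    return included, excluded


def lint(text: str) -> List[str]:
    """Return findings for the four checks (an empty list means clean)."""
    setup, conns = parse_ipsec_conf(text)
    findings: List[str] = []
    # 1. The thread's fix: Ubuntu's default protostack=auto broke the tunnel, netkey worked.
    stack = setup.get("protostack", "auto")
    if stack != "netkey":
        findings.append(f"config setup: protostack={stack}; set protostack=netkey")
    # 2. forceencaps=yes has no effect unless nat_traversal=yes is set in config setup.
    if setup.get("nat_traversal") != "yes":
        findings += [f"conn {n}: forceencaps=yes requires nat_traversal=yes"
                     for n, c in conns.items() if c.get("forceencaps") == "yes"]
    # 3. A local leftsubnet covered by virtual_private must be excluded with %v4:!subnet,
    #    or a remote peer may claim inner addresses that overlap the local LAN.
    included, excluded = parse_virtual_private(setup.get("virtual_private", ""))
    for name, c in conns.items():
        if not c.get("leftsubnet"):
            continue
        local = ipaddress.ip_network(c["leftsubnet"], strict=False)
        inside = lambda nets: any(local.subnet_of(n) for n in nets if n.version == local.version)
        if inside(included) and not inside(excluded):
            findings.append(f"conn {name}: leftsubnet {local} inside virtual_private; add %v4:!{local}")
    # 4. Two conns with the same leftsubnet/rightsubnet pair compete for one eroute.
    seen: Dict[Tuple[str, str], str] = {}
    for name, c in conns.items():
        pair = (c.get("leftsubnet", ""), c.get("rightsubnet", ""))
        if pair in seen:
            findings.append(f"conn {name}: same subnet pair as conn {seen[pair]}; only one eroute")
        seen.setdefault(pair, name)
    return findings
```

lint(WORKING) returns an empty list; lint(BROKEN) returns four findings: the protostack warning, one virtual_private exclusion warning per conn, and the duplicate subnet pair. The linter is static, so it cannot tell whether left/leftid actually match a local interface (the "cannot identify ourselves" case in the subject line); for that, "ipsec verify" and "ipsec auto --status" on the host remain the checks to run.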