Adding NAT IP to Openswan VPN Tunnel on Amazon EC2
Hello,
I’m currently working on an Openswan configuration that involves an Amazon EC2 instance in a VPC. I’ve gotten Openswan to work with EC2 before when it’s just a simple connection going from my local network to the customer local network. However, in this case the customer is asking that I add a NAT’d IP to our local network that they will use to transmit data to us. Having never done this before, I thought I’d see if someone here was more knowledgeable with setting up a NAT’d IP on an Ubuntu instance. I’ve included my ipsec.conf and a bit of the auth.log that shows the connection not working at this time. I did try searching a bit but was unable to find any Openswan links that had to do with this exact type of situation. Any help would be appreciated and thank you!

ipsec.conf:

version 2.0     # conforms to second version of ipsec.conf specification

config setup
    nat_traversal=yes
    nhelpers=0

conn testprod
    left=%defaultroute
    leftsubnet=10.170.18.9/32
    leftid=a.a.a.a
    right=b.b.b.b
    rightid=b.b.b.b
    rightsubnet=b.b.b.28/30
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
    authby=secret
    pfs=no
    forceencaps=yes
    auto=start
    compress=no

include /etc/ipsec.d/examples/no_oe.conf

auth.log:

Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: initiating Main Mode
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: STATE_MAIN_I2: sent MI2, expecting MR2
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: received Vendor ID payload [Cisco-Unity]
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: received Vendor ID payload [XAUTH]
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: ignoring unknown Vendor ID payload [234234234234]
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: I did not send a certificate because I do not have one.
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: STATE_MAIN_I3: sent MI3, expecting MR3
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: received Vendor ID payload [Dead Peer Detection]
Jan 9 10:35:44 xxx pluto[27135]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2079: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#2078}
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: received and ignored informational message
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: received Delete SA payload: deleting ISAKMP State #2078
Jan 9 10:35:44 xxx pluto[27135]: packet from abc.abc.abc.abc:4500: received and ignored informational message
For once I can answer my own question:
Looks like I was failing Phase 1 because the endpoint IP on my side was incorrect. Instead of using the local IP, all I had to do was put in a route for the NAT IP c.c.c.c, then point the leftsubnet=c.c.c.c/32
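As an added troubleshooting aid (not code from this thread), the following walks a pluto auth.log like the one quoted above and reports, per conn, how far the IKE negotiation got and which notify the peer sent back. It assumes the standard Openswan pluto message strings and uses a constructed excerpt of the log as input.

```python
import re

# Constructed excerpt of the pluto auth.log lines quoted in the post above
SAMPLE_LOG = """\
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: initiating Main Mode
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Jan 9 10:35:44 xxx pluto[27135]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2079: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#2078}
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: received Delete SA payload: deleting ISAKMP State #2078
Jan 9 10:35:44 xxx pluto[27135]: packet from abc.abc.abc.abc:4500: received and ignored informational message
"""

# pluto prefixes connection-scoped messages with "conn" #SA: ; debug and packet lines lack it
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')

def analyse_pluto_log(text):
    """Track, per connection name, how far the IKE negotiation got."""
    report = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unscoped line: cannot be attributed to a conn
        st = report.setdefault(m.group("conn"), {"phase1": False, "phase2_started": False,
                                                 "phase2": False, "nat": None, "notify": None})
        msg = m.group("msg")
        if "ISAKMP SA established" in msg:          # Main Mode (Phase 1) completed
            st["phase1"] = True
        elif "initiating Quick Mode" in msg:        # Phase 2 proposal sent to the peer
            st["phase2_started"] = True
        elif "IPsec SA established" in msg:         # Phase 2 completed, tunnel is up
            st["phase2"] = True
        elif "NAT-Traversal: Result" in msg:        # e.g. "both are NATed"
            st["nat"] = msg.rsplit(": ", 1)[1]
        elif "informational payload, type" in msg:  # notify the peer sent back
            st["notify"] = msg.rsplit("type ", 1)[1]
    return report

def diagnose(st):
    """Map the tracked state to where the tunnel stopped (or that it came up)."""
    if not st["phase1"]:
        return "phase1-failed"
    if st["phase2"]:
        return "tunnel-up"
    if st["phase2_started"] and st["notify"] == "NO_PROPOSAL_CHOSEN":
        # Peer accepted Phase 1 but rejected the Quick Mode proposal: compare esp=,
        # pfs= and the left/rightsubnet selectors with what the peer is configured for.
        return "phase2-rejected"
    return "incomplete"
```

Running `diagnose` over the report for the quoted log yields "phase2-rejected", which is why changing leftsubnet to the NAT'd address the peer expects resolves it.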
OpenSwan example on EC2
Maybe this can help (there is a NAT example at the end)
http://www.fortycloud.com/setting-up...in-amazon-ec2/
Site 2 Site Connection Example
Here is the latest update, which includes a step-by-step example of how to connect 2 VPC regions (both GWs are using EIP/NAT).
Amir