Adding NAT IP to Openswan VPN Tunnel on Amazon EC2
Hello,
I’m currently working on an Openswan configuration that involves an Amazon EC2 instance in a VPC. I’ve gotten Openswan to work with EC2 before when it’s just a simple connection going from my local network to the customer’s local network. However, in this case the customer is asking that I add a NAT’d IP to our local network that they will use to transmit data to us. Having never done this before, I thought I’d see if someone here was more knowledgeable about setting up a NAT’d IP on an Ubuntu instance. I’ve included my ipsec.conf and a bit of the auth.log that shows the connection not working at this time.
I did try searching a bit but was unable to find any Openswan links that had to do with this exact type of situation. Any help would be appreciated and thank you!
```
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    nat_traversal=yes
    nhelpers=0

conn testprod
    left=%defaultroute
    leftsubnet=10.170.18.9/32
    leftid=a.a.a.a
    right=b.b.b.b
    rightid=b.b.b.b
    rightsubnet=b.b.b.28/30
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
    authby=secret
    pfs=no
    forceencaps=yes
    auto=start
    compress=no

include /etc/ipsec.d/examples/no_oe.conf
```
```
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: initiating Main Mode
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-02/03
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: STATE_MAIN_I2: sent MI2, expecting MR2
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: received Vendor ID payload [Cisco-Unity]
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: received Vendor ID payload [XAUTH]
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: ignoring unknown Vendor ID payload [234234234234]
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: I did not send a certificate because I do not have one.
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: STATE_MAIN_I3: sent MI3, expecting MR3
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: received Vendor ID payload [Dead Peer Detection]
Jan 9 10:35:44 xxx pluto[27135]: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: Main mode peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.xxx'
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2079: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#2078}
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: received and ignored informational message
Jan 9 10:35:44 xxx pluto[27135]: "xxx" #2078: received Delete SA payload: deleting ISAKMP State #2078
Jan 9 10:35:44 xxx pluto[27135]: packet from abc.abc.abc.abc:4500: received and ignored informational message
```
Last edited by ckkoba; 01-09-2013 at 06:45 PM.
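The log above shows the ISAKMP (Phase 1) SA coming up and the peer answering the Quick Mode proposal with NO_PROPOSAL_CHOSEN, which is the pattern that separates an IKE mismatch from a Phase 2 (ESP transform, PFS, or subnet/traffic-selector) mismatch. The following added triage script is not from the original post; it parses pluto auth.log lines over a constructed sample modelled on the excerpt (connection name, state numbers and host are placeholders) and reports which phase failed per connection.

```python
import re

# Constructed sample modelled on the auth.log excerpt in the post; not real traffic.
SAMPLE_LOG = """\
Jan 9 10:35:44 gw pluto[27135]: "testprod" #2078: initiating Main Mode
Jan 9 10:35:44 gw pluto[27135]: "testprod" #2078: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: both are NATed
Jan 9 10:35:44 gw pluto[27135]: "testprod" #2078: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Jan 9 10:35:44 gw pluto[27135]: "testprod" #2079: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP {using isakmp#2078}
Jan 9 10:35:44 gw pluto[27135]: "testprod" #2078: ignoring informational payload, type NO_PROPOSAL_CHOSEN
Jan 9 10:35:44 gw pluto[27135]: "testprod" #2078: received Delete SA payload: deleting ISAKMP State #2078
"""

# pluto prefixes connection-scoped messages with the conn name and a state number.
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')


def triage(log_text):
    """Return {conn: {phase1, phase2, nat, notes}} built from pluto log lines."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # debug lines ("| ...") and unscoped packets carry no conn name
        c = conns.setdefault(m["conn"], {"phase1": "pending", "phase2": "pending",
                                         "nat": None, "notes": []})
        msg = m["msg"]
        if "ISAKMP SA established" in msg:
            c["phase1"] = "established"
        elif "initiating Quick Mode" in msg:
            c["phase2"] = "negotiating"
        elif "IPsec SA established" in msg:
            c["phase2"] = "established"
        elif "NO_PROPOSAL_CHOSEN" in msg:
            # A rejection after Phase 1 is up refers to the Quick Mode proposal
            # (ESP transforms, PFS, traffic selectors), not the IKE proposal.
            target = "phase2" if c["phase1"] == "established" else "phase1"
            c[target] = "rejected: NO_PROPOSAL_CHOSEN"
        elif "NAT-Traversal: Result" in msg:
            c["nat"] = msg.split(": ")[-1]
        elif "deleting ISAKMP State" in msg:
            c["notes"].append("peer deleted the ISAKMP SA")
    return conns


def verdict(conn_state):
    """One-line summary a responder can paste into a ticket."""
    if conn_state["phase1"] != "established":
        return "Phase 1 failed (%s)" % conn_state["phase1"]
    if conn_state["phase2"].startswith("rejected"):
        return "Phase 1 up, Phase 2 rejected by peer (%s); NAT: %s" % (
            conn_state["phase2"], conn_state["nat"])
    return "Phase 1 up, Phase 2 %s" % conn_state["phase2"]


if __name__ == "__main__":
    for name, state in triage(SAMPLE_LOG).items():
        print(name, "->", verdict(state))
```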