Hi Guyz
I've got the following problem:
I need to configure an IPSEC VPN Connection from an Amazone EC2 instance to a Cisco ASA5505 Firewall. the version of Ubuntu is 12.04 LTS and the one of openswan 2.6.37.
Unfortunately I only have access to the amazone instance but not to the ASA Firewall as it belongs to a third party but I have all required parameters.
Because I'm new to openswan I first tested if I can access the server in a roadwarrior setup. This worked without problems. Then I tried to configure a host to host connection between two amazone instances which worked as well.
Now with the cisco fw I cannot establish a connection and unfortunately I have no clue why because the logs are not clear enough for my understanding.
First things first my ipsec.conf is as follows:
Code:
# basic configuration
config setup
plutodebug="all"
klipsdebug="none"
protostack=netkey
nat_traversal=yes
nhelpers=0
conn burundi
type=tunnel
dpddelay=30
dpdtimeout=120
dpdaction=restart
compress=no
left=10.224.74.85
leftid=@server1
right=41.79.47.2
rightsubnet=192.168.0.0/24
authby=secret
ikelifetime=86400s
keylife=3600s
rightid="emailAddress=Krishna.kishore@leo.bi"
pfs=yes
auto=start
ike=3des-sha1;modp1024!
phase2alg=3des-sha1;modp1024
aggrmode=no
#keyingtries=3
Left is the private IP of the amazone ec2 instance. I'm using a private IP because it is behind an 1:1 NAT (as far as I can tell)
The only thing I'm not sure about is the ID's. The Cisco fw is configured to use an e-mail ID. I hope this is configured correctly. The Leftid i dont use as it seems to work without using it (in a roadwarriorsetup)
Code:
ipsec auto --status
Code:
00 "burundi": 10.224.74.85<10.224.74.85>[@server1,+S=C]...41.79.47.2<41.79.47.2>[E=Krishna.kishore@leo.bi,+S=C]===192.168.0.0/24; prospective erouted; eroute owner: #0
000 "burundi": myip=unset; hisip=unset;
000 "burundi": ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "burundi": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,24; interface: eth0;
000 "burundi": dpd: action:restart; delay:30; timeout:120;
000 "burundi": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "burundi": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=strict
000 "burundi": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "burundi": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000; pfsgroup=MODP1024(2); flags=-strict
000 "burundi": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
000
000 #23: "burundi":500 STATE_MAIN_I2 (sent MI2, expecting MR2); EVENT_RETRANSMIT in 16s; nodpd; idle; import:admin initiate
000 #23: pending Phase 2 for "burundi" replacing #0
if i set auto=add in ipsec.conf and use
Code:
ipsec whack --name burundi --initiate
I get the following:
Code:
002 "burundi" #1: initiating Main Mode
104 "burundi" #1: STATE_MAIN_I1: initiate
003 "burundi" #1: ignoring Vendor ID payload [Cisco IKE Fragmentation]
002 "burundi" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "burundi" #1: STATE_MAIN_I2: sent MI2, expecting MR2
010 "burundi" #1: STATE_MAIN_I2: retransmission; will wait 20s for response
003 "burundi" #1: ignoring informational payload, type INVALID_COOKIE msgid=00000000
003 "burundi" #1: received and ignored informational message
The
auth.log after an ipsec restart shows that the psk has been accepted and i guess that means that phase 1 is complete so I think there must be something wrong with phase 2.
What concerns me a little bit is what begins at line 218 :
Code:
May 23 16:19:12 ip-10-224-74-85 pluto[5252]: | *received whack message
May 23 16:19:12 ip-10-224-74-85 pluto[5252]: | processing connection burundi
May 23 16:19:12 ip-10-224-74-85 pluto[5252]: | route owner of "burundi" unrouted: NULL; eroute owner: NULL
May 23 16:19:12 ip-10-224-74-85 pluto[5252]: | could_route called for burundi (kind=CK_PERMANENT)
May 23 16:19:12 ip-10-224-74-85 pluto[5252]: | route owner of "burundi" unrouted: NULL; eroute owner: NULL
May 23 16:19:12 ip-10-224-74-85 pluto[5252]: | route_and_eroute with c: burundi (next: none) ero:null esr:{(nil)} ro:null rosr:{(nil)} and state: 0
May 23 16:19:12 ip-10-224-74-85 pluto[5252]: | request to add a prospective erouted policy with netkey kernel --- experimental
May 23 16:19:12 ip-10-224-74-85 pluto[5252]: | satype(0) is not used in netlink_raw_eroute.
May 23 16:19:12 ip-10-224-74-85 pluto[5252]: | route_and_eroute: firewall_notified: true
May 23 16:19:12 ip-10-224-74-85 pluto[5252]: | command executing prepare-host
Could this be because I omitted the next hop statement? The defaults seem to be ok though:
Code:
ipsec showdefaults
root@ip-10-224-74-85:/home/andreas# routephys=eth0
root@ip-10-224-74-85:/home/andreas# routevirt=none
root@ip-10-224-74-85:/home/andreas# routeaddr=10.224.74.85
root@ip-10-224-74-85:/home/andreas# routenexthop=10.224.74.1
I know all this could be because of a wrong configuration on the Cisco firewall but the third party claims that he uses this configuration with many clients and also I think it should be possible to read out of the logs what could be the problem.
I'd be sooo grateful if anyone could help because I think I have tried everything I can without having to take apart the whole ipsec protocol and opwenswan code
Thanks a lot for your help!
