IPSec Tunnel AWS VPC <-> openSwan CentOS 6.6 Tunnel up, no traffic
Hey all,
Managed to get a tunnel up between a CentOS 6.6 box and our AWS VPC. It shows as connected both on the box and in AWS. The problem is routing the traffic from the server. Everything I've tried doesn't seem to have worked, and I'm feeling a little beyond my reach here. Any advice?
Code:
[USER@SERVER /]# sudo service ipsec status
Code:
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.43
Code:
src 10.0.0.0/24 dst 10.4.0.0/16
Code:
Checking your system to see if IPsec got installed and started correctly:
Code:
protostack=netkey
Code:
conn aws
Code:
171.X.XX.XX 71.XX.XX.XXX: PSK "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
Code:
iptables -A INPUT -i eth0 -p 50 -j ACCEPT
Code:
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,2,36} trans={0,2,1536} attrs={0,2,2048}
What does the route command show you?
Code:
route -n
@lazydog
Code:
[USER@SERVER tmp]# route -n
Have you done a traceroute from both ends to see where traffic gets lost?
@lazydog
There is no return. It's not going out over the eth0 interface, but it's not traversing the tunnel either.
Looking at your route table it looks like you are not routing 10.4.0.0 (assuming this is AWS) over your tunnel interface.
What is the output from
Code:
ifconfig
I came to the same conclusion; I've been trying to find a way to route the traffic over the tunnel.
Code:
eth0      Link encap:Ethernet  HWaddr 08:00:27:F6:F7:16
          inet addr:10.0.0.43  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fef6:f716/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:96248 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34684 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:19453550 (18.5 MiB)  TX bytes:10183662 (9.7 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:148 (148.0 b)  TX bytes:148 (148.0 b)
Also, updated /etc/ipsec.conf to try and exclude the AWS subnet (the first entry needs the same %v4: prefix as the second, or Openswan will not parse it):
Code:
protostack=netkey
nat_traversal=yes
virtual_private=%v4:10.0.0.0/24,%v4:!10.4.0.0/16
oe=off
You do not have a tun interface listed here. You need to set up the tun interface.
Code:
ifconfig tun0 inet <IP LOCAL> <IP REMOTE> up
Should it be the CIDR block 10.0.0.0/24 for the local IP, and the remote CIDR block for the remote IP (10.4.0.0/16)?
Edit: I'd also really like to thank you for being kind enough, and patient enough, to help me with this. It is very much appreciated.
IPsec doesn't (normally) use a tunnel interface. Traffic is routed according to the regular routing table, and is encrypted/decrypted as it exits/enters the external interface of the gateways.
What does ipsec status say?
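To make that point concrete: with protostack=netkey the kernel keeps the tunnel's selectors in the XFRM security policy database, which `ip xfrm policy` prints, and the `src 10.0.0.0/24 dst 10.4.0.0/16` line quoted in the first post is exactly one such entry. After the ordinary routing decision the kernel checks the packet's inner src/dst against those selectors; a packet that matches a `dir out` entry with an ESP template is encapsulated on its way out of eth0, and a packet that matches nothing leaves eth0 in cleartext, which looks like "tunnel up, no traffic". The script below is an added example (mine, not from the thread, from Openswan or from AWS): it parses `ip xfrm policy` output and reports what would happen to a given packet. The policy dump is constructed; the subnets are the thread's, while 203.0.113.10 and 198.51.100.20 are RFC 5737 documentation addresses standing in for the two public tunnel endpoints. It needs Python 3 (for the stdlib `ipaddress` module), so run it off-box against a pasted dump if the CentOS 6 host only has Python 2.

```python
"""Check whether a packet would be caught by an IPsec (netkey/XFRM) policy.

Added diagnostic, not code from the original thread. With protostack=netkey
there is no tun device: after the normal routing decision the kernel matches
the packet's src/dst against the XFRM security policy database
(`ip xfrm policy`). A packet whose addresses fall outside every 'dir out'
selector leaves eth0 in cleartext.
"""
import ipaddress
import re

# Constructed sample of `ip xfrm policy` output (not captured from the OP's box).
# Subnets are the thread's; 203.0.113.10 / 198.51.100.20 are RFC 5737
# documentation addresses standing in for the two public tunnel endpoints.
SAMPLE_XFRM_POLICY = """\
src 10.0.0.0/24 dst 10.4.0.0/16
\tdir out priority 2080 ptype main
\ttmpl src 203.0.113.10 dst 198.51.100.20
\t\tproto esp reqid 16385 mode tunnel
src 10.4.0.0/16 dst 10.0.0.0/24
\tdir fwd priority 2080 ptype main
\ttmpl src 198.51.100.20 dst 203.0.113.10
\t\tproto esp reqid 16385 mode tunnel
src 10.4.0.0/16 dst 10.0.0.0/24
\tdir in priority 2080 ptype main
\ttmpl src 198.51.100.20 dst 203.0.113.10
\t\tproto esp reqid 16385 mode tunnel
"""

SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)")        # unindented: new entry
DIR_RE = re.compile(r"^\s+dir (\w+)")                    # out / in / fwd
TMPL_RE = re.compile(r"^\s+tmpl src (\S+) dst (\S+)")    # outer ESP endpoints


def parse_xfrm_policies(text):
    """Turn `ip xfrm policy` output into a list of dicts with parsed selectors."""
    policies = []
    for line in text.splitlines():
        m = SELECTOR_RE.match(line)
        if m:
            policies.append({
                "src": ipaddress.ip_network(m.group(1), strict=False),
                "dst": ipaddress.ip_network(m.group(2), strict=False),
                "dir": None,
                "tmpl": None,  # (outer src, outer dst) of the ESP tunnel, if any
            })
            continue
        if not policies:
            continue  # indented line before any selector: ignore
        m = DIR_RE.match(line)
        if m:
            policies[-1]["dir"] = m.group(1)
            continue
        m = TMPL_RE.match(line)
        if m:
            policies[-1]["tmpl"] = (m.group(1), m.group(2))
    return policies


def matching_policy(policies, src_ip, dst_ip, direction="out"):
    """First policy in `direction` whose selectors cover src_ip -> dst_ip, else None."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for pol in policies:
        if pol["dir"] == direction and src in pol["src"] and dst in pol["dst"]:
            return pol
    return None


def diagnose(policy_text, src_ip, dst_ip):
    """Say what the kernel will do with an outbound packet src_ip -> dst_ip."""
    pol = matching_policy(parse_xfrm_policies(policy_text), src_ip, dst_ip)
    if pol is None:
        return ("cleartext: no 'dir out' policy covers this src/dst, "
                "packet follows the plain route")
    if pol["tmpl"] is None:
        return "cleartext: selector matches but the policy has no ESP template"
    outer_src, outer_dst = pol["tmpl"]
    return "tunnel: ESP from %s to %s" % (outer_src, outer_dst)


if __name__ == "__main__":
    # Pinging AWS from the gateway's LAN address matches the policy...
    print(diagnose(SAMPLE_XFRM_POLICY, "10.0.0.43", "10.4.1.7"))
    # ...but a packet sourced from the public address matches nothing and
    # goes out unencrypted.
    print(diagnose(SAMPLE_XFRM_POLICY, "203.0.113.10", "10.4.1.7"))
```

The practical use of this is the source-address check: `ip route get 10.4.0.5` on the gateway shows which source address the kernel will pick for a packet to AWS, and if that address is not inside the leftsubnet selector (10.0.0.0/24 here) the packet never meets the policy. Forcing the source with `ping -I 10.0.0.43 10.4.0.5` and watching `tcpdump -ni eth0 esp` for ESP leaving the box separates "policy never matched" from "ESP sent but nothing came back", which are different problems on opposite ends of the tunnel.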
Since the subnets are similar for both environments behind the routers, I set up (since the first post) the virtual_private to allow only the subnet I'm trying to route traffic to (10.4.0.0/16), and excluded the other.