OpenSwan VPN IPSEC Tunnel Connection

Question

I was hoping this website would be able to help with solving this issue since I've been running in circles on my end!

I am using OpenSwan to setup an IPSec tunnel between a VPN server on Rackspace and a VPN server on AWS. I've gone through several tutorials online and have tried looking through the logs and looking up certain errors but I'm not finding one definite answer.

Here is my ipsec.conf file for my Rackspace machine

## general configuration parameters ##

config setup
        plutodebug=all
        plutostderrlog=/var/log/pluto.log
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        ## disable opportunistic encryption in Red Hat ##
        #oe=off

## disable opportunistic encryption in Debian ##
## Note: this is a separate declaration statement ##
#include /etc/ipsec.d/examples/no_oe.conf

## connection definition in Debian ##
conn    compconnection
        authby=rsasig
        auto=start
        ## phase 1 ##
        keyexchange=ike
        ## phase 2 ##
        esp=3des-md5
        pfs=yes
        type=tunnel
        left=104.130.13.126
        leftrsasigkey=0sAQNQjjD6EgYknzjnEY7APlkUMEvP6y/CUHbX/B/JQy3BDZafGkaQDjXPdLwRDjGKCGcka2MxaDGklL7uARmlHOHZnFJyZlbr6iW5c7H5f2bif/Ms1UmELXf1uFFwDiwzHjFp9uTZEEV7d3qLM8iAiwBaKPPUgbb2LiQPIYDNC3QAs5anIvUtTBPB8MPG/W11H36CM5Ce51C1pUTdJl3Z9i3/nOG6Lz5c+Kxe40Pi5WHPg39093QkIDEPy0K2mvttTxgvzwDogD1h9M30vK2QPpMstkPKSLdipqj3m71SQDk1VieIkeMQqFIR2+PMn+KDzuTCjeZWTgxMk8ipuyNBuSkl
        rightrsasigkey=0sAQOxf6HhY2cYpyVFbHG7+owH/LzwJdRnj/HgBmSaATf+NY281JTxcehZqALW24/PiLuspObIJaj/DmOpjS1OW4z/fIODMZwMk/J+PNW73i54/trrUMy7PGbWM0a76WXGODvwkRVbQZ0skcJhBiDOxD6I/o03HOeLN7z9s/Q2unuTdvEHsN0v0J23sxoF7fe0Rlfp5kac++tyjcVXZ6GNV/NSDAKdx9+FFaxxrQwOJOI3+LPvVrDdxA582omgZSF2J+0AGpOGkA5LwJdI2uttEQBaEHayJ6qFrCBk3YpaeYzYK4EYb5PvtdD1+w5eMfIKaLd1cakY0Tc9maO8O3N6pngpT5oQBkChWlfBT96UtHdT3RUf
        leftsourceip=192.168.3.1
        leftsubnet=192.168.3.0/24
        ## for direct routing ##
        #leftsubnet=/32
        leftnexthop=%defaultroute
        right=54.164.228.5
        rightsubnet=172.31.16.0/20

Here is ipsec.conf for my AWS machine:

## general configuration parameters ##

config setup
        plutodebug=all
        plutostderrlog=/var/log/pluto.log
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        ## disable opportunistic encryption in Red Hat ##
        #oe=off

## disable opportunistic encryption in Debian ##
## Note: this is a separate declaration statement ##
#include /etc/ipsec.d/examples/no_oe.conf

## connection definition in Debian ##
conn compconnection
        authby=rsasig
        auto=start
        ## phase 1 ##
        keyexchange=ike
        ## phase 2 ##
        esp=3des-md5
        pfs=yes
        type=tunnel
        left=54.164.228.5
        leftrsasigkey=0sAQOxf6HhY2cYpyVFbHG7+owH/LzwJdRnj/HgBmSaATf+NY281JTxcehZqALW24/PiLuspObIJaj/DmOpjS1OW4z/fIODMZwMk/J+PNW73i54/trrUMy7PGbWM0a76WXGODvwkRVbQZ0skcJhBiDOxD6I/o03HOeLN7z9s/Q2unuTdvEHsN0v0J23sxoF7fe0Rlfp5kac++tyjcVXZ6GNV/NSDAKdx9+FFaxxrQwOJOI3+LPvVrDdxA582omgZSF2J+0AGpOGkA5LwJdI2uttEQBaEHayJ6qFrCBk3YpaeYzYK4EYb5PvtdD1+w5eMfIKaLd1cakY0Tc9maO8O3N6pngpT5oQBkChWlfBT96UtHdT3RUf
        rightrsasigkey=0sAQNQjjD6EgYknzjnEY7APlkUMEvP6y/CUHbX/B/JQy3BDZafGkaQDjXPdLwRDjGKCGcka2MxaDGklL7uARmlHOHZnFJyZlbr6iW5c7H5f2bif/Ms1UmELXf1uFFwDiwzHjFp9uTZEEV7d3qLM8iAiwBaKPPUgbb2LiQPIYDNC3QAs5anIvUtTBPB8MPG/W11H36CM5Ce51C1pUTdJl3Z9i3/nOG6Lz5c+Kxe40Pi5WHPg39093QkIDEPy0K2mvttTxgvzwDogD1h9M30vK2QPpMstkPKSLdipqj3m71SQDk1VieIkeMQqFIR2+PMn+KDzuTCjeZWTgxMk8ipuyNBuSkl
        leftsourceip=172.31.24.171
        leftsubnet=172.31.16.0/20
        ## for direct routing ##
        #leftsubnet=/32
        leftnexthop=%defaultroute
        right=104.130.13.126
        rightsubnet=192.168.3.0/24

Once I setup the conf files I turned on the Ipsec service but I cannot get the tunnels to come up. One thing that I am noticing in the pluto.log file is that the Rackspace side is sending bits over to the public IP of AWS but AWS is responding with:

| find_host_connection2 called from main_inI1_outR1, me=172.31.24.171:500 him=%any:500 policy=RSASIG
| find_host_pair_conn (find_host_connection2): 172.31.24.171:500 %any:500 -> hp:none
| searching for connection with policy = RSASIG
| find_host_connection2 returns empty
packet from 104.130.13.126:500: initial Main Mode message received on 172.31.24.171:500 but no connection has been authorized with policy=RSASIG
| complete state transition with STF_IGNORE

So it looks like it's not authorizing the RSASIG key for some odd reason

I've also tried to manually turn on the tunnel by doing the ipsec auto --up command but it times out on the rackspace side and AWS it says "We cannot identify ourselves with either end of this connection"

I honestly don't know what the issue is and why it's giving me weird errors that I can't seem to fix

Any help would be appreciated!

EDIT

The public IP of Rackspace: 104.130.13.126 Private IP of Rackspace: 192.168.3.1

Public IP of AWS: 54.164.228.5 Private IP of AWS: 172.31.24.171

Additional edit/problem

I'm trying to telnet from one server to the other through port 4500 since IPSec uses that port to make a connection and I am getting an actively refused connection coming from both ends which is odd since it says it allows it on IPtables and on AWS end I've configured the security groups.

IPTables:

target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4500
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

That is how IPtables looks on both ends

Also I'm using Ubuntu as the operating system on both ends.

IPSEC Verify output

IPSec verify on AWS:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.38/K3.13.0-74-generic (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
        [OK]
        [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

Rackspace IPSec Verify

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.38/K3.13.0-79-generic (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
        [OK]
        [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]