I was hoping this website would be able to help with solving this issue since I've been running in circles on my end!
I am using OpenSwan to set up an IPSec tunnel between a VPN server on Rackspace and a VPN server on AWS. I've gone through several tutorials online and have tried looking through the logs and looking up certain errors, but I'm not finding one definite answer.
Here is my ipsec.conf file for my Rackspace machine:
## general configuration parameters ##
config setup
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    ## disable opportunistic encryption in Red Hat ##
    #oe=off
## disable opportunistic encryption in Debian ##
## Note: this is a separate declaration statement ##
#include /etc/ipsec.d/examples/no_oe.conf
## connection definition in Debian ##
conn compconnection
    authby=rsasig
    auto=start
    ## phase 1 ##
    keyexchange=ike
    ## phase 2 ##
    esp=3des-md5
    pfs=yes
    type=tunnel
    left=104.130.13.126
    leftrsasigkey=0sAQNQjjD6EgYknzjnEY7APlkUMEvP6y/CUHbX/B/JQy3BDZafGkaQDjXPdLwRDjGKCGcka2MxaDGklL7uARmlHOHZnFJyZlbr6iW5c7H5f2bif/Ms1UmELXf1uFFwDiwzHjFp9uTZEEV7d3qLM8iAiwBaKPPUgbb2LiQPIYDNC3QAs5anIvUtTBPB8MPG/W11H36CM5Ce51C1pUTdJl3Z9i3/nOG6Lz5c+Kxe40Pi5WHPg39093QkIDEPy0K2mvttTxgvzwDogD1h9M30vK2QPpMstkPKSLdipqj3m71SQDk1VieIkeMQqFIR2+PMn+KDzuTCjeZWTgxMk8ipuyNBuSkl
    rightrsasigkey=0sAQOxf6HhY2cYpyVFbHG7+owH/LzwJdRnj/HgBmSaATf+NY281JTxcehZqALW24/PiLuspObIJaj/DmOpjS1OW4z/fIODMZwMk/J+PNW73i54/trrUMy7PGbWM0a76WXGODvwkRVbQZ0skcJhBiDOxD6I/o03HOeLN7z9s/Q2unuTdvEHsN0v0J23sxoF7fe0Rlfp5kac++tyjcVXZ6GNV/NSDAKdx9+FFaxxrQwOJOI3+LPvVrDdxA582omgZSF2J+0AGpOGkA5LwJdI2uttEQBaEHayJ6qFrCBk3YpaeYzYK4EYb5PvtdD1+w5eMfIKaLd1cakY0Tc9maO8O3N6pngpT5oQBkChWlfBT96UtHdT3RUf
    leftsourceip=192.168.3.1
    leftsubnet=192.168.3.0/24
    ## for direct routing ##
    #leftsubnet=/32
    leftnexthop=%defaultroute
    right=54.164.228.5
    rightsubnet=172.31.16.0/20
Here is ipsec.conf for my AWS machine:
## general configuration parameters ##
config setup
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    ## disable opportunistic encryption in Red Hat ##
    #oe=off
## disable opportunistic encryption in Debian ##
## Note: this is a separate declaration statement ##
#include /etc/ipsec.d/examples/no_oe.conf
## connection definition in Debian ##
conn compconnection
    authby=rsasig
    auto=start
    ## phase 1 ##
    keyexchange=ike
    ## phase 2 ##
    esp=3des-md5
    pfs=yes
    type=tunnel
    left=54.164.228.5
    leftrsasigkey=0sAQOxf6HhY2cYpyVFbHG7+owH/LzwJdRnj/HgBmSaATf+NY281JTxcehZqALW24/PiLuspObIJaj/DmOpjS1OW4z/fIODMZwMk/J+PNW73i54/trrUMy7PGbWM0a76WXGODvwkRVbQZ0skcJhBiDOxD6I/o03HOeLN7z9s/Q2unuTdvEHsN0v0J23sxoF7fe0Rlfp5kac++tyjcVXZ6GNV/NSDAKdx9+FFaxxrQwOJOI3+LPvVrDdxA582omgZSF2J+0AGpOGkA5LwJdI2uttEQBaEHayJ6qFrCBk3YpaeYzYK4EYb5PvtdD1+w5eMfIKaLd1cakY0Tc9maO8O3N6pngpT5oQBkChWlfBT96UtHdT3RUf
    rightrsasigkey=0sAQNQjjD6EgYknzjnEY7APlkUMEvP6y/CUHbX/B/JQy3BDZafGkaQDjXPdLwRDjGKCGcka2MxaDGklL7uARmlHOHZnFJyZlbr6iW5c7H5f2bif/Ms1UmELXf1uFFwDiwzHjFp9uTZEEV7d3qLM8iAiwBaKPPUgbb2LiQPIYDNC3QAs5anIvUtTBPB8MPG/W11H36CM5Ce51C1pUTdJl3Z9i3/nOG6Lz5c+Kxe40Pi5WHPg39093QkIDEPy0K2mvttTxgvzwDogD1h9M30vK2QPpMstkPKSLdipqj3m71SQDk1VieIkeMQqFIR2+PMn+KDzuTCjeZWTgxMk8ipuyNBuSkl
    leftsourceip=172.31.24.171
    leftsubnet=172.31.16.0/20
    ## for direct routing ##
    #leftsubnet=/32
    leftnexthop=%defaultroute
    right=104.130.13.126
    rightsubnet=192.168.3.0/24
Once I set up the conf files I turned on the IPsec service, but I cannot get the tunnels to come up. One thing that I am noticing in the pluto.log file is that the Rackspace side is sending bits over to the public IP of AWS, but AWS is responding with:
| find_host_connection2 called from main_inI1_outR1, me=172.31.24.171:500 him=%any:500 policy=RSASIG
| find_host_pair_conn (find_host_connection2): 172.31.24.171:500 %any:500 -> hp:none
| searching for connection with policy = RSASIG
| find_host_connection2 returns empty
packet from 104.130.13.126:500: initial Main Mode message received on 172.31.24.171:500 but no connection has been authorized with policy=RSASIG
| complete state transition with STF_IGNORE
So it looks like it's not authorizing the RSASIG key for some odd reason.
I've also tried to manually turn on the tunnel by running the ipsec auto --up command, but it times out on the Rackspace side, and on AWS it says "We cannot identify ourselves with either end of this connection".
I honestly don't know what the issue is and why it's giving me weird errors that I can't seem to fix.
Any help would be appreciated!
EDIT
Public IP of Rackspace: 104.130.13.126
Private IP of Rackspace: 192.168.3.1
Public IP of AWS: 54.164.228.5
Private IP of AWS: 172.31.24.171
Additional edit/problem
I'm trying to telnet from one server to the other on port 4500, since IPSec uses that port to make a connection, and I am getting an actively refused connection from both ends, which is odd since iptables says it allows it, and on the AWS end I've configured the security groups.
iptables:
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT tcp -- anywhere anywhere tcp dpt:4500
ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
That is how iptables looks on both ends.
Also I'm using Ubuntu as the operating system on both ends.
IPSEC Verify output
IPSec verify on AWS:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.38/K3.13.0-74-generic (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
Rackspace IPSec Verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.38/K3.13.0-79-generic (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
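As an added consistency check (not part of the original question or of Openswan), the script below parses the two conn sections and cross-checks them the way a reviewer would: each side's left= should be an address the host actually owns (the pluto log above shows the AWS daemon identifying itself as me=172.31.24.171, not 54.164.228.5), left= should equal the peer's right=, and the RSA keys and subnets should mirror. The conn text and the local address sets are constructed from the question, with the long keys replaced by placeholders.

```python
import re

# Constructed from the question: only the options the check needs, keys as placeholders.
RACKSPACE_CONF = """
conn compconnection
    authby=rsasig
    left=104.130.13.126
    leftrsasigkey=0sKEY_RACKSPACE_PLACEHOLDER
    rightrsasigkey=0sKEY_AWS_PLACEHOLDER
    leftsubnet=192.168.3.0/24
    right=54.164.228.5
    rightsubnet=172.31.16.0/20
"""
AWS_CONF = """
conn compconnection
    authby=rsasig
    left=54.164.228.5
    leftrsasigkey=0sKEY_AWS_PLACEHOLDER
    rightrsasigkey=0sKEY_RACKSPACE_PLACEHOLDER
    leftsubnet=172.31.16.0/20
    right=104.130.13.126
    rightsubnet=192.168.3.0/24
"""

def parse_conn(text, name):
    """Return the key=value options of the named conn section (comments stripped)."""
    opts, in_conn = {}, False
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if re.match(r"^(conn|config)\s", line):
            in_conn = line.split()[1] == name
            continue
        if in_conn and "=" in line:
            k, v = line.split("=", 1)
            opts[k.strip()] = v.strip()
    return opts

def check_pair(sides):
    """sides: list of (label, conn_opts, set_of_local_ips). Returns list of problems."""
    problems = []
    for (me_label, me, my_ips), (_, peer, _) in (sides, sides[::-1]):
        if me.get("left") not in my_ips:
            problems.append(f"{me_label}: left={me.get('left')} is not a local address {sorted(my_ips)}")
        if me.get("left") != peer.get("right"):
            problems.append(f"{me_label}: left={me.get('left')} != peer right={peer.get('right')}")
        if me.get("leftrsasigkey") != peer.get("rightrsasigkey"):
            problems.append(f"{me_label}: leftrsasigkey does not match peer rightrsasigkey")
        if me.get("leftsubnet") != peer.get("rightsubnet"):
            problems.append(f"{me_label}: leftsubnet != peer rightsubnet")
    return problems

def run():
    # Local addresses as given in the question: Rackspace owns its public IP on an
    # interface; the AWS instance only holds its private address.
    rs = ("rackspace", parse_conn(RACKSPACE_CONF, "compconnection"), {"104.130.13.126", "192.168.3.1"})
    aws = ("aws", parse_conn(AWS_CONF, "compconnection"), {"172.31.24.171"})
    return check_pair([rs, aws])
```

Keys and subnets mirror correctly in the posted configs; the only finding is the AWS left= address, which matches what the "cannot identify ourselves" message and the me=172.31.24.171 log line report.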