
I was hoping this website would be able to help with solving this issue since I've been running in circles on my end!

I am using OpenSwan to set up an IPsec tunnel between a VPN server on Rackspace and a VPN server on AWS. I've gone through several tutorials online and have tried looking through the logs and looking up certain errors, but I'm not finding one definite answer.

Here is my ipsec.conf file for my Rackspace machine:

## general configuration parameters ##

config setup
        plutodebug=all
        plutostderrlog=/var/log/pluto.log
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        ## disable opportunistic encryption in Red Hat ##
        #oe=off

## disable opportunistic encryption in Debian ##
## Note: this is a separate declaration statement ##
#include /etc/ipsec.d/examples/no_oe.conf

## connection definition in Debian ##
conn    compconnection
        authby=rsasig
        auto=start
        ## phase 1 ##
        keyexchange=ike
        ## phase 2 ##
        esp=3des-md5
        pfs=yes
        type=tunnel
        left=104.130.13.126
        leftrsasigkey=0sAQNQjjD6EgYknzjnEY7APlkUMEvP6y/CUHbX/B/JQy3BDZafGkaQDjXPdLwRDjGKCGcka2MxaDGklL7uARmlHOHZnFJyZlbr6iW5c7H5f2bif/Ms1UmELXf1uFFwDiwzHjFp9uTZEEV7d3qLM8iAiwBaKPPUgbb2LiQPIYDNC3QAs5anIvUtTBPB8MPG/W11H36CM5Ce51C1pUTdJl3Z9i3/nOG6Lz5c+Kxe40Pi5WHPg39093QkIDEPy0K2mvttTxgvzwDogD1h9M30vK2QPpMstkPKSLdipqj3m71SQDk1VieIkeMQqFIR2+PMn+KDzuTCjeZWTgxMk8ipuyNBuSkl
        rightrsasigkey=0sAQOxf6HhY2cYpyVFbHG7+owH/LzwJdRnj/HgBmSaATf+NY281JTxcehZqALW24/PiLuspObIJaj/DmOpjS1OW4z/fIODMZwMk/J+PNW73i54/trrUMy7PGbWM0a76WXGODvwkRVbQZ0skcJhBiDOxD6I/o03HOeLN7z9s/Q2unuTdvEHsN0v0J23sxoF7fe0Rlfp5kac++tyjcVXZ6GNV/NSDAKdx9+FFaxxrQwOJOI3+LPvVrDdxA582omgZSF2J+0AGpOGkA5LwJdI2uttEQBaEHayJ6qFrCBk3YpaeYzYK4EYb5PvtdD1+w5eMfIKaLd1cakY0Tc9maO8O3N6pngpT5oQBkChWlfBT96UtHdT3RUf
        leftsourceip=192.168.3.1
        leftsubnet=192.168.3.0/24
        ## for direct routing ##
        #leftsubnet=/32
        leftnexthop=%defaultroute
        right=54.164.228.5
        rightsubnet=172.31.16.0/20

Here is ipsec.conf for my AWS machine:

## general configuration parameters ##

config setup
        plutodebug=all
        plutostderrlog=/var/log/pluto.log
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        ## disable opportunistic encryption in Red Hat ##
        #oe=off

## disable opportunistic encryption in Debian ##
## Note: this is a separate declaration statement ##
#include /etc/ipsec.d/examples/no_oe.conf

## connection definition in Debian ##
conn compconnection
        authby=rsasig
        auto=start
        ## phase 1 ##
        keyexchange=ike
        ## phase 2 ##
        esp=3des-md5
        pfs=yes
        type=tunnel
        left=54.164.228.5
        leftrsasigkey=0sAQOxf6HhY2cYpyVFbHG7+owH/LzwJdRnj/HgBmSaATf+NY281JTxcehZqALW24/PiLuspObIJaj/DmOpjS1OW4z/fIODMZwMk/J+PNW73i54/trrUMy7PGbWM0a76WXGODvwkRVbQZ0skcJhBiDOxD6I/o03HOeLN7z9s/Q2unuTdvEHsN0v0J23sxoF7fe0Rlfp5kac++tyjcVXZ6GNV/NSDAKdx9+FFaxxrQwOJOI3+LPvVrDdxA582omgZSF2J+0AGpOGkA5LwJdI2uttEQBaEHayJ6qFrCBk3YpaeYzYK4EYb5PvtdD1+w5eMfIKaLd1cakY0Tc9maO8O3N6pngpT5oQBkChWlfBT96UtHdT3RUf
        rightrsasigkey=0sAQNQjjD6EgYknzjnEY7APlkUMEvP6y/CUHbX/B/JQy3BDZafGkaQDjXPdLwRDjGKCGcka2MxaDGklL7uARmlHOHZnFJyZlbr6iW5c7H5f2bif/Ms1UmELXf1uFFwDiwzHjFp9uTZEEV7d3qLM8iAiwBaKPPUgbb2LiQPIYDNC3QAs5anIvUtTBPB8MPG/W11H36CM5Ce51C1pUTdJl3Z9i3/nOG6Lz5c+Kxe40Pi5WHPg39093QkIDEPy0K2mvttTxgvzwDogD1h9M30vK2QPpMstkPKSLdipqj3m71SQDk1VieIkeMQqFIR2+PMn+KDzuTCjeZWTgxMk8ipuyNBuSkl
        leftsourceip=172.31.24.171
        leftsubnet=172.31.16.0/20
        ## for direct routing ##
        #leftsubnet=/32
        leftnexthop=%defaultroute
        right=104.130.13.126
        rightsubnet=192.168.3.0/24

Once I set up the conf files I turned on the IPsec service, but I cannot get the tunnels to come up. One thing that I am noticing in the pluto.log file is that the Rackspace side is sending bits over to the public IP of AWS but AWS is responding with:


| find_host_connection2 called from main_inI1_outR1, me=172.31.24.171:500 him=%any:500 policy=RSASIG
| find_host_pair_conn (find_host_connection2): 172.31.24.171:500 %any:500 -> hp:none
| searching for connection with policy = RSASIG
| find_host_connection2 returns empty
packet from 104.130.13.126:500: initial Main Mode message received on 172.31.24.171:500 but no connection has been authorized with policy=RSASIG
| complete state transition with STF_IGNORE

So it looks like it's not authorizing the RSASIG key for some odd reason.

I've also tried to manually bring up the tunnel with the ipsec auto --up command, but it times out on the Rackspace side, and on AWS it says "We cannot identify ourselves with either end of this connection".

I honestly don't know what the issue is or why it's giving me weird errors that I can't seem to fix.

Any help would be appreciated!

EDIT

Public IP of Rackspace: 104.130.13.126
Private IP of Rackspace: 192.168.3.1

Public IP of AWS: 54.164.228.5
Private IP of AWS: 172.31.24.171

Additional edit/problem

I'm trying to telnet from one server to the other on port 4500, since IPsec uses that port to make a connection, and I am getting an actively refused connection from both ends, which is odd since iptables says it allows it, and on the AWS end I've configured the security groups.

iptables:


target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4500
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

That is how iptables looks on both ends.

Also I'm using Ubuntu as the operating system on both ends.

IPsec verify output

IPsec verify on AWS:


Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.38/K3.13.0-74-generic (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
        [OK]
        [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

IPsec verify on Rackspace:


Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.38/K3.13.0-79-generic (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
        [OK]
        [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
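A diagnostic the question is missing, added here as an editor's example and not code from the original post: IKE runs over UDP 500 (and UDP 4500 once NAT traversal is detected), so a refused TCP telnet to 4500 says nothing about whether the peer is reachable, and the iptables rule for "tcp dpt:4500" above is harmless but irrelevant. A bare UDP datagram is no better, because pluto silently drops anything that is not a parsable ISAKMP message. The script below builds a minimal but well-formed IKEv1 Main Mode message 1 (header plus one SA/Proposal/Transform, proposing RSASIG authentication like the post's conn) and classifies the outcome: a reply means the responder has a conn for this peer, an ICMP port-unreachable means nothing is bound to UDP 500, and silence means either a filter in the path or the "no connection has been authorized ... STF_IGNORE" case in the pluto.log excerpt. The 3DES/SHA1/MODP-1024 proposal values are chosen to match what Openswan 2.6 accepts by default, not a recommendation.

```python
#!/usr/bin/env python3
"""Send one well-formed IKEv1 Main Mode message 1 to UDP/500 and classify the answer.

Added diagnostic, not from the original post. IKE runs over UDP 500 (UDP 4500 once
NAT-T is detected), so a refused TCP telnet to 4500 says nothing about the tunnel,
and a bare UDP datagram is no better because pluto silently drops junk. This sends
an ISAKMP header plus an SA/Proposal/Transform matching the post's policy (RSASIG,
3DES) so the responder either answers (it has a conn for this peer), stays silent
(filtered, or the STF_IGNORE case in the post), or the kernel reports ICMP port
unreachable (nothing bound to udp/500). Layouts follow RFC 2408 and RFC 2409.
"""
import os
import socket
import struct
import sys

HEADER_FMT = ">8s8sBBBBII"  # icookie rcookie next_payload version exch_type flags msg_id length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 28
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_NOTIFY = 0, 1, 11
VERSION_1_0, EXCH_MAIN_MODE = 0x10, 2  # exchange 2 = Identity Protection (main mode)
DOI_IPSEC, SIT_IDENTITY_ONLY, PROTO_ISAKMP, KEY_IKE = 1, 1, 1, 1
# phase-1 transform attribute types and the values used here (RFC 2409 appendix A)
ATTR_ENC, ATTR_HASH, ATTR_AUTH, ATTR_GROUP, ATTR_LIFE_TYPE, ATTR_LIFE_DUR = 1, 2, 3, 4, 11, 12
ENC_3DES, HASH_SHA1, AUTH_RSA_SIG, GROUP_MODP1024, LIFE_SECONDS = 5, 2, 3, 2, 1


def build_header(icookie, next_payload, body_len, rcookie=b"\0" * 8,
                 exch=EXCH_MAIN_MODE, flags=0, msg_id=0):
    return struct.pack(HEADER_FMT, icookie, rcookie, next_payload, VERSION_1_0,
                       exch, flags, msg_id, HEADER_LEN + body_len)


def parse_header(data):
    if len(data) < HEADER_LEN:
        raise ValueError("short ISAKMP header (%d bytes)" % len(data))
    names = ("icookie", "rcookie", "next_payload", "version", "exch", "flags", "msg_id", "length")
    return dict(zip(names, struct.unpack(HEADER_FMT, data[:HEADER_LEN])))


def _tv(attr_type, value):
    """Basic type/value attribute: AF bit set, 15-bit type, 16-bit value."""
    return struct.pack(">HH", 0x8000 | attr_type, value)


def build_sa_payload(enc=ENC_3DES, hsh=HASH_SHA1, auth=AUTH_RSA_SIG, group=GROUP_MODP1024, life=28800):
    attrs = (_tv(ATTR_ENC, enc) + _tv(ATTR_HASH, hsh) + _tv(ATTR_AUTH, auth)
             + _tv(ATTR_GROUP, group) + _tv(ATTR_LIFE_TYPE, LIFE_SECONDS) + _tv(ATTR_LIFE_DUR, life))
    # Transform: next, reserved, length, transform#, transform-id, reserved2, attributes
    transform = struct.pack(">BBHBBH", PAYLOAD_NONE, 0, 8 + len(attrs), 1, KEY_IKE, 0) + attrs
    # Proposal: next, reserved, length, proposal#, protocol-id, SPI size (0), #transforms
    proposal = struct.pack(">BBHBBBB", PAYLOAD_NONE, 0, 8 + len(transform), 1, PROTO_ISAKMP, 0, 1) + transform
    # SA: next, reserved, length, DOI, situation
    return struct.pack(">BBHII", PAYLOAD_NONE, 0, 12 + len(proposal), DOI_IPSEC, SIT_IDENTITY_ONLY) + proposal


def build_main_mode_1(icookie=None):
    body = build_sa_payload()
    return build_header(icookie or os.urandom(8), PAYLOAD_SA, len(body)) + body


def classify_reply(sent, data):
    """Check a datagram against the MM1 we sent and return a one-line verdict."""
    hdr = parse_header(data)
    if hdr["icookie"] != sent[:8]:
        return "reply: cookie mismatch (not an answer to our MM1)"
    if hdr["exch"] != EXCH_MAIN_MODE:
        return "reply: unexpected exchange type %d" % hdr["exch"]
    if hdr["next_payload"] == PAYLOAD_NOTIFY:
        return "reply: notification (proposal or policy rejected)"
    return "reply: Main Mode response, responder cookie %s" % hdr["rcookie"].hex()


def probe(host, port=500, timeout=3.0):
    msg = build_main_mode_1()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected UDP so ICMP port-unreachable surfaces as an error
        s.send(msg)
        try:
            data = s.recv(4096)
        except ConnectionRefusedError:
            return "closed: ICMP port unreachable, nothing listening on udp/%d" % port
        except socket.timeout:
            return "silent: filtered, or responder ignored us (no authorized conn for this peer)"
    return classify_reply(msg, data)


if __name__ == "__main__":
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 500))
```

Run it from each gateway against the other's public address (`python3 ikeprobe.py 54.164.228.5` from Rackspace, `python3 ikeprobe.py 104.130.13.126` from AWS, names assumed). Run it from a third host and the expected answer is "silent", since neither gateway has a conn for that source; a "closed" result from either gateway means the packet reached a host with no pluto on UDP 500, which on AWS usually means the security group is not the problem but the instance is. Note the security group has to allow UDP 500 as well as UDP 4500 from the peer's public address; the post only mentions adding 4500.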
  • Why did you change left and right parameters? They have to be the same on both machines. Also: why leftsourceip=192.168.3.1? That's a private IP. Please consider adding more detail (servers' obfuscated IP addresses, NAT?, etc.)
    – Lenniey
    Commented Apr 7, 2016 at 8:08
  • From what I've read online, the left should be the machine that you are currently configuring in the conf file and the right should be the one you are making the connection to, so that is why they're different in both configs. The left is the public IP and the leftsourceip is the private IP address for that respective machine. As far as NAT is concerned I'm unsure if there is one since one server is in Rackspace and one on AWS. Rackspace told me there is no firewall in the way and on AWS I made sure to add port 4500 to the security groups. I also added the ports on iptables for both servers.
    – Nare
    Commented Apr 7, 2016 at 12:32
  • You have to think about it like that: (leftsubnet) - [left] <--internet--> [right] - (rightsubnet). The configuration doesn't change on the hosts. Otherwise they both would "think of themselves" as left with no right to connect to.
    – Lenniey
    Commented Apr 7, 2016 at 12:37
  • I'm assuming if I'm going with that way of thinking that the leftrsasigkey & rightrsasigkey should remain the same on both ends for the config file? I tried making those changes and leaving the config the same on both ends but the tunnel still isn't coming up. I made a couple of edits up top in case that will help
    – Nare
    Commented Apr 7, 2016 at 12:50
  • Try to start from the beginning: simplest config, PSKs instead of RSASIG, etc. and see if anything comes up. There are some pretty simple tutorials out there (here for example.)
    – Lenniey
    Commented Apr 7, 2016 at 16:24
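Following the commenter's point that both hosts must describe the same link, with the same host as left and the same host as right, here is an editor's example (not code from the original post or from the Openswan project) that parses two ipsec.conf files and reports the asymmetries behind the two pluto.log messages in the question. The sample pair is constructed: it is the post's conn rewritten with Rackspace as left and AWS as right in both files, with placeholder RSA keys and an assumed aes256-sha1/modp2048 policy in place of 3des-md5. One asymmetry is deliberate and the checker allows it: the AWS pluto.log shows pluto listening on 172.31.24.171, not 54.164.228.5, because an EC2 public address is a 1:1 NAT that never appears on an interface, so a conn naming 54.164.228.5 as the local end cannot be oriented and pluto reports it cannot identify itself with either end. The AWS copy therefore sets right= to its interface address and both copies pin rightid=54.164.228.5 so the IKE identity still matches.

```python
#!/usr/bin/env python3
"""Cross-check two Openswan ipsec.conf files for the symmetry one conn needs.

Added example, not code from the original post. It parses the ipsec.conf subset
used above ('config setup' / 'conn NAME' headers, indented key=value lines, '#'
comments) and reports the mismatches behind "no connection has been authorized"
and "cannot identify ourselves with either end" in pluto.log. The sample pair is
constructed: RSA keys are placeholders, aes256-sha1 / modp2048 is an assumed
replacement for 3des-md5, and the AWS copy names its interface address as right=
because an EC2 instance never holds its public IP on an interface.
"""
import re

RFC1918 = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)\d")
MUST_MATCH = ("leftid", "rightid", "leftsubnet", "rightsubnet", "leftrsasigkey",
              "rightrsasigkey", "authby", "keyexchange", "ike", "esp", "pfs", "type")
WEAK = ("3des", "md5", "des-", "modp768", "modp1024")

RACKSPACE_CONF = """\
conn compconnection
        authby=rsasig
        auto=start
        keyexchange=ike
        ike=aes256-sha1;modp2048
        esp=aes256-sha1
        pfs=yes
        type=tunnel
        left=104.130.13.126
        leftid=104.130.13.126
        leftsubnet=192.168.3.0/24
        leftrsasigkey=0sRACKSPACE_PLACEHOLDER_PUBKEY
        right=54.164.228.5
        rightid=54.164.228.5
        rightsubnet=172.31.16.0/20
        rightrsasigkey=0sAWS_PLACEHOLDER_PUBKEY
"""
# Identical on the AWS host except right= names the address pluto can bind there.
AWS_CONF = RACKSPACE_CONF.replace("right=54.164.228.5", "right=172.31.24.171")


def parse_ipsec_conf(text):
    """{section: {key: value}}; 'config setup' lands under the name 'setup'."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header
            kind, _, name = line.strip().partition(" ")
            if kind not in ("conn", "config"):
                raise ValueError("unexpected top-level line: %r" % raw)
            cur = name.strip()
            sections.setdefault(cur, {})
        else:
            key, sep, val = line.strip().partition("=")
            if not sep or cur is None:
                raise ValueError("malformed line: %r" % raw)
            sections[cur][key.strip()] = val.strip()
    return sections


def endpoint_ok(side, a, b):
    """left=/right= may differ only for the host behind 1:1 NAT (interface address
    or %defaultroute), and only if both files pin the same <side>id=."""
    if a.get(side) == b.get(side):
        return True
    nat_form = lambda v: v == "%defaultroute" or bool(RFC1918.match(v or ""))
    return ((nat_form(a.get(side)) or nat_form(b.get(side)))
            and a.get(side + "id") is not None and a.get(side + "id") == b.get(side + "id"))


def mirrored(conf):
    """Swap every left*/right* key: the 'each host calls itself left' mistake."""
    out = []
    for line in conf.splitlines():
        s = line.lstrip()
        if s.startswith("left"):
            line = line.replace("left", "right", 1)
        elif s.startswith("right"):
            line = line.replace("right", "left", 1)
        out.append(line)
    return "\n".join(out)


def check_pair(conf_a, conf_b, conn):
    """Return a list of problems; empty means the two files describe one link."""
    a, b = parse_ipsec_conf(conf_a)[conn], parse_ipsec_conf(conf_b)[conn]
    problems = []
    if a.get("left") == b.get("right") and a.get("right") == b.get("left"):
        problems.append("files are mirrored: left/right must name the same hosts on both ends")
    for key in MUST_MATCH:
        if a.get(key) != b.get(key):
            problems.append("%s differs: %r vs %r" % (key, a.get(key), b.get(key)))
    for side in ("left", "right"):
        if not endpoint_ok(side, a, b):
            problems.append("%s= differs (%r vs %r) without a shared %sid=" % (side, a.get(side), b.get(side), side))
    if a.get("leftrsasigkey") == a.get("rightrsasigkey"):
        problems.append("leftrsasigkey and rightrsasigkey are the same key")
    for alg in ("ike", "esp"):
        if any(w in (a.get(alg) or "").lower() for w in WEAK):
            problems.append("%s=%s uses a weak algorithm" % (alg, a.get(alg)))
    return problems


if __name__ == "__main__":
    print("corrected pair:", check_pair(RACKSPACE_CONF, AWS_CONF, "compconnection") or "OK")
    print("mirrored pair: ", check_pair(RACKSPACE_CONF, mirrored(RACKSPACE_CONF), "compconnection"))
```

Against the two files in the question the checker reports the mirrored left/right, the swapped leftrsasigkey/rightrsasigkey, and esp=3des-md5; the key swap alone is enough for the Rackspace side's signature to verify against the wrong public key once Main Mode gets that far. Two further items the ipsec verify output raises and the checker does not cover: the Rackspace "IP forwarding [FAILED]" line means net.ipv4.ip_forward=0, so other hosts in 192.168.3.0/24 will not be routed into the tunnel even once it is up, and on the AWS side the instance's source/destination check has to be disabled for the same reason.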
