  1. #1 gustavoavila (Just Joined!, Join Date: Jan 2013, Posts: 1)

    Help Site-to-Site IPSec VPN VPC Openswan


    Hi folks,

    I'm a complete noob at openswan, and I tried to configure a site-to-site IPSec VPN between Amazon VPC (172.20.10.0/24) and my branch office network (172.20.2.0/24).

    I was following this tutorial: gist.github.com/2871257, but I can't get a connection.

    Here is my configuration:

    Amazon VPC:

    Ubuntu 12.04 x64
    Openswan 2.6.37
    Network: 172.20.10.0/24
    Ubuntu local IP: 172.20.10.221
    Public IP: 107.23.111.XXX

    ipsec.conf:
    Code:
    # /etc/ipsec.conf - Openswan IPsec configuration file
    
    # This file:  /usr/share/doc/openswan/ipsec.conf-sample
    #
    # Manual:     ipsec.conf.5
    
    
    version 2.0     # conforms to second version of ipsec.conf specification
    
    # basic configuration
    config setup
            # Do not set debug options to debug configuration issues!
            # plutodebug / klipsdebug = "all", "none" or a combination from below:
            # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
            # eg:
            # plutodebug="control parsing"
            # Again: only enable plutodebug or klipsdebug when asked by a developer
            #
            # enable to get logs per-peer
            # plutoopts="--perpeerlog"
            #
            # Enable core dumps (might require system changes, like ulimit -C)
            # This is required for abrtd to work properly
            # Note: incorrect SElinux policies might prevent pluto writing the core
            dumpdir=/var/run/pluto/
            #
            # NAT-TRAVERSAL support, see README.NAT-Traversal
            nat_traversal=yes
            # exclude networks used on server side by adding %v4:!a.b.c.0/24
            # It seems that T-Mobile in the US and Rogers/Fido in Canada are
            # using 25/8 as "private" address space on their 3G network.
            # This range has not been announced via BGP (at least up to 2010-12-21)
            virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,%v4:!172.20.2.0./24
            # OE is now off by default. Uncomment and change to on, to enable.
            oe=off
            # which IPsec stack to use. auto will try netkey, then klips then mast
            protostack=auto
            # Use this to log to a file, or disable logging on embedded systems (like openwrt)
            #plutostderrlog=/dev/null
    
    # Add connections here
    
    # sample VPN connection
    # for more examples, see /etc/ipsec.d/examples/
    #conn sample
    #               # Left security gateway, subnet behind it, nexthop toward right.
    #               left=10.0.0.1
    #               leftsubnet=172.16.0.0/24
    #               leftnexthop=10.22.33.44
    #               # Right security gateway, subnet behind it, nexthop toward left.
    #               right=10.12.12.1
    #               rightsubnet=192.168.0.0/24
    #               rightnexthop=10.101.102.103
    #               # To authorize this connection, but not actually start it,
    #               # at startup, uncomment this.
    #               #auto=add
    
    include /etc/ipsec.d/*.conf

    /etc/ipsec.d/vimex.conf:

    Code:
    conn vimex
            authby=secret
            forceencaps=yes
            auto=start
            left=%defaultroute
            leftid=107.23.111.XXX
            leftsourceip=107.23.111.XXX
            right=201.122.32.XXX
            rightid=201.122.32.XXX
            rightsubnet=172.20.2.0/24

    vimex.secrets:

    Code:
    201.122.32.XXX 0.0.0.0: PSK "12345"

    Branch office (VIMEX):

    Ubuntu 12.04 x32
    Openswan 2.6.37
    Network: 172.20.2.0/24
    Ubuntu local IP: 172.20.2.193
    Public IP: 201.122.32.XXX
    *This network is behind an Endian firewall and the Ubuntu server is NATed.

    ipsec.conf:

    Code:
    # /etc/ipsec.conf - Openswan IPsec configuration file
    
    # This file:  /usr/share/doc/openswan/ipsec.conf-sample
    #
    # Manual:     ipsec.conf.5
    
    
    version 2.0     # conforms to second version of ipsec.conf specification
    
    # basic configuration
    config setup
            # Do not set debug options to debug configuration issues!
            # plutodebug / klipsdebug = "all", "none" or a combination from below:
            # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
            # eg:
            # plutodebug="control parsing"
            # Again: only enable plutodebug or klipsdebug when asked by a developer
            #
            # enable to get logs per-peer
            # plutoopts="--perpeerlog"
            #
            # Enable core dumps (might require system changes, like ulimit -C)
            # This is required for abrtd to work properly
            # Note: incorrect SElinux policies might prevent pluto writing the core
            dumpdir=/var/run/pluto/
            #
            # NAT-TRAVERSAL support, see README.NAT-Traversal
            nat_traversal=yes
            # exclude networks used on server side by adding %v4:!a.b.c.0/24
            # It seems that T-Mobile in the US and Rogers/Fido in Canada are
            # using 25/8 as "private" address space on their 3G network.
            # This range has not been announced via BGP (at least up to 2010-12-21)
            virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,$/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10,,%v4:!172.20.10.0/24
            # OE is now off by default. Uncomment and change to on, to enable.
            oe=off
            # which IPsec stack to use. auto will try netkey, then klips then mast
            protostack=netkey
            # Use this to log to a file, or disable logging on embedded systems (like openwrt)
            #plutostderrlog=/dev/null
    
    # Add connections here
    
    # sample VPN connection
    # for more examples, see /etc/ipsec.d/examples/
    #conn sample
    #               # Left security gateway, subnet behind it, nexthop toward right.
    #               left=10.0.0.1
    #               leftsubnet=172.16.0.0/24
    #               leftnexthop=10.22.33.44
    #               # Right security gateway, subnet behind it, nexthop toward left.
    #               right=10.12.12.1
    #               rightsubnet=192.168.0.0/24
    #               rightnexthop=10.101.102.103
    #               # To authorize this connection, but not actually start it,
    #               # at startup, uncomment this.
    #               #auto=add
    
    include /etc/ipsec.d/*.conf

    /etc/ipsec.d/vpc.conf:

    Code:
    conn vpc
            authby=secret
            forceencaps=yes
            auto=start
            left=%defaultroute
            leftid=201.122.32.XX
            leftsourceip=201.122.32.XX
            right=107.23.111.XX
            rightid=107.23.111.XX
            rightsubnet=172.20.10.0/24

    vpc.secrets:

    Code:
    107.23.111.XXX 0.0.0.0: PSK "12345"

    When I start the openswan service and do

    Code:
    ipsec auto --up vpc

    or

    Code:
    ipsec auto --up vimex

    I get this error:

    Code:
    022 "vpc": We cannot identify ourselves with either end of this connection.

    Do you have any idea what's wrong?

    Thanks for any advice.
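
As an added example, not code from the thread or from Openswan, here is a small Python checker that reproduces the rule behind the error above: pluto only brings up a conn it can orient, i.e. one whose left or right resolves to an address the host actually holds. It also flags the site-to-site defects visible in the posted files: neither conn declares its own leftsubnet, leftsourceip is set to a public address that neither NATed host holds, and both virtual_private lines contain malformed entries (172.20.2.0./24 and the $/12 fragment). The public addresses 203.0.113.10 and 198.51.100.20 are constructed placeholders for the masked ones, and 172.20.10.221 is the VPC instance's private address from the post.

```python
import ipaddress
# Checker for the conn blocks and virtual_private= lines posted in the thread: it
# reproduces pluto's orientation rule and flags the defects visible in the post.

def parse_conn(text):
    """Collect the key=value lines of one conn block into a dict."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].strip().partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def check_conn(conf, local_addrs, default_route_addr):
    """Return findings for one conn; an empty list means nothing was flagged."""
    findings, resolved = [], {}
    for side in ("left", "right"):
        host = conf.get(side, "")
        resolved[side] = default_route_addr if host == "%defaultroute" else host
        if side + "subnet" not in conf:
            findings.append(f"{side}subnet missing: host-to-subnet, not site-to-site")
        src = conf.get(side + "sourceip")
        if src and resolved[side] in local_addrs and src not in local_addrs:
            findings.append(f"{side}sourceip {src} is not an address this host holds")
    # pluto rejects an unoriented conn with error 022 "We cannot identify ourselves..."
    if not any(addr in local_addrs for addr in resolved.values()):
        findings.append("unoriented: neither left nor right is a local address")
    return findings

def check_virtual_private(value):
    """Return the entries of virtual_private= that are not %v4:/%v6: prefixes."""
    bad = []
    for entry in value.split(","):
        fam, _, net = entry.partition(":")
        try:
            ipaddress.ip_network(net.lstrip("!"), strict=False)
            ok = fam in ("%v4", "%v6")
        except ValueError:
            ok = False
        if not ok:
            bad.append(entry)
    return bad

# Constructed input: the VPC-side conn as posted, with RFC 5737 placeholders for
# the masked public IPs. The instance holds only 172.20.10.221 (1:1 NAT in EC2).
VPC_CONN = parse_conn("left=%defaultroute\nleftid=203.0.113.10\nleftsourceip=203.0.113.10\n"
                      "right=198.51.100.20\nrightid=198.51.100.20\nrightsubnet=172.20.2.0/24\n")
VPC_FINDINGS = check_conn(VPC_CONN, {"172.20.10.221"}, "172.20.10.221")
VP_BAD = check_virtual_private("%v4:10.0.0.0/8,%v6:fd00::/8,$/12,,%v4:!172.20.2.0./24")
```

Run against the branch-office conn with its own local address set (172.20.2.193) the same two findings appear, since that file mirrors the VPC one.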

  2. #2 msohail (Just Joined!, Join Date: Nov 2011, Posts: 47)
    Quote Originally Posted by gustavoavila (post #1, quoted in full)

    Try SSL-Explorer - Simple to configure and easy to use.

    Jazak Allah,
    Sohail
