
Trying to set up an openswan-based server sitting in an Amazon VPC cluster. The goal is to make it so we can VPN into VPC and have our workstations be as if they were on the network, more of a roadwarrior configuration.

Our VPN client of choice is Equinux VPN Tracker (http://equinux.com/us/products/vpntracker/) for Mac OS X. We already use it to connect to our existing networks through hardware based VPNs and were hoping to just continue using it to connect to our VPC network.

So far, I have it set up so that I can successfully connect to the openswan server running in VPC, however I can only ping the openswan server's internal IP. I can't talk to anything else on the network. I can run tcpdump and see the ping requests show up, however they never make it to the other host.

My first thought was that it was related to the EC2 instance only having a single network interface, however I have set up OpenVPN connections before without a problem, though they usually make use of a tunnel device and I haven't really found an example of openswan with a tunnel or a single interface.

Any help would be greatly appreciated.

Some configuration:

VPC Subnet: 10.10.1.0/24
VPC Gateway: 10.10.1.1
Openswan Private IP: 10.10.1.11
Openswan Public IP: xxx.xxx.xxx.xxx

Openswan Configuration:

version 2.0

config setup
  interfaces=%defaultroute
  klipsdebug=none
  plutodebug=none
  dumpdir=/var/log
  nat_traversal=yes
  virtual_private=%v4:10.10.1.0/24

conn vpntracker-psk
  left=%any
  leftsubnet=vhost:%no,%priv
  right=10.10.1.11
  rightid=xxx.xxx.xxx.xxx
  rightsubnet=10.10.1.0/24
  rightnexthop=10.10.1.1
  auto=add
  authby=secret
  dpddelay=40
  dpdtimeout=130
  dpdaction=clear
  pfs=yes
  forceencaps=yes

iptables/sysctl:

sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

tcpdump output:

09:13:25.346645 IP ROADWARRIOR_IP.4500 > ip-10-10-1-11.4500: UDP-encap: ESP(spi=0x38543e78,seq=0x6), length 116
09:13:25.346645 IP 10.200.0.30 > 10.10.1.251: ICMP echo request, id 21250, seq 0, length 64
09:13:25.346789 IP ip-10-10-1-11.4500 > ROADWARRIOR_IP.4500: UDP-encap: ESP(spi=0x07046a51,seq=0x6), length 148
09:13:26.506120 IP ROADWARRIOR_IP.4500 > ip-10-10-1-11.4500: UDP-encap: ESP(spi=0x38543e78,seq=0x7), length 116
09:13:26.506120 IP 10.200.0.30 > 10.10.1.251: ICMP echo request, id 21250, seq 1, length 64
09:13:26.506245 IP ip-10-10-1-11.4500 > ROADWARRIOR_IP.4500: UDP-encap: ESP(spi=0x07046a51,seq=0x7), length 148
09:13:27.332308 IP ROADWARRIOR_IP.4500 > ip-10-10-1-11.4500: UDP-encap: ESP(spi=0x38543e78,seq=0x8), length 116
09:13:27.332308 IP 10.200.0.30 > 10.10.1.251: ICMP echo request, id 21250, seq 2, length 64
09:13:27.332397 IP ip-10-10-1-11.4500 > ROADWARRIOR_IP.4500: UDP-encap: ESP(spi=0x07046a51,seq=0x8), length 148

ping output from OS X:

:~> ping 10.10.1.251
PING 10.10.1.251 (10.10.1.251): 56 data bytes
92 bytes from 10.10.1.11: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 6c64   0 0000  3f  01 f85a 10.200.0.30  10.10.1.251 

Request timeout for icmp_seq 0
92 bytes from 10.10.1.11: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 1818   0 0000  3f  01 4ca7 10.200.0.30  10.10.1.251 

Request timeout for icmp_seq 1
92 bytes from 10.10.1.11: Destination Host Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 1a09   0 0000  3f  01 4ab6 10.200.0.30  10.10.1.251 

Request timeout for icmp_seq 2
Ken Robertson
  • I was excited at first to see this question since I am struggling through the same thing. Then I noticed it is unanswered. I will continue digging for an answer. I'm a software architect who plays IT guy during the early stage of startups but feeling a little over my head. At the moment I'm using OpenVPN but I'll use a Linux/Mac/Windows compatible IPSec-based VPN in my VPC. Hit me back Ken if you ever solved this. – Rich Sadowsky Nov 11 '14 at 23:37
  • I am also in more or less the same situation. Still looking for an answer. – mwangi Nov 15 '14 at 10:41
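The capture in the question shows the same pattern three times: an ESP packet arrives from the client, the gateway decrypts it into an echo request for 10.10.1.251, and within a fraction of a millisecond the gateway sends ESP back to the client, with no clear-text reply from 10.10.1.251 anywhere in between. The Python below is an added example, not part of the question or of openswan. It parses tcpdump lines of that shape, pairs each decrypted request with any clear-text echo reply and with the gateway's next ESP packet to the client, and checks whether the client's tunnel address lies inside the VPC subnet (if it does not, VPC hosts need either NAT on the gateway or a route back to that address before any reply can return). Both capture strings are constructed: the first repeats the lines quoted above, the second is what a working tunnel would show, with the target's reply passing the gateway in clear before re-encryption. The gateway host name and subnet are passed in as parameters.

```python
"""Pair decrypted ICMP echo requests in an IPsec gateway's tcpdump with what came back.
Added example (not from the question or openswan); sample captures are constructed."""
import ipaddress
import re

# Constructed copy of the question's capture: ESP in, decrypted request, ESP out.
STALLED_CAPTURE = """
09:13:25.346645 IP ROADWARRIOR_IP.4500 > ip-10-10-1-11.4500: UDP-encap: ESP(spi=0x38543e78,seq=0x6), length 116
09:13:25.346645 IP 10.200.0.30 > 10.10.1.251: ICMP echo request, id 21250, seq 0, length 64
09:13:25.346789 IP ip-10-10-1-11.4500 > ROADWARRIOR_IP.4500: UDP-encap: ESP(spi=0x07046a51,seq=0x6), length 148
09:13:26.506120 IP ROADWARRIOR_IP.4500 > ip-10-10-1-11.4500: UDP-encap: ESP(spi=0x38543e78,seq=0x7), length 116
09:13:26.506120 IP 10.200.0.30 > 10.10.1.251: ICMP echo request, id 21250, seq 1, length 64
09:13:26.506245 IP ip-10-10-1-11.4500 > ROADWARRIOR_IP.4500: UDP-encap: ESP(spi=0x07046a51,seq=0x7), length 148
09:13:27.332308 IP ROADWARRIOR_IP.4500 > ip-10-10-1-11.4500: UDP-encap: ESP(spi=0x38543e78,seq=0x8), length 116
09:13:27.332308 IP 10.200.0.30 > 10.10.1.251: ICMP echo request, id 21250, seq 2, length 64
09:13:27.332397 IP ip-10-10-1-11.4500 > ROADWARRIOR_IP.4500: UDP-encap: ESP(spi=0x07046a51,seq=0x8), length 148
"""

# Constructed capture of a working tunnel: the target's clear-text reply shows up
# on the gateway before it is re-encrypted for the client.
WORKING_CAPTURE = """
09:20:01.000100 IP ROADWARRIOR_IP.4500 > ip-10-10-1-11.4500: UDP-encap: ESP(spi=0x38543e78,seq=0x9), length 116
09:20:01.000100 IP 10.200.0.30 > 10.10.1.251: ICMP echo request, id 21250, seq 3, length 64
09:20:01.000900 IP 10.10.1.251 > 10.200.0.30: ICMP echo reply, id 21250, seq 3, length 64
09:20:01.000950 IP ip-10-10-1-11.4500 > ROADWARRIOR_IP.4500: UDP-encap: ESP(spi=0x07046a51,seq=0x9), length 116
"""

TS = r"(?P<ts>\d\d:\d\d:\d\d\.\d+)"
ESP_RE = re.compile(TS + r" IP (?P<src>\S+) > (?P<dst>\S+): UDP-encap: "
                    r"ESP\(spi=(?P<spi>0x[0-9a-f]+),seq=(?P<seq>0x[0-9a-f]+)\), length (?P<len>\d+)$")
ICMP_RE = re.compile(TS + r" IP (?P<src>\S+) > (?P<dst>\S+): ICMP echo (?P<kind>request|reply), "
                     r"id (?P<id>\d+), seq (?P<seq>\d+), length (?P<len>\d+)$")


def _usec(ts):
    """'HH:MM:SS.uuuuuu' -> microseconds since midnight (captures here never cross midnight)."""
    hms, frac = ts.split(".")
    h, m, s = (int(x) for x in hms.split(":"))
    return (h * 3600 + m * 60 + s) * 1_000_000 + int(frac)


def parse(text):
    """Turn tcpdump lines into dicts; lines that are neither ESP nor ICMP echo are skipped."""
    packets = []
    for line in text.strip().splitlines():
        m = ESP_RE.match(line)
        if m:
            packets.append({"ts": _usec(m["ts"]), "proto": "esp", "src": m["src"],
                            "dst": m["dst"], "len": int(m["len"])})
            continue
        m = ICMP_RE.match(line)
        if m:
            packets.append({"ts": _usec(m["ts"]), "proto": "icmp", "kind": m["kind"],
                            "src": m["src"], "dst": m["dst"],
                            "id": int(m["id"]), "seq": int(m["seq"])})
    return packets


def unanswered_requests(text, gateway_host, vpc_subnet):
    """For every decrypted echo request that has no clear-text echo reply in the capture,
    report its target, how many clear-text copies of it were seen (a forwarded copy would
    be captured again on the way out), whether the client's tunnel address is inside the
    VPC subnet, and how long the gateway took to send its next ESP packet to the client."""
    packets = parse(text)
    subnet = ipaddress.ip_network(vpc_subnet)
    answered = {(p["id"], p["seq"]) for p in packets
                if p["proto"] == "icmp" and p["kind"] == "reply"}
    requests = {}  # (id, seq) -> indexes of clear-text request copies, in capture order
    for idx, p in enumerate(packets):
        if p["proto"] == "icmp" and p["kind"] == "request":
            requests.setdefault((p["id"], p["seq"]), []).append(idx)
    findings = []
    for key, idxs in requests.items():
        if key in answered:
            continue
        first = packets[idxs[0]]
        turnaround = next((q["ts"] - first["ts"] for q in packets[idxs[0] + 1:]
                           if q["proto"] == "esp" and q["src"].startswith(gateway_host)), None)
        findings.append({"id": key[0], "seq": key[1], "target": first["dst"],
                         "clear_text_copies": len(idxs),
                         "client_in_vpc_subnet": ipaddress.ip_address(first["src"]) in subnet,
                         "gateway_turnaround_us": turnaround})
    return findings


def summarize(findings):
    """One-line reading of the findings for a quick look at a capture."""
    if not findings:
        return "every decrypted echo request has a matching clear-text reply"
    targets = ", ".join(sorted({f["target"] for f in findings}))
    times = [f["gateway_turnaround_us"] for f in findings if f["gateway_turnaround_us"] is not None]
    note = f"; gateway sent ESP back after {min(times)}-{max(times)} us" if times else ""
    return f"{len(findings)} echo request(s) to {targets} never got a reply{note}"


if __name__ == "__main__":
    for name, cap in (("stalled", STALLED_CAPTURE), ("working", WORKING_CAPTURE)):
        print(name + ":", summarize(unanswered_requests(cap, "ip-10-10-1-11", "10.10.1.0/24")))
```

Run against the question's own lines, the summary reports three unanswered requests to 10.10.1.251, a single clear-text copy of each (nothing was captured leaving the gateway again), a client address outside 10.10.1.0/24, and an ESP response from the gateway within 89 to 144 microseconds. That is the wire-level counterpart of the "Destination Host Unreachable" lines that ping printed with 10.10.1.11, not 10.10.1.251, as their source.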

2 Answers


Not sure if this helps, but I found this website really useful.

http://fortycloud.com/setting-up-ipsecopenswan-in-amazon-ec2/

Scroll down to the CONFIGURING MASQUERADE section.

This helped the "Remote" end see all the hosts on my local network, and then this

http://www.howtogeek.com/howto/windows/adding-a-tcpip-route-to-the-windows-routing-table/

helped with the reverse.

  • Welcome to Server Fault! Your answer suggests a workable solution to the question is available via another website. The Stack Exchange family of Q&A websites [generally frowns on this type of answer](http://meta.stackexchange.com/questions/8231/are-answers-that-just-contain-links-elsewhere-really-good-answers). Please read [How do I write a good answer?](http://serverfault.com/help/how-to-answer) and consider revising your answer to include the steps required to resolve the issue. And don't forget to take the [site tour](http://serverfault.com/tour). – Paul Jan 02 '16 at 01:53
  • This was exactly what we were looking for! – Jesse May 04 '16 at 19:14

Always make sure to disable the Source/Destination check on your Openswan instance. I see no mention of that being done.

Craig
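Taken together, the two answers and the question's own sysctl/iptables lines come down to three things to verify on the gateway: kernel forwarding is on, tunnel clients are masqueraded (or VPC hosts have a route back to them), and the EC2 source/destination check on the instance is off. The Python below is an added example, not from the thread, the linked article or AWS. It audits captured text of `sysctl net.ipv4.ip_forward`, `iptables -t nat -S POSTROUTING` and `aws ec2 describe-instance-attribute --attribute sourceDestCheck`, so the checks can run offline on the constructed sample outputs; the real commands run only under `__main__`. The instance ID is a placeholder, and the client pool 10.200.0.0/24 is an assumption based on the client address 10.200.0.30 seen in the question.

```python
"""Audit the forwarding prerequisites raised in this thread for an IPsec gateway on EC2.
Added example, not from the question, the answers or AWS. Command outputs are passed in
as text so the checks run offline; the real commands run only under __main__."""
import json
import re
import subprocess
import sys

# Constructed sample outputs. The sysctl and iptables lines mirror the question's setup;
# the instance ID is a placeholder, not a real instance.
SAMPLE_SYSCTL = "net.ipv4.ip_forward = 1\n"
SAMPLE_NAT_RULES = "-P POSTROUTING ACCEPT\n-A POSTROUTING -o eth0 -j MASQUERADE\n"
SAMPLE_ATTR_CHECK_ON = '{"InstanceId": "i-0123456789abcdef0", "SourceDestCheck": {"Value": true}}'
SAMPLE_ATTR_CHECK_OFF = '{"InstanceId": "i-0123456789abcdef0", "SourceDestCheck": {"Value": false}}'


def audit(sysctl_out, nat_rules_out, attr_json, client_pool, uplink="eth0"):
    """Return the problems found in the text of `sysctl net.ipv4.ip_forward`,
    `iptables -t nat -S POSTROUTING` and the JSON of
    `aws ec2 describe-instance-attribute --attribute sourceDestCheck`.
    Entries starting with 'WARN' are hardening advice; the others block forwarding."""
    problems = []

    # 1. The kernel must route between the tunnel and the VPC at all.
    if not re.search(r"^net\.ipv4\.ip_forward\s*=\s*1\s*$", sysctl_out, re.M):
        problems.append("net.ipv4.ip_forward is not 1, so the kernel will not route "
                        "between the tunnel and the VPC")

    # 2. Replies from VPC hosts need a way back to the client's tunnel address:
    #    either masquerade behind the gateway's own address or a route in the VPC.
    masq = [r for r in nat_rules_out.splitlines()
            if r.startswith("-A POSTROUTING") and r.endswith("-j MASQUERADE")]
    if not any(f"-o {uplink}" in r for r in masq):
        problems.append(f"no MASQUERADE rule out {uplink}: VPC hosts would need a route back "
                        f"to {client_pool} for their replies")
    elif not any(f"-s {client_pool}" in r for r in masq):
        problems.append(f"WARN: MASQUERADE rule is not limited to -s {client_pool}; restrict "
                        "it so only tunnel clients are translated")

    # 3. With the source/destination check on, EC2 drops traffic the instance forwards
    #    on behalf of other addresses, so a gateway or NAT instance must have it off.
    attr = json.loads(attr_json)
    if attr.get("SourceDestCheck", {}).get("Value", True):
        instance_id = attr.get("InstanceId", "<instance-id>")
        problems.append("source/destination check is enabled: EC2 drops traffic the instance "
                        "forwards for other addresses; disable it with "
                        f"aws ec2 modify-instance-attribute --instance-id {instance_id} "
                        "--no-source-dest-check")
    return problems


def run(cmd):
    """Run a command and return its stdout (raises on a non-zero exit)."""
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: audit_gateway.py <instance-id> <client-pool-cidr>")
    instance_id, pool = sys.argv[1:]
    report = audit(
        run(["sysctl", "net.ipv4.ip_forward"]),
        run(["iptables", "-t", "nat", "-S", "POSTROUTING"]),
        run(["aws", "ec2", "describe-instance-attribute", "--instance-id", instance_id,
             "--attribute", "sourceDestCheck", "--output", "json"]),
        pool,
    )
    for line in report or ["no problems found"]:
        print(line)
```

On the question's configuration with the check still enabled, `audit` flags the source/destination check and, as a warning only, the unrestricted MASQUERADE rule; it stays silent once the rule carries `-s 10.200.0.0/24` and the attribute reads `false`. The sysctl setting from the question does not survive a reboot on its own; persist it in `/etc/sysctl.conf` (or a file under `/etc/sysctl.d/`) so the audit keeps passing.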