I was hoping this website would be able to help with solving this issue since I've been running in circles on my end!

I am using OpenSwan to set up an IPsec tunnel between a VPN server on Rackspace and a VPN server on AWS. I've gone through several tutorials online and have tried looking through the logs and looking up certain errors, but I'm not finding one definite answer.

Here is my ipsec.conf file for my Rackspace machine:

## general configuration parameters ##

config setup
        ## disable opportunistic encryption in Red Hat ##

## disable opportunistic encryption in Debian ##
## Note: this is a separate declaration statement ##
#include /etc/ipsec.d/examples/no_oe.conf

## connection definition in Debian ##
conn    compconnection
        ## phase 1 ##
        ## phase 2 ##
        ## for direct routing ##

Here is ipsec.conf for my AWS machine:

## general configuration parameters ##

config setup
        ## disable opportunistic encryption in Red Hat ##

## disable opportunistic encryption in Debian ##
## Note: this is a separate declaration statement ##
#include /etc/ipsec.d/examples/no_oe.conf

## connection definition in Debian ##
conn compconnection
        ## phase 1 ##
        ## phase 2 ##
        ## for direct routing ##

Once I set up the conf files I turned on the IPsec service, but I cannot get the tunnels to come up. One thing that I am noticing in the pluto.log file is that the Rackspace side is sending bits over to the public IP of AWS, but AWS is responding with:

| find_host_connection2 called from main_inI1_outR1, me= him=%any:500 policy=RSASIG
| find_host_pair_conn (find_host_connection2): %any:500 -> hp:none
| searching for connection with policy = RSASIG
| find_host_connection2 returns empty
packet from initial Main Mode message received on but no connection has been authorized with policy=RSASIG
| complete state transition with STF_IGNORE

So it looks like it's not authorizing the RSASIG key for some odd reason.

I've also tried to manually turn on the tunnel by running the ipsec auto --up command, but it times out on the Rackspace side, and on AWS it says "We cannot identify ourselves with either end of this connection".

I honestly don't know what the issue is and why it's giving me weird errors that I can't seem to fix.

Any help would be appreciated!

The public IP of Rackspace:
Private IP of Rackspace:

Public IP of AWS:
Private IP of AWS:

Additional edit/problem

I'm trying to telnet from one server to the other through port 4500, since IPsec uses that port to make a connection, and I am getting an actively refused connection coming from both ends, which is odd since it says it allows it in iptables, and on the AWS end I've configured the security groups.


target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4500
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

That is how iptables looks on both ends.

Also I'm using Ubuntu as the operating system on both ends.

IPSEC Verify output

IPSec verify on AWS:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.38/K3.13.0-74-generic (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

Rackspace IPSec Verify

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.38/K3.13.0-79-generic (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
  • Why did you change left and right parameters? They have to be the same on both machines. Also: why leftsourceip= That's a private IP. Please consider adding more detail (servers' _obfuscated_ IP addresses, NAT?, etc.) – Lenniey Apr 07 '16 at 08:08
  • From what I've read online, the left should be the machine that you are currently configuring in the conf file and the right should be the one you are making the connection to, so that is why they're different in both configs. The left is the public IP and the leftsourceip is the private IP address for that respective machine. As far as NAT is concerned, I'm unsure if there is one since one server is in Rackspace and one on AWS. Rackspace told me there is no firewall in the way, and on AWS I made sure to add port 4500 to the security groups. I also added the ports in iptables for both servers. – Nare Apr 07 '16 at 12:32
  • You have to think about it like that: (leftsubnet) - [left] <--internet--> [right] - (rightsubnet). The configuration doesn't change on the hosts. Otherwise they both would "think of themselves" as *left* with no *right* to connect to. – Lenniey Apr 07 '16 at 12:37
  • I'm assuming if I'm going with that way of thinking that the leftrsasigkey & rightrsasigkey should remain the same on both ends for the config file? I tried making those changes and leaving the config the same on both ends but the tunnel still isn't coming up. I made a couple of edits up top in case that will help – Nare Apr 07 '16 at 12:50
  • Try to start from the beginning: simplest config, PSKs instead of RSASIG, etc. and see if anything comes up. There are some pretty simple tutorials out there ([here](http://xmodulo.com/create-site-to-site-ipsec-vpn-tunnel-openswan-linux.html) for example.) – Lenniey Apr 07 '16 at 16:24
  • I've tried using that tutorial when setting up OpenSwan originally but still ran into the same issue of "Initial main mode message received on IP address but no connection has been authorized with policy = PSK". I rebuilt the servers, followed the guide exactly again, made the configuration identical on both servers and restarted the ipsec service, but I'm still getting the above error. From the looks of the pluto.log it's receiving the packet and transmitting it to the private IP address on AWS, but then that's where I get the no policy authorization error. Would it help to put the logs here? – Nare Apr 07 '16 at 18:36
  • Yeah, uploading the logs would be good. – Lenniey Apr 11 '16 at 07:30
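As an added example (not code from the original post or from Openswan), the following Python checker applies the rule from the comments above: the conn block must be identical on both peers, and each host must have either the left or the right address on one of its own interfaces, which is what the "We cannot identify ourselves with either end of this connection" message is about. The sample configs, the RFC 5737 addresses and the local address lists are constructed for the example.

```python
"""Cross-check the conn block of two Openswan ipsec.conf files (added example, not
from the original post). Encodes the advice from the comments: the conn block must
be identical on both peers, and each host must own one of the two endpoint IPs."""
import re

def parse_conns(text):
    """Return {conn_name: {key: value}} for every conn section of an ipsec.conf."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()            # drop comments and blanks
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif line and not line[0].isspace():
            current = None                                # other section, e.g. config setup
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns

def check_pair(conn_a, conn_b, local_ips_a, local_ips_b):
    """Return a list of problems; an empty list means the two conn blocks look consistent."""
    problems = []
    diffs = [k for k in sorted(set(conn_a) | set(conn_b)) if conn_a.get(k) != conn_b.get(k)]
    swapped = (conn_a.get("left"), conn_a.get("right")) == (conn_b.get("right"), conn_b.get("left"))
    if swapped and conn_a.get("left"):
        problems.append("left/right are swapped between hosts; use one identical conn block")
        diffs = [k for k in diffs if k not in ("left", "right")]
    problems += [f"{k} differs: {conn_a.get(k)!r} vs {conn_b.get(k)!r}" for k in diffs]
    # On EC2 the public IPv4 is 1:1 NAT and never on the interface: left must be the private IP.
    for host, conn, local in (("A", conn_a, local_ips_a), ("B", conn_b, local_ips_b)):
        if not {conn.get("left"), conn.get("right")} & set(local):
            problems.append(f"host {host}: neither left nor right is a local address")
    if conn_a.get("authby", "rsasig") == "rsasig":        # rsasig is Openswan's default
        for side in ("left", "right"):
            if not conn_a.get(side + "rsasigkey"):
                problems.append(f"{side}rsasigkey missing while authby=rsasig")
    return problems

# Constructed sample reproducing the question: each host names itself "left".
SAMPLE = "conn compconnection\n        left={me}\n        leftsubnet={mynet}\n" \
         "        right={peer}\n        rightsubnet={peernet}\n        authby=secret\n"
RACKSPACE_CONF = SAMPLE.format(me="203.0.113.10", mynet="10.1.0.0/24", peer="198.51.100.20", peernet="10.0.0.0/24")
AWS_CONF = SAMPLE.format(me="198.51.100.20", mynet="10.0.0.0/24", peer="203.0.113.10", peernet="10.1.0.0/24")

def demo():
    a = parse_conns(RACKSPACE_CONF)["compconnection"]
    b = parse_conns(AWS_CONF)["compconnection"]
    return check_pair(a, b, ["203.0.113.10", "10.1.0.1"], ["10.0.0.5"])
```

Running demo() reports the swapped left/right block, the two subnet mismatches that follow from it, and that the EC2 host (which only has its private address) owns neither endpoint.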