Hi, I typo'd the users' DL on the mail below. If someone can help with the query below it would be appreciated. I understand if the topology is not understood. Regards, Neil.
Begin forwarded message:

> From: neil payne <[email protected]>
> Date: 2 May 2011 20:13:56 GMT+01:00
> To: neil payne <[email protected]>
> Cc: Andreas Steffen <[email protected]>, Alan Parkinson <[email protected]>, [email protected]
> Subject: Re: no ike packets being generated
>
> We've overcome this error by giving the elastic IP address to the dummy0 interface on the new AWS instance. Although the packets appear to be sent by the instance after using the 'up up' command they never arrive at the remote firewall. We can however ping the remote firewall.
> Below shows a tcpdump on the AWS instance (on its only physical interface) during ping and then after issuing the up up command. The ping traffic receives replies but the IKE packets do not - do you think they are being blackholed by the firewall even though they are captured on the physical interface?
>
> !!!! ping is successful
> 18:55:01.844445 IP 50-56-121-20.static.cloud-ips.com > 10.5.51.242: ICMP echo reply, id 17185, seq 13, length 64
> 18:55:02.729528 IP 10.5.51.242 > 50-56-121-20.static.cloud-ips.com: ICMP echo request, id 17185, seq 14, length 64
> 18:55:02.854489 IP 50-56-121-20.static.cloud-ips.com > 10.5.51.242: ICMP echo reply, id 17185, seq 14, length 64
> 18:55:03.739513 IP 10.5.51.242 > 50-56-121-20.static.cloud-ips.com: ICMP echo request, id 17185, seq 15, length 64
> 18:55:03.864476 IP 50-56-121-20.static.cloud-ips.com > 10.5.51.242: ICMP echo reply, id 17185, seq 15, length 64
> 18:55:04.749507 IP 10.5.51.242 > 50-56-121-20.static.cloud-ips.com: ICMP echo request, id 17185, seq 16, length 64
> 18:55:04.883326 IP 50-56-121-20.static.cloud-ips.com > 10.5.51.242: ICMP echo reply, id 17185, seq 16, length 64
> 18:55:05.759502 IP 10.5.51.242 > 50-56-121-20.static.cloud-ips.com: ICMP echo request, id 17185, seq 17, length 64
> 18:55:05.893521 IP 50-56-121-20.static.cloud-ips.com > 10.5.51.242: ICMP echo reply, id 17185, seq 17, length 64
> 18:55:06.769529 IP 10.5.51.242 > 50-56-121-20.static.cloud-ips.com: ICMP echo request, id 17185, seq 18, length 64
> 18:55:06.903207 IP 50-56-121-20.static.cloud-ips.com > 10.5.51.242: ICMP echo reply, id 17185, seq 18, length 64
> 18:55:07.779595 IP 10.5.51.242 > 50-56-121-20.static.cloud-ips.com: ICMP echo request, id 17185, seq 19, length 64
> 18:55:07.913360 IP 50-56-121-20.static.cloud-ips.com > 10.5.51.242: ICMP echo reply, id 17185, seq 19, length 64
>
> !!! ike packets never arrive at the rightfirewall
> 18:57:10.043768 IP ec2-46-51-193-228.eu-west-1.compute.amazonaws.com.isakmp > 50-56-121-20.static.cloud-ips.com.isakmp: isakmp: phase 1 I ident
> 18:57:20.068922 IP ec2-46-51-193-228.eu-west-1.compute.amazonaws.com.isakmp > 50-56-121-20.static.cloud-ips.com.isakmp: isakmp: phase 1 I ident
> 18:57:40.099089 IP ec2-46-51-193-228.eu-west-1.compute.amazonaws.com.isakmp > 50-56-121-20.static.cloud-ips.com.isakmp: isakmp: phase 1 I ident
>
> Regards,
> Neil.
>
> On 28 Apr 2011, at 14:06, neil payne wrote:
>
>> Andreas,
>> We built a 'vanilla' new-build Linux AWS instance and loaded v4.3.2 fresh. Unfortunately when I try to bring up the connection with the command ipsec up net-net I see the following entry in the logs:
>>
>> Apr 28 12:58:16 ip-10-5-51-242 pluto[2167]: "net-net": we have no ipsecN interface for either end of this connection
>>
>> There is only one physical interface as it is an AWS instance. We tried binding the elastic IP to the dummy0 interface in order to leverage the cloud infrastructure to no avail, and while strongSwan finds the interface and IP on starting it appears it won't try to encapsulate the traffic when we bring up the connection - is the above error terminal for this scenario?
>>
>> Regards,
>> Neil.
>>
>> On 26 Apr 2011, at 15:40, neil payne wrote:
>>
>>> Hi Andreas,
>>> We reverted to v4.3.2 but the 'up' command still doesn't recognize the net-net connection:
>>>
>>> ubuntu@ip-10-5-51-61:~$ sudo ipsec --version
>>> sudo: unable to resolve host ip-10-5-51-61
>>> Linux strongSwan U4.3.2/K2.6.32-312-ec2
>>> Institute for Internet Technologies and Applications
>>> University of Applied Sciences Rapperswil, Switzerland
>>> See 'ipsec --copyright' for copyright information.
>>> ubuntu@ip-10-5-51-61:~$ sudo ipsec up net-net
>>> sudo: unable to resolve host ip-10-5-51-61
>>> 021 no connection named "net-net"
>>> ubuntu@ip-10-5-51-61:~$ sudo ipsec statusall    !!!!!!!!! this has the appearance of the later version's statusall output rather than v4.3.2 !!!!!!!!
>>> sudo: unable to resolve host ip-10-5-51-61
>>> 000 Status of IKEv1 pluto daemon (strongSwan 4.3.2):
>>> 000 interface lo/lo ::1:500
>>> 000 interface lo/lo 127.0.0.1:500
>>> 000 interface eth0/eth0 10.5.51.61:500
>>> 000 interface dummy0/dummy0 46.51.193.145:500
>>> 000 %myid = (none)
>>> 000 loaded plugins: aes des sha1 sha2 md5 random pubkey hmac gmp
>>> 000 debug options: none
>>> 000
>>> Status of IKEv2 charon daemon (strongSwan 4.3.2):
>>> uptime: 4 minutes, since Apr 26 14:28:12 2011
>>> worker threads: 9 idle of 16, job queue load: 0, scheduled events: 0
>>> loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey xcbc hmac gmp kernel-netlink stroke updown attr resolv-conf
>>> Listening IP addresses:
>>> 10.5.51.61
>>> 46.51.193.145
>>> Connections:
>>> Security Associations:
>>> none
>>>
>>> <leftfirewall2-ipsec.conf.rtf>
>>>
>>> On 21 Apr 2011, at 13:25, neil payne wrote:
>>>
>>>> Hi Andreas,
>>>> We're now running version 4.5.1 on the leftfirewall (downgraded from the one below). We are using the same config files as the ones I sent last night but on the left firewall it doesn't recognize the net-net connection:
>>>>
>>>> ubuntu@ip-10-5-51-61:/etc$ sudo ipsec --version
>>>> sudo: unable to resolve host ip-10-5-51-61
>>>> Linux strongSwan U4.5.1/K2.6.32-312-ec2
>>>> Institute for Internet Technologies and Applications
>>>> University of Applied Sciences Rapperswil, Switzerland
>>>> See 'ipsec --copyright' for copyright information.
>>>> ubuntu@ip-10-5-51-61:/etc$ sudo ipsec up net-net
>>>> sudo: unable to resolve host ip-10-5-51-61
>>>> 021 no connection named "net-net"
>>>>
>>>> If I use ipsec up net-net on the rightfirewall running 4.3.2 it does generate IKE packets which reach the leftfirewall but the left firewall doesn't recognize it and logs:
>>>>
>>>> Apr 21 12:10:15 ip-10-5-51-61 pluto[16057]: packet from 50.56.121.20:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
>>>> Apr 21 12:10:15 ip-10-5-51-61 pluto[16057]: packet from 50.56.121.20:500: initial Main Mode message received on 10.5.51.61:500 but no connection has been authorized with policy=PSK
>>>>
>>>> Regards,
>>>> Neil.
>>>>
>>>> On 20 Apr 2011, at 22:43, neil payne wrote:
>>>>
>>>>> Hi Andreas,
>>>>> No!
>>>>> In fact I didn't know this was the ignition key.
>>>>> Unfortunately my colleague upgraded to strongSwan 4.5.2dr5 on my prompting on one of the firewalls and now ipsec won't start - I get the following messages in auth.log:
>>>>>
>>>>> Apr 20 21:32:06 ip-10-5-51-61 ipsec_starter[21851]: pluto has died -- restart scheduled (5sec)
>>>>> Apr 20 21:32:06 ip-10-5-51-61 ipsec_starter[21851]: pluto refused to be started
>>>>> Apr 20 21:32:06 ip-10-5-51-61 ipsec_starter[21851]: charon has died -- restart scheduled (5sec)
>>>>> Apr 20 21:32:06 ip-10-5-51-61 ipsec_starter[21851]: charon refused to be started
>>>>> Apr 20 21:32:11 ip-10-5-51-61 ipsec_starter[21851]: pluto has died -- restart scheduled (5sec)
>>>>> Apr 20 21:32:11 ip-10-5-51-61 ipsec_starter[21851]: pluto refused to be started
>>>>> Apr 20 21:32:11 ip-10-5-51-61 ipsec_starter[21851]: charon has died -- restart scheduled (5sec)
>>>>> Apr 20 21:32:11 ip-10-5-51-61 ipsec_starter[21851]: charon refused to be started
>>>>> Apr 20 21:32:16 ip-10-5-51-61 ipsec_starter[21851]: pluto has died -- restart scheduled (5sec)
>>>>> Apr 20 21:32:16 ip-10-5-51-61 ipsec_starter[21851]: pluto refused to be started
>>>>> Apr 20 21:32:16 ip-10-5-51-61 ipsec_starter[21851]: charon has died -- restart scheduled (5sec)
>>>>> Apr 20 21:32:16 ip-10-5-51-61 ipsec_starter[21851]: charon refused to be started
>>>>> Apr 20 21:32:21 ip-10-5-51-61 ipsec_starter[21851]: pluto has died -- restart scheduled (5sec)
>>>>> Apr 20 21:32:21 ip-10-5-51-61 ipsec_starter[21851]: pluto refused to be started
>>>>>
>>>>> I fear that we didn't need this upgrade and my configs may have worked with the standard release if I'd known about this start command.
>>>>> Would you recommend uninstalling this release or are the errors recoverable?
>>>>> Thank you very much for your time and attention.
>>>>> Regards,
>>>>> Neil.
>>>>>
>>>>> On 20 Apr 2011, at 20:43, Andreas Steffen wrote:
>>>>>
>>>>>> Hi Neil,
>>>>>>
>>>>>> are you starting the connection explicitly with
>>>>>>
>>>>>> ipsec up net-net
>>>>>>
>>>>>> on one of the two peers?
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Andreas
>>>>>>
>>>>>> On 20.04.2011 19:56, neil payne wrote:
>>>>>>> Hi Andreas, I amended my syntax on ipsec.secrets as you suggested (maybe change crypto algos later) but I still see no IKE packets generated by the firewall on either side when I try and ping the remote encryption domain. Is my config missing something? I don't know how I'm going wrong here, but surely it is something fundamental missing; I cannot tell, as I've followed the available documentation as best as I can. I'm getting desperate for a solution now.
>>>>>>>
>>>>>>> Thanks, Neil
>>>>>>
>>>>>> ======================================================================
>>>>>> Andreas Steffen [email protected]
>>>>>> strongSwan - the Linux VPN Solution! www.strongswan.org
>>>>>> Institute for Internet Technologies and Applications
>>>>>> University of Applied Sciences Rapperswil
>>>>>> CH-8640 Rapperswil (Switzerland)
>>>>>> ===========================================================[ITA-HSR]==
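An added example, not part of the thread above and not strongSwan code: a small Python script that parses tcpdump summary lines like the ones in the 2 May capture and reports, per peer and protocol, how many packets the capturing host sent, how many came back, and which local address the outbound packets were sourced from. The sample lines are copied from the capture above (re-joined onto single lines); the set of local addresses is an assumption taken from that capture, namely the eth0 private address and the elastic IP that had been bound to dummy0.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the 2 May capture in the thread above,
# re-joined onto single lines (one ICMP flow, one ISAKMP flow).
SAMPLE_CAPTURE = """\
18:55:01.844445 IP 50-56-121-20.static.cloud-ips.com > 10.5.51.242: ICMP echo reply, id 17185, seq 13, length 64
18:55:02.729528 IP 10.5.51.242 > 50-56-121-20.static.cloud-ips.com: ICMP echo request, id 17185, seq 14, length 64
18:55:02.854489 IP 50-56-121-20.static.cloud-ips.com > 10.5.51.242: ICMP echo reply, id 17185, seq 14, length 64
18:55:03.739513 IP 10.5.51.242 > 50-56-121-20.static.cloud-ips.com: ICMP echo request, id 17185, seq 15, length 64
18:55:03.864476 IP 50-56-121-20.static.cloud-ips.com > 10.5.51.242: ICMP echo reply, id 17185, seq 15, length 64
18:55:04.749507 IP 10.5.51.242 > 50-56-121-20.static.cloud-ips.com: ICMP echo request, id 17185, seq 16, length 64
18:55:04.883326 IP 50-56-121-20.static.cloud-ips.com > 10.5.51.242: ICMP echo reply, id 17185, seq 16, length 64
18:57:10.043768 IP ec2-46-51-193-228.eu-west-1.compute.amazonaws.com.isakmp > 50-56-121-20.static.cloud-ips.com.isakmp: isakmp: phase 1 I ident
18:57:20.068922 IP ec2-46-51-193-228.eu-west-1.compute.amazonaws.com.isakmp > 50-56-121-20.static.cloud-ips.com.isakmp: isakmp: phase 1 I ident
18:57:40.099089 IP ec2-46-51-193-228.eu-west-1.compute.amazonaws.com.isakmp > 50-56-121-20.static.cloud-ips.com.isakmp: isakmp: phase 1 I ident
"""

# Addresses the capturing instance sends from. Assumed from the capture:
# the eth0 private address and the elastic IP that was bound to dummy0.
LOCAL_ADDRS = {
    "10.5.51.242",
    "ec2-46-51-193-228.eu-west-1.compute.amazonaws.com",
}

# tcpdump "IP" summary line: timestamp, "src > dst:", then the decoded payload.
LINE_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")


def parse_line(line):
    """Return (proto, src, dst) for ICMP and ISAKMP lines, else None.
    UDP endpoints carry a trailing ".<port-or-service>" that is stripped;
    ICMP endpoints have no port suffix."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, dst, rest = m.group("src"), m.group("dst"), m.group("rest")
    if rest.startswith("ICMP"):
        return "icmp", src, dst
    if rest.startswith("isakmp"):
        return "isakmp", src.rsplit(".", 1)[0], dst.rsplit(".", 1)[0]
    return None  # other traffic is ignored in this example


def analyze(capture, local_addrs):
    """Per (proto, peer): packets we sent, packets that came back, and the
    local address(es) our packets were sourced from."""
    flows = defaultdict(lambda: {"out": 0, "in": 0, "local_sources": set()})
    for line in capture.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        proto, src, dst = parsed
        if src in local_addrs:
            flows[(proto, dst)]["out"] += 1
            flows[(proto, dst)]["local_sources"].add(src)
        elif dst in local_addrs:
            flows[(proto, src)]["in"] += 1
    return dict(flows)


def unanswered(flows):
    """Flows with outbound packets and no reply at all: the one-way pattern a
    remote filter, or a NAT that does not map the source address, produces."""
    return sorted(k for k, f in flows.items() if f["out"] and not f["in"])


def report(capture, local_addrs):
    """One human-readable line per flow."""
    flows = analyze(capture, local_addrs)
    lines = []
    for (proto, peer), f in sorted(flows.items()):
        status = "answered" if f["in"] else "UNANSWERED"
        lines.append("%-6s -> %s: out=%d in=%d from=%s [%s]" % (
            proto, peer, f["out"], f["in"],
            ",".join(sorted(f["local_sources"])) or "-", status))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CAPTURE, LOCAL_ADDRS)))
```

On the sample it reports the ICMP flow as answered and the ISAKMP flow as unanswered, and shows that the ISAKMP packets were sourced from the elastic-IP hostname rather than from the private address the pings used. That difference is the first thing to check on a cloud host: an elastic IP is a 1:1 NAT mapping applied by the cloud network to the instance's private address, not an address the instance owns, so the usual strongSwan arrangement for a host behind NAT (this is the editor's suggestion, not something from the thread) is to bind to the private address and present the public one as identity, i.e. left=10.5.51.242 with leftid=46.51.193.228 and NAT traversal, rather than to bind the public address to a dummy interface. To use the script on a live capture, feed it the output of tcpdump -i eth0 'udp port 500 or udp port 4500 or icmp'; if tcpdump is run with -n, the local address set must hold numeric IPs instead of hostnames.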
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
