<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Hi,</div><div>I typo'd the users DL on the mail below.</div><div>If someone can help with the query below, it would be appreciated. I understand if the topology is not understood.</div><div>Regards,</div><div>Neil.<br><div><br><div>Begin forwarded message:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(0, 0, 0, 1);"><b>From: </b></span><span style="font-family:'Helvetica'; font-size:medium;">neil payne <<a href="mailto:payne.neil@gmail.com">payne.neil@gmail.com</a>><br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(0, 0, 0, 1);"><b>Date: </b></span><span style="font-family:'Helvetica'; font-size:medium;">2 May 2011 20:13:56 GMT+01:00<br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(0, 0, 0, 1);"><b>To: </b></span><span style="font-family:'Helvetica'; font-size:medium;">neil payne <<a href="mailto:payne.neil@gmail.com">payne.neil@gmail.com</a>><br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(0, 0, 0, 1);"><b>Cc: </b></span><span style="font-family:'Helvetica'; font-size:medium;">Andreas Steffen <<a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>>, Alan Parkinson <<a href="mailto:alan.parkinson@arcticlake.com">alan.parkinson@arcticlake.com</a>>, <a href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a><br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 
0px; margin-left: 0px;"><span style="font-family:'Helvetica'; font-size:medium; color:rgba(0, 0, 0, 1);"><b>Subject: </b></span><span style="font-family:'Helvetica'; font-size:medium;"><b>Re: no ike packets being generated</b><br></span></div><br><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>We've overcome this error by giving the elastic ip address to the dummy0 interface on the new AWS instance. Although the packets appear to be sent by the instance after using the 'up up' command they never arrive at the remote firewall. We can however ping the remote firewall. </div><div>Below shows a tcpdump on the AWS instance (on its only physical interface) during ping and then after issuing the up up command. The ping traffic receives replies but the IKE packets do not - do you think they are being blackholed by the firewall even though they are captured on the physical interface?</div><div><br></div><div>!!!! ping is successful</div><div><div>18:55:01.844445 IP <a href="http://50-56-121-20.static.cloud-ips.com/">50-56-121-20.static.cloud-ips.com</a> > 10.5.51.242: ICMP echo reply, id 17185, seq 13, length 64</div><div>18:55:02.729528 IP 10.5.51.242 > <a href="http://50-56-121-20.static.cloud-ips.com/">50-56-121-20.static.cloud-ips.com</a>: ICMP echo request, id 17185, seq 14, length 64</div><div>18:55:02.854489 IP <a href="http://50-56-121-20.static.cloud-ips.com/">50-56-121-20.static.cloud-ips.com</a> > 10.5.51.242: ICMP echo reply, id 17185, seq 14, length 64</div><div>18:55:03.739513 IP 10.5.51.242 > <a href="http://50-56-121-20.static.cloud-ips.com/">50-56-121-20.static.cloud-ips.com</a>: ICMP echo request, id 17185, seq 15, length 64</div><div>18:55:03.864476 IP <a href="http://50-56-121-20.static.cloud-ips.com/">50-56-121-20.static.cloud-ips.com</a> > 10.5.51.242: ICMP echo reply, id 17185, seq 15, length 64</div><div>18:55:04.749507 IP 10.5.51.242 > <a 
href="http://50-56-121-20.static.cloud-ips.com/">50-56-121-20.static.cloud-ips.com</a>: ICMP echo request, id 17185, seq 16, length 64</div><div>18:55:04.883326 IP <a href="http://50-56-121-20.static.cloud-ips.com/">50-56-121-20.static.cloud-ips.com</a> > 10.5.51.242: ICMP echo reply, id 17185, seq 16, length 64</div><div>18:55:05.759502 IP 10.5.51.242 > <a href="http://50-56-121-20.static.cloud-ips.com/">50-56-121-20.static.cloud-ips.com</a>: ICMP echo request, id 17185, seq 17, length 64</div><div>18:55:05.893521 IP <a href="http://50-56-121-20.static.cloud-ips.com/">50-56-121-20.static.cloud-ips.com</a> > 10.5.51.242: ICMP echo reply, id 17185, seq 17, length 64</div><div>18:55:06.769529 IP 10.5.51.242 > <a href="http://50-56-121-20.static.cloud-ips.com/">50-56-121-20.static.cloud-ips.com</a>: ICMP echo request, id 17185, seq 18, length 64</div><div>18:55:06.903207 IP <a href="http://50-56-121-20.static.cloud-ips.com/">50-56-121-20.static.cloud-ips.com</a> > 10.5.51.242: ICMP echo reply, id 17185, seq 18, length 64</div><div>18:55:07.779595 IP 10.5.51.242 > <a href="http://50-56-121-20.static.cloud-ips.com/">50-56-121-20.static.cloud-ips.com</a>: ICMP echo request, id 17185, seq 19, length 64</div><div>18:55:07.913360 IP <a href="http://50-56-121-20.static.cloud-ips.com/">50-56-121-20.static.cloud-ips.com</a> > 10.5.51.242: ICMP echo reply, id 17185, seq 19, length 64</div><div><br></div><div><br></div><div>!!! 
IKE packets never arrive at the rightfirewall </div><div>18:57:10.043768 IP ec2-46-51-193-228.eu-west-1.compute.amazonaws.com.isakmp > 50-56-121-20.static.cloud-ips.com.isakmp: isakmp: phase 1 I ident</div><div>18:57:20.068922 IP ec2-46-51-193-228.eu-west-1.compute.amazonaws.com.isakmp > 50-56-121-20.static.cloud-ips.com.isakmp: isakmp: phase 1 I ident</div><div>18:57:40.099089 IP ec2-46-51-193-228.eu-west-1.compute.amazonaws.com.isakmp > 50-56-121-20.static.cloud-ips.com.isakmp: isakmp: phase 1 I ident</div></div><div><br></div><div>Regards,</div><div>Neil.</div><div><br></div><div><br></div><br><div><div>On 28 Apr 2011, at 14:06, neil payne wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Andreas, </div><div>We built a 'vanilla' new build Linux AWS instance and loaded v4.3.2 fresh. Unfortunately when I try to bring up the connection with the command ipsec up net-net I see the following entry in the logs:</div><div><font class="Apple-style-span" color="#FF313D"><br></font></div><div><font class="Apple-style-span" color="#FF313D">Apr 28 12:58:16 ip-10-5-51-242 pluto[2167]: "net-net": we have no ipsecN interface for either end of this connection</font></div><div><font class="Apple-style-span" color="#FF313D"><br></font></div><div><font class="Apple-style-span" color="#FF313D"><br></font></div><div><font class="Apple-style-span" color="#FF313D"><br></font></div><div>There is only one physical interface as it is an AWS instance.</div><div>We tried binding the elastic ip to the dummy0 interface in order to leverage the cloud infrastructure to no avail, and while strongswan finds the interface and ip on starting it appears it won't try to encapsulate the traffic when we bring up the connection - is the above error terminal for this scenario?</div><div><br></div><div>Regards,</div><div>Neil.</div><div><br></div><br><div><div>On 26 Apr 2011, 
at 15:40, neil payne wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><br></div><div>Hi Andreas,</div><div>We reverted to v4.3.2 but the 'up' command still doesn't recognize the net-net connection:</div><div><br></div><div><div>ubuntu@ip-10-5-51-61:~$ sudo ipsec --version</div><div>sudo: unable to resolve host ip-10-5-51-61</div><div>Linux strongSwan U4.3.2/K2.6.32-312-ec2</div><div>Institute for Internet Technologies and Applications</div><div>University of Applied Sciences Rapperswil, Switzerland</div><div>See 'ipsec --copyright' for copyright information.</div><div>ubuntu@ip-10-5-51-61:~$ </div><div>ubuntu@ip-10-5-51-61:~$ </div><div>ubuntu@ip-10-5-51-61:~$ </div><div>ubuntu@ip-10-5-51-61:~$ sudo ipsec up net-net</div><div>sudo: unable to resolve host ip-10-5-51-61</div><div><font class="Apple-style-span" color="#FF2F2A">021 no connection named "net-net"</font></div><div>ubuntu@ip-10-5-51-61:~$ </div><div>ubuntu@ip-10-5-51-61:~$ </div><div>ubuntu@ip-10-5-51-61:~$ </div><div><font class="Apple-style-span" color="#0066FA">ubuntu@ip-10-5-51-61:~$ sudo ipsec statusall !!!!!!!!! 
this has the appearance of the later version's statusall output rather than v4.3.2 !!!!!!!!</font></div><div><font class="Apple-style-span" color="#0066FA">sudo: unable to resolve host ip-10-5-51-61</font></div><div><font class="Apple-style-span" color="#0066FA">000 Status of IKEv1 pluto daemon (strongSwan 4.3.2):</font></div><div><font class="Apple-style-span" color="#0066FA">000 interface lo/lo ::1:500</font></div><div><font class="Apple-style-span" color="#0066FA">000 interface lo/lo 127.0.0.1:500</font></div><div><font class="Apple-style-span" color="#0066FA">000 interface eth0/eth0 10.5.51.61:500</font></div><div><font class="Apple-style-span" color="#0066FA">000 interface dummy0/dummy0 46.51.193.145:500</font></div><div><font class="Apple-style-span" color="#0066FA">000 %myid = (none)</font></div><div><font class="Apple-style-span" color="#0066FA">000 loaded plugins: aes des sha1 sha2 md5 random pubkey hmac gmp </font></div><div><font class="Apple-style-span" color="#0066FA">000 debug options: none</font></div><div><font class="Apple-style-span" color="#0066FA">000 </font></div><div><font class="Apple-style-span" color="#0066FA">Status of IKEv2 charon daemon (strongSwan 4.3.2):</font></div><div><font class="Apple-style-span" color="#0066FA"> uptime: 4 minutes, since Apr 26 14:28:12 2011</font></div><div><font class="Apple-style-span" color="#0066FA"> worker threads: 9 idle of 16, job queue load: 0, scheduled events: 0</font></div><div><font class="Apple-style-span" color="#0066FA"> loaded plugins: aes des sha1 sha2 md5 fips-prf random x509 pubkey xcbc hmac gmp kernel-netlink stroke updown attr resolv-conf </font></div><div><font class="Apple-style-span" color="#0066FA">Listening IP addresses:</font></div><div><font class="Apple-style-span" color="#0066FA"> 10.5.51.61</font></div><div><font class="Apple-style-span" color="#0066FA"> 46.51.193.145</font></div><div><font class="Apple-style-span" color="#0066FA">Connections:</font></div><div><font 
class="Apple-style-span" color="#0066FA">Security Associations:</font></div><div><font class="Apple-style-span" color="#0066FA"> none</font></div></div><div><br></div><div><br></div><div><br></div><div></div></div><span>&lt;leftfirewall2-ipsec.conf.rtf&gt;</span><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div></div><div><br></div><br><div><div>On 21 Apr 2011, at 13:25, neil payne wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><br></div><div>Hi Andreas, </div><div>We're now running version 4.5.1 on the leftfirewall (downgraded from the one below). We are using the same config files as the ones I sent last night but on the left firewall it doesn't recognize the net-net connection:</div><div><br></div><div><div>ubuntu@ip-10-5-51-61:/etc$ sudo ipsec --version</div><div>sudo: unable to resolve host ip-10-5-51-61</div><div>Linux strongSwan U4.5.1/K2.6.32-312-ec2</div><div>Institute for Internet Technologies and Applications</div><div>University of Applied Sciences Rapperswil, Switzerland</div><div>See 'ipsec --copyright' for copyright information.</div><div>ubuntu@ip-10-5-51-61:/etc$ </div><div>ubuntu@ip-10-5-51-61:/etc$ </div><div>ubuntu@ip-10-5-51-61:/etc$ </div><div>ubuntu@ip-10-5-51-61:/etc$ </div><div><font class="Apple-style-span" color="#FF584E">ubuntu@ip-10-5-51-61:/etc$ sudo ipsec up net-net</font></div><div><font class="Apple-style-span" color="#FF584E">sudo: unable to resolve host ip-10-5-51-61</font></div><div><font class="Apple-style-span" color="#FF584E">021 no connection named "net-net"</font></div><div>ubuntu@ip-10-5-51-61:/etc$ </div></div><div><br></div><div><br></div><div>If I use ipsec up net-net on the rightfirewall running 4.3.2 it does generate IKE packets which reach the leftfirewall but the left firewall doesn't recognize it and 
logs:</div><div><br></div><div><div>Apr 21 12:10:15 ip-10-5-51-61 pluto[16057]: packet from 50.56.121.20:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]</div><div>Apr 21 12:10:15 ip-10-5-51-61 pluto[16057]: packet from 50.56.121.20:500: <font class="Apple-style-span" color="#3A58FA">initial Main Mode message received on 10.5.51.61:500 but no connection has been authorized with policy=PSK</font></div></div><div><br></div><div>Regards,</div><div>Neil.</div><div><br></div><div><br></div><br><div><div>On 20 Apr 2011, at 22:43, neil payne wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>Hi Andreas,<br>No! <br>In fact I didn't know this was the ignition key.<br>Unfortunately my colleague upgraded to strongswan 4.5.2dr5 on my prompting on one of the firewalls and now ipsec won't start - I get the following messages in auth.log:<br><br>Apr 20 21:32:06 ip-10-5-51-61 ipsec_starter[21851]: pluto has died -- restart scheduled (5sec)<br>Apr 20 21:32:06 ip-10-5-51-61 ipsec_starter[21851]: pluto refused to be started<br>Apr 20 21:32:06 ip-10-5-51-61 ipsec_starter[21851]: charon has died -- restart scheduled (5sec)<br>Apr 20 21:32:06 ip-10-5-51-61 ipsec_starter[21851]: charon refused to be started<br>Apr 20 21:32:11 ip-10-5-51-61 ipsec_starter[21851]: pluto has died -- restart scheduled (5sec)<br>Apr 20 21:32:11 ip-10-5-51-61 ipsec_starter[21851]: pluto refused to be started<br>Apr 20 21:32:11 ip-10-5-51-61 ipsec_starter[21851]: charon has died -- restart scheduled (5sec)<br>Apr 20 21:32:11 ip-10-5-51-61 ipsec_starter[21851]: charon refused to be started<br>Apr 20 21:32:16 ip-10-5-51-61 ipsec_starter[21851]: pluto has died -- restart scheduled (5sec)<br>Apr 20 21:32:16 ip-10-5-51-61 ipsec_starter[21851]: pluto refused to be started<br>Apr 20 21:32:16 ip-10-5-51-61 ipsec_starter[21851]: charon has died -- restart scheduled (5sec)<br>Apr 20 21:32:16 ip-10-5-51-61 ipsec_starter[21851]: charon refused to be started<br>Apr 20 21:32:21 
ip-10-5-51-61 ipsec_starter[21851]: pluto has died -- restart scheduled (5sec)<br>Apr 20 21:32:21 ip-10-5-51-61 ipsec_starter[21851]: pluto refused to be started<br><br>I fear that we didn't need this upgrade and my configs may have worked with the standard release if I'd known about this start command.<br>Would you recommend uninstalling this release or are the errors recoverable?<br>Thank you very much for your time and attention.<br>Regards,<br>Neil.<br><br><br>On 20 Apr 2011, at 20:43, Andreas Steffen wrote:<br><br><blockquote type="cite">Hi Neil,<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">are you starting the connection explicitly with<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"> ipsec up net-net<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">on one of the two peers?<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Regards<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Andreas<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">On 20.04.2011 19:56, neil payne wrote:<br></blockquote><blockquote type="cite"><blockquote type="cite">Hi Andreas, I amended my syntax on ipsec.secrets as you suggested<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">(may be change crypto algos later) but I still see no IKE packets<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">generated by the firewall on either side when I try and ping the<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">remote encryption domain. 
Is my config missing something, I don't<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">know how I'm going wrong here but surely it is something fundamental<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">missing, I cannot tell as I've followed the available documentation<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">as best as I can? I'm getting desperate for a solution now.<br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite"><br></blockquote></blockquote><blockquote type="cite"><blockquote type="cite">Thanks, Neil<br></blockquote></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">======================================================================<br></blockquote><blockquote type="cite">Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br></blockquote><blockquote type="cite">strongSwan - the Linux VPN Solution! <a href="http://www.strongswan.org/">www.strongswan.org</a><br></blockquote><blockquote type="cite">Institute for Internet Technologies and Applications<br></blockquote><blockquote type="cite">University of Applied Sciences Rapperswil<br></blockquote><blockquote type="cite">CH-8640 Rapperswil (Switzerland)<br></blockquote><blockquote type="cite">===========================================================[ITA-HSR]==<br></blockquote><br></div></blockquote></div><br></div></blockquote></div><br></div></blockquote></div><br></div></blockquote></div><br></div></blockquote></div><br></div></body></html>
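The tcpdump comparison in the forwarded message (ICMP to the peer answered, ISAKMP phase 1 initiations leaving the interface with nothing coming back) can be checked mechanically. The script below is an added example, not code from the thread or from strongSwan; it parses tcpdump's text output and flags peer pairs whose IKE traffic is one-way. The capture lines embedded in it are constructed samples modelled on the ones quoted above.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump's text format, modelled on the capture quoted in the thread.
SAMPLE_CAPTURE = """\
18:55:02.729528 IP 10.5.51.242 > 50-56-121-20.static.cloud-ips.com: ICMP echo request, id 17185, seq 14, length 64
18:55:02.854489 IP 50-56-121-20.static.cloud-ips.com > 10.5.51.242: ICMP echo reply, id 17185, seq 14, length 64
18:57:10.043768 IP ec2-46-51-193-228.eu-west-1.compute.amazonaws.com.isakmp > 50-56-121-20.static.cloud-ips.com.isakmp: isakmp: phase 1 I ident
18:57:20.068922 IP ec2-46-51-193-228.eu-west-1.compute.amazonaws.com.isakmp > 50-56-121-20.static.cloud-ips.com.isakmp: isakmp: phase 1 I ident
"""

ICMP_RE = re.compile(r"^\S+ IP (\S+) > (\S+): ICMP echo (request|reply), id (\d+), seq (\d+)")
ISAKMP_RE = re.compile(r"^\S+ IP (\S+)\.isakmp > (\S+)\.isakmp: isakmp: phase (\d) ([IR]) (\w+)")

def parse_capture(text):
    """Split tcpdump text into ICMP echo events and ISAKMP events; other lines are ignored."""
    icmp, isakmp = [], []
    for line in text.splitlines():
        if m := ICMP_RE.match(line):
            src, dst, kind, ident, seq = m.groups()
            icmp.append((src, dst, kind, int(ident), int(seq)))
        elif m := ISAKMP_RE.match(line):
            src, dst, phase, role, exch = m.groups()
            isakmp.append((src, dst, int(phase), role, exch))
    return icmp, isakmp

def unanswered_pings(icmp):
    """Echo requests with no reply carrying the same id/seq from the other end."""
    replies = {(dst, src, ident, seq) for src, dst, kind, ident, seq in icmp if kind == "reply"}
    return [(src, dst, ident, seq) for src, dst, kind, ident, seq in icmp
            if kind == "request" and (src, dst, ident, seq) not in replies]

def one_way_isakmp(isakmp):
    """(src, dst, count) for peer pairs where ISAKMP only ever flows in one direction."""
    counts = defaultdict(int)
    for src, dst, *_ in isakmp:
        counts[(src, dst)] += 1
    return sorted((s, d, n) for (s, d), n in counts.items() if counts.get((d, s), 0) == 0)

def diagnose(text):
    """Plain-language reading of a capture, following the reasoning in the thread."""
    icmp, isakmp = parse_capture(text)
    silent = one_way_isakmp(isakmp)
    if not silent:
        return "ok: every ISAKMP peer pair has traffic in both directions"
    peers = "; ".join(f"{s} -> {d}: {n} unanswered" for s, d, n in silent)
    if unanswered_pings(icmp):
        return f"unreachable: IKE and ICMP both unanswered ({peers}); check basic IP routing first"
    # Packets leave the capturing interface, so local sending works; with ICMP answered the gap is
    # UDP/500 dropped on the path or the responder silently discarding the proposal (pluto's
    # "no connection has been authorized" log seen earlier in this thread).
    return f"filtered-or-rejected: ICMP answered but IKE initiations unanswered ({peers})"

if __name__ == "__main__":
    print(diagnose(SAMPLE_CAPTURE))
```

Feed it a real capture with `python3 script.py < capture.txt` after swapping `SAMPLE_CAPTURE` for `sys.stdin.read()`.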