<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi strongSwan users,<br>
<br>
I would like to set up IPsec between two AWS servers. The goal is
for the servers to be able to ping each other's private IPs. <b>The
result is that the ping to the private IP fails.</b><br>
<br>
I would appreciate any advice on this.<br>
<br>
I have configured ipsec.conf as follows.<br>
<br>
Left side:<br>
<br>
<pre>
config setup
    plutodebug=all
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    nat_traversal=yes
    charonstart=no
    plutostart=yes
    interfaces=%defaultroute

conn %default
    type=tunnel
    # auto=route
    keyexchange=ikev1
    ikelifetime=3600
    keylife=1800
    rekeymargin=180
    keyingtries=1
    authby=psk
    auth=esp
    ike=3des-md5
    esp=3des-md5

conn net-net
    left=54.254.3.195
    leftsubnet=10.136.121.0/24
    leftfirewall=yes
    right=184.73.246.15
    rightsubnet=10.165.27.0/26
    auto=route
</pre>
================================================================================================<br>
Right side:<br>
<br>
<pre>
config setup
    plutodebug=all
    # crlcheckinterval=600
    # strictcrlpolicy=yes
    # cachecrls=yes
    nat_traversal=yes
    charonstart=no
    plutostart=yes
    interfaces=%defaultroute

conn %default
    type=tunnel
    # auto=route
    keyexchange=ikev1
    ikelifetime=3600
    keylife=1800
    rekeymargin=180
    keyingtries=1
    authby=psk
    auth=esp
    ike=3des-md5
    esp=3des-md5
    pfs=no

conn net-net
    left=184.73.246.15
    leftsubnet=10.165.27.0/26
    leftfirewall=yes
    right=54.254.3.195
    rightsubnet=10.136.121.0/24
    auto=route
</pre>
==================================================================================================<br>
<br>
ipsec.secrets is set up as follows.<br>
<br>
Left side:<br>
<br>
<pre>
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".

# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc
<b>10.136.121.121 184.73.246.15 : PSK "123456"</b>
</pre>
<br>
===================================================================================================<br>
<br>
Right side:<br>
<br>
<pre>
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".

# this file is managed with debconf and will contain the automatically created private key
include /var/lib/strongswan/ipsec.secrets.inc
<b>10.165.27.47 54.254.3.195 : PSK "123456"</b>
</pre>
<br>
====================================================================================================<br>
<br>
When I check it via <i>ipsec statusall</i>, the output is as follows.<br>
Remark: the message <b>"unrouted; eroute owner: #0"</b> is shown.<br>
<br>
Left side:<br>
<br>
<pre>
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.136.121.121:4500
000 interface eth0/eth0 10.136.121.121:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: raw+crypt+parsing+emitting+control+lifecycle+kernel+dns+natt+oppo+controlmore
000
000 "net-net": 10.136.121.0/24===54.254.3.195[54.254.3.195]...184.73.246.15[184.73.246.15]===10.165.27.0/26; <b>unrouted; eroute owner: #0</b>
000 "net-net": ike_life: 3600s; ipsec_life: 1800s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
000 "net-net": policy: PSK+ENCRYPT+TUNNEL; prio: 24,26; interface: ;
000 "net-net": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
</pre>
<br>
======================================================================================================<br>
<br>
Right side:<br>
<br>
<pre>
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.165.27.47:4500
000 interface eth0/eth0 10.165.27.47:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: raw+crypt+parsing+emitting+control+lifecycle+kernel+dns+natt+oppo+controlmore
000
000 "net-net": 10.165.27.0/26===184.73.246.15[184.73.246.15]...54.254.3.195[54.254.3.195]===10.136.121.0/24; <b>unrouted; eroute owner: #0</b>
000 "net-net": ike_life: 3600s; ipsec_life: 1800s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
000 "net-net": policy: PSK+ENCRYPT+TUNNEL; prio: 26,24; interface: ;
000 "net-net": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
</pre>
<br>
<br>
Thank you.<br>
<br>
Regards,<br>
Ang<br>
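<br>
Added example, not code from the original post or from the strongSwan project: a small Python checker that parses the left-side ipsec.conf and ipsec.secrets shown above (embedded below as constructed samples) together with the addresses pluto reported on its interfaces, and reports the mismatches that leave a conn "unrouted" with an empty "interface:" field. The set of local addresses, the advice to keep the public address as leftid on a host behind 1:1 NAT, and the list of algorithms flagged as weak are assumptions of this example.<br>

```python
"""Added example (not from the original post): consistency checks for a
pluto-style (strongSwan 4.x, IKEv1) net-net conn. Sample inputs mirror the
left side of the post; the local address set and the NAT advice are
assumptions of this example."""
import re

# Constructed sample: the left-side ipsec.conf from the post (comments dropped).
IPSEC_CONF = """\
config setup
    plutodebug=all
    nat_traversal=yes
    charonstart=no
    plutostart=yes
    interfaces=%defaultroute

conn %default
    type=tunnel
    keyexchange=ikev1
    authby=psk
    auth=esp
    ike=3des-md5
    esp=3des-md5

conn net-net
    left=54.254.3.195
    leftsubnet=10.136.121.0/24
    leftfirewall=yes
    right=184.73.246.15
    rightsubnet=10.165.27.0/26
    auto=route
"""

# Constructed sample: the PSK line from the left-side ipsec.secrets.
IPSEC_SECRETS = '10.136.121.121 184.73.246.15 : PSK "123456"\n'

# Assumption: addresses bound on the left host, taken from the
# "interface eth0/eth0 10.136.121.121:500" status lines. An AWS elastic IP
# is 1:1 NAT and never appears on the instance's own interfaces.
LOCAL_ADDRS = {"10.136.121.121", "127.0.0.1", "::1"}

WEAK_ALGS = {"des", "3des", "md5", "sha1"}  # flagged, not rejected


def parse_ipsec_conf(text):
    """Return {'conn name': {key: value}}; 'conn %default' is folded into every other conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():                      # section header: "conn net-net"
            kind, _, name = line.partition(" ")
            current = f"{kind} {name.strip()}"
            sections[current] = {}
        elif current is not None:                     # indented "key=value"
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    defaults = sections.get("conn %default", {})
    return {name: ({**defaults, **vals} if name.startswith("conn ") and name != "conn %default"
                   else vals)
            for name, vals in sections.items()}


def parse_psk_selectors(text):
    """Return the ID selector tuple of every 'PSK' line in ipsec.secrets."""
    selectors = []
    for line in text.splitlines():
        m = re.match(r"^(.*?)\s*:\s*PSK\s+", line.split("#", 1)[0].strip())
        if m:
            selectors.append(tuple(m.group(1).split()) or ("%any",))
    return selectors


def check_conn(conn, secrets, local_addrs):
    """Return human-readable findings for one conn (empty list = no issue found)."""
    findings = []
    left, right = conn.get("left", ""), conn.get("right", "")
    leftid, rightid = conn.get("leftid", left), conn.get("rightid", right)

    # 1. pluto binds a conn to the interface owning 'left'; an address it does
    #    not own leaves the conn 'unrouted' with an empty 'interface:' field.
    if left and not left.startswith("%") and left not in local_addrs:
        findings.append(f"left={left} is not bound locally {sorted(local_addrs)}; behind 1:1 NAT "
                        f"use the private address or %defaultroute and keep leftid={left}")

    # 2. With authby=psk the secret is selected by the two IDs, which default to
    #    the left/right addresses; the secrets line must name both (or %any).
    if conn.get("authby") == "psk" and not any(
            "%any" in sel or set(sel) >= {leftid, rightid} for sel in secrets):
        findings.append(f"no PSK selector matches IDs ({leftid}, {rightid}); present: {secrets}")

    # 3. Deprecated primitives in the proposals.
    for key in ("ike", "esp"):
        weak = sorted(set(re.split(r"[-,!]", conn.get(key, ""))) & WEAK_ALGS)
        if weak:
            findings.append(f"{key}={conn[key]} uses weak algorithms {weak}")
    return findings


def run(conf_text=IPSEC_CONF, secrets_text=IPSEC_SECRETS, local_addrs=LOCAL_ADDRS):
    """Check every non-default conn; returns {conn name: [findings]}."""
    conf = parse_ipsec_conf(conf_text)
    secrets = parse_psk_selectors(secrets_text)
    return {name[5:]: check_conn(vals, secrets, local_addrs)
            for name, vals in conf.items()
            if name.startswith("conn ") and name != "conn %default"}


if __name__ == "__main__":
    for conn, findings in run().items():
        print(conn, *("  - " + f for f in findings), sep="\n")
```

Run as-is it reports four findings for the posted left side: the public address in left= is not bound on any local interface, the PSK line is indexed by a different address pair than the IDs the conn will use, and both proposals use 3DES/MD5. Passing run() a variant with left=%defaultroute plus leftid set to the public address, and a secrets line indexed by the same two IDs, leaves only the algorithm findings.<br>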
</body>
</html>