[strongSwan] IPSec in between two aws server - unrouted; eroute owner: #0
Chun How.Ang
chunhow.ang at tunegroup.com
Thu Aug 15 05:40:15 CEST 2013
Hi strongSwan users,
I would like to set up IPsec between two AWS servers. The condition is that each server is able to ping the other's private IP. *The result is that pinging the private IP fails.*
I would appreciate your advice on this.
I have configured ipsec.conf as follows.
Left side:
config setup
        plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        nat_traversal=yes
        charonstart=no
        plutostart=yes
        interfaces=%defaultroute

conn %default
        type=tunnel
        # auto=route
        keyexchange=ikev1
        ikelifetime=3600
        keylife=1800
        rekeymargin=180
        keyingtries=1
        authby=psk
        auth=esp
        ike=3des-md5
        esp=3des-md5

conn net-net
        left=54.254.3.195
        leftsubnet=10.136.121.0/24
        leftfirewall=yes
        right=184.73.246.15
        rightsubnet=10.165.27.0/26
        auto=route
================================================================================================
Right side:
config setup
        plutodebug=all
        # crlcheckinterval=600
        # strictcrlpolicy=yes
        # cachecrls=yes
        nat_traversal=yes
        charonstart=no
        plutostart=yes
        interfaces=%defaultroute

conn %default
        type=tunnel
        # auto=route
        keyexchange=ikev1
        ikelifetime=3600
        keylife=1800
        rekeymargin=180
        keyingtries=1
        authby=psk
        auth=esp
        ike=3des-md5
        esp=3des-md5
        pfs=no

conn net-net
        left=184.73.246.15
        leftsubnet=10.165.27.0/26
        leftfirewall=yes
        right=54.254.3.195
        rightsubnet=10.136.121.0/24
        auto=route
==================================================================================================
ipsec.secrets is set up as follows.
Left side:
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".

# this file is managed with debconf and will contain the automatically
# created private key
include /var/lib/strongswan/ipsec.secrets.inc
10.136.121.121 184.73.246.15 : PSK "123456"
===================================================================================================
Right side:
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".

# this file is managed with debconf and will contain the automatically
# created private key
include /var/lib/strongswan/ipsec.secrets.inc
10.165.27.47 54.254.3.195 : PSK "123456"
====================================================================================================
When I check it via `ipsec statusall`, the outcome is as follows.
Remark: the message *"unrouted; eroute owner: #0"* is shown.
Left side:
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.136.121.121:4500
000 interface eth0/eth0 10.136.121.121:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: raw+crypt+parsing+emitting+control+lifecycle+kernel+dns+natt+oppo+controlmore
000
000 "net-net": 10.136.121.0/24===54.254.3.195[54.254.3.195]...184.73.246.15[184.73.246.15]===10.165.27.0/26; *unrouted; eroute owner: #0*
000 "net-net": ike_life: 3600s; ipsec_life: 1800s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
000 "net-net": policy: PSK+ENCRYPT+TUNNEL; prio: 24,26; interface: ;
000 "net-net": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
======================================================================================================
Right side:
000 Status of IKEv1 pluto daemon (strongSwan 4.5.2):
000 interface lo/lo ::1:500
000 interface lo/lo 127.0.0.1:4500
000 interface lo/lo 127.0.0.1:500
000 interface eth0/eth0 10.165.27.47:4500
000 interface eth0/eth0 10.165.27.47:500
000 %myid = '%any'
000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
000 debug options: raw+crypt+parsing+emitting+control+lifecycle+kernel+dns+natt+oppo+controlmore
000
000 "net-net": 10.165.27.0/26===184.73.246.15[184.73.246.15]...54.254.3.195[54.254.3.195]===10.136.121.0/24; *unrouted; eroute owner: #0*
000 "net-net": ike_life: 3600s; ipsec_life: 1800s; rekey_margin: 180s; rekey_fuzz: 100%; keyingtries: 1
000 "net-net": policy: PSK+ENCRYPT+TUNNEL; prio: 26,24; interface: ;
000 "net-net": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
Thank you.
Regards,
Ang
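Editor's worked example (added here; not the poster's files and not anything shipped by the strongSwan project). The status output above gives the diagnosis away: on both peers the conn line ends in `interface: ;` (empty), and the only addresses pluto has bound are the private ones, 10.136.121.121 and 10.165.27.47. On EC2 the public address is a 1:1 NAT mapping that is never configured on the instance, so `left=54.254.3.195` matches no local interface, pluto cannot orient the connection, and `auto=route` has no interface on which to install the policy; that is what "unrouted; eroute owner: #0" reports. The configuration below binds each end to its own private address, sends the public address as the IKE identity (which is what the peer's `right=` expects in the ID payload), keys the shared secret by those identities, and drops the 3des-md5 proposal and the "123456" secret. Assumptions of mine: that strongSwan 4.5.2's pluto accepts the `aes256-sha256-modp2048` keyword spelling, and that its PSK lookup is indexed by the conn's `leftid`/`rightid`; the `CHANGEME` secret is a placeholder.

```ini
# /etc/ipsec.conf on the left instance (private 10.136.121.121, public 54.254.3.195)
# Added example for the thread above; assumes strongSwan 4.5.2 with the pluto daemon.
config setup
        nat_traversal=yes        # both peers sit behind EC2 1:1 NAT, so UDP/4500 encapsulation is required
        charonstart=no
        plutostart=yes
        interfaces=%defaultroute

conn %default
        type=tunnel
        keyexchange=ikev1
        ikelifetime=3600
        keylife=1800
        rekeymargin=180
        keyingtries=%forever     # keep retrying across peer reboots instead of giving up after one attempt
        authby=psk
        ike=aes256-sha256-modp2048   # replaces 3des-md5 (assumption: keyword spelling accepted by 4.5.2)
        esp=aes256-sha256
        pfs=yes                  # set the same value on both peers; the posted right side had pfs=no

conn net-net
        left=%defaultroute       # the instance's own (private) address: pluto can now orient the conn
        leftid=54.254.3.195      # identity sent to the peer: the public NAT address the peer has as right=
        leftsubnet=10.136.121.0/24
        leftfirewall=yes         # adds FORWARD rules; net.ipv4.ip_forward=1 is still needed
        right=184.73.246.15
        rightid=184.73.246.15
        rightsubnet=10.165.27.0/26
        auto=route

# /etc/ipsec.conf on the right instance (private 10.165.27.47, public 184.73.246.15):
# identical config setup and conn %default sections, and this mirrored conn.
conn net-net
        left=%defaultroute       # resolves to 10.165.27.47
        leftid=184.73.246.15
        leftsubnet=10.165.27.0/26
        leftfirewall=yes
        right=54.254.3.195
        rightid=54.254.3.195
        rightsubnet=10.136.121.0/24
        auto=route

# /etc/ipsec.secrets on both instances (same line, same secret on each side).
# Indexed by the two IKE identities rather than by the private address, because with
# leftid/rightid set pluto looks the PSK up by the IDs in the conn (assumption, see lead-in).
# CHANGEME is a placeholder: generate a real one with  head -c 32 /dev/urandom | base64
54.254.3.195 184.73.246.15 : PSK "CHANGEME-use-a-long-random-secret"
```

After `ipsec restart`, `ipsec statusall` should show the interface field filled in and the conn as "routed" (or "erouted" once traffic brings the SAs up); `ipsec up net-net` from one side forces phase 1 and 2 immediately so the log shows which proposal or secret mismatch remains, if any. Two AWS-side checks are unrelated to strongSwan but will still break the ping even with a working tunnel: the security groups on both instances must allow UDP 500 and UDP 4500 from the other peer's public address, and for hosts other than the two gateways to use the tunnel the instances' source/destination check must be disabled and the VPC route tables must send the remote subnet to the gateway instance.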