<div dir="ltr">Hi Paul,<div><br></div><div>Thanks for your reply.</div><div><br></div><div><div>Before changing any configuration, I've pasted the output of the ipsec initiator at <a href="http://pastebin.com/ct532Ewc">http://pastebin.com/ct532Ewc</a> and the ipsec responder at <a href="http://pastebin.com/1bzGcq1d">http://pastebin.com/1bzGcq1d</a></div></div><div><br></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span style="font-size:13px">Does the server have one interface in the </span><a href="http://10.1.2.0/24" target="_blank" style="font-size:13px">10.1.2.0/24</a><span style="font-size:13px"> network? If so,<br></span><span style="font-size:13px">can you add leftsourceip=10.1.2.x to that? (where 10.1.2.x is the<br></span><span style="font-size:13px">IP the server has in the </span><a href="http://10.1.2.0/24" target="_blank" style="font-size:13px">10.1.2.0/24</a><span style="font-size:13px"> network?)</span></blockquote></blockquote><div><span style="font-size:13px"><br></span></div><div><span style="font-size:13px">The ipsec initiator (mdserver) has its only ethernet address as <a href="http://10.1.2.2/24">10.1.2.2/24</a> on the internal network.</span></div><div><span style="font-size:13px"><br></span></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div style><b>[root@mdserver ~]# ifconfig</b></div></div><div><div style><b>enp0s29f0u2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500</b></div></div><div><div style><b> ether 02:21:5e:0a:a9:1f txqueuelen 1000 (Ethernet)</b></div></div><div><div style><b> RX packets 39263 bytes 2555803 (2.4 MiB)</b></div></div><div><div style><b> RX errors 0 dropped 0 overruns 0 frame 0</b></div></div><div><div style><b> TX packets 0 bytes 0 (0.0 B)</b></div></div><div><div style><b> TX errors 0 dropped 
0 overruns 0 carrier 0 collisions 0</b></div></div><div><div style><b><br></b></div></div><div><div style><b>enp11s0f0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500</b></div></div><div><div style><b> inet 10.1.2.2 netmask 255.255.255.0 broadcast 10.1.2.255</b></div></div><div><div style><b> inet6 fe80::221:5eff:fe09:a91c prefixlen 64 scopeid 0x20<link></b></div></div><div><div style><b> ether 00:21:5e:09:a9:1c txqueuelen 1000 (Ethernet)</b></div></div><div><div style><b> RX packets 184092 bytes 41376693 (39.4 MiB)</b></div></div><div><div style><b> RX errors 0 dropped 29 overruns 0 frame 0</b></div></div><div><div style><b> TX packets 138809 bytes 43058412 (41.0 MiB)</b></div></div><div><div style><b> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0</b></div></div><div><div style><b><br></b></div></div><div><div style><b>enp11s0f1: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500</b></div></div><div><div style><b> ether 00:21:5e:09:a9:1e txqueuelen 1000 (Ethernet)</b></div></div><div><div style><b> RX packets 0 bytes 0 (0.0 B)</b></div></div><div><div style><b> RX errors 0 dropped 0 overruns 0 frame 0</b></div></div><div><div style><b> TX packets 0 bytes 0 (0.0 B)</b></div></div><div><div style><b> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0</b></div></div><div><div style><b><br></b></div></div><div><div style><b>lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536</b></div></div><div><div style><b> inet 127.0.0.1 netmask 255.0.0.0</b></div></div><div><div style><b> inet6 ::1 prefixlen 128 scopeid 0x10<host></b></div></div><div><div style><b> loop txqueuelen 0 (Local Loopback)</b></div></div><div><div style><b> RX packets 165379 bytes 52434556 (50.0 MiB)</b></div></div><div><div style><b> RX errors 0 dropped 0 overruns 0 frame 0</b></div></div><div><div style><b> TX packets 165379 bytes 52434556 (50.0 MiB)</b></div></div><div><div style><b> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0</b></div></div><div><div 
style><b><br></b></div></div><div><div style><b>[root@mdserver ~]# </b></div></div></blockquote><div><br></div><div>I've added "leftsourceip" but changed it to "rightsourceip" to both the ipsec initiator (hmserver) and the ipsec responder (core - ip-172-31-6-188) configuration.</div><div><br></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div><b>[root@mdserver ~]# cat /etc/ipsec.d/amazoncore.conf </b></div></div><div><div><b>conn amazoncore</b></div></div><div><div><b> type=tunnel</b></div></div><div><div><b> authby=secret</b></div></div><div><div><b> auto=start</b></div></div><div><div><b> ike=aes256-sha1;modp1536,3des-md5;modp1024</b></div></div><div><div><b> forceencaps=yes</b></div></div><div><div><b> left=54.66.129.223</b></div></div><div><div><b> leftid=@blender</b></div></div><div><div><b> leftsourceip=10.1.0.1</b></div></div><div><div><b> leftsubnet=<a href="http://10.1.0.0/16">10.1.0.0/16</a></b></div></div><div><div><b> right=%defaultroute</b></div></div><div><div><b> rightid=@potatoe</b></div></div><div><div><b> rightsourceip=10.1.2.2</b></div></div><div><div><b> rightsubnet=<a href="http://10.1.2.0/24">10.1.2.0/24</a></b></div></div><div><div><b>[root@mdserver ~]# </b></div></div><div><b><br></b></div><div><b><br></b></div><div><div><b>[root@ip-172-31-6-188 ~]# cat /etc/ipsec.d/forestlake.conf </b></div></div><div><div><b>conn forestlake</b></div></div><div><div><b> type=tunnel</b></div></div><div><div><b> authby=secret</b></div></div><div><div><b> auto=add</b></div></div><div><div><b> ike=aes256-sha1;modp1536,3des-md5;modp1024</b></div></div><div><div><b> forceencaps=yes</b></div></div><div><div><b> left=%defaultroute</b></div></div><div><div><b> leftid=@blender</b></div></div><div><div><b> leftsourceip=10.1.0.1</b></div></div><div><div><b> leftsubnet=<a href="http://10.1.0.0/16">10.1.0.0/16</a></b></div></div><div><div><b> right=%any</b></div></div><div><div><b> rightid=@potatoe</b></div></div><div><div><b> 
rightsourceip=10.1.2.2</b></div></div><div><div><b> rightsubnet=<a href="http://10.1.2.0/24">10.1.2.0/24</a></b></div></div><div><div><b>[root@ip-172-31-6-188 ~]# </b></div></div><div><br></div></blockquote><div><br></div><div>Based on your comments I've subsequently changed a few things which did not fix the problem and the same behaviour occurs, but might help get us closer.<br></div><div><br></div><div>On the ipsec initiator (hmserver), ipsec barf said:</div><div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><b><br></b></div><div><div><b>+ _________________________ ipsec_verify</b></div></div><div><div><b>+ ipsec verify --nocolour</b></div></div><div><div><b>Verifying installed system and configuration files</b></div></div><div><div><b><SNIP></b></div></div><div><div><b>Two or more interfaces found, checking IP forwarding [FAILED]</b></div></div><div><div><b>[root@mdserver ~]# cat /proc/sys/net/ipv4/ip_forward </b></div></div><div><div><b>0</b></div></div><div><div><b>[root@mdserver ~]#</b></div></div><div><br></div></blockquote></div><div>So I added "net.ipv4.ip_forward=1" to "/etc/sysctl.d/92-ipsec.conf" and ran "sysctl --system" so that:</div><div><br></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div><b>[root@mdserver ~]# cat /proc/sys/net/ipv4/ip_forward </b></div></div><div><div><b>1</b></div></div><div><div><b>[root@mdserver ~]# </b></div></div></blockquote><div><br></div><div>On the ipsec responder (core <span style="font-size:13px">- ip-172-31-6-188), I changed the alias for 10.1.0.1 from the ethernet device to the lo device:</span></div><div><span style="font-size:13px"><br></span></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div style><b>[root@ip-172-31-6-188 ~]# ip addr</b></div></div><div><div style><b>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN </b></div></div><div><div style><b> link/loopback 00:00:00:00:00:00 brd 
00:00:00:00:00:00</b></div></div><div><div style><b> inet <a href="http://127.0.0.1/8">127.0.0.1/8</a> scope host lo</b></div></div><div><div style><b> valid_lft forever preferred_lft forever</b></div></div><div><div style><b> inet6 ::1/128 scope host </b></div></div><div><div style><b> valid_lft forever preferred_lft forever</b></div></div><div><div style><b>2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000</b></div></div><div><div style><b> link/ether 02:1b:09:ed:fb:c8 brd ff:ff:ff:ff:ff:ff</b></div></div><div><div style><b> inet <a href="http://172.31.6.188/20">172.31.6.188/20</a> brd 172.31.15.255 scope global dynamic eth0</b></div></div><div><div style><b> valid_lft 2016sec preferred_lft 2016sec</b></div></div><div><div style><b> inet <a href="http://10.1.0.1/32">10.1.0.1/32</a> scope global eth0</b></div></div><div><div style><b> valid_lft forever preferred_lft forever</b></div></div><div><div style><b> inet6 fe80::1b:9ff:feed:fbc8/64 scope link </b></div></div><div><div style><b> valid_lft forever preferred_lft forever</b></div></div><div><div style><b>[root@ip-172-31-6-188 ~]# ip addr del <a href="http://10.1.0.1/32">10.1.0.1/32</a> dev eth0</b></div></div><div><div style><b>[root@ip-172-31-6-188 ~]# ip addr add <a href="http://10.1.0.1/32">10.1.0.1/32</a> dev lo</b></div></div><div><div style><b>[root@ip-172-31-6-188 ~]# ip addr</b></div></div><div><div style><b>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN </b></div></div><div><div style><b> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00</b></div></div><div><div style><b> inet <a href="http://127.0.0.1/8">127.0.0.1/8</a> scope host lo</b></div></div><div><div style><b> valid_lft forever preferred_lft forever</b></div></div><div><div style><b> inet <a href="http://10.1.0.1/32">10.1.0.1/32</a> scope global lo</b></div></div><div><div style><b> valid_lft forever preferred_lft forever</b></div></div><div><div style><b> inet6 ::1/128 scope host 
</b></div></div><div><div style><b> valid_lft forever preferred_lft forever</b></div></div><div><div style><b>2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000</b></div></div><div><div style><b> link/ether 02:1b:09:ed:fb:c8 brd ff:ff:ff:ff:ff:ff</b></div></div><div><div style><b> inet <a href="http://172.31.6.188/20">172.31.6.188/20</a> brd 172.31.15.255 scope global dynamic eth0</b></div></div><div><div style><b> valid_lft 1932sec preferred_lft 1932sec</b></div></div><div><div style><b> inet6 fe80::1b:9ff:feed:fbc8/64 scope link </b></div></div><div><div style><b> valid_lft forever preferred_lft forever</b></div></div><div><div style><b>[root@ip-172-31-6-188 ~]# </b></div></div></blockquote><div style><br></div><div style><br></div><div style>I also changed the configuration in the ipsec initiator to use the same left/right identities as the ipsec responder.</div><div style><br></div><div style>Based on your comment below in <a href="https://lists.libreswan.org/pipermail/swan/2015/001099.html">https://lists.libreswan.org/pipermail/swan/2015/001099.html</a>, I also changed the "leftid" and "rightid" entries in all config and secrets files.</div><div style><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div style><br></div><div style><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">If using two libreswan installs, just set the ids using leftid=@something and rightid=@somethingelse</blockquote></div><div style><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> </blockquote></div><div style><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">That avoids using or defaulting to IPs 
being used as IDs, which is tricky when NAT is involved (or when a remote endpoint is on dynamic IP)</blockquote></div><div style><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> </blockquote></div><div style><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Don't use leftid=@ipaddress, but use leftid=@somestring.</blockquote></div></blockquote></div><div style><div><br></div></div><div style>After making all the above changes the problem persists.</div><div><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><font face="Tahoma">Cheers,<br><br><font style="FONT-SIZE:10pt">Paul Moore</font></font><div><font style="FONT-SIZE:10pt"><font face="Tahoma">Astute Systems</font></font></div><div><a href="mailto:pmoore@astute-systems.com" style="font-family:Tahoma;font-size:13.600000381469727px" target="_blank">pmoore@astute-systems.com</a><span style="font-family:Tahoma;font-size:13.600000381469727px"> </span><font style="FONT-SIZE:10pt"><font face="Tahoma"> </font></font><span style="font-family:Tahoma;font-size:13.600000381469727px">0481 268 522</span><span style="font-family:Tahoma;font-size:10pt"> </span><a href="http://www.linkedin.com/profile/view?id=465982" style="font-family:Tahoma;font-size:10pt" target="_blank"><img src="http://www.linkedin.com/img/webpromo/btn_in_20x15.png">View my profile</a></div></div></div></div>
<br><div class="gmail_quote">On 20 March 2015 at 13:30, Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Fri, 20 Mar 2015, Paul Moore wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
This is my first post to this list and I've been trying to figure out this problem for a few weeks<br>
without asking for help because I thought I must be doing something stupid.<br>
</blockquote>
<br></span>
to everyone: please never feel your question is too stupid. If something<br>
is unclear after a google search, it is our problem in the<br>
documentation. Please feel free to ask!<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
me to say "me too". Just like Dave, please also forgive me if I'm doing something wrong or breaking<br>
mailing list etiquette.<br>
</blockquote>
<br></span>
The only etiquette is to treat others as you like to be treated<br>
yourself.<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
The basic problem is that a ping sent from the machine that initiated the tunnel (we'll call this the<br>
ipsec initiator) and to the machine at the other end (we'll call this the ipsec responder) does not<br>
work until a ping first comes from the ipsec responder back to the ipsec initiator. At that point, ping<br>
responds only if the tunnel has had traffic pass through it in the last 30 seconds. Also, while the ping<br>
from the ipsec initiator to the ipsec responder does not work, the ipsec initiator cannot even ping<br>
itself.<br>
</blockquote>
<br></span>
That's very odd. Did you observe if any of these pings were encrypted or<br>
leaked in plaintext?<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
# ==== Output of mdserver command: "cat /etc/ipsec.d/*conf"<br>
conn amazoncore<br>
type=tunnel<br>
authby=secret<br>
auto=start<br>
ike=aes256-sha1;modp1536,3des-md5;modp1024<br>
forceencaps=yes<br>
left=%defaultroute<br>
leftid=10.1.2.2<br>
leftsubnet=<a href="http://10.1.2.0/24" target="_blank">10.1.2.0/24</a><br>
right=54.66.129.223<br>
rightid=54.66.129.223<br>
rightsourceip=10.1.0.1<br>
rightsubnet=<a href="http://10.1.0.0/16" target="_blank">10.1.0.0/16</a><br>
</blockquote>
<br></span>
Does the server have one interface in the <a href="http://10.1.2.0/24" target="_blank">10.1.2.0/24</a> network? If so,<br>
can you add leftsourceip=10.1.2.x to that? (where 10.1.2.x is the<br>
IP the server has in the <a href="http://10.1.2.0/24" target="_blank">10.1.2.0/24</a> network?)<span class=""><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
conn forestlake<br>
type=tunnel<br>
authby=secret<br>
auto=add<br>
ike=aes256-sha1;modp1536,3des-md5;modp1024<br>
forceencaps=yes<br>
left=%defaultroute<br>
leftid=54.66.129.223<br>
leftsourceip=10.1.0.1<br>
leftsubnet=<a href="http://10.1.0.0/16" target="_blank">10.1.0.0/16</a><br>
right=%any<br>
rightid=10.1.2.2<br>
rightsubnet=<a href="http://10.1.2.0/24" target="_blank">10.1.2.0/24</a><br>
</blockquote>
<br></span>
(note normally we don't flip "left" and "right" on both ends of a<br>
connection. That is why we call it left/right and not source/dest :)<br>
<br>
Also just to verify, I assume 10.1.0.1 is actually configured on the<br>
amazon machine running libreswan, eg as alias on loopback or on an ethX device?<br>
And not on another amazon located machine near the libreswan box?<br>
<br>
to better understand what is happening, we would need to see the log<br>
files produced by pluto. Running "ipsec barf" while libreswan is<br>
running should give us the system config and the log files, so if you<br>
can post that to a pastebin and give us the link, we could look into<br>
this in more detail.<span class="HOEnZb"><font color="#888888"><br>
<br>
Paul<br>
<br>
</font></span></blockquote></div><br></div>
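<p>An added example, not part of the thread above and not libreswan's own code: a small checker that takes the two <code>conn</code> blocks (one from each end) and reports the two things Paul Wouters' reply calls out, namely "left" and "right" flipped between the two ends, and bare IP addresses used as <code>leftid</code>/<code>rightid</code>. It also checks that each <code>*sourceip</code> lies inside the matching <code>*subnet</code>; that check is this example's own addition, not something the reply asks for. The four <code>conn</code> blocks embedded below are copied from the messages above as sample input; the function and constant names are the example's own.</p>

```python
"""Cross-check two libreswan 'conn' blocks, one from each end of a tunnel.

Added example for the thread above; not libreswan code.  Parses the minimal
ipsec.conf syntax used in the messages (a 'conn NAME' line followed by
indented key=value lines) and reports inconsistencies between the two ends.
"""
import ipaddress
import re

# Per-side settings that must agree between the two ends (prefixed left/right).
SIDE_KEYS = ("id", "subnet", "sourceip")


def parse_conn(text):
    """Parse one 'conn NAME' block into (name, {key: value})."""
    name, opts = None, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            name = m.group(1)
        elif "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return name, opts


def _side(opts, prefix):
    """The (id, subnet, sourceip) triple for 'left' or 'right'."""
    return tuple(opts.get(prefix + k) for k in SIDE_KEYS)


def check_pair(conf_a, conf_b):
    """Return a list of findings; an empty list means the two blocks agree."""
    name_a, a = parse_conn(conf_a)
    name_b, b = parse_conn(conf_b)
    findings = []

    # Both ends should describe the same left and the same right, not swap them.
    same = _side(a, "left") == _side(b, "left") and _side(a, "right") == _side(b, "right")
    mirrored = _side(a, "left") == _side(b, "right") and _side(a, "right") == _side(b, "left")
    if mirrored and not same:
        findings.append("left/right are flipped between %s and %s" % (name_a, name_b))
    elif not same:
        for prefix in ("left", "right"):
            for key in SIDE_KEYS:
                if a.get(prefix + key) != b.get(prefix + key):
                    findings.append("%s%s differs: %s has %r, %s has %r" % (
                        prefix, key, name_a, a.get(prefix + key), name_b, b.get(prefix + key)))

    for name, opts in ((name_a, a), (name_b, b)):
        for prefix in ("left", "right"):
            # IDs that are bare IP addresses break behind NAT or on dynamic IPs.
            ident = opts.get(prefix + "id")
            if ident and not ident.startswith("@"):
                try:
                    ipaddress.ip_address(ident)
                except ValueError:
                    pass
                else:
                    findings.append("%s: %sid=%s is a bare IP address; use an @name ID"
                                    % (name, prefix, ident))
            # Example's own sanity check: a sourceip must lie inside its subnet.
            ip, net = opts.get(prefix + "sourceip"), opts.get(prefix + "subnet")
            if ip and net and ipaddress.ip_address(ip) not in ipaddress.ip_network(net, strict=False):
                findings.append("%s: %ssourceip=%s is outside %ssubnet=%s"
                                % (name, prefix, ip, prefix, net))
    return findings


# Sample input copied from the messages above (first the original pair,
# then the revised pair).
ORIGINAL_MDSERVER = """\
conn amazoncore
    type=tunnel
    authby=secret
    auto=start
    ike=aes256-sha1;modp1536,3des-md5;modp1024
    forceencaps=yes
    left=%defaultroute
    leftid=10.1.2.2
    leftsubnet=10.1.2.0/24
    right=54.66.129.223
    rightid=54.66.129.223
    rightsourceip=10.1.0.1
    rightsubnet=10.1.0.0/16
"""

ORIGINAL_CORE = """\
conn forestlake
    type=tunnel
    authby=secret
    auto=add
    ike=aes256-sha1;modp1536,3des-md5;modp1024
    forceencaps=yes
    left=%defaultroute
    leftid=54.66.129.223
    leftsourceip=10.1.0.1
    leftsubnet=10.1.0.0/16
    right=%any
    rightid=10.1.2.2
    rightsubnet=10.1.2.0/24
"""

REVISED_MDSERVER = """\
conn amazoncore
    type=tunnel
    authby=secret
    auto=start
    left=54.66.129.223
    leftid=@blender
    leftsourceip=10.1.0.1
    leftsubnet=10.1.0.0/16
    right=%defaultroute
    rightid=@potatoe
    rightsourceip=10.1.2.2
    rightsubnet=10.1.2.0/24
"""

REVISED_CORE = """\
conn forestlake
    type=tunnel
    authby=secret
    auto=add
    left=%defaultroute
    leftid=@blender
    leftsourceip=10.1.0.1
    leftsubnet=10.1.0.0/16
    right=%any
    rightid=@potatoe
    rightsourceip=10.1.2.2
    rightsubnet=10.1.2.0/24
"""

if __name__ == "__main__":
    for label, pair in (("original", (ORIGINAL_MDSERVER, ORIGINAL_CORE)),
                        ("revised", (REVISED_MDSERVER, REVISED_CORE))):
        print("%s configs:" % label)
        for finding in check_pair(*pair) or ["no findings"]:
            print("  " + finding)
```

<p>Run against the original pair it reports the flipped left/right plus four bare-IP IDs; the revised pair, which uses <code>@blender</code>/<code>@potatoe</code> on both ends, produces no findings. The checker only compares the two blocks against each other; it says nothing about whether the host actually owns the <code>sourceip</code> addresses or has IP forwarding enabled, which <code>ipsec verify</code> covers.</p>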