<div dir="ltr">Hi Paul,<div><br></div><div>Do you have any insight on this one?</div><div><br></div><div>I've been playing with accept_redirects, send_redirects, secure_redirects and rp_filter and have turned everything off, but it doesn't change anything.</div><div><br></div><div>I'm limping along for now by sending syslog traffic from the AWS host to the other end to keep the ability of the other end to ping the AWS host, but it's not really regular enough to be reliable.</div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature"><div dir="ltr"><font face="Tahoma">Cheers,<br><br><font style="FONT-SIZE:10pt">Paul Moore</font></font><div><font style="FONT-SIZE:10pt"><font face="Tahoma">Astute Systems</font></font></div><div><a href="mailto:pmoore@astute-systems.com" style="font-family:Tahoma;font-size:13.600000381469727px" target="_blank">pmoore@astute-systems.com</a><span style="font-family:Tahoma;font-size:13.600000381469727px"> </span><font style="FONT-SIZE:10pt"><font face="Tahoma"> </font></font><span style="font-family:Tahoma;font-size:13.600000381469727px">0481 268 522</span><span style="font-family:Tahoma;font-size:10pt"> </span><a href="http://www.linkedin.com/profile/view?id=465982" style="font-family:Tahoma;font-size:10pt" target="_blank"><img src="http://www.linkedin.com/img/webpromo/btn_in_20x15.png">View my profile</a></div></div></div></div>
<br><div class="gmail_quote">On 20 March 2015 at 15:57, Paul Moore <span dir="ltr"><<a href="mailto:pmoore@astute-systems.com" target="_blank">pmoore@astute-systems.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi Paul,<div><br></div><div>Thanks for your reply.</div><div><br></div><div><div>Before changing any configuration, I've pasted the output of the ipsec initiator at <a href="http://pastebin.com/ct532Ewc" target="_blank">http://pastebin.com/ct532Ewc</a> and the ipsec responder at <a href="http://pastebin.com/1bzGcq1d" target="_blank">http://pastebin.com/1bzGcq1d</a></div></div><span class=""><div><br></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span style="font-size:13px">Does the server have one interface in the </span><a href="http://10.1.2.0/24" style="font-size:13px" target="_blank">10.1.2.0/24</a><span style="font-size:13px"> network? If so,<br></span><span style="font-size:13px">can you add leftsourceip=10.1.2.x to that? (where 10.1.2.x is the<br></span><span style="font-size:13px">IP the server has in the </span><a href="http://10.1.2.0/24" style="font-size:13px" target="_blank">10.1.2.0/24</a><span style="font-size:13px"> network?)</span></blockquote></blockquote><div><span style="font-size:13px"><br></span></div></span><div><span style="font-size:13px">The ipsec initiator (mdserver) has it's only ethernet address as <a href="http://10.1.2.2/24" target="_blank">10.1.2.2/24</a> on the internal network.</span></div><div><span style="font-size:13px"><br></span></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div><b>[root@mdserver ~]# ifconfig</b></div></div><div><div><b>enp0s29f0u2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500</b></div></div><div><div><b> ether 02:21:5e:0a:a9:1f txqueuelen 1000 (Ethernet)</b></div></div><div><div><b> RX packets 39263 bytes 2555803 (2.4 MiB)</b></div></div><div><div><b> RX errors 0 dropped 0 overruns 0 frame 0</b></div></div><div><div><b> TX packets 0 bytes 0 (0.0 B)</b></div></div><div><div><b> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0</b></div></div><div><div><b><br></b></div></div><div><div><b>enp11s0f0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500</b></div></div><div><div><b> inet 10.1.2.2 netmask 255.255.255.0 broadcast 10.1.2.255</b></div></div><div><div><b> inet6 fe80::221:5eff:fe09:a91c prefixlen 64 scopeid 0x20<link></b></div></div><div><div><b> ether 00:21:5e:09:a9:1c txqueuelen 1000 (Ethernet)</b></div></div><div><div><b> RX packets 184092 bytes 41376693 (39.4 MiB)</b></div></div><div><div><b> RX errors 0 dropped 29 overruns 0 frame 0</b></div></div><div><div><b> TX packets <a href="tel:138809" value="+61138809" target="_blank">138809</a> bytes 43058412 (41.0 MiB)</b></div></div><div><div><b> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0</b></div></div><div><div><b><br></b></div></div><div><div><b>enp11s0f1: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500</b></div></div><div><div><b> ether 00:21:5e:09:a9:1e txqueuelen 1000 (Ethernet)</b></div></div><div><div><b> RX packets 0 bytes 0 (0.0 B)</b></div></div><div><div><b> RX errors 0 dropped 0 overruns 0 frame 0</b></div></div><div><div><b> TX packets 0 bytes 0 (0.0 B)</b></div></div><div><div><b> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0</b></div></div><div><div><b><br></b></div></div><div><div><b>lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536</b></div></div><div><div><b> inet 127.0.0.1 netmask 255.0.0.0</b></div></div><div><div><b> inet6 ::1 prefixlen 128 scopeid 0x10<host></b></div></div><div><div><b> loop txqueuelen 0 (Local Loopback)</b></div></div><div><div><b> RX packets <a href="tel:165379" value="+61165379" target="_blank">165379</a> bytes 52434556 (50.0 MiB)</b></div></div><div><div><b> RX errors 0 dropped 0 overruns 0 frame 0</b></div></div><div><div><b> TX packets <a href="tel:165379" value="+61165379" target="_blank">165379</a> bytes 52434556 (50.0 MiB)</b></div></div><div><div><b> TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0</b></div></div><div><div><b><br></b></div></div><div><div><b>[root@mdserver ~]# </b></div></div></blockquote><div><br></div><div>I've added "leftsourceip" but changed it to "rightsourceip" to both the ipsec initiator (hmserver) and the ipsec responder (core - ip-172-31-6-188) configuration.</div><div><br></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div><b>[root@mdserver ~]# cat /etc/ipsec.d/amazoncore.conf </b></div></div><span class=""><div><div><b>conn amazoncore</b></div></div><div><div><b> type=tunnel</b></div></div><div><div><b> authby=secret</b></div></div><div><div><b> auto=start</b></div></div><div><div><b> ike=aes256-sha1;modp1536,3des-md5;modp1024</b></div></div><div><div><b> forceencaps=yes</b></div></div></span><div><div><b> left=54.66.129.223</b></div></div><div><div><b> leftid=@blender</b></div></div><div><div><b> leftsourceip=10.1.0.1</b></div></div><div><div><b> leftsubnet=<a href="http://10.1.0.0/16" target="_blank">10.1.0.0/16</a></b></div></div><div><div><b> right=%defaultroute</b></div></div><div><div><b> rightid=@potatoe</b></div></div><div><div><b> rightsourceip=10.1.2.2</b></div></div><div><div><b> rightsubnet=<a href="http://10.1.2.0/24" target="_blank">10.1.2.0/24</a></b></div></div><div><div><b>[root@mdserver ~]# </b></div></div><div><b><br></b></div><div><b><br></b></div><div><div><b>[root@ip-172-31-6-188 ~]# cat /etc/ipsec.d/forestlake.conf </b></div></div><span class=""><div><div><b>conn forestlake</b></div></div><div><div><b> type=tunnel</b></div></div><div><div><b> authby=secret</b></div></div><div><div><b> auto=add</b></div></div><div><div><b> ike=aes256-sha1;modp1536,3des-md5;modp1024</b></div></div><div><div><b> forceencaps=yes</b></div></div><div><div><b> left=%defaultroute</b></div></div></span><div><div><b> leftid=@blender</b></div></div><div><div><b> leftsourceip=10.1.0.1</b></div></div><div><div><b> leftsubnet=<a href="http://10.1.0.0/16" target="_blank">10.1.0.0/16</a></b></div></div><div><div><b> right=%any</b></div></div><div><div><b> rightid=@potatoe</b></div></div><div><div><b> rightsourceip=10.1.2.2</b></div></div><div><div><b> rightsubnet=<a href="http://10.1.2.0/24" target="_blank">10.1.2.0/24</a></b></div></div><div><div><b>[root@ip-172-31-6-188 ~]# </b></div></div><div><br></div></blockquote><div><br></div><div>Based on your comments I've subsequently changed a few things which did not fix the problem and the same behaviour occurs, but might help get us closer.<br></div><div><br></div><div>On the ipsec initiator (hmserver), ipsec barf said:</div><div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><b><br></b></div><div><div><b>+ _________________________ ipsec_verify</b></div></div><div><div><b>+ ipsec verify --nocolour</b></div></div><div><div><b>Verifying installed system and configuration files</b></div></div><div><div><b><SNIP></b></div></div><div><div><b>Two or more interfaces found, checking IP forwarding [FAILED]</b></div></div><div><div><b>[root@mdserver ~]# cat /proc/sys/net/ipv4/ip_forward </b></div></div><div><div><b>0</b></div></div><div><div><b>[root@mdserver ~]#</b></div></div><div><br></div></blockquote></div><div>So I added "net.ipv4.ip_forward=1" to "/etc/sysctl.d/92-ipsec.conf" and ran "sysctl --system" so that:</div><div><br></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div><b>[root@mdserver ~]# cat /proc/sys/net/ipv4/ip_forward </b></div></div><div><div><b>1</b></div></div><div><div><b>[root@mdserver ~]# </b></div></div></blockquote><div><br></div><div>On the ipsec responder (core <span style="font-size:13px">- ip-172-31-6-188), I changed the alias for 10.1.0.1 from the ethernet device to the lo device:</span></div><div><span style="font-size:13px"><br></span></div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><div><b>[root@ip-172-31-6-188 ~]# ip addr</b></div></div><div><div><b>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN </b></div></div><div><div><b> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00</b></div></div><div><div><b> inet <a href="http://127.0.0.1/8" target="_blank">127.0.0.1/8</a> scope host lo</b></div></div><div><div><b> valid_lft forever preferred_lft forever</b></div></div><div><div><b> inet6 ::1/128 scope host </b></div></div><div><div><b> valid_lft forever preferred_lft forever</b></div></div><div><div><b>2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000</b></div></div><div><div><b> link/ether 02:1b:09:ed:fb:c8 brd ff:ff:ff:ff:ff:ff</b></div></div><div><div><b> inet <a href="http://172.31.6.188/20" target="_blank">172.31.6.188/20</a> brd 172.31.15.255 scope global dynamic eth0</b></div></div><div><div><b> valid_lft 2016sec preferred_lft 2016sec</b></div></div><div><div><b> inet <a href="http://10.1.0.1/32" target="_blank">10.1.0.1/32</a> scope global eth0</b></div></div><div><div><b> valid_lft forever preferred_lft forever</b></div></div><div><div><b> inet6 fe80::1b:9ff:feed:fbc8/64 scope link </b></div></div><div><div><b> valid_lft forever preferred_lft forever</b></div></div><div><div><b>[root@ip-172-31-6-188 ~]# ip addr del <a href="http://10.1.0.1/32" target="_blank">10.1.0.1/32</a> dev eth0</b></div></div><div><div><b>[root@ip-172-31-6-188 ~]# ip addr add <a href="http://10.1.0.1/32" target="_blank">10.1.0.1/32</a> dev lo</b></div></div><div><div><b>[root@ip-172-31-6-188 ~]# ip addr</b></div></div><div><div><b>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN </b></div></div><div><div><b> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00</b></div></div><div><div><b> inet <a href="http://127.0.0.1/8" target="_blank">127.0.0.1/8</a> scope host lo</b></div></div><div><div><b> valid_lft forever preferred_lft forever</b></div></div><div><div><b> inet <a href="http://10.1.0.1/32" target="_blank">10.1.0.1/32</a> scope global lo</b></div></div><div><div><b> valid_lft forever preferred_lft forever</b></div></div><div><div><b> inet6 ::1/128 scope host </b></div></div><div><div><b> valid_lft forever preferred_lft forever</b></div></div><div><div><b>2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000</b></div></div><div><div><b> link/ether 02:1b:09:ed:fb:c8 brd ff:ff:ff:ff:ff:ff</b></div></div><div><div><b> inet <a href="http://172.31.6.188/20" target="_blank">172.31.6.188/20</a> brd 172.31.15.255 scope global dynamic eth0</b></div></div><div><div><b> valid_lft 1932sec preferred_lft 1932sec</b></div></div><div><div><b> inet6 fe80::1b:9ff:feed:fbc8/64 scope link </b></div></div><div><div><b> valid_lft forever preferred_lft forever</b></div></div><div><div><b>[root@ip-172-31-6-188 ~]# </b></div></div></blockquote><div><br></div><div><br></div><div>I also changed the configuration in the ipsec initiator to use the same left/right identies as the ipsec responder.</div><div><br></div><div>Based on your comment below in <a href="https://lists.libreswan.org/pipermail/swan/2015/001099.html" target="_blank">https://lists.libreswan.org/pipermail/swan/2015/001099.html</a>, I also changed the "leftid" and "rightid" entries in all config and secrets files.</div><div><blockquote style="margin:0px 0px 0px 40px;border:none;padding:0px"><div><br></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">If using two libreswan installs, just set the ids using leftid=@something and rightid=@somethingelse</blockquote></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> </blockquote></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">That avoids using or defaulting to IPs being used as IDs, which is trick when NAT is involved (or when a remote endpoint is on dynamic IP)</blockquote></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"> </blockquote></div><div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">Don't use leftid=@ipaddress, but use leftid=@somestring.</blockquote></div></blockquote></div><div><div><br></div></div><div>After making all the above changes the problem persists.</div><div><br></div></div><div class="gmail_extra"><span class=""><br clear="all"><div><div><div dir="ltr"><font face="Tahoma">Cheers,<br><br><font style="FONT-SIZE:10pt">Paul Moore</font></font><div><font style="FONT-SIZE:10pt"><font face="Tahoma">Astute Systems</font></font></div><div><a href="mailto:pmoore@astute-systems.com" style="font-family:Tahoma;font-size:13.600000381469727px" target="_blank">pmoore@astute-systems.com</a><span style="font-family:Tahoma;font-size:13.600000381469727px"> </span><font style="FONT-SIZE:10pt"><font face="Tahoma"> </font></font><span style="font-family:Tahoma;font-size:13.600000381469727px"><a href="tel:0481%20268%20522" value="+61481268522" target="_blank">0481 268 522</a></span><span style="font-family:Tahoma;font-size:10pt"> </span><a href="http://www.linkedin.com/profile/view?id=465982" style="font-family:Tahoma;font-size:10pt" target="_blank"><img src="http://www.linkedin.com/img/webpromo/btn_in_20x15.png">View my profile</a></div></div></div></div>
<br></span><div><div class="h5"><div class="gmail_quote">On 20 March 2015 at 13:30, Paul Wouters <span dir="ltr"><<a href="mailto:paul@nohats.ca" target="_blank">paul@nohats.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On Fri, 20 Mar 2015, Paul Moore wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
This is my first post to this list and I've been trying to figure out this problem for a few weeks<br>
without asking for help because I thought I must be doing something stupid.<br>
</blockquote>
<br></span>
to everyone: please never feel your question is too stupid. If something<br>
is unclear after a google search, it is our problem in the<br>
documentation. Please feel free to ask!<span><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
me to say "me too". Just like Dave, please also forgive me if I'm doing something wrong or breaking<br>
mailing list etiquette.<br>
</blockquote>
<br></span>
The only etiquette is to treat others as you like to be treated<br>
yourself.<span><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
The basic problem is that a ping sent from the machine that initiated the tunnel (we'll call this the<br>
ipsec initiatiator) and to the machine at the other end (we'll call this the ipsec responder) does not<br>
work until a ping first comes from the ipsec responder back to the ipsec initiator. At that point, ping<br>
responds only if the tunnel has had traffic pass through it in the last 30 seconds. Also, while the ping<br>
from the ipsec initiator to the ipsec responder does not work, the ipsec initiatiator cannot even ping<br>
itself.<br>
</blockquote>
<br></span>
That's very odd. Did you observe if any of these pings were encrypted or<br>
leaked in plaintext?<span><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
# ==== Output of mdserver command: "cat /etc/ipsec.d/*conf"<br>
conn amazoncore<br>
type=tunnel<br>
authby=secret<br>
auto=start<br>
ike=aes256-sha1;modp1536,3des-<u></u>md5;modp1024<br>
forceencaps=yes<br>
left=%defaultroute<br>
leftid=10.1.2.2<br>
leftsubnet=<a href="http://10.1.2.0/24" target="_blank">10.1.2.0/24</a><br>
right=54.66.129.223<br>
rightid=54.66.129.223<br>
rightsourceip=10.1.0.1<br>
rightsubnet=<a href="http://10.1.0.0/16" target="_blank">10.1.0.0/16</a><br>
</blockquote>
<br></span>
Does the server have one interface in the <a href="http://10.1.2.0/24" target="_blank">10.1.2.0/24</a> network? If so,<br>
can you add leftsourceip=10.1.2.x to that? (where 10.1.2.x is the<br>
IP the server has in the <a href="http://10.1.2.0/24" target="_blank">10.1.2.0/24</a> network?)<span><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
conn forestlake<br>
type=tunnel<br>
authby=secret<br>
auto=add<br>
ike=aes256-sha1;modp1536,3des-<u></u>md5;modp1024<br>
forceencaps=yes<br>
left=%defaultroute<br>
leftid=54.66.129.223<br>
leftsourceip=10.1.0.1<br>
leftsubnet=<a href="http://10.1.0.0/16" target="_blank">10.1.0.0/16</a><br>
right=%any<br>
rightid=10.1.2.2<br>
rightsubnet=<a href="http://10.1.2.0/24" target="_blank">10.1.2.0/24</a><br>
</blockquote>
<br></span>
(note normally we don't flip "left" and "right" on both ends of a<br>
connection. That is why we call it left/right and not source/dest :)<br>
<br>
Also just to verify, I assume 10.1.0.1 is actually configured on the<br>
amazon machine running libreswan, eg as alias on loopback or on an ethX device?<br>
And not on another amazon located machine near the libreswan box?<br>
<br>
to better understand what is happening, we would need to see the log<br>
files produced by pluto. Running "ipsec barf" while libreswan is<br>
running should give us the system config and the log files, so if you<br>
can post that to a pastebin and give us the link, we could look into<br>
this in more detail.<span><font color="#888888"><br>
<br>
Paul<br>
<br>
</font></span></blockquote></div><br></div></div></div>
</blockquote></div><br></div></div>