[Discuss] OpenSWAN VPN
Matt Shields
matt at mattshields.org
Thu Jul 9 10:44:37 EDT 2015
Does anyone have a working OpenSWAN config, or can you see what the issue
might be below? The current test environment is two Amazon VPCs with a VPN
server NAT'd behind a firewall; UDP ports 500 & 4500 are being forwarded.
I'm using the config below and it "seems" to connect, but I can't ping/ssh to
anything on either side.
DC1:
- External IP x.x.x.x
- Internal Subnet 10.10.0.0/16
DC2:
- External IP y.y.y.y
- Internal Subnet 192.168.0.0/24
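# this config resides on DC1 vpn server
# NOTE(review): parameter lines are indented under their section header as
# ipsec.conf expects; the flattened paste had every line at column 0.
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    # interfaces=%defaultroute
    klipsdebug=none
    # nhelpers=0
    plutodebug=none
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    nat_traversal=yes
    # virtual_private lists the private ranges a peer may sit behind; the
    # "!" entry excludes this host's OWN LAN. The original listed the local
    # 10.10.0.0/16 and excluded the remote 192.168.0.0/24, i.e. backwards.
    # With an explicit rightsubnet this is unlikely to be the ping failure,
    # but the conventional form is given here.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!10.10.0.0/16
    oe=off
    # Enable this if you see "failed to find any available worker"
    # nhelpers=0
    # forceencaps=yes

conn dc1-to-dc2
    auto=start
    type=tunnel
    # left= is this host's own (pre-NAT) address; the public x.x.x.x is used
    # only as the ID because the firewall forwards 500/4500 to this host.
    left=10.10.10.43
    # leftsourceip must be an address this host actually holds inside
    # leftsubnet. It was x.x.x.x (the NAT'd public IP), which this host does
    # not own, so packets originating on the VPN server itself had no
    # usable source address for the tunnel.
    leftsourceip=10.10.10.43
    leftsubnet=10.10.0.0/16
    leftid=x.x.x.x
    right=y.y.y.y
    rightsubnet=192.168.0.0/24
    rightid=y.y.y.y
    # NOTE(review): both peers are inside Amazon VPCs, so traffic for the
    # remote subnet also needs a VPC route-table entry pointing at this
    # instance and the instance source/destination check disabled; neither
    # is visible in this file - verify on the VPC side.
    # phase 1 encryption-integrity-DiffieHellman
    keyexchange=ike
    # NOTE(review): 3des/md5 and the 1024-bit modp1024 group are legacy
    # proposals; once the tunnel passes traffic, move BOTH peers together to
    # AES with a SHA-2 integrity algorithm and modp2048 so the proposal sets
    # still intersect. Left unchanged here so the two sides keep matching.
    ike=3des-md5-modp1024,aes256-sha1-modp1024
    ikelifetime=86400s
    # use presharedkey (the PSK entry must be keyed on leftid/rightid above;
    # ipsec.secrets is not shown - confirm)
    authby=secret
    # should we rekey when key lifetime is about to expire
    rekey=yes
    # phase 2 encryption-pfsgroup
    # esp for encryption | ah for authentication only
    phase2=esp
    # NOTE(review): the ";modp1024" suffix names a PFS group, while pfs=no
    # below turns PFS off; pick one (pfs=yes on both peers is the stronger
    # choice).
    phase2alg=3des-md5;modp1024
    pfs=no
    forceencaps=yes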
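# this config resides on DC2 vpn server
# NOTE(review): parameter lines are indented under their section header as
# ipsec.conf expects; the flattened paste had every line at column 0.
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    # interfaces=%defaultroute
    klipsdebug=none
    # nhelpers=0
    plutodebug=none
    plutostderrlog=/var/log/pluto.log
    protostack=netkey
    nat_traversal=yes
    # virtual_private lists the private ranges a peer may sit behind; the
    # "!" entry excludes this host's OWN LAN. The original listed the local
    # 192.168.0.0/24 and excluded the remote 10.10.0.0/16, i.e. backwards.
    # With an explicit rightsubnet this is unlikely to be the ping failure,
    # but the conventional form is given here.
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.0.0/24
    oe=off
    # Enable this if you see "failed to find any available worker"
    # nhelpers=0
    # forceencaps=yes

conn dc2-to-dc1
    auto=start
    type=tunnel
    # left= is this host's own (pre-NAT) address; the public y.y.y.y is used
    # only as the ID because the firewall forwards 500/4500 to this host.
    left=192.168.0.22
    # leftsourceip must be an address this host actually holds inside
    # leftsubnet. It was y.y.y.y (the NAT'd public IP), which this host does
    # not own, so packets originating on the VPN server itself had no
    # usable source address for the tunnel.
    leftsourceip=192.168.0.22
    leftsubnet=192.168.0.0/24
    leftid=y.y.y.y
    right=x.x.x.x
    rightsubnet=10.10.0.0/16
    rightid=x.x.x.x
    # phase 1 encryption-integrity-DiffieHellman
    keyexchange=ike
    # NOTE(review): 3des/md5 and the 1024-bit modp1024 group are legacy
    # proposals; once the tunnel passes traffic, move BOTH peers together to
    # AES with a SHA-2 integrity algorithm and modp2048 so the proposal sets
    # still intersect. Left unchanged here so the two sides keep matching.
    ike=3des-md5-modp1024,aes256-sha1-modp1024
    ikelifetime=86400s
    # use presharedkey (the PSK entry must be keyed on leftid/rightid above;
    # ipsec.secrets is not shown - confirm)
    authby=secret
    # should we rekey when key lifetime is about to expire
    rekey=yes
    # phase 2 encryption-pfsgroup
    # esp for encryption | ah for authentication only
    phase2=esp
    # NOTE(review): the ";modp1024" suffix names a PFS group, while pfs=no
    # below turns PFS off; pick one (pfs=yes on both peers is the stronger
    # choice).
    phase2alg=3des-md5;modp1024
    pfs=no
    forceencaps=yes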
Matt