Openswan IPSec compatibility


#1

Can Balance 380 IPSec interop with Openswan? We have a VPC in AWS we’d like to VPN into.


#2

We support IPSec implementations with Cisco and Juniper; we’re not sure if it will work with the VPC in AWS.

Of course we support IPSec passthrough, and the tunnel could terminate on a device behind the Balance.


#3

If you are using OpenSWAN as a network-to-network IPsec VPN connection, technically this should work with Balance 380. However, there are too many factors that may affect the compatibility, and we cannot say it will work 100%. In your case the setup runs on the Amazon VPC, and we’re not sure how it will go in this environment.


#4

Thanks! I’m testing outside of aws/vpc on a baremetal box with a direct static WAN IP, just to get things started.

Any pointers on configuration of OpenSWAN for interop with Peplink? Sure, no warranties / guarantees / etc.; I already bought a Peplink box to test and surely will be purchasing more if this works right :)


#5

Thus far my attempts have returned ‘No acceptable response, please verify the settings.’ on the Peplink. I’m digging into logs on the Ubuntu box, is there a way to dig further on the Peplink beyond that error message?


#6

Check that… I’m actually able to get a one-way connection (from the Peplink network to the Ubuntu machine). However, I cannot ping from the Ubuntu machine to the Peplink. The Peplink shows ‘connected’ with proper subnets on the Status > IPsec VPN page.

On the Peplink, the IPsec Event Log states ‘IKE Proposal refused, please verify Phase 1 (IKE) settings’.

The ubuntu machine has the following relevant info in the connection in ipsec.conf:
esp=aes
keyexchange=ike
ike=aes
pfs=no
auth=esp

The IPSec VPN is set to AES256 & SHA1 for both IKE and ESP, and the logs on the Ubuntu box suggest we should have matches (in that 000 means it should match 256/128/etc):
000 "vpn": IKE algorithms wanted: AES_CBC(7)_000-MD5(1)_000-MODP1536(5), AES_CBC(7)_000-SHA1(2)_000-MODP1536(5), AES_CBC(7)_000-MD5(1)_000-MODP1024(2), AES_CBC(7)_000-SHA1(2)_000-MODP1024(2); flags=-strict
000 "vpn": IKE algorithms found: AES_CBC(7)_128-MD5(1)_128-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-MD5(1)_128-MODP1024(2), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "vpn": IKE algorithm newest: AES_CBC_256-SHA1-MODP1024
000 "vpn": ESP algorithms wanted: AES(12)_000-MD5(1)_000, AES(12)_000-SHA1(2)_000; flags=-strict
000 "vpn": ESP algorithms loaded: AES(12)_128-MD5(1)_128, AES(12)_128-SHA1(2)_160
000 "vpn": ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=<N/A>

Any ideas?


#7

Is it possible to post your full OpenSWAN “ipsec.conf” file and the Diagnostic Report from the Peplink device here so we can have more information?

For your reference, if you are using default IPsec settings on Peplink, the following configuration file should work.

Assuming the Peplink device and Ubuntu machine have IP 10.1.1.1 and 10.2.1.1 respectively.

~ # cat /etc/ipsec.conf
version 2.1
config setup
    protostack=netkey
    nat_traversal=off       # neither end is behind NAT in this example; set to yes if the WAN side is NATed
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    oe=no
    uniqueids=yes
    nhelpers=0
    plutodebug=none         # raise (e.g. to "control") while chasing "IKE Proposal refused"

# Site-to-site tunnel matching the Peplink IPsec VPN defaults (AES256/SHA1, DH group 2, no PFS)
conn IPSEC1
    type=tunnel
    authby=secret           # pre-shared key, stored in /etc/ipsec.secrets
    left=10.1.1.1           # Peplink WAN address
    leftsubnets={192.168.1.0/24}    # LAN behind the Peplink (network address, not a host address)
    right=10.2.1.1          # Ubuntu/Openswan WAN address
    rightsubnets={192.168.2.0/24}   # LAN behind the Ubuntu machine
    ike=aes256-sha1;modp1024        # Phase 1: key length stated explicitly so 256-bit AES is proposed
    phase2alg=aes256-sha1           # Phase 2 (ESP) transform
    pfs=no
    forceencaps=off
    ikev2=no                # IKEv1 main mode
    aggrmode=off
    salifetime=28800s       # IPsec (Phase 2) SA lifetime
    ikelifetime=3600s       # ISAKMP (Phase 1) SA lifetime
    dpddelay=10             # dead peer detection probe interval (s)
    dpdtimeout=30           # declare the peer dead after this many seconds without a reply
    dpdaction=restart_by_peer
    rekey=yes
    keyingtries=%forever
    auto=start              # bring the tunnel up when the service starts

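The status lines quoted in post #6 and the `ike=aes256-sha1;modp1024` line in the configuration above show the same Phase 1 mismatch from two sides: with `ike=aes` and no key length, the "wanted" list carries `_000` (unspecified), which pluto resolves to the 128-bit default in the "found" list, so every proposal Openswan sends as initiator is AES-128 while the Peplink end is set to AES256. The "newest" line shows the SA that did come up is AES_CBC_256, i.e. the one negotiated when the Peplink side initiated, which fits the one-way behaviour reported. The following added example (not code from the thread, Openswan or Peplink) parses those `ipsec auto --status` lines, checks which of Openswan's own proposals the peer's configured transform would accept, and emits the `ike=` line that pins Openswan to it. `PEPLINK_PHASE1` is an assumption built from the AES256/SHA1 setting stated in post #6 and the MODP1024 group visible on the "newest" line; `SAMPLE_STATUS` is the quoted log, embedded here as constructed input so the script runs offline.

```python
"""Phase 1 proposal check for Openswan <-> Peplink interop (added example)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    enc: str        # e.g. "AES_CBC"
    keylen: int     # bits; 0 means "unspecified" on a "wanted" line
    hash: str       # e.g. "SHA1"
    group: str      # e.g. "MODP1024"


# Constructed sample: the `ipsec auto --status` lines quoted in post #6.
SAMPLE_STATUS = """\
000 "vpn": IKE algorithms wanted: AES_CBC(7)_000-MD5(1)_000-MODP1536(5), AES_CBC(7)_000-SHA1(2)_000-MODP1536(5), AES_CBC(7)_000-MD5(1)_000-MODP1024(2), AES_CBC(7)_000-SHA1(2)_000-MODP1024(2); flags=-strict
000 "vpn": IKE algorithms found: AES_CBC(7)_128-MD5(1)_128-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-MD5(1)_128-MODP1024(2), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2)
000 "vpn": IKE algorithm newest: AES_CBC_256-SHA1-MODP1024
"""

# Assumed peer transform: AES256/SHA1 from post #6, DH group from the "newest" line.
PEPLINK_PHASE1 = Proposal("AES_CBC", 256, "SHA1", "MODP1024")

# "wanted" / "found" lists: ENC(id)_keylen-HASH(id)_hashlen-GROUP(id), comma separated,
# with an optional "; flags=..." tail that is excluded from the body.
LIST_RE = re.compile(r'"(?P<conn>[^"]+)": IKE algorithms (?P<kind>wanted|found): (?P<body>[^;]*)')
ITEM_RE = re.compile(r'(?P<enc>[A-Z0-9_]+)\(\d+\)_(?P<keylen>\d+)-(?P<hash>[A-Z0-9_]+)\(\d+\)_\d+-(?P<group>MODP\d+)\(\d+\)')
# "newest" line: ENC_keylen-HASH-GROUP, the SA actually established.
NEWEST_RE = re.compile(r'"(?P<conn>[^"]+)": IKE algorithm newest: (?P<enc>[A-Z0-9]+_[A-Z]+)_(?P<keylen>\d+)-(?P<hash>[A-Z0-9_]+)-(?P<group>MODP\d+)')


def _entry(conns: dict, conn: str) -> dict:
    return conns.setdefault(conn, {"wanted": [], "found": [], "newest": None})


def parse_status(text: str) -> dict:
    """Return {conn: {"wanted": [Proposal], "found": [Proposal], "newest": Proposal|None}}."""
    conns: dict = {}
    for line in text.splitlines():
        m = LIST_RE.search(line)
        if m:
            _entry(conns, m["conn"])[m["kind"]] = [
                Proposal(i["enc"], int(i["keylen"]), i["hash"], i["group"])
                for i in ITEM_RE.finditer(m["body"])
            ]
            continue
        m = NEWEST_RE.search(line)
        if m:
            _entry(conns, m["conn"])["newest"] = Proposal(m["enc"], int(m["keylen"]), m["hash"], m["group"])
    return conns


def acceptable_to_peer(status: dict, conn: str, peer: Proposal) -> list:
    """Proposals Openswan will actually send as initiator (the "found" list, key
    lengths resolved) that the peer's configured transform would accept."""
    return [p for p in status[conn]["found"] if p == peer]


def suggest_ike_line(peer: Proposal) -> str:
    """ipsec.conf `ike=` keyword pinning Openswan to exactly the peer's transform.
    Only AES_CBC and 3DES_CBC are mapped here; extend the table for other ciphers."""
    names = {"AES_CBC": "aes", "3DES_CBC": "3des"}
    enc = names[peer.enc]
    if peer.enc == "AES_CBC" and peer.keylen:
        enc += str(peer.keylen)          # aes -> aes256: the explicit length is the fix
    return f"ike={enc}-{peer.hash.lower()};{peer.group.lower()}"


if __name__ == "__main__":
    status = parse_status(SAMPLE_STATUS)
    ok = acceptable_to_peer(status, "vpn", PEPLINK_PHASE1)
    print("Openswan initiator proposals:", status["vpn"]["found"])
    print("Accepted by peer:", ok or "none (expect 'IKE Proposal refused' when Ubuntu initiates)")
    print("SA negotiated when the peer initiated:", status["vpn"]["newest"])
    print("Suggested:", suggest_ike_line(PEPLINK_PHASE1))
```

Run it against the real output of `ipsec auto --status` on the Ubuntu box after each change: once the "found" list contains the peer's transform, `acceptable_to_peer` returns it and the refusal on Ubuntu-initiated attempts should stop.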

#8

Did you ever get a Balance -> Amazon VPC site-to-site tunnel working?

Thanks,
Ben


#9

Hi Ben,

Do you have your own IPsec gateway hosted in Amazon VPC (say, an Openswan on Linux)? Or are you referring to the VPN Connections on the Amazon VPC Dashboard?


#10

Currently I have some hosted AWS servers, and am looking at whether or not I would be able to create a site-to-site VPN tunnel into these servers. So I suppose I could go either way. Does it not work with the VPN VPC console (standard IPsec tunnel w/ shared key)?

Thanks for responding
Ben


#11

I’d suggest you host your own IPsec gateway (e.g. Openswan on Linux) at this moment; we’re not fully supporting the Amazon VPC VPN Connection yet. I don’t have a schedule for you, but this is under development.


#12

If Peplink is considering adding further compatibility to its IPSec, then I would like to request the ability to connect IPSec to IIS and a Windows server, please.

thanks