I am working on a project for my engineering degree that requires me to interface with some pre-existing equipment, so I am rather limited in my options. I'm rather new to VPNs and IPsec, for that matter. If I've got it completely wrong, please fill me in. I've done my best to read man pages and documentation.
I am attempting to connect a cellular 3G router (Moxa OnCell 5104-HSPA) to my VPN server in the Amazon EC2 cloud, to provide end-to-end access between two devices on either network. The 3G router supports IPsec VPN with PSK. The challenging part is that I do not currently have a static, public-facing IP for the cellular router. Getting that IP is in the works, but I am trying to see if I can make it work in the meantime. If this isn't doable without a public, static IP address, let me know.
    [ Openswan VPN Server ] ---> internet ---> Cellular NAT(s) ---> [ Cellular Router ]
              ^                                                            ^
              |                                                            |
         [ End User ]                                                [ Remote Device ]
The Cellular router appears to only support site-to-site VPN configurations. I have it successfully connected (see below) to the VPN network, but I'm not sure how to get packets routing from either end of the VPN.
Confirmed connection from /var/log/auth.log (IPs changed; in this example):
    172.31.0.1    = EC2 IP (VPN server)
    22.22.22.22   = Cellular NAT
    10.185.42.114 = 3G Router

    pluto[11336]: "RWConn"[7] 22.22.22.22 #11: responding to Main Mode from unknown peer 22.22.22.22
    pluto[11336]: "RWConn"[7] 22.22.22.22 #11: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
    pluto[11336]: "RWConn"[7] 22.22.22.22 #11: STATE_MAIN_R1: sent MR1, expecting MI2
    pluto[11336]: "RWConn"[7] 22.22.22.22 #11: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
    pluto[11336]: "RWConn"[7] 22.22.22.22 #11: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
    pluto[11336]: "RWConn"[7] 22.22.22.22 #11: STATE_MAIN_R2: sent MR2, expecting MI3
    pluto[11336]: "RWConn"[7] 22.22.22.22 #11: Main mode peer ID is ID_IPV4_ADDR: '10.185.42.114'
    pluto[11336]: "RWConn"[7] 22.22.22.22 #11: switched from "RWConn" to "RWConn"
    pluto[11336]: "RWConn"[8] 22.22.22.22 #11: deleting connection "RWConn" instance with peer 22.22.22.22 {isakmp=#0/ipsec=#0}
    pluto[11336]: "RWConn"[8] 22.22.22.22 #11: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
    pluto[11336]: "RWConn"[8] 22.22.22.22 #11: new NAT mapping for #11, was 22.22.22.22:52862, now 22.22.22.22:46828
    pluto[11336]: "RWConn"[8] 22.22.22.22 #11: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
    pluto[11336]: "RWConn"[8] 22.22.22.22 #11: Dead Peer Detection (RFC 3706): enabled
    pluto[11336]: "RWConn"[8] 22.22.22.22 #11: the peer proposed: 10.0.1.0/24:17/1701 -> 10.0.50.0/24:17/0
    pluto[11336]: "RWConn"[8] 22.22.22.22 #12: responding to Quick Mode proposal
    pluto[11336]: "RWConn"[8] 22.22.22.22 #12: us: 172.31.0.1/32===172.31.0.1<172.31.0.1>:17/1701---172.31.0.1
    pluto[11336]: "RWConn"[8] 22.22.22.22 #12: them: 22.22.22.22[10.185.42.114]:17/0
    pluto[11336]: "RWConn"[8] 22.22.22.22 #12: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
    pluto[11336]: "RWConn"[8] 22.22.22.22 #12: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
    pluto[11336]: "RWConn"[8] 22.22.22.22 #12: Dead Peer Detection (RFC 3706): enabled
    pluto[11336]: "RWConn"[8] 22.22.22.22 #12: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
    pluto[11336]: "RWConn"[8] 22.22.22.22 #12: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x********* <0x********** xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=22.22.22.22:46828 DPD=enabled}
** So, at this point, I believe I have the VPN client connected properly, but I'm not sure where to go next in order to set up packet forwarding between the devices. **
ipsec.conf and related files can be provided as needed. I want to keep my initial post concise.
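As an added diagnostic (my own code, not from the post or from Openswan), the checker below parses the pluto lines quoted above and spells out what that Phase 2 SA can and cannot carry: the log records a transport-mode SA whose selectors are restricted to UDP/1701, which is the L2TP/IPsec road-warrior pattern rather than a tunnel between two LANs, and the "us:" line shows the same 17/1701 restriction on the EC2 side. The sample log is copied from the post; the recommendation strings assume the server uses the standard Openswan ipsec.conf keywords (leftsubnet, rightsubnet, nat_traversal).

```python
import re

# Sample lines copied from the post above (the poster had already changed the IPs).
SAMPLE_LOG = """\
pluto[11336]: "RWConn"[7] 22.22.22.22 #11: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
pluto[11336]: "RWConn"[8] 22.22.22.22 #11: the peer proposed: 10.0.1.0/24:17/1701 -> 10.0.50.0/24:17/0
pluto[11336]: "RWConn"[8] 22.22.22.22 #12: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x********* <0x********** xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=22.22.22.22:46828 DPD=enabled}
"""

# Phase 2 selector proposal: <net>:<proto>/<port> -> <net>:<proto>/<port>
PROPOSAL_RE = re.compile(r"the peer proposed: (\S+):(\d+)/(\d+) -> (\S+):(\d+)/(\d+)")
MODE_RE = re.compile(r"IPsec SA established (\w+) mode")
NAT_RE = re.compile(r"NAT-Traversal: Result using \S+ \(.*?\): (.+)$")


def parse_pluto(log):
    """Extract the SA mode, selector proposal and NAT-T result from pluto output."""
    info = {}
    for line in log.splitlines():
        if m := PROPOSAL_RE.search(line):
            info["proposal"] = {"src": m[1], "proto": int(m[2]), "sport": int(m[3]),
                                "dst": m[4], "dport": int(m[6])}
        elif m := MODE_RE.search(line):
            info["mode"] = m[1]
        elif m := NAT_RE.search(line):
            info["nat"] = m[1]
    return info


def site_to_site_findings(info):
    """Return human-readable reasons this SA will not forward LAN-to-LAN traffic."""
    findings = []
    p = info.get("proposal")
    if info.get("mode") == "transport":
        findings.append("SA is transport mode: only packets between the two gateway addresses are "
                        "protected, so hosts behind either end cannot use it")
    if p and p["proto"] == 17 and 1701 in (p["sport"], p["dport"]):
        findings.append("selectors are restricted to UDP/1701 (L2TP): LAN traffic never matches; a "
                        "site-to-site tunnel needs leftsubnet/rightsubnet without a protoport restriction")
    if info.get("nat", "").startswith("both"):
        findings.append("both ends are NATed: keep nat_traversal=yes and allow UDP/500 and UDP/4500 "
                        "inbound in the EC2 security group")
    return findings


if __name__ == "__main__":
    for finding in site_to_site_findings(parse_pluto(SAMPLE_LOG)):
        print("-", finding)
```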