<br><br><div class="gmail_quote">2011/5/2 Luc Paulin <span dir="ltr"><<a href="mailto:paulinster@gmail.com">paulinster@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
Hi Everyone, <br>Has anyone been successful in setting up a VPN connection with Amazon's VPC service? <br><br>I am trying to set up a VPN connection from our office to Amazon's VPC service. The VPN tunnel is coming up fine, however it looks like something is not right with the routing. I can successfully ping the other side's internal IP (169.254.255.x), however when I try to ping the other side's network, I am getting destination host unreachable. The routing table does properly show an entry to route the network through the correct gateway (Amazon's internal IP). <br>
<br>Not sure if I did the right thing, but I assigned the internal IP addresses 169.254.255.2 and 169.254.255.6 to the interface eth0 of our VPN server, which is the public-facing interface. I actually did an almost identical copy of the setup in this email thread (<a href="http://lists.openswan.org/pipermail/users/2010-May/018829.html" target="_blank">http://lists.openswan.org/pipermail/users/2010-May/018829.html</a>).<br>
<br></blockquote></div><br><br>After doing more testing, I found the proper configuration to get end-to-end ping connectivity. However, over 50% of the packets are getting lost; the configuration is as follows...<br><br>conn amazonvpc1<br>
type=tunnel<br> authby=secret<br> left=207.96.182.176<br> leftsubnets={169.254.255.2/32,192.168.0.0/16}<br> right=72.21.209.225<br> rightsubnets={169.254.255.1/32,10.0.0.0/8}<br>
auth=esp<br> keyexchange=ike<br> ike=aes128-sha1-modp1024<br> ikelifetime=28800s<br> pfs=yes<br> esp=aes128-sha1<br> salifetime=3600s<br> dpdtimeout=10<br> dpddelay=3<br> auto=ignore<br><br>
<br>With that configuration I see many of the following error messages in the logs...<br><br>May 4 11:23:37 secip1 pluto[9924]: "amazonvpc1/2x2" #24400: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x74145afc) not found (our SPI - bogus implementation)<br>
<br>If I change the leftsubnets value to <br> leftsubnets={169.254.255.2/32}<br>then the connection is very stable, but I can't ping the remote network on Amazon's side (10.0.0.x) and no errors appear in the logs.<br>
<br>The following email thread states the exact same issue, but there is no answer as to how this can be solved. <br><a href="http://lists.openswan.org/pipermail/users/2010-May/018833.html">http://lists.openswan.org/pipermail/users/2010-May/018833.html</a><br>
<br>Can anyone help me solve that issue? <br><br><br clear="all"><br>-- <br> !!!!!<br> ( o o )<br> --------------oOO----(_)----OOo--------------<br> Luc Paulin | paulinster(at)<a href="http://gmail.com" target="_blank">gmail.com</a><br>
<br><br>
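The post above pairs two leftsubnets with two rightsubnets, and the pluto log names the failing instance "amazonvpc1/2x2". The following is an added example, not code from the poster or from the Openswan project: it expands a leftsubnets/rightsubnets pair into the child SA instances that a conn like this produces (the "i x j" naming is an assumption taken from the log line in the post), and it counts "ignoring Delete SA payload" messages per instance so you can see which subnet pair is flapping. The log lines other than the one quoted in the post are constructed for the example.

```python
"""Added example (not part of the original thread).

Expand an Openswan leftsubnets/rightsubnets pair into the per-subnet-pair
conn instances, and count 'ignoring Delete SA payload' events per instance
from pluto log lines, to see which subnet pair is losing its ESP SA.
"""
import re
from ipaddress import ip_network
from itertools import product

# Values copied from the ipsec.conf excerpt in the post.
CONN = "amazonvpc1"
LEFTSUBNETS = ["169.254.255.2/32", "192.168.0.0/16"]
RIGHTSUBNETS = ["169.254.255.1/32", "10.0.0.0/8"]


def expand_subnet_pairs(conn, leftsubnets, rightsubnets):
    """Return {instance_name: (left_net, right_net)}.

    Assumption (taken from the log line '"amazonvpc1/2x2"' in the post):
    each left/right combination becomes an instance named "<conn>/<i>x<j>",
    with i and j being the 1-based positions in leftsubnets/rightsubnets.
    """
    out = {}
    for (i, left), (j, right) in product(enumerate(leftsubnets, 1),
                                         enumerate(rightsubnets, 1)):
        out[f"{conn}/{i}x{j}"] = (ip_network(left), ip_network(right))
    return out


# Matches the pluto message format quoted in the post.
DELETE_SA_RE = re.compile(
    r'pluto\[\d+\]: "(?P<inst>[^"]+)" #(?P<state>\d+): '
    r"ignoring Delete SA payload: (?P<proto>\S+) SA\((?P<spi>0x[0-9a-fA-F]+)\) not found"
)


def count_ignored_deletes(lines):
    """Count 'ignoring Delete SA payload' messages per conn instance."""
    counts = {}
    for line in lines:
        m = DELETE_SA_RE.search(line)
        if m:
            counts[m["inst"]] = counts.get(m["inst"], 0) + 1
    return counts


def describe_flapping(lines, conn, leftsubnets, rightsubnets):
    """Map each flapping instance to the subnet pair it carries.

    Returns {instance: (count, "left -> right")}; an instance that appears in
    the log but not in the expansion is reported with pair "unknown".
    """
    pairs = expand_subnet_pairs(conn, leftsubnets, rightsubnets)
    report = {}
    for inst, n in count_ignored_deletes(lines).items():
        if inst in pairs:
            left, right = pairs[inst]
            report[inst] = (n, f"{left} -> {right}")
        else:
            report[inst] = (n, "unknown")
    return report


# Constructed sample: the first line is the one quoted in the post, the rest
# are made up in the same format (one per-SA delete for 1x2, an unrelated line).
SAMPLE_LOG = [
    'May 4 11:23:37 secip1 pluto[9924]: "amazonvpc1/2x2" #24400: ignoring Delete SA payload: '
    "PROTO_IPSEC_ESP SA(0x74145afc) not found (our SPI - bogus implementation)",
    'May 4 11:24:02 secip1 pluto[9924]: "amazonvpc1/2x2" #24403: ignoring Delete SA payload: '
    "PROTO_IPSEC_ESP SA(0x0badcafe) not found (our SPI - bogus implementation)",
    'May 4 11:24:10 secip1 pluto[9924]: "amazonvpc1/1x2" #24405: ignoring Delete SA payload: '
    "PROTO_IPSEC_ESP SA(0x01020304) not found (our SPI - bogus implementation)",
    'May 4 11:24:11 secip1 pluto[9924]: "amazonvpc1/1x1" #24406: STATE_QUICK_I2: sent QI2, IPsec SA established',
]

if __name__ == "__main__":
    for inst, (left, right) in expand_subnet_pairs(CONN, LEFTSUBNETS, RIGHTSUBNETS).items():
        print(f"{inst}: {left} <-> {right}")
    for inst, (n, pair) in describe_flapping(SAMPLE_LOG, CONN, LEFTSUBNETS, RIGHTSUBNETS).items():
        print(f"{inst}: {n} ignored Delete SA payload(s) on {pair}")
```

Running it against a real pluto log (for example `grep 'ignoring Delete SA' /var/log/secure`) shows whether the deletes cluster on one subnet pair, which is the pair to examine first when comparing the local leftsubnets/rightsubnets against what the remote side expects to negotiate.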