[Openswan Users] build openswan 2.6.26 rpm with klips kernel module

Steve Zeng SteveZ at airg.com
Thu Jun 3 14:01:41 EDT 2010 

I Finally got feedback from amazon guys regarding this problem:
  1) All traffic to/from instances in your VPC flows through the VPN Connection (169.254.255.0/30); no other IPSec tunnels are involved
  2) There is no NAT involved from the instance in your VPC to your network
  3) Could you verify that there is a route in the workstation ( 192.168.1.39 ) within your network that directs traffic addressed to your VPC into the tunnel interface?

I do have a route entry established by BGP that directs traffic to amazon VPC into the tunnel IP (but not tunnel interface since I don't have one). It sounds like amazon needs only one tunnel: 169.254.255.2(my end) <==> 169.254.255.2 (amazon end). I remember mike mentioned Openswan is policy-based vpn instead of route based. Does it mean it may not be doable with linux/openswan? 

Thanks for any thoughts,

Steve

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: May 28, 2010 5:38 PM
To: Steve Zeng
Cc: mhw at wittsend.com; Users at openswan.org
Subject: Re: [Openswan Users] build openswan 2.6.26 rpm with klips kernel module

On Fri, 28 May 2010, Steve Zeng wrote:

> the problem for this config is, ping between 169.254.255.2 and 169.254.255.1 got about 50% loss. The good thing is, I will be able to ping from my network (192.168.1.0/24) to amazon vpc (10.0.0.0/24) with 50% packet loss as well.
>
> If I replace leftsubnets= and rightsubnets= with the following configs:
>
> #        leftsubnets=    {169.254.255.2/30,192.168.1.0/24}
> #        rightsubnets=   {169.254.255.1/30,10.0.0.0/24}
>       leftsubnet=    169.254.255.2/30
>       rightsubnet=   169.254.255.1/30
>
> the ping test between 169.254.255.2 and 169.254.255.1 is 100% success. BGP still works. but I lose the ability to ping from my network (192.168.1.0/24) to amazon vpc (10.0.0.0/24). It is a puzzle to me.

Odd. I guess you can try making 4 seperate conns with all combinations of left/right and
see how that works.

Paul

More information about the Users mailing list