[Openswan Users] build openswan 2.6.26 rpm with klips kernel module

Steve Zeng SteveZ at airg.com
Thu Jun 3 17:40:45 EDT 2010


> IPSec is policy based, not just Openswan.

Good point. Thus I don't see any feasibility here if what amazon guys said is true. "All traffic to/from instances in your VPC flows through the VPN Connection". 

When openswan is up and running it gives us the following 4 tunnels:
169.254.255.0/30===x.x.x.x[+S=C]...y.y.y.y[+S=C]===169.254.255.0/30; erouted;
169.254.255.0/30===x.x.x.x[+S=C]...y.y.y.y[+S=C]===10.0.0.0/24; erouted;
192.168.1.0/24===x.x.x.x[+S=C]...y.y.y.y[+S=C]===169.254.255.0/30; erouted;
169.254.255.0/30===x.x.x.x[+S=C]...y.y.y.y[+S=C]===10.0.0.0/24; erouted;

what amazon needs sounds like as follows: 
192.168.1.0/24 -->  169.254.255.0/30===x.x.x.x[+S=C]...y.y.y.y[+S=C]===169.254.255.0/30 --> 10.0.0.0/24

I don't see how it will happen. 

With our configurations, however, we do get about 50% of ping packets back... sorry, I could not explain it.  :-)

Steve
 
-----Original Message-----
From: Michael H. Warfield [mailto:mhw at WittsEnd.com] 
Sent: June 3, 2010 12:15 PM
To: Steve Zeng
Cc: mhw at WittsEnd.com; Paul Wouters; Users at openswan.org
Subject: RE: [Openswan Users] build openswan 2.6.26 rpm with klips kernel module

On Thu, 2010-06-03 at 11:01 -0700, Steve Zeng wrote: 
> I Finally got feedback from amazon guys regarding this problem:
>   1) All traffic to/from instances in your VPC flows through the VPN Connection (169.254.255.0/30); no other IPSec tunnels are involved
>   2) There is no NAT involved from the instance in your VPC to your network
>   3) Could you verify that there is a route in the workstation ( 192.168.1.39 ) within your network that directs traffic addressed to your VPC into the tunnel interface?
> 
> I do have a route entry established by BGP that directs traffic to 
> amazon VPC into the tunnel IP (but not tunnel interface since I don't 
> have one). It sounds like amazon needs only one tunnel:
> 169.254.255.2(my end) <==> 169.254.255.2 (amazon end). I remember mike 
> mentioned Openswan is policy-based vpn instead of route based. Does it 
> mean it may not be doable with linux/openswan?

A slight misunderstanding.  IPSec is policy based, not just Openswan.
IOW, it works on a fully specified match of source and destination addresses (host or network) not merely the destination address (route).
It means that when a packet matches a policy in the policy database, an action takes place based on that, which may be to encapsulate a packet for a particular tunnel or to bypass the encapsulation.  The encapsulated (encrypted) packet is then routed through the normal routing mechanisms to the other end-point where a matching security association then triggers the de-encapsulation.  This is why merely routing a packet through an interface doesn't work.  It doesn't trigger a policy to encapsulate the packet or associate that packet with a security association.  You could sort of think of a routed VPN as the degenerate case of a policy VPN where the source address specifier is 0.0.0.0/0, sort of kind of, but not really...

> Thanks for any thoughts,

> Steve

Regards,
Mike

> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: May 28, 2010 5:38 PM
> To: Steve Zeng
> Cc: mhw at wittsend.com; Users at openswan.org
> Subject: Re: [Openswan Users] build openswan 2.6.26 rpm with klips 
> kernel module
> 
> On Fri, 28 May 2010, Steve Zeng wrote:
> 
> > the problem for this config is, ping between 169.254.255.2 and 169.254.255.1 got about 50% loss. The good thing is, I will be able to ping from my network (192.168.1.0/24) to amazon vpc (10.0.0.0/24) with 50% packet loss as well.
> >
> > If I replace leftsubnets= and rightsubnets= with the following configs:
> >
> > #        leftsubnets=    {169.254.255.2/30,192.168.1.0/24}
> > #        rightsubnets=   {169.254.255.1/30,10.0.0.0/24}
> >       leftsubnet=    169.254.255.2/30
> >       rightsubnet=   169.254.255.1/30
> >
> > the ping test between 169.254.255.2 and 169.254.255.1 is 100% success. BGP still works. but I lose the ability to ping from my network (192.168.1.0/24) to amazon vpc (10.0.0.0/24). It is a puzzle to me.
> 
> Odd. I guess you can try making 4 separate conns with all combinations 
> of left/right and see how that works.
> 
> Paul
> 

--
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
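A small model of the policy lookup Mike describes, and of why Steve's reduced leftsubnet/rightsubnet config loses the 192.168.1.0/24 to 10.0.0.0/24 path. This is an added example, not code from the thread or from Openswan; it assumes a first-match SPD keyed on (source, destination) selectors and uses only the subnets quoted in the thread.

```python
from ipaddress import ip_address, ip_network

# Constructed model of an IPsec security policy database (SPD): each entry is a
# (local selector, remote selector) pair, the way an Openswan conn's
# leftsubnet/rightsubnet pair ends up as a policy. Simplified: first match wins,
# and only the outbound direction is modelled.
def spd_from_subnets(left_subnets, right_subnets):
    """Expand leftsubnets={...}/rightsubnets={...} into one policy per combination."""
    # strict=False accepts the thread's "169.254.255.2/30" spelling as 169.254.255.0/30
    return [(ip_network(l, strict=False), ip_network(r, strict=False))
            for l in left_subnets for r in right_subnets]

def lookup(spd, src, dst):
    """Return the first policy whose selectors match BOTH src and dst, else None.

    None means no policy fires: nothing gets encapsulated, and the packet is
    left to plain routing, which is exactly why a route alone is not enough."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in spd:
        if s in local and d in remote:
            return (local, remote)
    return None

# The thread's working config: leftsubnets={169.254.255.2/30,192.168.1.0/24},
# rightsubnets={169.254.255.1/30,10.0.0.0/24} -> four policies.
FULL_SPD = spd_from_subnets(["169.254.255.2/30", "192.168.1.0/24"],
                            ["169.254.255.1/30", "10.0.0.0/24"])

# The thread's reduced config: leftsubnet=169.254.255.2/30, rightsubnet=169.254.255.1/30.
TUNNEL_ONLY_SPD = spd_from_subnets(["169.254.255.2/30"], ["169.254.255.1/30"])

# Mike's "degenerate case": a route-like policy with source selector 0.0.0.0/0.
ROUTE_LIKE_SPD = spd_from_subnets(["0.0.0.0/0"], ["10.0.0.0/24"])

def explain(spd, src, dst):
    """Human-readable verdict for one packet against one SPD."""
    hit = lookup(spd, src, dst)
    if hit is None:
        return f"{src} -> {dst}: no policy matched, not encapsulated"
    return f"{src} -> {dst}: encapsulate via policy {hit[0]}==={hit[1]}"

if __name__ == "__main__":
    for name, spd in [("full", FULL_SPD), ("tunnel-only", TUNNEL_ONLY_SPD),
                      ("route-like", ROUTE_LIKE_SPD)]:
        print(f"[{name}] " + explain(spd, "192.168.1.39", "10.0.0.5"))
        print(f"[{name}] " + explain(spd, "169.254.255.2", "169.254.255.1"))
```

The workstation's packet (192.168.1.39 to a VPC host) only fires a policy when a selector pair covers that source and destination; with the tunnel-only config it matches nothing, while the endpoint ping matches in both.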