[Openswan Users] build openswan 2.6.26 rpm with klips kernel module

Michael H. Warfield mhw at WittsEnd.com
Thu Jun 3 18:14:02 EDT 2010


On Thu, 2010-06-03 at 14:40 -0700, Steve Zeng wrote: 
> > IPSec is policy based, not just Openswan.
> 
> Good point. Thus I don't see any feasibility here if what amazon guys
> said is true. "All traffic to/from instances in your VPC flows through
> the VPN Connection". 

To me, he's just using imprecise terminology.  He really doesn't
understand the nitty gritty under the hood details of how it works.
He's just describing it from an end user view.  I don't see anything
inconsistent with that and I may be being overly precise in my
terminology and confusing the issues.

> When openswan is up and running it give us the following 4 tunnels:
> 169.254.255.0/30===x.x.x.x[+S=C]...y.y.y.y[+S=C]===169.254.255.0/30; erouted;
> 169.254.255.0/30===x.x.x.x[+S=C]...y.y.y.y[+S=C]===10.0.0.0/24; erouted;
> 192.168.1.0/24===x.x.x.x[+S=C]...y.y.y.y[+S=C]===169.254.255.0/30; erouted;
> 169.254.255.0/30===x.x.x.x[+S=C]...y.y.y.y[+S=C]===10.0.0.0/24; erouted;

> what amazon needs sounds like as follows: 
> 192.168.1.0/24 -->  169.254.255.0/30===x.x.x.x[+S=C]...y.y.y.y[+S=C]===169.254.255.0/30 --> 10.0.0.0/24

> I don't see how it will happen. 

I think you'll find that it happens.  As it so happens, if it didn't
work, you wouldn't have gotten this far and those 4 Openswan tunnels would
not be up.  The fact that they're up tells me that pluto successfully
negotiated the necessary connections with Amazon.

> With our configurations, however, we do get about 50% ping packets back... sorry, I could not explain it.  :-)

Now that I can't understand, either, but that seems to be Openswan
version dependent from what I read in another of your messages, correct?

> Steve

Regards,
Mike 

> -----Original Message-----
> From: Michael H. Warfield [mailto:mhw at WittsEnd.com] 
> Sent: June 3, 2010 12:15 PM
> To: Steve Zeng
> Cc: mhw at WittsEnd.com; Paul Wouters; Users at openswan.org
> Subject: RE: [Openswan Users] build openswan 2.6.26 rpm with klips kernel module
> 
> On Thu, 2010-06-03 at 11:01 -0700, Steve Zeng wrote: 
> > I Finally got feedback from amazon guys regarding this problem:
> >   1) All traffic to/from instances in your VPC flows through the VPN Connection (169.254.255.0/30); no other IPSec tunnels are involved
> >   2) There is no NAT involved from the instance in your VPC to your network
> >   3) Could you verify that there is a route in the workstation ( 192.168.1.39 ) within your network that directs traffic addressed to your VPC into the tunnel interface?
> > 
> > I do have a route entry established by BGP that directs traffic to 
> > amazon VPC into the tunnel IP (but not tunnel interface since I don't 
> > have one). It sounds like amazon needs only one tunnel:
> > 169.254.255.2(my end) <==> 169.254.255.2 (amazon end). I remember mike 
> > mentioned Openswan is policy-based vpn instead of route based. Does it 
> > mean it may not be doable with linux/openswan?
> 
> A slight misunderstanding.  IPSec is policy based, not just Openswan.
> IOW, it works on a fully specified match of source and destination addresses (host or network) not merely the destination address (route).
> It means that when a packet matches a policy in the policy database, an action takes place based on that, which may be to encapsulate a packet for a particular tunnel or to bypass the encapsulation.  The encapsulated (encrypted) packet is then routed through the normal routing mechanisms to the other end-point where a matching security association then triggers the de-encapsulation.  This is why merely routing a packet through an interface doesn't work.  It doesn't trigger a policy to encapsulate the packet or associate that packet with a security association.  You could sort of think of a routed VPN as the degenerate case of a policy VPN where the source address specifier is 0.0.0.0/0, sort of kind of, but not really...
> 
> > Thanks for any thoughts,
> 
> > Steve
> 
> Regards,
> Mike
> 
> > -----Original Message-----
> > From: Paul Wouters [mailto:paul at xelerance.com]
> > Sent: May 28, 2010 5:38 PM
> > To: Steve Zeng
> > Cc: mhw at wittsend.com; Users at openswan.org
> > Subject: Re: [Openswan Users] build openswan 2.6.26 rpm with klips 
> > kernel module
> > 
> > On Fri, 28 May 2010, Steve Zeng wrote:
> > 
> > > the problem for this config is, ping between 169.254.255.2 and 169.254.255.1 got about 50% loss. The good thing is, I will be able to ping from my network (192.168.1.0/24) to amazon vpc (10.0.0.0/24) with 50% packet loss as well.
> > >
> > > If I replace leftsubnets= and rightsubnets= with the following configs:
> > >
> > > #        leftsubnets=    {169.254.255.2/30,192.168.1.0/24}
> > > #        rightsubnets=   {169.254.255.1/30,10.0.0.0/24}
> > >       leftsubnet=    169.254.255.2/30
> > >       rightsubnet=   169.254.255.1/30
> > >
> > > the ping test between 169.254.255.2 and 169.254.255.1 is 100% success. BGP still works. but I lose the ability to ping from my network (192.168.1.0/24) to amazon vpc (10.0.0.0/24). It is a puzzle to me.
> > 
> > Odd. I guess you can try making 4 separate conns with all combinations 
> > of left/right and see how that works.
> > 
> > Paul
> > 
> 

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
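The point Mike makes in the quoted reply, that IPsec consults a policy keyed on source AND destination before any route is considered, is easier to see run than read. Below is a small Python model of that lookup; it is an added example written for this page, not code from Openswan or from anyone in the thread. The selectors are taken from the two configurations Steve quotes (leftsubnet=169.254.255.2/30 / rightsubnet=169.254.255.1/30, and the leftsubnets/rightsubnets pairs), expanded into one policy per left/right pair as the four-tunnel listing shows. The route table (a BGP route to 10.0.0.0/24 via 169.254.255.1 plus the connected networks) and the addresses 10.0.0.5, 172.16.0.9 and 203.0.113.7 are constructed for the demonstration; 192.168.1.39 is the workstation named in the thread.

```python
"""Model of an IPsec Security Policy Database (SPD) lookup.

Added example, not Openswan code.  A packet is encapsulated only when BOTH
its source and its destination fall inside one policy's selectors.  A route
to the peer, on its own, never triggers encapsulation.
"""
import ipaddress
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network
Policy = Tuple[Net, Net]   # (source selector, destination selector)
Route = Tuple[Net, str]    # (destination prefix, next hop or device)


def net(s: str) -> Net:
    # strict=False: a selector written as 169.254.255.2/30 is taken to mean
    # the network it lies in (169.254.255.0/30), as the tunnel listing shows.
    return ipaddress.IPv4Network(s, strict=False)


def build_spd(left_subnets: List[str], right_subnets: List[str]) -> List[Policy]:
    """Expand leftsubnets={...} x rightsubnets={...} into one policy per
    left/right pair, i.e. one per negotiated tunnel."""
    return [(net(l), net(r)) for l in left_subnets for r in right_subnets]


def spd_lookup(spd: List[Policy], src: str, dst: str) -> Optional[Policy]:
    """Most specific policy whose source AND destination selectors both
    contain the packet, or None when no policy matches."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    best: Optional[Policy] = None
    for l, r in spd:
        if s in l and d in r:
            if best is None or l.prefixlen + r.prefixlen > best[0].prefixlen + best[1].prefixlen:
                best = (l, r)
    return best


def route_lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match on the destination only, as a routing table does."""
    d = ipaddress.IPv4Address(dst)
    hits = [r for r in routes if d in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def forward(spd: List[Policy], routes: List[Route], src: str, dst: str) -> str:
    """Fate of a packet: the SPD is consulted first; only a hit produces an
    ESP-encapsulated packet.  Otherwise it is plain-routed or dropped."""
    pol = spd_lookup(spd, src, dst)
    if pol is not None:
        return f"encapsulate: {pol[0]}==={pol[1]}"
    rt = route_lookup(routes, dst)
    if rt is None:
        return "drop: no route"
    return f"cleartext via {rt[1]}"


# Constructed route table: the BGP-learned route into the VPC plus the
# connected networks.  No default route, so unknown destinations drop.
ROUTES: List[Route] = [
    (net("10.0.0.0/24"), "169.254.255.1"),
    (net("169.254.255.0/30"), "ipsec-link"),
    (net("192.168.1.0/24"), "eth0"),
]

# The narrow config from the thread: only the link-local /30 on each side.
NARROW_SPD = build_spd(["169.254.255.2/30"], ["169.254.255.1/30"])

# The leftsubnets/rightsubnets config: 2 x 2 = 4 policies, matching the
# four "erouted" tunnels in the status listing.
FULL_SPD = build_spd(["169.254.255.2/30", "192.168.1.0/24"],
                     ["169.254.255.1/30", "10.0.0.0/24"])

# "Routed VPN as a degenerate policy VPN": source selector 0.0.0.0/0.
ROUTED_STYLE_SPD = [(net("0.0.0.0/0"), net("10.0.0.0/24"))]


def demo() -> dict:
    """Run the cases discussed in the thread and return their outcomes."""
    return {
        "narrow tunnel-to-tunnel": forward(NARROW_SPD, ROUTES, "169.254.255.2", "169.254.255.1"),
        "narrow lan-to-vpc":       forward(NARROW_SPD, ROUTES, "192.168.1.39", "10.0.0.5"),
        "full lan-to-vpc":         forward(FULL_SPD, ROUTES, "192.168.1.39", "10.0.0.5"),
        "routed-style any-to-vpc": forward(ROUTED_STYLE_SPD, ROUTES, "172.16.0.9", "10.0.0.5"),
        "no policy, no route":     forward(NARROW_SPD, ROUTES, "192.168.1.39", "203.0.113.7"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:26s} -> {result}")
```

The "narrow lan-to-vpc" case is the one to look at: with only the /30 selectors configured, a packet from 192.168.1.39 to the VPC has a perfectly good BGP route towards 169.254.255.1, yet it never matches a policy, so the model sends it in cleartext toward the next hop rather than into the tunnel. Adding the 192.168.1.0/24===10.0.0.0/24 pair makes the same packet match a policy and get encapsulated. The model only decides whether a packet is encapsulated; it says nothing about the 50% loss Steve reports, which the thread leaves unexplained.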