[Openswan Users] SPI - bogus implementation
Steve Zeng
SteveZ at airg.com
Wed May 26 17:07:36 EDT 2010
Thought I should create a new thread. Thanks Paul for solving a couple of config problems.
I am currently using openswan-2.6.24rc5-1 on CentOS 5.1 to implement an IPSec VPN between Amazon VPC and our company network. The topology is as follows:
My_network (192.168.1.0/24) -- my_vpn_gateway -- internet -- amazon_vpn_gateway -- vpc (10.0.0.0/24)
What Amazon needs for the tunnel interfaces is:
my_vpn_gateway (169.254.255.2) -- IPSec tunnel -- amazon_vpn_gateway (169.254.255.1)
So all traffic between my_network and VPC is going through the tunnel. I have ipsec.conf as below:
config setup
    interfaces=%defaultroute
    protostack=netkey
    klipsdebug=none
    plutodebug=none

conn ec2-tunnel-01
    type=tunnel
    authby=secret
    auth=esp
    keyexchange=ike
    ike=aes128-sha1-modp1024
    ikelifetime=28800s
    pfs=yes
    esp=aes128-sha1
    salifetime=3600s
    dpdtimeout=10
    dpddelay=3
    left=xxx.xxx.xxx.xxx
    right=yyy.yyy.yyy.yyy
    leftsubnets={169.254.255.0/30,192.168.1.0/24}
    rightsubnets={169.254.255.0/30,10.0.0.0/24}
    auto=start
When I ping from a workstation within my_network to an instance within Amazon VPC, I get 50% packet loss, i.e. 10 packets get a response and the next 10 packets get NO response, then the next 10 packets get a response again, and so on. No firewall is enabled for this test.
If I run "ipsec auto --status" I get no errors, but the following eroutes:
000 "ec2-tunnel-01/1x1": 169.254.255.0/30===xxx.xxx.xxx.xxx<xxx.xxx.xxx.xxx>[+S=C]...yyy.yyy.yyy.yyy<yyy.yyy.yyy.yyy>[+S=C]===169.254.255.0/30; erouted; eroute owner: #183
000 "ec2-tunnel-01/1x2": 169.254.255.0/30===xxx.xxx.xxx.xxx<xxx.xxx.xxx.xxx>[+S=C]...yyy.yyy.yyy.yyy<yyy.yyy.yyy.yyy>[+S=C]===10.0.0.0/24; erouted; eroute owner: #182
000 "ec2-tunnel-01/2x1": 192.168.1.0/24===xxx.xxx.xxx.xxx<xxx.xxx.xxx.xxx>[+S=C]...yyy.yyy.yyy.yyy<yyy.yyy.yyy.yyy>[+S=C]===169.254.255.0/30; erouted; eroute owner: #180
000 "ec2-tunnel-01/2x2": 192.168.1.0/24===xxx.xxx.xxx.xxx<xxx.xxx.xxx.xxx>[+S=C]...yyy.yyy.yyy.yyy<yyy.yyy.yyy.yyy>[+S=C]===10.0.0.0/24; erouted; eroute owner: #181
The only errors I could catch are from /var/log/secure:
May 26 20:55:47 fw1 pluto[7999]: "ec2-tunnel-01/1x2" #220: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #217 {using isakmp#1 msgid:19cd4af5 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
May 26 20:55:47 fw1 pluto[7999]: "ec2-tunnel-01/1x2" #220: Dead Peer Detection (RFC 3706): enabled
May 26 20:55:47 fw1 pluto[7999]: "ec2-tunnel-01/1x2" #220: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 26 20:55:47 fw1 pluto[7999]: "ec2-tunnel-01/1x2" #220: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xa45e46c1 <0xdb70ef29 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
May 26 20:55:47 fw1 pluto[7999]: "ec2-tunnel-01/2x2" #1: received Delete SA payload: replace IPSEC State #218 in 10 seconds
May 26 20:55:47 fw1 pluto[7999]: "ec2-tunnel-01/2x2" #1: received and ignored informational message
May 26 20:55:47 fw1 pluto[7999]: "ec2-tunnel-01/2x2" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x62afd213) not found (our SPI - bogus implementation)
May 26 20:55:47 fw1 pluto[7999]: "ec2-tunnel-01/2x2" #1: received and ignored informational message
May 26 20:55:57 fw1 pluto[7999]: "ec2-tunnel-01/2x1" #221: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #218 {using isakmp#1 msgid:329a1415 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
May 26 20:55:57 fw1 pluto[7999]: "ec2-tunnel-01/2x1" #221: Dead Peer Detection (RFC 3706): enabled
May 26 20:55:57 fw1 pluto[7999]: "ec2-tunnel-01/2x1" #221: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
May 26 20:55:57 fw1 pluto[7999]: "ec2-tunnel-01/2x1" #221: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x658bfeeb <0x77851c10 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=enabled}
I suspect it is an ipsec eroute problem, but I have no clue how to troubleshoot it. Thanks in advance for any hints.
Steve
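As an added example (not part of Steve's post and not Openswan code), a small Python check over the status and log excerpts above: it pulls the erouted selector pairs out of the "ipsec auto --status" lines, flags any eroute whose left and right prefix are identical (the 169.254.255.0/30 link net is listed in both leftsubnets and rightsubnets, which yields the 1x1 eroute), and counts per-connection rekeys and peer Delete SA messages, the churn one would want to correlate with the alternating packet loss. The regex shapes are assumptions derived from the lines quoted in the post; the sample input is constructed from those lines with the post's xxx/yyy placeholders.

```python
import re
from collections import Counter

# Constructed sample input, in the shape of the post's status and log lines.
STATUS = '''\
000 "ec2-tunnel-01/1x1": 169.254.255.0/30===xxx.xxx.xxx.xxx<xxx.xxx.xxx.xxx>[+S=C]...yyy.yyy.yyy.yyy<yyy.yyy.yyy.yyy>[+S=C]===169.254.255.0/30; erouted; eroute owner: #183
000 "ec2-tunnel-01/1x2": 169.254.255.0/30===xxx.xxx.xxx.xxx<xxx.xxx.xxx.xxx>[+S=C]...yyy.yyy.yyy.yyy<yyy.yyy.yyy.yyy>[+S=C]===10.0.0.0/24; erouted; eroute owner: #182
000 "ec2-tunnel-01/2x1": 192.168.1.0/24===xxx.xxx.xxx.xxx<xxx.xxx.xxx.xxx>[+S=C]...yyy.yyy.yyy.yyy<yyy.yyy.yyy.yyy>[+S=C]===169.254.255.0/30; erouted; eroute owner: #180
000 "ec2-tunnel-01/2x2": 192.168.1.0/24===xxx.xxx.xxx.xxx<xxx.xxx.xxx.xxx>[+S=C]...yyy.yyy.yyy.yyy<yyy.yyy.yyy.yyy>[+S=C]===10.0.0.0/24; erouted; eroute owner: #181
'''
LOG = '''\
May 26 20:55:47 fw1 pluto[7999]: "ec2-tunnel-01/1x2" #220: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #217 {using isakmp#1 msgid:19cd4af5 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
May 26 20:55:47 fw1 pluto[7999]: "ec2-tunnel-01/2x2" #1: received Delete SA payload: replace IPSEC State #218 in 10 seconds
May 26 20:55:47 fw1 pluto[7999]: "ec2-tunnel-01/2x2" #1: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x62afd213) not found (our SPI - bogus implementation)
May 26 20:55:57 fw1 pluto[7999]: "ec2-tunnel-01/2x1" #221: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #218 {using isakmp#1 msgid:329a1415 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
'''

# Assumed regex shapes: left selector, "..." between the two gateways, right selector.
EROUTE_RE = re.compile(
    r'^000 "(?P<conn>[^"]+)": (?P<left>[\d./]+)===.*?\.\.\..*?===(?P<right>[\d./]+); '
    r'(?P<state>\w+); eroute owner: #(?P<owner>\d+)')
# SA churn markers: a rekey we initiate, a peer Delete request, and a Delete that
# named an SPI pluto no longer knew (the "bogus implementation" line).
EVENT_RES = {
    'rekey_initiated': re.compile(r'"(?P<conn>[^"]+)" #\d+: initiating Quick Mode .* to replace #\d+'),
    'peer_delete': re.compile(r'"(?P<conn>[^"]+)" #\d+: received Delete SA payload'),
    'delete_unknown_spi': re.compile(r'"(?P<conn>[^"]+)" #\d+: ignoring Delete SA payload: .*not found'),
}

def parse_eroutes(text):
    """Return (conn, left_subnet, right_subnet, owner_state) for each erouted line."""
    out = []
    for line in text.splitlines():
        m = EROUTE_RE.match(line)
        if m:
            out.append((m['conn'], m['left'], m['right'], int(m['owner'])))
    return out

def degenerate_eroutes(eroutes):
    """Eroutes whose left and right selector are the same prefix: the result of
    listing one subnet in both leftsubnets and rightsubnets."""
    return [e for e in eroutes if e[1] == e[2]]

def sa_churn(log):
    """Count, per connection instance, the SA churn events found in a pluto log."""
    counts = Counter()
    for line in log.splitlines():
        for kind, rx in EVENT_RES.items():
            m = rx.search(line)
            if m:
                counts[(m['conn'], kind)] += 1
    return counts
```

Run it against a full /var/log/secure window to see whether the rekey and Delete SA events line up with the 10-packet loss intervals.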