[Openswan Users] SPI - bogus implementation

Paul Wouters paul at xelerance.com
Thu May 27 10:46:51 EDT 2010


On Wed, 26 May 2010, Steve Zeng wrote:

> Thought I should create a new thread. Thanks, Paul, for solving a couple of config problems.

> When I ping from a workstation within my_network to an instance within Amazon VPC, half of the packets are lost, i.e. 10 packets get a response and the next 10 packets get NO response, then the next 10 packets get a response again, and so on. No firewall is enabled for this test.

> May 26 20:55:47 fw1 pluto[7999]: "ec2-tunnel-01/1x2" #220: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #217 {using isakmp#1 msgid:19cd4af5 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}

> May 26 20:55:47 fw1 pluto[7999]: "ec2-tunnel-01/2x2" #1: received Delete SA payload: replace IPSEC State #218 in 10 seconds

Two connections are racing each other, and you are continuously rekeying, which
is causing your packet loss.

Make sure the amazon end (behind NAT) has rekey=no and auto=add, and that the other
end has rekey=yes and auto=start.

Paul
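As an added example (not part of this thread or of Openswan), a small Python script that spots the rekey race Paul describes in pluto logs: it counts "initiating Quick Mode ... to replace" and "received Delete SA payload: replace IPSEC State" events per base connection and flags a conn whose SA is replaced repeatedly inside a short window. The first two sample lines are the ones quoted above; the remaining lines, timestamps and msgids are constructed, and the window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed pluto log: lines 1-2 are the ones quoted in the thread, the rest are made up.
SAMPLE_LOG = """\
May 26 20:55:47 fw1 pluto[7999]: "ec2-tunnel-01/1x2" #220: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #217 {using isakmp#1 msgid:19cd4af5 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
May 26 20:55:47 fw1 pluto[7999]: "ec2-tunnel-01/2x2" #1: received Delete SA payload: replace IPSEC State #218 in 10 seconds
May 26 20:55:57 fw1 pluto[7999]: "ec2-tunnel-01/2x2" #221: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #218 {using isakmp#1 msgid:00000001 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
May 26 20:56:08 fw1 pluto[7999]: "ec2-tunnel-01/1x2" #2: received Delete SA payload: replace IPSEC State #220 in 10 seconds
May 26 20:56:18 fw1 pluto[7999]: "ec2-tunnel-01/1x2" #222: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #220 {using isakmp#1 msgid:00000002 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
May 26 20:57:00 fw1 pluto[7999]: "office-tunnel" #300: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP to replace #290 {using isakmp#2 msgid:00000003 proposal=AES(12)_128-SHA1(2)_160}
"""
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #\d+: (?P<msg>.*)$')
# Either message means an IPsec SA is being torn down and replaced early.
REPLACE_RE = re.compile(r'initiating Quick Mode .* to replace #\d+|'
                        r'received Delete SA payload: replace IPSEC State #\d+')

def parse_replace_events(log_text, year=2010):
    """Return [(timestamp, base_conn, instance)] for every SA replacement.
    Openswan instantiates a conn as "name/1x2", "name/2x2"; the base name
    is what the two racing instances share (year is assumed: syslog has none)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not REPLACE_RE.search(m.group('msg')):
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", '%Y %b %d %H:%M:%S')
        base, _, inst = m.group('conn').partition('/')
        events.append((ts, base, inst))
    return events

def find_rekey_races(log_text, window=timedelta(minutes=5), min_events=3):
    """Return {base_conn: (count, instances)} for conns whose SA is replaced
    at least min_events times inside one window (the churn behind the loss)."""
    by_conn = defaultdict(list)
    for ts, base, inst in parse_replace_events(log_text):
        by_conn[base].append((ts, inst))
    races = {}
    for base, evs in by_conn.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            burst = [e for e in evs[i:] if e[0] - start <= window]
            if len(burst) >= min_events:
                races[base] = (len(burst), sorted({e[1] for e in burst}))
                break
    return races
```

Running it on a real /var/log/secure or auth.log after the rekey=/auto= change should leave the flagged dictionary empty once only one side initiates.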

