[Openswan Users] SPI - bogus implementation

Steve Zeng SteveZ at airg.com
Thu May 27 14:39:21 EDT 2010


I put rekey=no in my end (openswan). I got the same errors. If I put auto=add as well, the tunnel is not up automatically.

Unfortunately I could not make any configs on the amazon end. They may not use openswan either.

Steve

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: May 27, 2010 7:47 AM
To: Steve Zeng
Cc: Users at openswan.org
Subject: Re: [Openswan Users] SPI - bogus implementation

On Wed, 26 May 2010, Steve Zeng wrote:

> Thought I should create a new thread. Thanks, Paul, for solving a couple of config problems.

> When I ping from a workstation within my_network to an instance within amazon VPC, I got half packet loss. i.e. 10 packets got response and another 10 packets got NO response. And then next 10 packets got response again, and so on. No firewall is enabled for this testing.

> May 26 20:55:47 fw1 pluto[7999]: "ec2-tunnel-01/1x2" #220: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW to replace #217 {using isakmp#1 msgid:19cd4af5 proposal=AES(12)_128-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}

> May 26 20:55:47 fw1 pluto[7999]: "ec2-tunnel-01/2x2" #1: received Delete SA payload: replace IPSEC State #218 in 10 seconds

Two connections are racing each other, and you are continuously rekeying, which
is causing your packet loss.

Make sure the amazon end (behind NAT) has rekey=no and auto=add, and that the other
end has rekey=yes and auto=start.

Paul

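To make the split Paul describes concrete, here is an ipsec.conf fragment for each end of the tunnel. This is an added illustration, not configuration from the thread or from Openswan's own documentation; the connection name is taken from the log lines, while all addresses and subnets are placeholders. The cipher settings follow the proposal visible in the pluto log (AES-128, SHA1, PFS with MODP1024, PSK).

```ini
# Added example, not from the thread. Addresses and subnets are placeholders.

# --- End A: the end behind NAT (the Amazon side in this thread) ---
# auto=add only loads the connection; rekey=no means this end never
# proposes a replacement SA. Exactly one end initiates, so two
# connections cannot race each other during rekeying.
conn ec2-tunnel-01
    type=tunnel
    authby=secret
    left=%defaultroute             # local address behind NAT (placeholder)
    leftsubnet=10.1.0.0/16         # placeholder
    right=203.0.113.10             # peer's public address (placeholder)
    rightsubnet=10.2.0.0/16        # placeholder
    ike=aes128-sha1;modp1024       # matches AES_128-SHA1 / MODP1024 in the log
    esp=aes128-sha1
    pfs=yes
    rekey=no
    auto=add

# --- End B: the initiating end (the openswan gateway "fw1" in the log) ---
# auto=start brings the tunnel up at startup; rekey=yes makes this the
# only end that drives rekeying.
conn ec2-tunnel-01
    type=tunnel
    authby=secret
    left=203.0.113.10              # this gateway's public address (placeholder)
    leftsubnet=10.2.0.0/16         # placeholder
    right=%any                     # NAT'd peer, address learned at connect time
    rightsubnet=10.1.0.0/16        # placeholder
    ike=aes128-sha1;modp1024
    esp=aes128-sha1
    pfs=yes
    rekey=yes
    auto=start
```

The point of the asymmetry is that both ends are not allowed to initiate rekeys at once. When only one end is under your control, as Steve reports for the Amazon side, only that end's half of the configuration can be applied, and the log lines showing "initiating Quick Mode ... to replace" closely followed by "received Delete SA payload" are the sign that the other end is still rekeying independently.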