[Openswan Users] Openswan between amazon instances advise

Paul Wouters paul at xelerance.com
Thu Aug 25 11:09:37 EDT 2011

I found this link which I thought would be good to share. Though I have not
verified it, it seems to talk from experience.



openswan ipsec in ec2
Posted by peter on August 24, 2011

This may be totally invalid given amazon rolling out cross-region VPC
a few weeks ago, but for those who still insist on rolling their own…

I was dealing with setting up ipsec (openswan) in EC2 for some folk which
included, among other things, cross region EC2-instance-to-EC2-instance
links. We had endless trouble with connections just suddenly dying. UDP
isn’t the easiest thing to get right with NAT, and though it’s hard
to be conclusive (especially when debugging linux ipsec, not the easiest
thing to follow in and out of the kernel), I point my blame-finger at
bad interactions with double-NAT between EC2 regions causing trouble.

Problem was eventually solved with a combination of aggressive dead
peer detection settings (dpddelay=4 dpdtimeout=16) and (the trickier
setting to find) by adding disable_port_floating=yes to the config setup
region of ipsec.conf. That setting stops pluto from changing what port
it communicates on, which, I assume, makes an easier job for Amazon’s
NAT. This also means NAT-T behavior is probably not going to work with
other vendors’ implementations in this setup, as pluto doesn’t listen
on 4500 anymore, but we’re openswan everywhere, and it’s made our
links stable.
