[Openswan Users] ipsec routing issue with amazon vpc

Luc Paulin paulinster at gmail.com
Wed May 4 11:31:43 EDT 2011


2011/5/2 Luc Paulin <paulinster at gmail.com>

> Hi Everyone,
> Has anyone been successful in setting up a VPN connection with Amazon's VPC
> service?
>
> I am trying to set up a VPN connection from our office to Amazon's VPC
> service. The VPN tunnel is coming up fine; however, it looks like something is
> not right with the routing. I can successfully ping the other side's
> internal IP (169.254.255.x); however, when I try to ping the other side's
> network, I am getting "destination host unreachable". The routing table
> does properly show an entry to route the network through the correct
> gateway (Amazon's internal IP).
>
> Not sure if I did the right thing, but I assigned the internal IP addresses
> 169.254.255.2 and 169.254.255.6 to the interface eth0 of our VPN server,
> which is the public-facing interface. I actually made an almost identical copy of
> the setup from this email thread (
> http://lists.openswan.org/pipermail/users/2010-May/018829.html).
>
>

After doing more testing, I found the proper configuration to get
end-to-end ping connectivity. However, over 50% of the packets are getting
lost. The configuration is as follows...

conn amazonvpc1
    type=tunnel
    authby=secret
    left=207.96.182.176
    # two left subnets x two right subnets: pluto instantiates one IPsec SA
    # per pair, named amazonvpc1/1x1 ... amazonvpc1/2x2 (see the log below)
    leftsubnets={169.254.255.2/32,192.168.0.0/16}
    right=72.21.209.225
    rightsubnets={169.254.255.1/32,10.0.0.0/8}
    auth=esp
    keyexchange=ike
    ike=aes128-sha1-modp1024
    ikelifetime=28800s
    pfs=yes
    esp=aes128-sha1
    salifetime=3600s
    dpdtimeout=10
    dpddelay=3
    auto=ignore


With that configuration I see a lot of the following error messages in the
logs...

May  4 11:23:37 secip1 pluto[9924]: "amazonvpc1/2x2" #24400: ignoring Delete
SA payload: PROTO_IPSEC_ESP SA(0x74145afc) not found (our SPI - bogus
implementation)

If I change the leftsubnets value to
    leftsubnets={169.254.255.2/32}
then the connection is very stable, but I can't ping the remote network on
Amazon's side (10.0.0.x), and no errors appear in the logs.

The following email thread does describe the exact same issue, but there is no
answer as to how it can be solved:
http://lists.openswan.org/pipermail/users/2010-May/018833.html

Can anyone help me solve that issue?



-- 
                         !!!!!
                       ( o o )
 --------------oOO----(_)----OOo--------------
Luc Paulin  |  paulinster(at)gmail.com
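As an added example for this thread (not the poster's code and not part of Openswan), the script below expands a conn with leftsubnets/rightsubnets into the per-pair instances that pluto negotiates as separate IPsec SAs, and tallies the "ignoring Delete SA payload" lines per instance from a pluto log. The "name/LxR" instance naming follows the "amazonvpc1/2x2" seen in the quoted log; that L is the left-subnet index and R the right-subnet index (1-based) is an assumption here. The conn and log lines are constructed: the conn is modelled on the one in the post, and only the first log line is the one quoted in the thread, the other SPIs and state numbers are made up.

```python
"""Expand an Openswan conn's leftsubnets x rightsubnets into SA instances and
count unmatched Delete SA notifications per instance in a pluto log.
Added example for the mailing-list thread; assumptions are marked inline."""
import re
from collections import Counter
from itertools import product

# Constructed sample conn modelled on the one in the post (not the poster's file).
SAMPLE_CONF = """\
conn amazonvpc1
    type=tunnel
    authby=secret
    left=207.96.182.176
    leftsubnets={169.254.255.2/32,192.168.0.0/16}
    right=72.21.209.225
    rightsubnets={169.254.255.1/32,10.0.0.0/8}
    esp=aes128-sha1
    auto=ignore
"""

# Constructed pluto log lines in the format quoted in the thread. Only the first
# line is the one from the post; the other SPIs/state numbers are made up.
SAMPLE_LOG = """\
May  4 11:23:37 secip1 pluto[9924]: "amazonvpc1/2x2" #24400: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x74145afc) not found (our SPI - bogus implementation)
May  4 11:23:41 secip1 pluto[9924]: "amazonvpc1/1x2" #24402: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x1a2b3c4d) not found (our SPI - bogus implementation)
May  4 11:23:45 secip1 pluto[9924]: "amazonvpc1/2x2" #24405: ignoring Delete SA payload: PROTO_IPSEC_ESP SA(0x5e6f7081) not found (our SPI - bogus implementation)
May  4 11:23:50 secip1 pluto[9924]: "amazonvpc1/1x1" #24407: Dead Peer Detection (RFC 3706): enabled
"""

_CONN_RE = re.compile(r"^conn\s+(\S+)\s*$")
_KV_RE = re.compile(r"^\s+([A-Za-z]+)\s*=\s*(.+?)\s*$")
_DELETE_RE = re.compile(
    r'"(?P<inst>[^"]+)" #(?P<state>\d+): ignoring Delete SA payload: '
    r"PROTO_IPSEC_ESP SA\((?P<spi>0x[0-9a-fA-F]+)\) not found")


def parse_conns(conf_text):
    """Parse ipsec.conf-style 'conn' sections into {name: {key: value}}.
    Values written as {a,b,...} (leftsubnets/rightsubnets) become lists."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments
        if not line.strip():
            continue
        m = _CONN_RE.match(line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        m = _KV_RE.match(line)
        if m and current is not None:
            key, value = m.group(1), m.group(2)
            if value.startswith("{") and value.endswith("}"):
                value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
            current[key] = value
    return conns


def _subnets(conn, side):
    """Subnet list for 'left' or 'right': leftsubnets wins over leftsubnet."""
    many = conn.get(side + "subnets")
    if many:
        return list(many) if isinstance(many, list) else [many]
    one = conn.get(side + "subnet")
    return [one] if one else []


def instances(conn_name, conn):
    """Expand leftsubnets x rightsubnets into (instance_name, left, right).
    Each pair is negotiated as its own IPsec SA. Assumption: the first index in
    'name/LxR' is the left-subnet index, the second the right-subnet index."""
    lefts, rights = _subnets(conn, "left"), _subnets(conn, "right")
    return [(f"{conn_name}/{li}x{ri}", lsub, rsub)
            for (li, lsub), (ri, rsub) in product(enumerate(lefts, 1), enumerate(rights, 1))]


def delete_sa_events(log_text):
    """(instance, state_number, spi) for every 'ignoring Delete SA payload' line,
    i.e. the peer asked us to delete an ESP SA whose SPI pluto no longer tracks."""
    return [(m["inst"], int(m["state"]), m["spi"])
            for m in map(_DELETE_RE.search, log_text.splitlines()) if m]


def delete_sa_counts(log_text):
    """Tally unmatched Delete-SA notifications per conn instance."""
    return Counter(inst for inst, _, _ in delete_sa_events(log_text))


def report(conf_text, log_text, conn_name):
    """Per instance: (name, left subnet, right subnet, unmatched Delete SA count)."""
    conn = parse_conns(conf_text)[conn_name]
    counts = delete_sa_counts(log_text)
    return [(name, lsub, rsub, counts.get(name, 0))
            for name, lsub, rsub in instances(conn_name, conn)]


if __name__ == "__main__":
    for name, lsub, rsub, n in report(SAMPLE_CONF, SAMPLE_LOG, "amazonvpc1"):
        print(f"{name:16} {lsub:>18} <-> {rsub:<16} unmatched Delete SA: {n}")
```

Running it against the constructed input lists four instances for the 2x2 conn and attributes the unmatched Delete SA notifications to 1x2 and 2x2, the two instances whose right side is 10.0.0.0/8; with leftsubnets reduced to the single /32, as in the stable variant described above, the same conn expands to only two instances.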