[Openswan Users] ipsec routing issue with amazon vpc

Neal Murphy neal.p.murphy at alum.wpi.edu
Wed May 4 12:35:59 EDT 2011


On Wednesday 04 May 2011 11:31:43 Luc Paulin wrote:
> internal's IP (169.254.255.x); however, when I try to ping the other side's
> network, I am getting "destination host unreachable". The routing
> table does properly show an entry to route the network through the
> correct gateway (Amazon's internal IP).
> 
> Not sure if I did the right thing, but I assigned the internal IP addresses
> 169.254.255.2 and 169.254.255.6 to the interface eth0 of our VPN server,
> which is the public-facing interface. I actually did almost the same
> setup as in this email thread
> (http://lists.openswan.org/pipermail/users/2010-May/018829.html).
> 
> After doing more testing, I found the proper configuration to get
> end-to-end ping connectivity. However, over 50% of the packets are getting
> lost; the configuration is as follows...
> 
> conn amazonvpc1
>     type=tunnel
>     authby=secret
>     left=207.96.182.176
>     leftsubnets={169.254.255.2/32,192.168.0.0/16}
>     right=72.21.209.225
>     rightsubnets={169.254.255.1/32,10.0.0.0/8}

Shouldn't most routers refuse to route link-local addresses (those in 
169.254.0.0/16) because they have no meaning outside the immediate 
link/context? If you assign link-local addresses to the VPN endpoints, you 
shouldn't be able to reference those addresses from anywhere else, mainly 
because the addresses you chose can be duplicated anywhere and everywhere 
else.
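As an added check that is not part of this thread or of Openswan itself: the script below parses an ipsec.conf conn stanza and flags every leftsubnet(s)/rightsubnet(s) entry that falls inside the link-local range 169.254.0.0/16, which is exactly what Neal's reply warns about. The sample stanza is the one quoted above, embedded as constructed input; the helper names (parse_conn, subnet_list, link_local_subnets, check) are my own, and the parser handles only the simple key=value layout seen in the thread.

```python
import ipaddress
import re

# Constructed sample input: the conn stanza quoted in the thread, with the
# 169.254.255.x /32 entries that the reply above is about.
SAMPLE_CONN = """\
conn amazonvpc1
    type=tunnel
    authby=secret
    left=207.96.182.176
    leftsubnets={169.254.255.2/32,192.168.0.0/16}
    right=72.21.209.225
    rightsubnets={169.254.255.1/32,10.0.0.0/8}
"""

# IPv4 link-local block (RFC 3927): valid only on the directly attached link.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def parse_conn(text):
    """Return {conn_name: {key: value}} for each 'conn' block in an ipsec.conf fragment.

    Only the flat 'key=value' lines used in the thread are handled; comments
    starting with '#' and blank lines are skipped.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        conns[current][key.strip()] = value.strip()
    return conns


def subnet_list(value):
    """Turn '{a/32,b/16}' (or a bare 'a/32') into a list of ip_network objects."""
    inner = value.strip().strip("{}")
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in inner.split(",") if s.strip()]


def link_local_subnets(conn):
    """Return [(key, network)] for every subnet entry that lies inside 169.254.0.0/16."""
    hits = []
    for key in ("leftsubnet", "leftsubnets", "rightsubnet", "rightsubnets"):
        if key not in conn:
            continue
        for net in subnet_list(conn[key]):
            if net.version == 4 and net.subnet_of(LINK_LOCAL):
                hits.append((key, net))
    return hits


def check(text):
    """Map each conn name in the fragment to its list of link-local subnet hits."""
    return {name: link_local_subnets(c) for name, c in parse_conn(text).items()}


if __name__ == "__main__":
    for name, hits in check(SAMPLE_CONN).items():
        if not hits:
            print(f"{name}: no link-local subnets")
        for key, net in hits:
            print(f"{name}: {key} carries link-local subnet {net}")
```

Run against the quoted stanza it reports both 169.254.255.x /32 entries; a conn whose leftsubnet/rightsubnet values are all RFC 1918 or public prefixes produces no hits. The check is deliberately limited to the subnet keys: a link-local address on the tunnel interface itself is what the AWS VPC setup hands out, and the point of the reply is only that such an address should not be advertised as a routed subnet across the tunnel.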

