[Openswan Users] ipsec routing issue with amazon vpc

Luc Paulin paulinster at gmail.com
Wed May 4 13:33:21 EDT 2011


2011/5/4 Neal Murphy <neal.p.murphy at alum.wpi.edu>

> On Wednesday 04 May 2011 11:31:43 Luc Paulin wrote:
> > internal's ip (169.254.255.x), however when I try to ping the other
> side's
> > network, the I amd getting  destination host unreachable. The routing
> > table does properly show and entry to route the network through the
> > correct gateway (amazon's internal ip).
> >
> > Not sure If I did the right thing but I assign the internal ip adresses
> > 169.254.255.2 and 169.254.255.6 to the interface eth0 of our vpn server,
> > which is the public facing interface. I actually did an almost same copy
> > as per this email thread setup
> > (http://lists.openswan.org/pipermail/users/2010-May/018829.html).
> >
> >
> >
> > After doing more testing, I found the proper configuration to make
> > end-to-end ping connectivity. However, over 50% of the packet are getting
> > lost, configuration is as follow...
> >
> > conn amazonvpc1
> >      type= tunnel
> >     authby=secret
> >     left=207.96.182.176
> >     leftsubnets={169.254.255.2/32,192.168.0.0/16}
> >     right=72.21.209.225
> >     rightsubnets={169.254.255.1/32,10.0.0.0/8}
>
> Shouldn't most routers refuse to route link-local addresses (those in
> 169.254.0.0/16) because they have no meaning outside the immediate
> link/context? If you assign link-local addresses to the VPN endpoints, you
> shouldn't be able to reference those addresses from anywhere else, mainly
> because the addresses you chose can be duplicated anywhere and everywhere
> else.
>


Well I have no control on amazon's side. The only information provided from
them is the following...

================================================================================
#1: Internet Key Exchange Configuration

Configure the IKE SA as follows
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : <PRE-SHARED_KEY>
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

#2: IPSec Configuration

Configure the IPSec SA as follows:
  - Protocol                 : esp
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Mode                     : tunnel
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
recommend configuring DPD on your endpoint as follows:
  - DPD Interval             : 10
  - DPD Retries              : 3

IPSec ESP (Encapsulating Security Payload) inserts additional
headers to transmit packets. These headers require additional space,
which reduces the amount of space available to transmit application data.
To limit the impact of this behavior, we recommend the following
configuration on your Customer Gateway:
  - TCP MSS Adjustment       : 1396 bytes
  - Clear Don't Fragment Bit : enabled
  - Fragmentation            : Before encryption

#3: Tunnel Interface Configuration

Your Customer Gateway must be configured with a tunnel interface that is
associated with the IPSec tunnel. All traffic transmitted to the tunnel
interface is encrypted and transmitted to the VPN Gateway.

Additionally, the VPN Gateway and Customer Gateway establish the BGP
peering from your tunnel interface.

The Customer Gateway and VPN Gateway each have two addresses that relate
to this IPSec tunnel. Each contains an outside address, upon which encrypted
traffic is exchanged. Each also contain an inside address associated with
the tunnel interface.

The Customer Gateway outside IP address was provided when the Customer
Gateway
was created. Changing the IP address requires the creation of a new
Customer Gateway.

The Customer Gateway inside IP address should be configured on your tunnel
interface.

Outside IP Addresses:
  - Customer Gateway:        : <MY_PUBLIC_IP>
  - VPN Gateway              : 72.21.209.225

Inside IP Addresses
  - Customer Gateway         : 169.254.255.2/30
  - VPN Gateway              : 169.254.255.1/30

Configure your tunnel to fragment at the optimal size:
  - Tunnel interface MTU     : 1436 bytes

#4: Border Gateway Protocol (BGP) Configuration:

The Border Gateway Protocol (BGPv4) is used within the tunnel, between the
inside
IP addresses, to exchange routes from the VPC to your home network. Each
BGP router has an Autonomous System Number (ASN). Your ASN was provided
to AWS when the Customer Gateway was created.

BGP Configuration Options:
  - Customer Gateway ASN     : 65000
  - VPN Gateway ASN          : 7224
  - Neighbor IP Address      : 169.254.255.1
  - Neighbor Hold Time       : 30

Configure BGP to announce the default route (0.0.0.0/0) to the VPN
Connection
Gateway. The VPN Gateway will announce prefixes to your Customer
Gateway based upon the prefixes assigned in the creation of the VPC.
================================================================================




-- 
                         !!!!!
                       ( o o )
 --------------oOO----(_)----OOo--------------
Luc Paulin  |  paulinster(at)gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.openswan.org/pipermail/users/attachments/20110504/42efd30b/attachment.html 


More information about the Users mailing list