openswan ipsec in ec2

Posted by peter on August 24, 2011

This may be totally invalid given Amazon rolling out cross-region VPC a few weeks ago, but for those who still insist on rolling their own…

I was setting up IPsec (openswan) in EC2 for some folks, which included, among other things, cross-region EC2-instance-to-EC2-instance links. We had endless trouble with connections just suddenly dying. UDP isn’t the easiest thing to get right with NAT, and though it’s hard to be conclusive (especially when debugging Linux IPsec, which is not the easiest thing to follow in and out of the kernel), I point my blame-finger at bad interactions with the double NAT between EC2 regions.

The problem was eventually solved with a combination of aggressive dead peer detection settings (dpddelay=4 dpdtimeout=16) and (the trickier setting to find) adding disable_port_floating=yes to the config setup section of ipsec.conf. That setting stops pluto from changing the port it communicates on, which, I assume, makes an easier job for Amazon’s NAT. This also means NAT-T behaviour is probably not going to work with other vendors’ implementations in this setup, as pluto no longer listens on 4500, but we’re openswan everywhere, and it’s made our links stable.
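Putting those settings in context, here is an ipsec.conf sketch for one side of an EC2-to-EC2 link. This is an added example, not the config from the post: the addresses, subnets, PSK authentication, protostack/nat_traversal/virtual_private lines and the dpdaction=restart choice are assumptions, and every IP and subnet is a placeholder.

```ini
# /etc/ipsec.conf (openswan) - added example, not from the post.
# All addresses and subnets below are placeholders.

config setup
    protostack=netkey
    # Both instances sit behind Amazon's NAT, so NAT traversal stays on.
    nat_traversal=yes
    # Private ranges that may appear behind NAT (assumption; adjust).
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16
    # The fix from the post: keep pluto on the port it started on instead
    # of floating to 4500 after NAT detection. Caveat: peers that expect
    # standard NAT-T port floating will no longer interoperate.
    disable_port_floating=yes

conn ec2-region-a-to-region-b
    # EC2 instances only see their private address on the interface;
    # the public (elastic) IP is used as the identity. Placeholders.
    left=%defaultroute
    leftid=203.0.113.10
    leftsubnet=10.0.1.0/24
    right=198.51.100.20
    rightid=198.51.100.20
    rightsubnet=10.0.2.0/24
    # Pre-shared key in /etc/ipsec.secrets (assumption; post does not say).
    authby=secret
    # Aggressive dead peer detection from the post: probe every 4 s and
    # give up on the peer after 16 s without a reply.
    dpddelay=4
    dpdtimeout=16
    # Assumption: re-establish the tunnel when the peer is declared dead.
    dpdaction=restart
    auto=start
```

Mirror the left/right values on the other instance; the DPD timers and disable_port_floating must match on both ends, since the behaviour the post describes depends on both sides staying on the same port.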

