<HTML><HEAD>
<META content="text/html; charset=utf-8" http-equiv=Content-Type>
<META name=GENERATOR content="MSHTML 10.00.9200.17148"></HEAD>
<BODY style="FONT: 10pt Segoe UI; MARGIN: 4px 4px 1px">
<DIV>Hi Florin,</DIV>
<DIV> </DIV>
<DIV>We also use Strongswan to connect to our AWS environments. We run it on CentOS6. Whenever we tried CentOS7 we consistently lost around 3% of the packets. I've got a case open with AWS and they've been pretty stumped so far but are continuing to work with me on it and are being pretty helpful. I just wondered whether you'd noticed any packet loss?</DIV>
<DIV> </DIV>
<DIV>We've confirmed that the packets make it over the VPN connection from our site to AWS and appear to leave the CentOS7 instance (which is also routing) bound for the far end device within AWS but they never arrive there. Hopefully this isn't affecting you but I'd be interested to know if it is.</DIV>
<DIV> </DIV>
<DIV>Cheers,</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Tormod<BR><BR>>>> Florin Andrei <florin@andrei.myip.org> 19/05/2015 02:35 >>><BR>Noel,<BR><BR>That's it. The PSK was wrong. Also, the other side uses IKEv1, whereas <BR>the implicit default with Strongswan is IKEv2. I've explicitly enforced <BR>IKEv1. Works great now.<BR><BR>Other potential issues: The other side is picky about cipher suites, so <BR>I had to add some explicit cipher suite lists. Also, we're running <BR>Strongswan in Amazon, and AWS is doing 1:1 NAT for our instances, so I <BR>added some conf items for that. Key lifetimes were also important to <BR>tweak.<BR><BR>Not sure if all the config lines here are mandatory, but anyway, this is <BR>what works for us now:<BR><BR>########################################<BR>config setup<BR> nat_traversal=yes<BR><BR>conn %default<BR><BR>conn us2them<BR> authby=psk<BR> left=%any<BR> leftsubnet=our_subnet/netmask<BR> leftid=private.ip.of.our.VPN.instance<BR> right=ip.of.their.VPN.gateway<BR> rightsubnet=their_subnet/netmask<BR> rightid=ip.of.their.VPN.gateway<BR> auto=start<BR> ike = some-list-of-ciphers-that-works<BR> esp = some-other-list-of-ciphers-that-works<BR> ikelifetime = some-lifetime-interval<BR> lifetime = some-other-lifetime-interval<BR> forceencaps = yes<BR> keyexchange=ikev1<BR>########################################<BR><BR>Again, this is for Strongswan in the AWS cloud, connecting to Cisco 72xx <BR>with some custom settings.<BR><BR>Thank you.<BR><BR>-- <BR>Florin Andrei<BR><A href="https://urldefense.proofpoint.com/v2/url?u=http-3A__florin.myip.org_&d=BQICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=Jr4atqVkXS4Qv5TtvYkK3shxyHw5mu1maC_nWQNfG8Q&m=2k4OvTVvIcBT7-3S2WyR4g&s=GCMDvjNmN80LVT22fg-6SFVpgA1hy4kkTUCtbme0M7E&e=">https://urldefense.proofpoint.com/v2/url?u=http-3A__florin.myip.org_&d=BQICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=Jr4atqVkXS4Qv5TtvYkK3shxyHw5mu1maC_nWQNfG8Q&m=2k4OvTVvIcBT7-3S2WyR4g&s=GCMDvjNmN80LVT22fg-6SFVpgA1hy4kkTUCtbme0M7E&e=</A> <BR><BR>_______________________________________________<BR>Users mailing list<BR>Users@lists.strongswan.org<BR><A href="https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.strongswan.org_mailman_listinfo_users&d=BQICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=Jr4atqVkXS4Qv5TtvYkK3shxyHw5mu1maC_nWQNfG8Q&m=2k4OvTVvIcBT7-3S2WyR4g&s=0RoW30Dutl9uFWKcdaMYGqHMT0WCdCFaOcAKn9Wnqx4&e=">https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.strongswan.org_mailman_listinfo_users&d=BQICAg&c=euGZstcaTDllvimEN8b7jXrwqOf-v5A_CdpgnVfiiMM&r=Jr4atqVkXS4Qv5TtvYkK3shxyHw5mu1maC_nWQNfG8Q&m=2k4OvTVvIcBT7-3S2WyR4g&s=0RoW30Dutl9uFWKcdaMYGqHMT0WCdCFaOcAKn9Wnqx4&e=</A> <BR></DIV><BR>
<div>
<div>
<div>
<font face="Arial" size="2" color="#008000">Please consider the
environment before printing this email</font><font face="Arial" size="2">
</font> </div>
</div>
</div>
<div>
<font face="Arial" size="2">
</font> </div>
<span class="f133 controlstyle" id="F133"><font face="Arial" size="2">*********************************************************************
</font></span><font face="Arial" size="2"><br><span class="f133 controlstyle" id="F133"><br>This
e-mail and any attachments are confidential. If it is not for you, please
inform us and delete it immediately without disclosing, copying, or
distributing it.<br><br>If the content is not about the business of
PayWizard Group PLC or its clients, then it is neither from nor sanctioned
by PayWizard Group PLC. Use of this or any other PayWizard Group PLC
e-mail facility signifies consent to interception by PayWizard Group PLC.
The views expressed in this email or any attachments may not reflect the
views and opinions of PayWizard Group PLC.<br><br>This message has been
scanned for viruses and dangerous content by MailScanner, but PayWizard
Group PLC accepts no liability for any damage caused by the transmission
of any viruses.<br><br>PayWizard Group PLC is a public limited company
registered in Scotland (SC175703) with its registered office at Cluny
Court, John Smith Business Park, Kirkcaldy, Fife, KY2 6QJ.<br><br>*******************************************************************</span>*</font>
</BODY></HTML>