[strongSwan] AWS VTI basic connectivity

Tom Harbert tom at campaignmonitor.com
Wed Aug 26 03:53:13 CEST 2015


Hey Guys,

Thanks for your responses.

The layer 3 addressing is definitely dictated by Amazon.  This is
non-negotiable and any other engineers familiar with interconnecting to AWS
VPCs will be able to confirm.  Once again, it is not routed; it is just used
for communicating between the nodes across this link only.  It is not
advertised further.  It is somewhat comparable to the FE80::/10 IPv6
link-local range.  I reviewed RFC 3927 (https://www.ietf.org/rfc/rfc3927.txt)
and maybe the only issue one could take with it being used in this scenario
is that it is not dynamically assigned.

I have resolved my problem.  It turned out to be a possible Linux kernel
bug.  Specifically, the Linux VTI functionality was broken in 3.16.39 on
Ubuntu 14.04.  It was obscure and hard to pinpoint, so hopefully this helps
someone else.  I can confirm it is still broken in 3.19; I went back to
3.16.30 to get around it for now.

https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1467561

Thanks,
Tom.


On Wed, Aug 26, 2015 at 11:21 AM, Nimo <gnimozyu at gmail.com> wrote:

> Hello Tom
>
> Does your strongswan.conf include the following parameters?
>         install_routes = no
>         install_virtual_ip = no
>
> Also, please check proc values.
>   echo 1 > /proc/sys/net/ipv4/conf/vti2/disable_policy
>   echo 1 > /proc/sys/net/ipv4/conf/vti2/disable_xfrm
>
> Thanks,
>
> On Wed, Aug 26, 2015 at 4:01 AM, Noel Kuntze <noel at familie-kuntze.de>
> wrote:
>
>>
>> I doubt that the network is really dictated by the side.
>> The use of that network for routing is discouraged. Any professional will
>> tell you that.
>>
>> You should only set mark_out, if you use a VTI, I think.
>>
>> - --
>>
>> Mit freundlichen Grüßen/Kind Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>
>
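The settings named in the quoted reply can be compared against a host in one pass. The script below is an added example, not part of the original thread or of strongSwan; the function names and the idea of passing the file locations as arguments are assumptions made for illustration, and it reads only the single configuration file it is given (not included files).

```shell
#!/bin/sh
# Added example (not from the thread). File locations are passed as arguments
# so the checks can also run against a copy of the files.

# conf_value FILE KEY: print the last value assigned to KEY in a
# strongswan.conf-style file, ignoring '#' comments and section braces.
conf_value() {
    sed -e 's/#.*//' "$1" 2>/dev/null | awk -F= -v key="$2" '
        { k = $1; sub(/.*[{]/, "", k); gsub(/[ \t]/, "", k) }
        k == key { v = $2; sub(/[}].*/, "", v); gsub(/[ \t]/, "", v); val = v }
        END { print val }'
}

# is_off VALUE: true for the spellings strongSwan reads as boolean false.
is_off() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        no|false|disabled|0) return 0 ;;
        *) return 1 ;;
    esac
}

# check_vti CONF PROC_CONF_DIR IFACE: report each setting named in the reply;
# the return status is the number of settings that differ from it.
check_vti() {
    cv_conf=$1 cv_proc=$2 cv_if=$3 cv_bad=0
    for cv_key in install_routes install_virtual_ip; do
        cv_val=$(conf_value "$cv_conf" "$cv_key")
        if is_off "$cv_val"; then
            echo "ok:   $cv_key = $cv_val"
        else
            echo "diff: $cv_key = ${cv_val:-<unset>} (reply suggests no)"
            cv_bad=$((cv_bad + 1))
        fi
    done
    for cv_key in disable_policy disable_xfrm; do
        cv_val=$(cat "$cv_proc/$cv_if/$cv_key" 2>/dev/null || true)
        if [ "$cv_val" = 1 ]; then
            echo "ok:   $cv_if/$cv_key = 1"
        else
            echo "diff: $cv_if/$cv_key = ${cv_val:-<missing>} (reply sets 1)"
            cv_bad=$((cv_bad + 1))
        fi
    done
    return "$cv_bad"
}

# Run only when called with arguments, for example (typical paths, assumed):
#   sh check_vti.sh /etc/strongswan.conf /proc/sys/net/ipv4/conf vti2
if [ "$#" -ge 3 ]; then check_vti "$1" "$2" "$3"; fi
```

A clean result only means the configuration matches the reply; as the message above reports, the same symptoms can come from the kernel itself.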