<div dir="ltr">Hello,<div><br></div><div>I have the same setup working in AWS VPC.</div><div>Do you interconnect your VPCs via VPC peering connections or via their public IPs?</div><div>Do you allow inbound connections in the security groups of both VPN nodes?</div><div>You need:</div><div>UDP/500, UDP/4500, IP protocol 50 (ESP)</div><div><br></div><div>As a first step, I would try to send packets from node vpc1 to node vpc2 (UDP port 500) and vice versa and see whether they arrive.</div><div>vpc1 # nmap -sU -p500 -Pn vpc2</div><div>vpc2 # sudo tcpdump udp port 500</div><div>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode</div><div>listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes</div><div>05:52:31.153768 IP vpc1.38874 > vpc2.isakmp: isakmp: phase 1 I ident</div><div><br></div><div>If you use public IPs then UDP/4500 has to be opened as well, for NAT traversal. I prefer to use VPC Peering Connections.</div><div><br></div><div>BR,</div><div>Miroslav</div><div><br>On Thursday, April 30, 2015 at 12:57:08 AM UTC+2, Noel Kuntze wrote:<blockquote class="gmail_quote" style="margin: 0;margin-left: 0.8ex;border-left: 1px #ccc solid;padding-left: 1ex;"><p>Hello Oliver,</p><p>As you censored the local IP, I cannot tell if you do this, but<br>you can only send packets from IPs that you have locally<br>installed on an interface. So do not put your public IP in there<br>unless you have it on a local interface.</p><p>Make sure your firewall rules (and those of the instance) allow UDP<br>ports 500 and 4500, and double-check your IPs.</p><p>Mit freundlichen Grüßen/Kind Regards,<br>Noel Kuntze</p><p>GPG Key ID: 0x63EC6658<br>Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658</p><p>On 29.04.2015 at 11:51, Oliver Asuncion Rojo wrote:<br>> Hi,<br>><br>> I would like to ask for your help regarding my issue with strongSwan. 
I am planning to set up a site-to-site VPN between 2 Amazon VPCs using strongswan-5.3.0 on CentOS 7.0. I can ping the end-to-end IP addresses and I didn't enable a firewall between the two servers. Both have the same ipsec.secrets file.<br>><br>> === My ipsec.conf file =====<br>><br>> config setup<br>>         # strictcrlpolicy=yes<br>>         # uniqueids = no<br>><br>> conn %default<br>>         ikelifetime=60m<br>>         keylife=20m<br>>         rekeymargin=3m<br>>         keyingtries=1<br>>         authby=secret<br>>         ike=3des,sha1,modp1024<br>>         keyexchange=ikev2<br>>         mobike=no<br>><br>> conn vpc1tovpc2<br>>         left=xx.xx.xxx.xx<br>>         leftsubnet=170.44.98.128/27<br>>         leftid=@vpc1<br>>         leftfirewall=yes<br>>         right=xx.xx.xx.xxx<br>>         rightsubnet=172.16.0.0/24<br>>         rightid=@vpc2<br>>         auto=start<br>><br>> My statusall results:<br>> Status of IKE charon daemon (strongSwan 5.3.0, Linux 3.10.0-229.1.2.el7.x86_64, x86_64):<br>>   uptime: 71 minutes, since Apr 29 08:38:53 2015<br>>   malloc: sbrk 2568192, mmap 0, used 484832, free 2083360<br>>   worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 0<br>>   loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl sqlite attr kernel-libipsec kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp<br>> Listening IP addresses:<br>>   172.16.0.101<br>> Connections:<br>>     vpc1tovpc2:  xx.xx.xx.xxx...xx.xx.xx.xxx  IKEv2<br>>     vpc1tovpc2:   local:  [qa] uses pre-shared key authentication<br>>     vpc1tovpc2:   remote: [wellsfargo] uses pre-shared key authentication<br>>     vpc1tovpc2:   child:  172.16.0.0/24 === 170.44.98.128/27 TUNNEL<br>> Security Associations (0 up, 0 connecting):<br>>   none<br>><br>><br>> When starting the connection between the strongSwan servers (strongswan up vpc1tovpc2), I'm getting the errors below:<br>><br>> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]<br>> sending packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (992 bytes)<br>> retransmit 1 of request with message ID 0<br>> sending packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (992 bytes)<br>> retransmit 2 of request with message ID 0<br>> sending packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (992 bytes)<br>> retransmit 3 of request with message ID 0<br>> sending packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (992 bytes)<br>> retransmit 4 of request with message ID 0<br>> sending packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (992 bytes)<br>> retransmit 5 of request with message ID 0<br>> sending packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (992 bytes)<br>> giving up after 5 retransmits<br>> establishing IKE_SA failed, peer not responding<br>> establishing connection 'vpc1tovpc2' failed<br>><br>> I appreciate your response. Thanks!<br>><br>> Oliver<br>><br>><br>> _______________________________________________<br>> Users mailing list<br>> <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>> <a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank" rel="nofollow">https://lists.strongswan.org/mailman/listinfo/users</a></p></blockquote></div></div>
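<p>The two diagnoses in the replies above (Noel's: <code>left</code> must be an address actually installed on a local interface; Miroslav's: a request that is retransmitted five times and never answered is a reachability problem on UDP/500, UDP/4500 and ESP, not an authentication or proposal problem) can be turned into a small checker. The script below is an added example, not code from the thread or from the strongSwan project. The ipsec.conf and charon log samples in it are constructed (RFC 5737 documentation addresses stand in for the poster's redacted ones), and the list of algorithms it flags as deprecated is an assumed local policy, not anything the thread states.</p>

```python
"""Checks for the 'peer not responding' case: local-address sanity of a conn,
deprecated IKE algorithms, and a summary of the IKE_SA_INIT attempt from a
charon log. Added example; samples below are constructed, not the poster's."""
import ipaddress
import re

SEND_RE = re.compile(r"sending packet: from (\S+)\[(\d+)\] to (\S+)\[(\d+)\]")
RECV_RE = re.compile(r"received packet: from (\S+)\[(\d+)\] to (\S+)\[(\d+)\]")
RETRANSMIT_RE = re.compile(r"retransmit (\d+) of request with message ID (\d+)")
GIVE_UP_RE = re.compile(r"giving up after (\d+) retransmits")

# Assumed local policy: algorithms that should not appear in a new IKE proposal.
WEAK_IKE_TOKENS = {"des", "3des", "md5", "modp768", "modp1024"}


def parse_ipsec_conf(text):
    """Return {'conn name': {key: value}, ...}. Handles only what the thread's
    file uses: section header at column 0, indented key=value, '#' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault(f"{kind} {name.strip()}".strip(), {})
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return sections


def effective_conns(sections):
    """Each real conn with the values of 'conn %default' merged in underneath."""
    defaults = sections.get("conn %default", {})
    return {name[len("conn "):]: {**defaults, **body}
            for name, body in sections.items()
            if name.startswith("conn ") and name != "conn %default"}


def check_conn(conn, local_addrs):
    """Findings for one conn, given the addresses installed on local interfaces."""
    findings = []
    local = {ipaddress.ip_address(a) for a in local_addrs}
    left = conn.get("left", "")
    if left and not left.startswith("%"):          # %any / %defaultroute are fine
        try:
            if ipaddress.ip_address(left) not in local:
                findings.append(
                    f"left={left} is not installed on a local interface; charon can "
                    "only send from a local address (behind an EC2 public IP use the "
                    "private address here and put the public one in leftid)")
        except ValueError:
            findings.append(f"left={left} is not a literal IP; make sure it resolves "
                            "to a local address")
    if conn.get("keyexchange") != "ikev2":
        findings.append("keyexchange is not ikev2")
    tokens = {t for t in re.split(r"[-,]", conn.get("ike", "").lower().rstrip("!")) if t}
    weak = sorted(tokens & WEAK_IKE_TOKENS)
    if weak:
        findings.append("ike proposal contains deprecated algorithms: " + ", ".join(weak))
    return findings


def classify_charon_log(lines):
    """Summarise an IKE_SA_INIT attempt from charon log lines."""
    sent = received = retransmits = 0
    ports, gave_up = set(), False
    for line in lines:
        if m := SEND_RE.search(line):
            sent += 1
            ports.add(int(m.group(2)))
        if m := RECV_RE.search(line):
            received += 1
            ports.add(int(m.group(4)))
        if RETRANSMIT_RE.search(line):
            retransmits += 1
        if GIVE_UP_RE.search(line):
            gave_up = True
    if sent and not received and gave_up:
        verdict = "no reply to IKE_SA_INIT"
        advice = ("the peer never answered, so check reachability first: UDP/500 in "
                  "both directions (nmap -sU -p 500 on one side, tcpdump udp port 500 "
                  "on the other) and the security groups / firewalls of both nodes")
    elif received:
        verdict = "peer answered"
        advice = "IKE_SA_INIT completed; the failure, if any, is further down the log"
    else:
        verdict = "inconclusive"
        advice = "no finished IKE_SA_INIT attempt in these lines"
    return {"sent": sent, "received": received, "retransmits": retransmits,
            "nat_t_seen": 4500 in ports,   # charon moves to 4500 once NAT is detected
            "verdict": verdict, "advice": advice,
            "rules": ["UDP/500 (IKE)", "UDP/4500 (IKE and ESP-in-UDP when a NAT, e.g. "
                      "an EC2 public IP, sits between the peers)", "IP protocol 50 (ESP)"]}


# Constructed sample input: 203.0.113.10 plays the instance's public IP, which
# is NOT installed on the instance (only 172.16.0.101 is), as in Noel's warning.
SAMPLE_CONF = """\
config setup

conn %default
        keyingtries=1
        authby=secret
        ike=3des,sha1,modp1024
        keyexchange=ikev2
        mobike=no

conn vpc1tovpc2
        left=203.0.113.10
        leftsubnet=172.16.0.0/24
        leftid=@vpc1
        right=198.51.100.20
        rightsubnet=10.0.0.0/24
        rightid=@vpc2
        auto=start
"""
SAMPLE_LOG = ["generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]"]
for i in range(6):
    if i:
        SAMPLE_LOG.append(f"retransmit {i} of request with message ID 0")
    SAMPLE_LOG.append("sending packet: from 172.16.0.101[500] to 198.51.100.20[500] (992 bytes)")
SAMPLE_LOG += ["giving up after 5 retransmits", "establishing IKE_SA failed, peer not responding"]

if __name__ == "__main__":
    for name, conn in effective_conns(parse_ipsec_conf(SAMPLE_CONF)).items():
        for finding in check_conn(conn, ["127.0.0.1", "172.16.0.101"]):
            print(f"{name}: {finding}")
    for key, value in classify_charon_log(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

<p>Run it against a real file and log with <code>parse_ipsec_conf(open("/etc/ipsec.conf").read())</code> and the local addresses taken from <code>ip -4 addr</code>; the point of <code>classify_charon_log</code> is to stop guessing at PSKs and proposals while the log shows the peer never sent a single byte back.</p>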