<div dir="ltr">Hi, all,<div><br></div>
<div>I've set up a site-to-site tunnel with StrongSwan 5.1.2 between two Ubuntu 14.04 (Trusty) instances running on AWS EC2. This tunnel will connect VPCs in two AWS regions. Ultimately, I plan to run two tunnels with hot/cold automatic failover.</div>
<div><br></div>
<div>I followed the example in the ikev2/net2net-psk test at <a href="https://www.strongswan.org/testresults.html">https://www.strongswan.org/testresults.html</a>.</div>
<div><br></div>
<div>The issue is that the IKE reauth fails, and charon decides to tear the whole thing down.</div>
<div><br></div>
<div><font face="arial, helvetica, sans-serif">Syslog snippet, cleaned of IP address information. The tunnel is named strongswan1.</font></div>
<div><font face="monospace, monospace" size="1"><br>
Sep 6 17:12:17 ec2vsswp01 charon: 04[IKE] reauthenticating IKE_SA strongswan1[1]<br>
Sep 6 17:12:17 ec2vsswp01 charon: 04[IKE] queueing IKE_REAUTH task<br>
Sep 6 17:12:17 ec2vsswp01 charon: 04[IKE] activating new tasks<br>
Sep 6 17:12:17 ec2vsswp01 charon: 04[IKE] activating IKE_REAUTH task<br>
Sep 6 17:12:17 ec2vsswp01 charon: 04[IKE] deleting IKE_SA strongswan1[1] between [ omitted ]<br>
Sep 6 17:12:17 ec2vsswp01 charon: 04[IKE] IKE_SA strongswan1[1] state change: ESTABLISHED => DELETING<br>
Sep 6 17:12:17 ec2vsswp01 charon: 04[IKE] sending DELETE for IKE_SA strongswan1[1]<br>
Sep 6 17:12:17 ec2vsswp01 charon: 04[ENC] generating INFORMATIONAL request 2 [ D ]<br>
Sep 6 17:12:17 ec2vsswp01 charon: 04[NET] sending packet: from [ omitted ] to [ omitted ] (76 bytes)<br>
Sep 6 17:12:17 ec2vsswp01 charon: 03[NET] sending packet: from [ omitted ] to [ omitted ]<br>
Sep 6 17:12:17 ec2vsswp01 charon: 02[NET] received packet: from [ omitted ] to [ omitted ]<br>
Sep 6 17:12:17 ec2vsswp01 charon: 02[NET] waiting for data on sockets<br>
Sep 6 17:12:17 ec2vsswp01 charon: 09[NET] received packet: from [ omitted ] to [ omitted ] (76 bytes)<br>
Sep 6 17:12:17 ec2vsswp01 charon: 09[ENC] parsed INFORMATIONAL response 2 [ ]<br>
Sep 6 17:12:17 ec2vsswp01 charon: 09[IKE] IKE_SA deleted<br>
Sep 6 17:12:17 ec2vsswp01 charon: 09[IKE] unable to reauthenticate IKE_SA, no CHILD_SA to recreate<br>
Sep 6 17:12:17 ec2vsswp01 charon: 09[IKE] reauthenticating IKE_SA failed<br>
Sep 6 17:12:17 ec2vsswp01 charon: 09[IKE] IKE_SA strongswan1[1] state change: DELETING => DESTROYING</font></div>
<div><br></div>
<div>On each side (A and B), I have /etc/ipsec.conf as:</div>
<div><font face="monospace, monospace" size="1"><br>
conn %default<br>
 ikelifetime=60m<br>
 keylife=20m<br>
 rekeymargin=3m<br>
 keyingtries=1<br>
 keyexchange=ikev2<br>
 authby=secret<br>
 mobike=no<br>
 ike=aes256-sha512-modp4096!<br>
 esp=aes256-sha512-modp4096!<br>
<br>
conn strongswan1<br>
# IP configuration information omitted; the tunnel establishes fine and fails on IKE rekey<br>
 auto=start<br>
 type=tunnel</font></div>
<div><br></div>
<div>I've increased logging levels in the charondebug line, but perhaps I've missed something simple? Any ideas or pointers would be greatly appreciated.</div>
<div><br></div>
<div>Thanks!</div>
<div><br></div>
<div>Isaac</div>
</div>
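<div>The state transitions in the log above are the thing to watch for on a tunnel like this: an IKE_REAUTH task that goes ESTABLISHED => DELETING => DESTROYING with no replacement IKE_SA coming up means the tunnel is gone until something re-initiates it. The following is an added example, not code from the post or from strongSwan: a small Python script that parses charon syslog lines, tracks each IKE_SA that charon tries to reauthenticate, and reports whether the reauth ended in an explicit failure (charon logs "unable to reauthenticate IKE_SA, &lt;reason&gt;" without naming the SA, so the script attributes it to the reauth most recently started) or in a new IKE_SA for the same conn. The sample input is the log quoted in the post (IP addresses already omitted there) followed by four constructed lines for a hypothetical conn "strongswan2" whose reauth succeeds, so the two outcomes can be compared.</div>

```python
"""Flag failed IKE_SA reauthentications in charon syslog output.

Added example, not part of the original post or of strongSwan. It runs over
the charon log lines quoted in the post plus a constructed successful reauth
for contrast, and reports each reauthenticated IKE_SA's fate.
"""
import re
import sys

# charon syslog line: "<ts> <host> charon: <thread>[<group>] <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
REAUTH_RE = re.compile(r"^reauthenticating IKE_SA (?P<sa>\S+\[\d+\])$")
STATE_RE = re.compile(r"^IKE_SA (?P<sa>\S+\[\d+\]) state change: (?P<old>\w+) => (?P<new>\w+)$")
FAIL_RE = re.compile(r"^unable to reauthenticate IKE_SA, (?P<reason>.+)$")
ESTABLISHED_RE = re.compile(r"^IKE_SA (?P<sa>\S+\[\d+\]) established between ")

# Constructed sample input. The 17:12:17 lines are the log quoted in the post
# (IP addresses omitted there); the 18:12:17 lines for conn "strongswan2" are
# made up here to show what a reauth that succeeds looks like to this script.
SAMPLE_LOG = """\
Sep 6 17:12:17 ec2vsswp01 charon: 04[IKE] reauthenticating IKE_SA strongswan1[1]
Sep 6 17:12:17 ec2vsswp01 charon: 04[IKE] queueing IKE_REAUTH task
Sep 6 17:12:17 ec2vsswp01 charon: 04[IKE] activating IKE_REAUTH task
Sep 6 17:12:17 ec2vsswp01 charon: 04[IKE] deleting IKE_SA strongswan1[1] between [ omitted ]
Sep 6 17:12:17 ec2vsswp01 charon: 04[IKE] IKE_SA strongswan1[1] state change: ESTABLISHED => DELETING
Sep 6 17:12:17 ec2vsswp01 charon: 04[IKE] sending DELETE for IKE_SA strongswan1[1]
Sep 6 17:12:17 ec2vsswp01 charon: 04[ENC] generating INFORMATIONAL request 2 [ D ]
Sep 6 17:12:17 ec2vsswp01 charon: 04[NET] sending packet: from [ omitted ] to [ omitted ] (76 bytes)
Sep 6 17:12:17 ec2vsswp01 charon: 09[NET] received packet: from [ omitted ] to [ omitted ] (76 bytes)
Sep 6 17:12:17 ec2vsswp01 charon: 09[ENC] parsed INFORMATIONAL response 2 [ ]
Sep 6 17:12:17 ec2vsswp01 charon: 09[IKE] IKE_SA deleted
Sep 6 17:12:17 ec2vsswp01 charon: 09[IKE] unable to reauthenticate IKE_SA, no CHILD_SA to recreate
Sep 6 17:12:17 ec2vsswp01 charon: 09[IKE] reauthenticating IKE_SA failed
Sep 6 17:12:17 ec2vsswp01 charon: 09[IKE] IKE_SA strongswan1[1] state change: DELETING => DESTROYING
Sep 6 18:12:17 ec2vsswp01 charon: 05[IKE] reauthenticating IKE_SA strongswan2[2]
Sep 6 18:12:17 ec2vsswp01 charon: 05[IKE] IKE_SA strongswan2[2] state change: ESTABLISHED => DELETING
Sep 6 18:12:17 ec2vsswp01 charon: 05[IKE] IKE_SA strongswan2[3] established between [ omitted ]...[ omitted ]
Sep 6 18:12:17 ec2vsswp01 charon: 05[IKE] IKE_SA strongswan2[2] state change: DELETING => DESTROYING
"""


def conn_name(sa):
    """'strongswan1[1]' -> 'strongswan1' (the conn the IKE_SA instance belongs to)."""
    return sa.split("[", 1)[0]


def analyze(lines):
    """Return {IKE_SA: report} for every IKE_SA charon tried to reauthenticate.

    report keys: reauth_at, states (transition chain), failed, reason, replacement.
    """
    reports = {}
    pending = []  # IKE_SAs with an IKE_REAUTH task in flight, oldest first
    for line in lines:
        m = SYSLOG_RE.match(line.strip())
        if not m or m.group("group") != "IKE":
            continue  # NET/ENC chatter says nothing about SA state
        msg = m.group("msg")
        r = REAUTH_RE.match(msg)
        if r:
            reports[r.group("sa")] = {"reauth_at": m.group("ts"), "states": [],
                                      "failed": False, "reason": None, "replacement": None}
            pending.append(r.group("sa"))
            continue
        s = STATE_RE.match(msg)
        if s and s.group("sa") in reports:
            states = reports[s.group("sa")]["states"]
            if not states:
                states.append(s.group("old"))
            states.append(s.group("new"))
            continue
        f = FAIL_RE.match(msg)
        if f and pending:
            # charon logs this without the SA name; it belongs to the most
            # recently started reauth, which is the one still being torn down.
            sa = pending.pop()
            reports[sa].update(failed=True, reason=f.group("reason"))
            continue
        e = ESTABLISHED_RE.match(msg)
        if e:
            # A new IKE_SA for the same conn coming up resolves that conn's pending reauth.
            for sa in pending:
                if conn_name(sa) == conn_name(e.group("sa")) and sa != e.group("sa"):
                    pending.remove(sa)
                    reports[sa]["replacement"] = e.group("sa")
                    break
    return reports


def failed_reauths(reports):
    """Return [(IKE_SA, reason)] for reauths that left the conn without an IKE_SA."""
    return [(sa, rep["reason"]) for sa, rep in reports.items()
            if rep["failed"] or (rep["replacement"] is None and "DESTROYING" in rep["states"])]


if __name__ == "__main__":
    # Usage: python3 charon_reauth.py [/var/log/syslog]; no argument uses SAMPLE_LOG.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for sa, rep in analyze(lines).items():
        outcome = "FAILED: " + rep["reason"] if rep["failed"] else "replaced by " + str(rep["replacement"])
        print(sa, rep["reauth_at"], " -> ".join(rep["states"]), outcome)
```

<div>On Ubuntu 14.04 the charon lines land in /var/log/syslog, so the script can be pointed at that file directly; the constructed "strongswan2" lines are only there to show that a reauth followed by a new IKE_SA for the same conn is reported as replaced rather than failed.</div>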