<div dir="ltr"><div><div class="gmail_signature"><div dir="ltr"><div><div>Hi Guys </div><div><br></div><div>I was wondering if anyone has had this same issue.</div><div><br></div><div>we have a number of servers in a VPC in AWS and we are building IPSEC tunnels with an end customer who are using a Cisco 3845, and we want to establish a site to site connection.</div><div><br></div><div>We are using servers with an Elastic IP, and can establish the tunnel, however I cannot seem to initiate connections from the AWS server running strongswan, out to the Cisco, for example ICMP, or SMPP, however if the Cisco intiates a PING, the tunnel becomes active.</div><div><br></div><div>I notice until that point ip xfrm policy has no content populated, please can someone let me know what I may be missing?</div><div><br></div><div>the status of the strongswan command shows ;</div><div><br></div><div> strongswan statusall</div><div>Status of IKE charon daemon (strongSwan 5.4.0, Linux 3.10.0-327.18.2.el7.x86_64, x86_64):</div><div> uptime: 9 minutes, since Nov 08 17:05:11 2016</div><div> malloc: sbrk 1622016, mmap 0, used 483808, free 1138208</div><div> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4</div><div> loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp</div><div>Listening IP addresses:</div><div> 172.31.12.91</div><div>Connections:</div><div> THW-FW-B: 172.31.12.91...<CustomerPublicIPFirewall> IKEv1, dpddelay=10s</div><div> THW-FW-B: local: [<ElasticIP>] uses pre-shared key authentication</div><div> THW-FW-B: remote: [<CustomerPublicIPFirewall>] uses pre-shared key authentication</div><div> THW-FW-B: child: <ElasticIP>/32 === <CustomerSubnet> TUNNEL, dpdaction=restart</div><div>Security Associations (1 up, 0 connecting):</div><div> THW-FW-B[1]: ESTABLISHED 9 minutes ago, 172.31.12.91[<ElasticIP>]...<CustomerPublicIPFirewall>[<CustomerPublicIP>]</div><div> THW-FW-B[1]: IKEv1 SPIs: 0cc86f09022b466c_i* cfb875944d065524_r, pre-shared key reauthentication in 7 hours</div><div> THW-FW-B[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024</div><div><br></div><div><br></div><div><br></div><div>However As I say, when I try and ping the far side subnet, it doesnt try to go through the tunnel/create a child policy, however if the far end sends a ping, it creates a tunnel, and from that point onwards I can initiate a connection.</div><div><br></div><div>Please help!</div><div><br></div><div>ipsec.conf shown below;</div><div><br></div><div># ipsec.conf - strongSwan IPsec configuration file</div><div><br></div><div># basic configuration</div><div><br></div><div>config setup</div><div> charondebug="ike, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"</div><div><br></div><div>conn %default</div><div> ikelifetime=28800s</div><div> keylife=3600s</div><div> rekeymargin=3m</div><div> keyingtries=3</div><div> keyexchange=ikev1</div><div> authby=secret</div><div> type=tunnel</div><div> dpddelay=10s</div><div> dpdtimeout =30s</div><div> dpdaction=restart</div><div> rekey=yes</div><div>conn THW-FW-B</div><div> ike=3des-sha1-modp1024</div><div> esp=3des-sha1-modp1024</div><div> left=172.31.12.91</div><div> leftsubnet=<ElasticIP></div><div> leftid=<ElasticIP></div><div> leftfirewall=yes</div><div> right=<CustomerPublicIPFirewall></div><div> rightsubnet=<CustomerSubnet></div><div> auto=start</div><div><br></div><div>Many thanks</div><div><br></div><div>Jon</div><div><br></div><div><br></div><div><br></div></div></div></div>
</div></div>