[strongSwan] establishing IKE_SA failed, peer not responding
Oliver Asuncion Rojo
oliver.rojo at gmail.com
Wed Apr 29 11:51:33 CEST 2015
Hi,
I would like to ask your help regarding my issue with strongSwan. I am
planning to set up a site-to-site VPN between 2 Amazon VPCs using
strongswan-5.3.0 on CentOS 7.0. I can ping end-to-end IP addresses and I
didn't enable a firewall between the two servers. Both have the same ipsec.secrets
file.
=== My ipsec.conf file =====
config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        ike=3des,sha1,modp1024
        keyexchange=ikev2
        mobike=no

conn vpc1tovpc2
        left=xx.xx.xxx.xx
        leftsubnet=170.44.98.128/27
        leftid=@vpc1
        leftfirewall=yes
        right=xx.xx.xx.xxx
        rightsubnet=172.16.0.0/24
        rightid=@vpc2
        auto=start
My statusall results:
Status of IKE charon daemon (strongSwan 5.3.0, Linux 3.10.0-229.1.2.el7.x86_64, x86_64):
uptime: 71 minutes, since Apr 29 08:38:53 2015
malloc: sbrk 2568192, mmap 0, used 484832, free 2083360
worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509
revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
sshkey pem openssl fips-prf gmp xcbc cmac hmac curl sqlite attr
kernel-libipsec kernel-netlink resolve socket-default farp stroke vici
updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls
eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth
tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp
Listening IP addresses:
172.16.0.101
Connections:
vpc1tovpc2: xx.xx.xx.xxx...xx.xx.xx.xxx IKEv2
vpc1tovpc2: local: [qa] uses pre-shared key authentication
vpc1tovpc2: remote: [wellsfargo] uses pre-shared key authentication
vpc1tovpc2: child: 172.16.0.0/24 === 170.44.98.128/27 TUNNEL
Security Associations (0 up, 0 connecting):
none
When starting the connection between the strongSwan servers (strongswan up
vpc1tovpc2), I'm getting the errors below:
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP)
N(HASH_ALG) ]
sending packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (992 bytes)
retransmit 1 of request with message ID 0
sending packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (992 bytes)
retransmit 2 of request with message ID 0
sending packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (992 bytes)
retransmit 3 of request with message ID 0
sending packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (992 bytes)
retransmit 4 of request with message ID 0
sending packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (992 bytes)
retransmit 5 of request with message ID 0
sending packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (992 bytes)
giving up after 5 retransmits
establishing IKE_SA failed, peer not responding
establishing connection 'vpc1tovpc2' failed
I appreciate your response. Thanks!
Oliver
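A first-pass triage script for the failure mode in this post (IKE_SA_INIT request retransmitted five times with no reply), added here as an example; it is not code from the strongSwan project or from the poster. It reads the conn's left/right from ipsec.conf (falling back to conn %default), counts retransmits and received packets in a charon log excerpt, and checks whether the configured left address is actually bound on the host. That last check is the usual first question on EC2: an Elastic IP is NAT'd by AWS and never appears on the instance's interface, so charon cannot send from it. The sample ipsec.conf and log lines are constructed (RFC 5737 documentation addresses stand in for the masked ones), and the function and file names are my own.

```shell
#!/bin/sh
# ike_init_triage.sh: first-pass triage for "establishing IKE_SA failed, peer not responding".
# Added example for this thread; not code from the strongSwan project or from the poster.
# Assumes ipsec.conf syntax as in the post and charon log lines as in the post.

# conn_value CONF CONN KEY: print KEY from "conn CONN", else from "conn %default".
conn_value() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*(conn|config)[ \t]/ { sec = $2; next }
        /^[ \t]*#/ || /^[ \t]*$/    { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            n = index(line, "="); if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k != key) next
            if (sec == want) val = v
            else if (sec == "%default") dflt = v
        }
        END { if (val != "") print val; else if (dflt != "") print dflt }
    ' "$1"
}

# ike_init_summary LOG: print "<retransmits of message ID 0> <packets received>".
ike_init_summary() {
    r=$(grep -c 'retransmit [0-9]* of request with message ID 0' "$1" || true)
    p=$(grep -c 'received packet:' "$1" || true)
    echo "$r $p"
}

# addr_bound ADDR LIST: succeed if ADDR is one of the whitespace-separated LIST.
addr_bound() {
    for a in $2; do [ "$a" = "$1" ] && return 0; done
    return 1
}

# local_v4_addrs: IPv4 addresses configured on this host (iproute2).
local_v4_addrs() {
    ip -o -4 addr show 2>/dev/null | awk '{ split($4, a, "/"); print a[1] }'
}

# triage CONF CONN LOG BOUND: print "<tag>: <what to do next>".
triage() {
    conf=$1 conn=$2 log=$3 bound=$4
    left=$(conn_value "$conf" "$conn" left)
    right=$(conn_value "$conf" "$conn" right)
    summary=$(ike_init_summary "$log")
    retr=${summary%% *}; recv=${summary##* }
    if [ "$recv" -gt 0 ]; then
        echo "reply-seen: the peer answers; the problem is after IKE_SA_INIT (proposals, IDs, PSK)"
    elif ! addr_bound "$left" "$bound"; then
        echo "left-not-local: $left is not bound on this host (NAT or Elastic IP?); set left to the interface address or %defaultroute and keep leftid"
    elif [ "$retr" -gt 0 ]; then
        echo "no-reply: $retr retransmits to $right with no answer; capture UDP 500/4500 on both ends and check security groups"
    else
        echo "no-attempt: no IKE_SA_INIT retransmits in the log"
    fi
}

# write_samples DIR: constructed sample inputs (RFC 5737 addresses, not the poster's).
write_samples() {
    cat > "$1/ipsec.conf" <<'EOF'
config setup
conn %default
        keyexchange=ikev2
        authby=secret
conn vpc1tovpc2
        left=203.0.113.10
        leftsubnet=170.44.98.128/27
        leftid=@vpc1
        right=198.51.100.20
        rightsubnet=172.16.0.0/24
        rightid=@vpc2
        auto=start
EOF
    cat > "$1/charon.log" <<'EOF'
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
sending packet: from 172.16.0.101[500] to 198.51.100.20[500] (992 bytes)
retransmit 1 of request with message ID 0
retransmit 2 of request with message ID 0
retransmit 3 of request with message ID 0
retransmit 4 of request with message ID 0
retransmit 5 of request with message ID 0
giving up after 5 retransmits
establishing IKE_SA failed, peer not responding
EOF
}

# Demo on the constructed samples; on a real host the bound list comes from iproute2.
demo=$(mktemp -d)
write_samples "$demo"
if command -v ip >/dev/null 2>&1; then bound=$(local_v4_addrs); else bound="172.16.0.101 127.0.0.1"; fi
triage "$demo/ipsec.conf" vpc1tovpc2 "$demo/charon.log" "$bound"
rm -rf "$demo"
```

Run it on the initiator against the real ipsec.conf and a log excerpt from `journalctl -u strongswan` or `ipsec up`. If the verdict is no-reply, run `tcpdump -nni any udp port 500 or udp port 4500` on both instances while repeating `ipsec up` to see where the packet stops, and confirm the security groups of both instances allow UDP 500 and 4500 inbound from the peer's public address; a reply-seen verdict means the transport path is fine and the remaining suspects are the proposal, the IDs and the PSK.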