[strongSwan] establishing IKE_SA failed, peer not responding

Noel Kuntze noel at familie-kuntze.de
Thu Apr 30 00:57:02 CEST 2015



Hello Oliver,

As you censored the local IP, I cannot tell if you do this, but
you can only send packets from IPs which you have locally
installed on an interface. So do not put your public IP in there
unless you have it on a local interface.

Make sure your firewall rules (and those of the instance) allow UDP
port 500 and 4500 and double check your IPs.

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 29.04.2015 at 11:51, Oliver Asuncion Rojo wrote:
> Hi,
>
> I would like to ask your help regarding my issue with strongswan. I am planning to set up a site-to-site VPN between 2 Amazon VPCs using strongswan-5.3.0 on CentOS 7.0. I can ping end-to-end IP addresses and I didn't enable a firewall between the two servers. Both have the same ipsec.secrets file.
>
> === My ipsec.conf file =====
>
> config setup
>         # strictcrlpolicy=yes
>         # uniqueids = no
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         authby=secret
>         ike=3des,sha1,modp1024
>         keyexchange=ikev2
>         mobike=no
>
> conn vpc1tovpc2
>         left=xx.xx.xxx.xx
>         leftsubnet=170.44.98.128/27
>         leftid=@vpc1
>         leftfirewall=yes
>         right=xx.xx.xx.xxx
>         rightsubnet=172.16.0.0/24
>         rightid=@vpc2
>         auto=start
>
> My statusall results:
> Status of IKE charon daemon (strongSwan 5.3.0, Linux 3.10.0-229.1.2.el7.x86_64, x86_64):
>   uptime: 71 minutes, since Apr 29 08:38:53 2015
>   malloc: sbrk 2568192, mmap 0, used 484832, free 2083360
>   worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 0
>   loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl sqlite attr kernel-libipsec kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp
> Listening IP addresses:
>   172.16.0.101
> Connections:
>     vpc1tovpc2:  xx.xx.xx.xxx...xx.xx.xx.xxx  IKEv2
>     vpc1tovpc2:   local:  [qa] uses pre-shared key authentication
>     vpc1tovpc2:   remote: [wellsfargo] uses pre-shared key authentication
>     vpc1tovpc2:   child:  172.16.0.0/24 === 170.44.98.128/27 TUNNEL
> Security Associations (0 up, 0 connecting):
>   none
>
>
> When starting the connection between the strongswan servers (strongswan up vpc1tovpc2), I'm getting the errors below:
>
> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
> sending packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (992 bytes)
> retransmit 1 of request with message ID 0
> sending packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (992 bytes)
> retransmit 2 of request with message ID 0
> sending packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (992 bytes)
> retransmit 3 of request with message ID 0
> sending packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (992 bytes)
> retransmit 4 of request with message ID 0
> sending packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (992 bytes)
> retransmit 5 of request with message ID 0
> sending packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (992 bytes)
> giving up after 5 retransmits
> establishing IKE_SA failed, peer not responding
> establishing connection 'vpc1tovpc2' failed
>
> I appreciate your response. Thanks!
>
> Oliver
>
>

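The check Noel describes (left= must be an address actually installed on a local interface, which on EC2 is the VPC-private address and never the public/elastic IP) as an added example, not code from the thread or from the strongSwan project: it parses ipsec.conf conn sections and compares each literal left= against the addresses reported by `ip -4 -o addr`. The ipsec.conf and the `ip` output below are constructed samples with placeholder addresses; on a real instance you would feed it the actual file and command output.

```python
import re
# Constructed ipsec.conf modelled on the thread's (placeholder addresses, not
# the poster's masked values).
SAMPLE_IPSEC_CONF = """\
config setup
        # uniqueids = no
conn %default
        keyexchange=ikev2
conn vpc1tovpc2
        left=203.0.113.10
        leftsubnet=170.44.98.128/27
        leftid=@vpc1
        right=198.51.100.20
        rightsubnet=172.16.0.0/24
        rightid=@vpc2
        auto=start
"""
# Constructed `ip -4 -o addr` output: only the VPC-private address is installed;
# an AWS public/elastic IP is NATed and never appears on an interface.
SAMPLE_IP_ADDR = "2: eth0    inet 172.16.0.101/24 brd 172.16.0.255 scope global eth0\n"

def parse_conns(conf_text):
    """Return {conn_name: {key: value}} for each 'conn' section except %default."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].rstrip()      # strip comments; skip blanks
        if not line.strip():
            continue
        if not line[0].isspace():                  # top level: 'conn X' or 'config setup'
            m = re.match(r'^conn\s+(\S+)$', line)
            current = conns.setdefault(m.group(1), {}) if m and m.group(1) != '%default' else None
        elif current is not None and '=' in line:
            key, _, value = line.strip().partition('=')
            current[key.strip()] = value.strip()
    return conns

def local_addresses(ip_addr_output):
    """IPv4 addresses installed on local interfaces, from `ip -4 -o addr` output."""
    return set(re.findall(r'\binet (\d+\.\d+\.\d+\.\d+)/', ip_addr_output))

def check_left(conf_text, ip_addr_output):
    """conn name -> left= value, for conns whose left is a literal IPv4 not installed locally."""
    local, problems = local_addresses(ip_addr_output), {}
    for name, opts in parse_conns(conf_text).items():
        left = opts.get('left', '%any')
        # %any/%defaultroute and hostnames are resolved by charon at runtime; check literals only
        if re.fullmatch(r'\d+\.\d+\.\d+\.\d+', left) and left not in local:
            problems[name] = left
    return problems
```

A non-empty result means charon cannot source IKE_SA_INIT from that address; setting left to the private interface address (or %defaultroute) and letting AWS NAT to the public IP, with UDP 500/4500 open in the security group, is the fix the reply points at.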