[strongSwan] establishing IKE_SA failed, peer not responding

Miroslav Svoboda goodmirek at goodmirek.cz
Thu Apr 30 07:58:31 CEST 2015


Hello,

I have the same setup working in AWS VPC.
Do you interconnect your VPCs via VPC peering connections or via their 
public IPs?
Do you allow inbound connections in security groups of both VPN nodes?
You need:
UDP/500, UDP/4500, IP protocol 50 (ESP)

As a first thing, I would try to send packets from node vpc1 to node vpc2 
(UDP port 500) and vice versa and see whether they arrive.
vpc1 # nmap -sU -p500 -Pn vpc2
vpc2 # sudo tcpdump udp port 500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
05:52:31.153768 IP vpc1.38874 > vpc2.isakmp: isakmp: phase 1 I ident

If you use public IPs then UDP/4500 has to be opened as well, for NAT 
traversal. I prefer to use VPC Peering Connections.

BR,
Miroslav
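Added example, not code from any poster in this thread: two offline checks that encode the advice given here, written as POSIX shell functions. `missing_sg_rules` reports which of the three required inbound rules (UDP/500, UDP/4500, IP protocol 50) are absent from a list of security-group ingress rules, covering the checklist above; `check_left_is_local` tests the point Noel Kuntze makes in the quoted reply below, that charon can only send from an address that is installed on a local interface. The function names, the rule-line format and the sample inputs are constructed for this example, and the `aws ec2 describe-security-groups` query shown in the comments is an assumption about how to produce that format from the real CLI.

```shell
#!/bin/sh
# Added example, not from the thread. Offline checks for the two causes of
# "peer not responding" discussed in this thread. All sample data is constructed.

# Required inbound rules on BOTH VPN nodes' security groups:
#   udp 500   IKE
#   udp 4500  IKE over NAT traversal (needed when peering via public IPs)
#   50 -      ESP (IP protocol 50, no port)
# stdin: one rule per line, "<protocol> <from-port>", where a port-less protocol
# rule uses "-" (or "None", as the AWS CLI prints it). Assumed way to produce it:
#   aws ec2 describe-security-groups --group-ids sg-EXAMPLE \
#     --query 'SecurityGroups[].IpPermissions[].[IpProtocol,FromPort]' --output text
# stdout: the missing rules, one per line; empty output means nothing is missing.
missing_sg_rules() {
    rules=$(tr '\t' ' ' | sed 's/ None$/ -/')
    # An allow-all rule (IpProtocol -1) covers everything.
    if printf '%s\n' "$rules" | grep -qx -- '-1 -'; then
        return 0
    fi
    for want in 'udp 500' 'udp 4500' '50 -'; do
        printf '%s\n' "$rules" | grep -qx -- "$want" || printf '%s\n' "$want"
    done
}

# charon can only send from an address installed on a local interface. On an EC2
# instance the public (Elastic) IP is NATed and is not on any interface, so
# left= must be the private address (or be left out / set to %defaultroute).
# $1: the left= value; stdin: local IPv4 addresses, one per line, e.g. from
#   ip -4 -o addr show | awk '{print $4}' | cut -d/ -f1
# prints ok | not-local | wildcard; exit status 1 only for not-local.
check_left_is_local() {
    left=$1
    case "$left" in
        ''|%any|%defaultroute) echo wildcard; return 0 ;;
    esac
    if grep -qx -- "$left"; then
        echo ok
    else
        echo not-local
        return 1
    fi
}

# Constructed sample: a security group that only opened SSH and IKE, and a node
# whose ipsec.conf uses its public IP (203.0.113.7, documentation range) as left=.
SAMPLE_RULES='tcp 22
udp 500'
SAMPLE_LOCAL_ADDRS='127.0.0.1
172.16.0.101'

echo "missing security-group rules:"
printf '%s\n' "$SAMPLE_RULES" | missing_sg_rules
echo "left=172.16.0.101: $(printf '%s\n' "$SAMPLE_LOCAL_ADDRS" | check_left_is_local 172.16.0.101)"
echo "left=203.0.113.7:  $(printf '%s\n' "$SAMPLE_LOCAL_ADDRS" | check_left_is_local 203.0.113.7 || :)"
```

Run it on a real node by piping the live CLI output into the two functions instead of the constructed samples; an empty result from `missing_sg_rules` on both nodes and `ok` from `check_left_is_local` rules out the two causes discussed in this thread before you reach for nmap and tcpdump.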

On Thursday, April 30, 2015 at 12:57:08 AM UTC+2, Noel Kuntze wrote:
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello Oliver,
>
> As you censored the local IP, I cannot tell if you do this, but
> you can only send packets from IPs, which you have locally
> installed on an interface. So do not put your public IP in there,
> unless you have it on a local interface.
>
> Make sure your firewall rules (and those of the instance) allow UDP
> port 500 and 4500 and double check your IPs.
>
> Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> On 29.04.2015 at 11:51, Oliver Asuncion Rojo wrote:
> > Hi,
> >
> > I would like to ask your help regarding my issue with strongswan. I am 
> > planning to set up a site-to-site vpn between 2 Amazon VPCs using 
> > strongswan-5.3.0 on CentOS 7.0. I can ping end-to-end IP addresses and I 
> > didn't enable a firewall between the two servers. Both have the same 
> > ipsec.secrets file.
> >
> > === My ipsec.conf file =====
> >
> > config setup
> >         # strictcrlpolicy=yes
> >         # uniqueids = no
> >
> > conn %default
> >         ikelifetime=60m
> >         keylife=20m
> >         rekeymargin=3m
> >         keyingtries=1
> >         authby=secret
> >         ike=3des,sha1,modp1024
> >         keyexchange=ikev2
> >         mobike=no
> >
> > conn vpc1tovpc2
> >         left=xx.xx.xxx.xx
> >         leftsubnet=170.44.98.128/27
> >         leftid=@vpc1
> >         leftfirewall=yes
> >         right=xx.xx.xx.xxx
> >         rightsubnet=172.16.0.0/24
> >         rightid=@vpc2
> >         auto=start
> >
> > My statusall results:
> > Status of IKE charon daemon (strongSwan 5.3.0, Linux 
> 3.10.0-229.1.2.el7.x86_64, x86_64):
> >   uptime: 71 minutes, since Apr 29 08:38:53 2015
> >   malloc: sbrk 2568192, mmap 0, used 484832, free 2083360
> >   worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, 
> scheduled: 0
> >   loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 
> revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey 
> sshkey pem openssl fips-prf gmp xcbc cmac hmac curl sqlite attr 
> kernel-libipsec kernel-netlink resolve socket-default farp stroke vici 
> updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls 
> eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth 
> tnc-imc tnc-imv tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp
> > Listening IP addresses:
> >   172.16.0.101
> > Connections:
> >     vpc1tovpc2:  xx.xx.xx.xxx...xx.xx.xx.xxx  IKEv2
> >     vpc1tovpc2:   local:  [qa] uses pre-shared key authentication
> >     vpc1tovpc2:   remote: [wellsfargo] uses pre-shared key authentication
> >     vpc1tovpc2:   child:  172.16.0.0/24 === 170.44.98.128/27 TUNNEL
> > Security Associations (0 up, 0 connecting):
> >   none
> >
> >
> > When starting the connection between the strongswan servers (strongswan up 
> > vpc1tovpc2), I'm getting the errors below:
> >
> > generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) 
> N(HASH_ALG) ]
> > sending packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (992 bytes)
> > retransmit 1 of request with message ID 0
> > sending packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (992 bytes)
> > retransmit 2 of request with message ID 0
> > sending packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (992 bytes)
> > retransmit 3 of request with message ID 0
> > sending packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (992 bytes)
> > retransmit 4 of request with message ID 0
> > sending packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (992 bytes)
> > retransmit 5 of request with message ID 0
> > sending packet: from xxx.xx.xx.xx[500] to xxx.xx.xx.xx[500] (992 bytes)
> > giving up after 5 retransmits
> > establishing IKE_SA failed, peer not responding
> > establishing connection 'vpc1tovpc2' failed
> >
> > I appreciate your response. Thanks!
> >
> > Oliver
> >
> >
> > _______________________________________________
> > Users mailing list
> > Users at lists.strongswan.org
> > https://lists.strongswan.org/mailman/listinfo/users
>