[strongSwan] Ikev2 rekeying failure on EC2 site2site tunnel
Isaac Hollander
isaac.hollander at selerityinc.com
Wed Sep 7 00:20:32 CEST 2016
Hi, all,

I've set up a site-to-site tunnel with StrongSwan 5.1.2 between two Ubuntu 14.04 (Trusty) instances running on AWS EC2. This tunnel will connect VPCs in two AWS regions. Ultimately, I plan to run two tunnels with hot/cold automatic failover.

I followed the example in the ikev2/net2net-psk test at https://www.strongswan.org/testresults.html.

The issue is that the IKE reauth fails, and charon decides to tear the whole thing down.

Syslog snippet cleaned of IP address information. The tunnel is named strongswan1.
Sep 6 17:12:17 ec2vsswp01 charon: 04[IKE] reauthenticating IKE_SA strongswan1[1]
Sep 6 17:12:17 ec2vsswp01 charon: 04[IKE] queueing IKE_REAUTH task
Sep 6 17:12:17 ec2vsswp01 charon: 04[IKE] activating new tasks
Sep 6 17:12:17 ec2vsswp01 charon: 04[IKE] activating IKE_REAUTH task
Sep 6 17:12:17 ec2vsswp01 charon: 04[IKE] deleting IKE_SA strongswan1[1] between [ omitted ]
Sep 6 17:12:17 ec2vsswp01 charon: 04[IKE] IKE_SA strongswan1[1] state change: ESTABLISHED => DELETING
Sep 6 17:12:17 ec2vsswp01 charon: 04[IKE] sending DELETE for IKE_SA strongswan1[1]
Sep 6 17:12:17 ec2vsswp01 charon: 04[ENC] generating INFORMATIONAL request 2 [ D ]
Sep 6 17:12:17 ec2vsswp01 charon: 04[NET] sending packet: from [ omitted ] to [ omitted ] (76 bytes)
Sep 6 17:12:17 ec2vsswp01 charon: 03[NET] sending packet: from [ omitted ] to [ omitted ]
Sep 6 17:12:17 ec2vsswp01 charon: 02[NET] received packet: from [ omitted ] to [ omitted ]
Sep 6 17:12:17 ec2vsswp01 charon: 02[NET] waiting for data on sockets
Sep 6 17:12:17 ec2vsswp01 charon: 09[NET] received packet: from [ omitted ] to [ omitted ] (76 bytes)
Sep 6 17:12:17 ec2vsswp01 charon: 09[ENC] parsed INFORMATIONAL response 2 [ ]
Sep 6 17:12:17 ec2vsswp01 charon: 09[IKE] IKE_SA deleted
Sep 6 17:12:17 ec2vsswp01 charon: 09[IKE] unable to reauthenticate IKE_SA, no CHILD_SA to recreate
Sep 6 17:12:17 ec2vsswp01 charon: 09[IKE] reauthenticating IKE_SA failed
Sep 6 17:12:17 ec2vsswp01 charon: 09[IKE] IKE_SA strongswan1[1] state change: DELETING => DESTROYING
On each side (A and B), I have /etc/ipsec.conf as:

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    authby=secret
    mobike=no
    ike=aes256-sha512-modp4096!
    esp=aes256-sha512-modp4096!

conn strongswan1
    # ip configuration information omitted; the tunnel establishes fine and fails on ike rekey
    auto=start
    type=tunnel
I've increased logging levels in the charondebug line, but perhaps I've missed something simple? Any ideas or pointers would be greatly appreciated.

Thanks!
Isaac
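Added example (not part of the post above, and not strongSwan's own tooling): a small Python parser for charon syslog lines of the kind quoted in the message, which tracks IKE_SA state transitions and flags a reauthentication that ended with the SA destroyed and no CHILD_SA recreated. The sample log embedded below is reconstructed from the lines in the post, with the author's "[ omitted ]" redactions kept as they are; the line layout assumed is "<timestamp> <host> charon: <thread>[<group>] <message>", which is what the quoted output shows.

```python
import re
from collections import defaultdict

# Charon syslog line layout as seen in the post above (assumption: this layout).
CHARON_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) charon: "
    r"(?P<thread>\d+)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$"
)
# IKE_SA name always carries a unique id in brackets, e.g. "strongswan1[1]".
STATE_RE = re.compile(r"IKE_SA (?P<sa>\S+\[\d+\]) state change: (?P<old>\w+) => (?P<new>\w+)")
REAUTH_START_RE = re.compile(r"^reauthenticating IKE_SA (?P<sa>\S+\[\d+\])$")
REAUTH_REASON_RE = re.compile(r"^unable to reauthenticate IKE_SA, (?P<reason>.+)$")
REAUTH_FAILED = "reauthenticating IKE_SA failed"

# Constructed sample: the log lines quoted in the post, rejoined onto single lines.
SAMPLE_LOG = """\
Sep 6 17:12:17 ec2vsswp01 charon: 04[IKE] reauthenticating IKE_SA strongswan1[1]
Sep 6 17:12:17 ec2vsswp01 charon: 04[IKE] queueing IKE_REAUTH task
Sep 6 17:12:17 ec2vsswp01 charon: 04[IKE] activating IKE_REAUTH task
Sep 6 17:12:17 ec2vsswp01 charon: 04[IKE] deleting IKE_SA strongswan1[1] between [ omitted ]
Sep 6 17:12:17 ec2vsswp01 charon: 04[IKE] IKE_SA strongswan1[1] state change: ESTABLISHED => DELETING
Sep 6 17:12:17 ec2vsswp01 charon: 04[NET] sending packet: from [ omitted ] to [ omitted ] (76 bytes)
Sep 6 17:12:17 ec2vsswp01 charon: 09[ENC] parsed INFORMATIONAL response 2 [ ]
Sep 6 17:12:17 ec2vsswp01 charon: 09[IKE] IKE_SA deleted
Sep 6 17:12:17 ec2vsswp01 charon: 09[IKE] unable to reauthenticate IKE_SA, no CHILD_SA to recreate
Sep 6 17:12:17 ec2vsswp01 charon: 09[IKE] reauthenticating IKE_SA failed
Sep 6 17:12:17 ec2vsswp01 charon: 09[IKE] IKE_SA strongswan1[1] state change: DELETING => DESTROYING
"""


def parse_line(line):
    """Split one charon syslog line into its fields, or return None if it is not one."""
    m = CHARON_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines):
    """Return (state history per IKE_SA, list of failed reauthentication events).

    A failure event is recorded when a 'reauthenticating IKE_SA <name>' line is
    followed by 'reauthenticating IKE_SA failed'; the 'unable to reauthenticate'
    line in between, if present, supplies the reason charon gave.
    """
    history = defaultdict(list)
    failures = []
    pending = None  # SA currently being reauthenticated, with its start timestamp
    reason = None
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg = rec["msg"]
        m = STATE_RE.search(msg)
        if m:
            history[m.group("sa")].append((m.group("old"), m.group("new")))
        m = REAUTH_START_RE.match(msg)
        if m:
            pending, reason = {"sa": m.group("sa"), "started": rec["ts"]}, None
            continue
        m = REAUTH_REASON_RE.match(msg)
        if m:
            reason = m.group("reason")
            continue
        if msg == REAUTH_FAILED and pending is not None:
            failures.append({**pending, "failed_at": rec["ts"], "reason": reason})
            pending, reason = None, None
    return history, failures


def destroyed_sas(history):
    """Names of IKE_SAs whose last recorded state is DESTROYING (tunnel torn down)."""
    return sorted(sa for sa, steps in history.items() if steps and steps[-1][1] == "DESTROYING")


if __name__ == "__main__":
    hist, fails = analyse(SAMPLE_LOG.splitlines())
    for sa, steps in hist.items():
        print(sa, " -> ".join(f"{old}=>{new}" for old, new in steps))
    for f in fails:
        print(f"reauth of {f['sa']} failed at {f['failed_at']}: {f['reason']}")
    print("destroyed:", destroyed_sas(hist))
```

Running it over the sample prints the single transition chain ESTABLISHED=>DELETING, DELETING=>DESTROYING for strongswan1[1] and one failure with the reason "no CHILD_SA to recreate". Pointed at a live /var/log/syslog the same function gives a quick way to confirm whether a tunnel outage coincides with a reauth attempt rather than, say, a dead-peer detection timeout.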