Issue #432

Updated by Tobias Brunner almost 12 years ago

Hello all,

I've been struggling with this for a week now and I cannot resolve this issue. Imho it is worth looking at because of the non-standard setup.

THE TASK:
Create a VPN tunnel between Amazon EC2 instance and 3rd party company (Cisco router)

DIFFERENCES:
The Amazon instance is not a VPN gateway; it is a peer and destination host. In short: packets are not forwarded to other hosts.

PARAMETERS:
IKE Parameters (Phase 1)
- IKE protocol IKE2
- IKE Encryption 3DES
- Authentication Method MD5
- Diffie-Hellman Group 2
- Security Association Lifetime (sec) 28800
- Pre-share Key "key"

IPSec Parameters (Phase 2)
- IPSec Encryption 3DES
- Authentication Method MD5
- Diffie-Hellman Group N/A
- Security Association Lifetime (sec) 3600

VPN Device Cisco 2800
Encryption Domain/Access Needed
Subnet Protocol
10.xxx.yyy.123/32 tcp/9999
10.xxx.yyy.456/32 tcp/9999
10.xxx.yyy.789/32 tcp/9999

I have no access to the Cisco router and unfortunately have no logs from that side. I have a similar WORKING connection, but using IKE1. I'm using strongSwan 5.1.0. The 3rd party company also has more than 20 active tunnels and no errors when creating a new one, except in my case.

My config (experimental):
<pre>
config setup

conn %default
    auto=start

conn VPN
    type=tunnel
    ike=3des-md5-modp1024
    ikelifetime=28800s
    keyexchange=ikev2
    esp=3des-md5
    lifetime=3600s
    left=<amazon private IP>
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    leftid=<amazon elastic IP>
    leftauth=psk
    right=<3rd party peer IP>
    rightfirewall=yes
    rightsubnet=10.xxx.yyy.123/32,10.xxx.yyy.456/32,10.xxx.yyy.789/32
    rightprotoport=tcp/9999
    rightauth=psk
</pre>


My ipsec.secrets:
<pre>
<amazon elastic IP> : PSK "psk_key"
<3rd party peer IP> : PSK "psk_key"
</pre>

The problem is that this tunnel won't come up:

<pre>
charon: 03[IKE] initiating IKE_SA VPN to <3rd party peer IP>
charon: 03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
charon: 03[NET] sending packet: from <amazon private IP>[500] to <3rd party peer ip>[500] (536 bytes)
charon: 02[IKE] retransmit 1 of request with message ID 0
charon: 02[NET] sending packet: from <amazon private IP>[500] to <3rd party peer ip>[500] (536 bytes)
charon: 01[IKE] retransmit 2 of request with message ID 0
charon: 01[NET] sending packet: from <amazon private IP>[500] to <3rd party peer ip>[500] (536 bytes)
charon: 05[IKE] retransmit 3 of request with message ID 0
charon: 05[NET] sending packet: from <amazon private IP>[500] to <3rd party peer ip>[500] (536 bytes)
charon: 12[IKE] retransmit 4 of request with message ID 0
charon: 12[NET] sending packet: from <amazon private IP>[500] to <3rd party peer ip>[500] (536 bytes)
charon: 11[IKE] retransmit 5 of request with message ID 0
charon: 11[NET] sending packet: from <amazon private IP>[500] to <3rd party peer ip>[500] (536 bytes)
charon: 14[IKE] giving up after 5 retransmits
charon: 14[IKE] establishing IKE_SA failed, peer not responding
</pre>

The FWs are correctly configured.

Any suggestions highly appreciated!
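The retransmit sequence in the report above is the classic "initiator never hears back" signature. As an added example that is not part of the original report or of strongSwan, the following Python script folds charon log lines of the kind posted into a small record and separates two cases that look alike at first glance: an IKE_SA_INIT request that gets no answer at all (what the posted log shows), and a peer that does answer but rejects the proposal with NO_PROPOSAL_CHOSEN. Both log samples are constructed (the first is modelled on the posted lines with the same placeholders, the second on the notify error charon logs for a rejected proposal); the regexes, the verdict keys and the hint text are assumptions of this example, not a specification of strongSwan's output.

```python
"""Triage charon (strongSwan) log output for an IKE_SA that fails to come up.

Added example for this issue page; the samples are constructed, not project code.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample 1: modelled on the posted log, the request is never answered.
LOG_NO_REPLY = """\
charon: 03[IKE] initiating IKE_SA VPN to <3rd party peer IP>
charon: 03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
charon: 03[NET] sending packet: from <amazon private IP>[500] to <3rd party peer ip>[500] (536 bytes)
charon: 02[IKE] retransmit 1 of request with message ID 0
charon: 02[NET] sending packet: from <amazon private IP>[500] to <3rd party peer ip>[500] (536 bytes)
charon: 01[IKE] retransmit 2 of request with message ID 0
charon: 01[NET] sending packet: from <amazon private IP>[500] to <3rd party peer ip>[500] (536 bytes)
charon: 05[IKE] retransmit 3 of request with message ID 0
charon: 05[NET] sending packet: from <amazon private IP>[500] to <3rd party peer ip>[500] (536 bytes)
charon: 12[IKE] retransmit 4 of request with message ID 0
charon: 12[NET] sending packet: from <amazon private IP>[500] to <3rd party peer ip>[500] (536 bytes)
charon: 11[IKE] retransmit 5 of request with message ID 0
charon: 11[NET] sending packet: from <amazon private IP>[500] to <3rd party peer ip>[500] (536 bytes)
charon: 14[IKE] giving up after 5 retransmits
charon: 14[IKE] establishing IKE_SA failed, peer not responding
"""

# Constructed sample 2: the peer answers, but rejects the IKE proposal.
LOG_NO_PROPOSAL = """\
charon: 06[IKE] initiating IKE_SA VPN to <3rd party peer IP>
charon: 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
charon: 06[NET] sending packet: from <amazon private IP>[500] to <3rd party peer ip>[500] (536 bytes)
charon: 07[NET] received packet: from <3rd party peer ip>[500] to <amazon private IP>[500] (36 bytes)
charon: 07[ENC] parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
charon: 07[IKE] received NO_PROPOSAL_CHOSEN notify error
"""

# Line patterns (assumed here; they match the message shapes seen in the samples).
RE_INIT = re.compile(r"\[IKE\] initiating IKE_SA (\S+) to (.+)$")
RE_GEN = re.compile(r"\[ENC\] generating (\S+) request (\d+)")
RE_SEND = re.compile(r"\[NET\] sending packet: from .+?\[(\d+)\] to .+?\[(\d+)\]")
RE_RECV = re.compile(r"\[NET\] received packet:")
RE_RETRANS = re.compile(r"\[IKE\] retransmit (\d+) of request with message ID (\d+)")
RE_GIVEUP = re.compile(r"\[IKE\] giving up after (\d+) retransmits")
RE_NOTIFY = re.compile(r"\[IKE\] received (\S+) notify error")


@dataclass
class IkeAttempt:
    conn: str = ""
    peer: str = ""
    exchange: str = ""
    message_id: Optional[int] = None
    packets_sent: int = 0
    packets_received: int = 0
    retransmits: int = 0
    gave_up: bool = False
    notifies: List[str] = field(default_factory=list)


def parse_charon_log(text: str) -> IkeAttempt:
    """Fold the charon lines of one IKE_SA attempt into an IkeAttempt record."""
    a = IkeAttempt()
    for line in text.splitlines():
        if m := RE_INIT.search(line):
            a.conn, a.peer = m.group(1), m.group(2).strip()
        elif m := RE_GEN.search(line):
            a.exchange, a.message_id = m.group(1), int(m.group(2))
        elif RE_SEND.search(line):
            a.packets_sent += 1
        elif RE_RECV.search(line):
            a.packets_received += 1
        elif m := RE_RETRANS.search(line):
            a.retransmits = max(a.retransmits, int(m.group(1)))
        elif RE_GIVEUP.search(line):
            a.gave_up = True
        elif m := RE_NOTIFY.search(line):
            a.notifies.append(m.group(1))
    return a


def classify(a: IkeAttempt) -> str:
    """Verdict key: did the peer answer at all, and if so, did it reject us?"""
    if "NO_PROPOSAL_CHOSEN" in a.notifies:
        return "proposal_mismatch"
    if a.gave_up and a.packets_received == 0:
        return "no_reply"
    return "replied" if a.packets_received else "unknown"


# Hint text is this example's own wording, not strongSwan documentation.
HINTS: Dict[str, str] = {
    "no_reply": ("no IKE_SA_INIT response at all: a responder that merely rejected the "
                 "proposal would normally answer with NO_PROPOSAL_CHOSEN (RFC 7296), so "
                 "check that UDP/500 and UDP/4500 reach the peer from the public address, "
                 "and that the peer uses that public address, not the private one, as peer"),
    "proposal_mismatch": "peer reachable; align ike=/esp= with the peer's Phase 1/2 sheet",
    "replied": "peer reachable and negotiating; look at later IKE_AUTH lines",
    "unknown": "no terminal line seen; capture more log",
}


def triage(text: str) -> Dict[str, str]:
    """Parse, classify, and attach the matching hint for a quick report."""
    a = parse_charon_log(text)
    verdict = classify(a)
    return {"conn": a.conn, "exchange": a.exchange, "verdict": verdict,
            "sent": str(a.packets_sent), "received": str(a.packets_received),
            "hint": HINTS[verdict]}


if __name__ == "__main__":
    for sample in (LOG_NO_REPLY, LOG_NO_PROPOSAL):
        print(triage(sample))
```

Run as a script it prints one report per sample; on a live system the same parser can be fed the output of `ipsec up VPN` or the charon lines from syslog. The point of separating the two verdicts is that they call for different checks: with "no_reply" there is nothing to tune in the proposal yet, because the request never produced any IKEv2 answer.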
