Hello,
I created an AWS Site-to-Site VPN connection between my local network and my AWS VPC, installed the libreswan package, and after starting the ipsec service it can't connect to tunnel 1. What could be the problem?
OS: Ubuntu 18.04.6 LTS, libreswan 3.29 package
Output:
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: DH algorithms:
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh2
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: 1 CPU cores online
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: starting up 1 crypto helpers
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: started thread for crypto helper 0
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: Using Linux XFRM/NETKEY IPsec interface code on 4.15.0-197-generic
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: selinux support is NOT enabled.
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: watchdog: sending probes every 100 secs
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: seccomp security not supported
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: seccomp security for crypto helper not supported
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: added connection description "Tunnel1"
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: listening for IKE messages
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: Kernel supports NIC esp-hw-offload
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: adding interface ens160/ens160 (esp-hw-offload=no) 192.168.55.18:500
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: adding interface ens160/ens160 192.168.50.18:4500
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: Kernel supports NIC esp-hw-offload
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: adding interface lo/lo (esp-hw-offload=no) 127.0.0.1:500
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: adding interface lo/lo 127.0.0.1:4500
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: Kernel supports NIC esp-hw-offload
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: adding interface lo/lo (esp-hw-offload=no) ::1:500
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: loading secrets from "/etc/ipsec.secrets"
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: loading secrets from "/etc/ipsec.d/aws.secrets"
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: initiating v2 parent SA
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: "Tunnel1": constructed local IKE proposals for Tunnel1 (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_CBC_128;PRF=HMAC
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: STATE_PARENT_I1: retransmission; will wait 0.5 seconds for response
Nov 25 07:55:23 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: STATE_PARENT_I1: retransmission; will wait 1 seconds for response
Nov 25 07:55:24 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: STATE_PARENT_I1: retransmission; will wait 2 seconds for response
Nov 25 07:55:26 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: STATE_PARENT_I1: retransmission; will wait 4 seconds for response
Nov 25 07:55:30 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: STATE_PARENT_I1: retransmission; will wait 8 seconds for response
Nov 25 07:55:38 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: STATE_PARENT_I1: retransmission; will wait 16 seconds for response
Thanks in advance.
Checking the IP address and pre-shared key is a matter of looking in your configuration files. If you are doing NAT in between your VPN termination point and AWS then I'd also look at the logs there. Note that forwarding UDP 500 and 4500 isn't enough - you also need to forward IP protocol 50 (ESP) and maybe 51 (AH). These are not TCP or UDP ports, they are IP protocols.
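An added example, not code from the question or the answer, that applies the answer's checks to the pluto output above: it parses the log for connections that keep retransmitting IKE_SA_INIT without ever reaching a later state, and flags a private local IKE address as a sign that a NAT sits between the host and AWS. The sample lines are a constructed excerpt of the question's log, and treating STATE_PARENT_I2 as "the peer replied" is an assumption based on libreswan's state names.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a condensed copy of the pluto lines from the question.
SAMPLE_LOG = """\
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: adding interface ens160/ens160 (esp-hw-offload=no) 192.168.55.18:500
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: adding interface lo/lo (esp-hw-offload=no) 127.0.0.1:500
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: initiating v2 parent SA
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: STATE_PARENT_I1: retransmission; will wait 0.5 seconds for response
Nov 25 07:55:23 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: STATE_PARENT_I1: retransmission; will wait 1 seconds for response
Nov 25 07:55:24 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: STATE_PARENT_I1: retransmission; will wait 2 seconds for response
"""

IFACE_RE = re.compile(r"adding interface \S+ (?:\(esp-hw-offload=\w+\) )?(\S+):500$")
CONN_RE = re.compile(r'"([^"]+)" #\d+: (.*)$')

def analyse(log_text, min_retransmits=3):
    """Return (stuck, natted): connections that never left STATE_PARENT_I1
    after >= min_retransmits retries, and non-loopback local IKE addresses
    that are RFC 1918 (meaning a NAT is in the path to AWS)."""
    retrans, answered, natted = defaultdict(int), set(), []
    for line in log_text.splitlines():
        m = IFACE_RE.search(line)
        if m:
            addr = ipaddress.ip_address(m.group(1))
            if addr.is_private and not addr.is_loopback:
                natted.append(str(addr))
            continue
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, msg = m.groups()
        if "STATE_PARENT_I1: retransmission" in msg:
            retrans[conn] += 1
        elif "STATE_PARENT_I2" in msg or "established" in msg:
            answered.add(conn)  # assumed marker: the peer answered IKE_SA_INIT
    stuck = {c: n for c, n in retrans.items() if n >= min_retransmits and c not in answered}
    return stuck, natted

def explain(stuck, natted):
    """Map the findings to the checks the answer describes."""
    out = [f"{c}: IKE_SA_INIT retransmitted {n}x with no reply on UDP 500; the PSK is "
           "not used until IKE_AUTH, so verify the AWS endpoint IP and reachability first."
           for c, n in stuck.items()]
    out += [f"local IKE address {a} is private: a NAT is in the path, so confirm it forwards "
            "UDP 500/4500 and IP protocol 50 (ESP) / 51 (AH) as the answer states." for a in natted]
    return out

if __name__ == "__main__":
    print("\n".join(explain(*analyse(SAMPLE_LOG))))
```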