greetings all,
Could someone give me a hint on what could be the issue here?
on both logs, A.A.A.A is the public IP of AWS VPN
On Ubiquiti Dream Machine, logs go in a loop with this:
2024-01-16T18:37:32-05:00 Dream-Machine charon[5739]: 16[IKE] initiating IKE_SA 65a7104beedfdb7f7046dfad[1093] to A.A.A.A
2024-01-16T18:37:32-05:00 Dream-Machine charon[5739]: 16[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2024-01-16T18:37:32-05:00 Dream-Machine charon[5739]: 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
2024-01-16T18:37:32-05:00 Dream-Machine ubios-udapi-server[4413]: ipsec: IPsec tunnel (site-to-site) 65a7104beedfdb7f7046dfad IKE SA trying to wake up
2024-01-16T18:37:32-05:00 Dream-Machine charon[5739]: 14[IKE] establishing CHILD_SA 65a7104beedfdb7f7046dfad{860}
2024-01-16T18:37:32-05:00 Dream-Machine charon[5739]: 14[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
2024-01-16T18:37:32-05:00 Dream-Machine charon[5739]: 06[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
On AWS end I have the following logs:
2024-01-16T18:38:49.000-05:00
{"event_timestamp":1705448329,"details":"received packet: from cgw-0ab1734978a22649f [UDP 4500] to A.A.A.A [UDP 4500] (368 bytes)","dpd_enabled":true,"nat_t_detected":true,"ike_phase1_state":"negotiating","ike_phase2_state":"down"}
Link
2024-01-16T18:38:49.000-05:00
{"event_timestamp":1705448329,"details":"AWS tunnel processed request (id=1) for IKE_AUTH exchange","dpd_enabled":true,"nat_t_detected":true,"ike_phase1_state":"negotiating","ike_phase2_state":"down"}
Link
2024-01-16T18:38:49.000-05:00
{"event_timestamp":1705448329,"details":"AWS tunnel is searching for matching peer configurations between A.A.A.A and cgw-0ab1734978a22649f","dpd_enabled":true,"nat_t_detected":true,"ike_phase1_state":"negotiating","ike_phase2_state":"down"}
Link
2024-01-16T18:38:49.000-05:00
{"event_timestamp":1705448329,"details":"AWS tunnel is sending response (id=1) for IKE_AUTH exchange","dpd_enabled":true,"nat_t_detected":true,"ike_phase1_state":"negotiating","ike_phase2_state":"down"}
Link
2024-01-16T18:38:49.000-05:00
{"event_timestamp":1705448329,"details":"sending packet: from A.A.A.A [UDP 4500] to cgw-0ab1734978a22649f [UDP 4500] (80 bytes)","dpd_enabled":true,"nat_t_detected":true,"ike_phase1_state":"negotiating","ike_phase2_state":"down"}
Link
2024-01-16T18:38:54.000-05:00
{"event_timestamp":1705448334,"details":"received packet: from cgw-0ab1734978a22649f [UDP 500] to A.A.A.A [UDP 500] (464 bytes)","dpd_enabled":true,"nat_t_detected":true,"ike_phase1_state":"negotiating","ike_phase2_state":"down"}
Link
2024-01-16T18:38:54.000-05:00
{"event_timestamp":1705448334,"details":"AWS tunnel processed request (id=0) for IKE_SA_INIT exchange","dpd_enabled":true,"nat_t_detected":true,"ike_phase1_state":"negotiating","ike_phase2_state":"down"}
Link
2024-01-16T18:38:54.000-05:00
{"event_timestamp":1705448334,"details":"AWS tunnel detected cgw-0ab1734978a22649f as the IKE_SA initiator","dpd_enabled":true,"nat_t_detected":true,"ike_phase1_state":"negotiating","ike_phase2_state":"down"}
Link
To answer some questions:
- I am not NATing. My GPON Modem is directly connected to my DM which has the public IP.
- When a VPN is created on DM, firewall rules are automatically setup
- Same pre shared key on both end
- DM is using IKEv2, AES256, SHA(2-)256, DH Group 14 (tried other without success).
Any hint appreciated.
AWS OFFICIALUpdated 10 months ago
Did you get this to work in the end?