[Swan] Host-to-Host Transport Mode
Tsveitel, Dmitri
Dtsveitel at smartronix.com
Fri Mar 27 05:24:31 EET 2015
Hi,
I hope someone can help me with a problem I am having setting up IPsec transport mode between two CentOS 7 hosts. I have two hosts on the same subnet. Both are using the same ipsec.conf:
config setup
    protostack=netkey
    dumpdir=/var/run/pluto/
    nat_traversal=yes

conn %default
    auto=start
    type=transport
    forceencaps=yes
    authby=secret
    ike=aes256-sha2;dh23
    phase2=esp
    phase2alg=aes256-sha2;dh23
    ikev2=insist
    failureshunt=drop
    ikelifetime=24h
    salifetime=12h
    rekey=yes
    rekeyfuzz=20%
    dpddelay=120
    dpdtimeout=120
    dpdaction=restart

include /etc/ipsec.d/*.conf
Then, in /etc/ipsec.d/nodes.conf on Host A:
conn node172.31.28.54
    left=172.31.28.53
    right=172.31.28.54
And on Host B:
conn node172.31.28.53
    left=172.31.28.54
    right=172.31.28.53
When I first start the two hosts, I cannot connect to Host B from Host A, or vice versa (I test using ssh). However, if I first try to connect from Host A to Host B (which fails), and then from Host B to Host A, the connection from B to A succeeds, and subsequent connections from A to B also work. Going in the opposite order produces the same result. The connections start working once I have initiated a connection from each host.
My understanding was that it would be sufficient to set auto=start to ensure the tunnels were up on startup.
These hosts are both in an AWS VPC, with a Security Group permitting UDP 500 and 4500.
I would appreciate any suggestions you could offer. Thanks!

Dmitri
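As an added check that is not part of the original post and not libreswan's own code: a small Python script that parses ipsec.conf text of the kind shown above and verifies that Host A's and Host B's conn sections describe the same transport-mode SA from opposite ends (left/right swapped, identical proposals and mode). The parser, the function names and the constructed sample are assumptions; it handles only the syntax the post uses.

```python
# Added example, not code from the post or from libreswan; the parser covers only
# the ipsec.conf syntax the post uses (section headers, key=value lines, includes).
import re
SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)$")

def parse_ipsec_conf(text):
    """Return {'config setup' or 'conn NAME': {key: value}}; include lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line or line.startswith("include "):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = f"{m.group(1)} {m.group(2)}"
            sections.setdefault(current, {})
        elif current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        else:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections

def check_mirror(conn_a, conn_b):
    """Return a list of findings; an empty list means both ends agree."""
    findings = []
    if (conn_a.get("left"), conn_a.get("right")) != (conn_b.get("right"), conn_b.get("left")):
        findings.append("left/right are not swapped between the two hosts")
    for key in ("type", "authby", "ike", "phase2alg", "ikev2", "forceencaps"):
        if conn_a.get(key) != conn_b.get(key):
            findings.append(f"{key} differs: {conn_a.get(key)!r} vs {conn_b.get(key)!r}")
    if conn_a.get("type") != "transport":
        findings.append("type must be transport for host-to-host mode")
    return findings

def audit_pair(text_a, name_a, text_b, name_b):
    """Parse both configs, apply 'conn %default' as libreswan does, then compare."""
    def effective(text, name):
        sections = parse_ipsec_conf(text)
        return {**sections.get("conn %default", {}), **sections[f"conn {name}"]}
    return check_mirror(effective(text_a, name_a), effective(text_b, name_b))
COMMON = """conn %default
    type=transport
    forceencaps=yes
    ike=aes256-sha2;dh23
    phase2alg=aes256-sha2;dh23
    ikev2=insist
include /etc/ipsec.d/*.conf
"""
HOST_A = COMMON + "conn node172.31.28.54\n    left=172.31.28.53\n    right=172.31.28.54\n"  # constructed from the post
HOST_B = COMMON + "conn node172.31.28.53\n    left=172.31.28.54\n    right=172.31.28.53\n"  # constructed from the post
```

Run `audit_pair(HOST_A, "node172.31.28.54", HOST_B, "node172.31.28.53")` against the real files on each host to confirm the two ends match before looking at the IKE negotiation itself.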