[Swan] Host-to-Host Transport Mode

Tsveitel, Dmitri Dtsveitel at smartronix.com
Fri Mar 27 05:24:31 EET 2015


Hi,

   I hope someone can help me with a problem I am having setting up IPsec transport mode between two CentOS 7 hosts. I have two hosts on the same subnet. Both are using the same ipsec.conf:

config setup
      protostack=netkey
      dumpdir=/var/run/pluto/
      nat_traversal=yes
conn %default
      auto=start
      type=transport
      forceencaps=yes
      authby=secret
      ike=aes256-sha2;dh23
      phase2=esp
      phase2alg=aes256-sha2;dh23
      ikev2=insist
      failureshunt=drop
      ikelifetime=24h
      salifetime=12h
      rekey=yes
      rekeyfuzz=20%
      dpddelay=120
      dpdtimeout=120
      dpdaction=restart

include /etc/ipsec.d/*.conf

Then, in /etc/ipsec.d/nodes.conf on Host A:
conn node172.31.28.54
        left=172.31.28.53
        right=172.31.28.54

And on Host B:
conn node172.31.28.53
        left=172.31.28.54
        right=172.31.28.53

When I first start the two hosts, I cannot connect to Host B from Host A, or vice versa (I test using ssh). However, if I first try to connect from Host A to Host B (which fails), and then from Host B to Host A, the connection from B to A succeeds, and subsequent connections from A to B also work. Going in the opposite order produces the same result. The connections start working once I have initiated a connection from each host.

My understanding was that it would be sufficient to set auto=start to ensure the tunnels were up on startup.

These hosts are both in an AWS VPC, with a Security Group permitting UDP 500 and 4500.

I would appreciate any suggestions you could offer. Thanks! Dmitri
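An added check for the behaviour described above (this script is not from the original mail or from libreswan): ssh between the two peers cannot pass until the kernel on each host holds an ESP transport-mode SA in both directions, so this parses the output of `ip xfrm state` and reports which directions are present. The peer addresses are the ones from the post; the sample dump is constructed, with placeholder SPI and key values.

```shell
#!/bin/sh
# Added diagnostic, not part of the original post. Reports whether the
# kernel holds ESP transport-mode SAs in BOTH directions between two peers,
# which must be true on each host before ssh traffic can flow.
# Input is the text of `ip xfrm state` (run as root on the host).

# has_sa DUMP SRC DST -> exit 0 if an ESP transport SA src->dst exists.
has_sa() {
    printf '%s\n' "$1" | awk -v s="$2" -v d="$3" '
        /^src / { cur = ($2 == s && $4 == d) }
        cur && /proto esp/ && /mode transport/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# sa_status DUMP LOCAL PEER -> prints both | outbound-only | inbound-only | none
sa_status() {
    o=1; i=1
    has_sa "$1" "$2" "$3" && o=0
    has_sa "$1" "$3" "$2" && i=0
    if [ $o -eq 0 ] && [ $i -eq 0 ]; then echo both
    elif [ $o -eq 0 ]; then echo outbound-only
    elif [ $i -eq 0 ]; then echo inbound-only
    else echo none
    fi
}

# Constructed sample (SPIs and keys are placeholders) as seen on Host A
# (172.31.28.53) once SAs are installed in both directions.
SAMPLE_BOTH='src 172.31.28.53 dst 172.31.28.54
    proto esp spi 0x00000101 reqid 16389 mode transport
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0xPLACEHOLDER 128
    enc cbc(aes) 0xPLACEHOLDER
src 172.31.28.54 dst 172.31.28.53
    proto esp spi 0x00000102 reqid 16389 mode transport
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha256) 0xPLACEHOLDER 128
    enc cbc(aes) 0xPLACEHOLDER'

# Same host, but only the outbound SA has been installed.
SAMPLE_HALF='src 172.31.28.53 dst 172.31.28.54
    proto esp spi 0x00000101 reqid 16389 mode transport'

# Real use on Host A: sa_status "$(ip xfrm state)" 172.31.28.53 172.31.28.54
```

Run the same check on Host B with the addresses swapped; anything other than `both` on either host explains why ssh fails in that direction.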