[Swan] Site to Site vpn - one site with dynamic IP
Geoff Sweet
geoffrsweet at gmail.com
Wed Aug 28 03:56:02 UTC 2019
I am building a small VPN from a remote site running PFSense to an AWS
endpoint. I've beat my head against the wall trying to figure this out and
I am a little surprised to find very little helpfulness via Google. Almost
everything relates to static IPs at both ends of a connection.
So I have a small AMI2 running with libreswan on it:
[root at ip-10-2-0-11 ipsec.d]# ipsec --version
Linux Libreswan 3.23 (netkey) on 4.14.123-111.109.amzn2.x86_64
And I have the following single config file:
[root at ip-10-2-0-11 ipsec.d]# cat awsconnection.conf
conn awsconnection
type=tunnel
authby=secret
ikev2=insist
ike=aes256-sha1;modp1024
phase2alg=aes_gcm256-null
pfs=yes
auto=add
left=%defaultroute
leftid=@vpn.remotesite.com
leftsubnet=192.168.8.0/24
leftnexthop=%defaultroute
right=10.2.0.11
rightid=34.X.Y.28
rightsubnet=10.2.0.0/16
rightsourceip=10.2.0.11
rightnexthop=%defaultroute
keyingtries=%forever
So then when I initiate the connection on the PFSense server, I get this in
the logs:
Aug 28 03:43:20.849823: | initial parent SA message received on
10.2.0.11:500 but no connection has been authorized with policy
PSK+IKEV2_ALLOW
Aug 28 03:43:20.849826: | find_host_connection me=10.2.0.11:500 him=
73.109.32.142:500 policy=AUTHNULL+IKEV2_ALLOW
Aug 28 03:43:20.849830: | find_host_pair: comparing 10.2.0.11:500 to
<invalid>:500
Aug 28 03:43:20.849833: | find_next_host_connection
policy=AUTHNULL+IKEV2_ALLOW
Aug 28 03:43:20.849836: | find_next_host_connection returns empty
Aug 28 03:43:20.849839: | find_host_connection me=10.2.0.11:500
him=%any:500 policy=AUTHNULL+IKEV2_ALLOW
Aug 28 03:43:20.849842: | find_host_pair: comparing 10.2.0.11:500 to
<invalid>:500
Aug 28 03:43:20.849845: | find_next_host_connection
policy=AUTHNULL+IKEV2_ALLOW
Aug 28 03:43:20.849848: | find_next_host_connection returns empty
Aug 28 03:43:20.849863: | initial parent SA message received on
10.2.0.11:500 but no connection has been authorized with policy
AUTHNULL+IKEV2_ALLOW
Aug 28 03:43:20.849868: packet from 73.109.32.142:500: initial parent SA
message received on 10.2.0.11:500 but no suitable connection found with
IKEv2 policy
Aug 28 03:43:20.849873: | skip start processing: state #0 (in
complete_v2_state_transition() at ikev2.c:2331)
Aug 28 03:43:20.849876: | #0 complete v2 state transition from
STATE_UNDEFINED with v2N_NO_PROPOSAL_CHOSEN
Aug 28 03:43:20.849882: | sending a notification reply
Aug 28 03:43:20.849888: packet from 73.109.32.142:500: sending unencrypted
notification v2N_NO_PROPOSAL_CHOSEN to 73.109.32.142:500
Aug 28 03:43:20.849892: | **emit ISAKMP Message:
Aug 28 03:43:20.849895: | initiator cookie:
Aug 28 03:43:20.849898: | fa a4 f1 59 64 0b 25 38
Aug 28 03:43:20.849901: | responder cookie:
Aug 28 03:43:20.849904: | 00 00 00 00 00 00 00 00
Aug 28 03:43:20.849907: | next payload type: ISAKMP_NEXT_v2N (0x29)
Aug 28 03:43:20.849910: | ISAKMP version: IKEv2 version 2.0
(rfc4306/rfc5996) (0x20)
Aug 28 03:43:20.849914: | exchange type: ISAKMP_v2_SA_INIT (0x22)
Aug 28 03:43:20.849917: | flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
Aug 28 03:43:20.849920: | message ID: 00 00 00 00
Aug 28 03:43:20.849924: | Adding a v2N Payload
Aug 28 03:43:20.849927: | ***emit IKEv2 Notify Payload:
Aug 28 03:43:20.849930: | next payload type: ISAKMP_NEXT_v2NONE (0x0)
Aug 28 03:43:20.849933: | flags: none (0x0)
Aug 28 03:43:20.849936: | Protocol ID: PROTO_v2_RESERVED (0x0)
Aug 28 03:43:20.849939: | SPI size: 0 (0x0)
Aug 28 03:43:20.849942: | Notify Message Type: v2N_NO_PROPOSAL_CHOSEN
(0xe)
Aug 28 03:43:20.849946: | emitting length of IKEv2 Notify Payload: 8
Aug 28 03:43:20.849949: | no IKEv1 message padding required
Aug 28 03:43:20.849953: | emitting length of ISAKMP Message: 36
Aug 28 03:43:20.849962: | sending 36 bytes for v2 notify through eth0:500
to 73.109.32.142:500 (using #0)
Aug 28 03:43:20.849965: | fa a4 f1 59 64 0b 25 38 00 00 00 00 00 00 00
00
Aug 28 03:43:20.849968: | 29 20 22 20 00 00 00 00 00 00 00 24 00 00 00
08
Aug 28 03:43:20.849971: | 00 00 00 0e
Aug 28 03:43:20.849999: | state transition function for STATE_UNDEFINED
failed: v2N_NO_PROPOSAL_CHOSEN
Aug 28 03:43:20.850017: | processing: stop from 73.109.32.142:500 (in
comm_handle() at demux.c:375)
I'm kind of at a loss. Anyone have any ideas?
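The 36-byte notification that libreswan dumps near the end of the log can be decoded by hand to confirm what the debug lines say (IKE_SA_INIT response, zero responder SPI, a single Notify payload of type NO_PROPOSAL_CHOSEN). The following Python is an added example, not code from the poster or from libreswan: it parses the fixed IKEv2 header and the unencrypted Notify payload; the packet constant is copied from the hex lines above and the code-point tables are the RFC 7296 values.

```python
import struct

# The 36 bytes libreswan logged as "sending 36 bytes for v2 notify",
# reassembled from the three hex lines in the post.
LOGGED_PACKET = bytes.fromhex(
    "fa a4 f1 59 64 0b 25 38 00 00 00 00 00 00 00 00"
    "29 20 22 20 00 00 00 00 00 00 00 24 00 00 00 08"
    "00 00 00 0e"
)

# Code points from RFC 7296 for the values such a reply can carry.
EXCHANGE_TYPES = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
NOTIFY_TYPES = {7: "INVALID_SYNTAX", 14: "NO_PROPOSAL_CHOSEN", 17: "INVALID_KE_PAYLOAD",
                24: "AUTHENTICATION_FAILED"}
NOTIFY_PAYLOAD = 41   # next-payload code for a Notify (N) payload
FLAG_RESPONSE = 0x20  # R bit in the IKE header flags


def parse_ike_header(data):
    """Decode the fixed 28-byte IKEv2 header (RFC 7296 section 3.1)."""
    if len(data) < 28:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, nxt, version, exch, flags, msg_id, length = struct.unpack("!8s8sBBBBII", data[:28])
    if length != len(data):
        raise ValueError("header length %d != packet length %d" % (length, len(data)))
    return {"spi_i": spi_i.hex(), "spi_r": spi_r.hex(), "next_payload": nxt,
            "major": version >> 4, "minor": version & 0xF,
            "exchange": EXCHANGE_TYPES.get(exch, exch),
            "is_response": bool(flags & FLAG_RESPONSE), "msg_id": msg_id}


def parse_notifies(data):
    """Walk the unencrypted payload chain; return (header, list of Notify types)."""
    hdr = parse_ike_header(data)
    nxt, off, found = hdr["next_payload"], 28, []
    while nxt != 0:
        if off + 4 > len(data):
            raise ValueError("truncated payload header")
        next_nxt, _crit, plen = struct.unpack("!BBH", data[off:off + 4])
        if plen < 4 or off + plen > len(data):
            raise ValueError("bad payload length")
        if nxt == NOTIFY_PAYLOAD:
            # Notify body: protocol id, SPI size, notify message type
            _proto, _spi_size, ntype = struct.unpack("!BBH", data[off + 4:off + 8])
            found.append(NOTIFY_TYPES.get(ntype, ntype))
        nxt, off = next_nxt, off + plen
    return hdr, found


if __name__ == "__main__":
    header, notifies = parse_notifies(LOGGED_PACKET)
    print(header)
    print("notifies:", notifies)
```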