[Swan] Site to Site vpn - one site with dynamic IP

Geoff Sweet geoffrsweet at gmail.com
Wed Aug 28 03:56:02 UTC 2019


I am building a small VPN from a remote site running PFSense to an AWS
endpoint.  I've beat my head against the wall trying to figure this out and
I am a little surprised to find very little helpfulness via Google.  Almost
everything relates to static IPs at both ends of a connection.

So I have a small AMI2 running with libreswan on it:
[root at ip-10-2-0-11 ipsec.d]# ipsec --version
Linux Libreswan 3.23 (netkey) on 4.14.123-111.109.amzn2.x86_64

And I have the following single config file:
[root at ip-10-2-0-11 ipsec.d]# cat awsconnection.conf
conn awsconnection
  type=tunnel
  authby=secret
  ikev2=insist
  ike=aes256-sha1;modp1024
  phase2alg=aes_gcm256-null
  pfs=yes
  auto=add

  left=%defaultroute
  leftid=@vpn.remotesite.com
  leftsubnet=192.168.8.0/24
  leftnexthop=%defaultroute

  right=10.2.0.11
  rightid=34.X.Y.28
  rightsubnet=10.2.0.0/16
  rightsourceip=10.2.0.11
  rightnexthop=%defaultroute
  keyingtries=%forever

So then when I initiate the connection on the PFSense server, I get this in
the logs:

Aug 28 03:43:20.849823: | initial parent SA message received on 10.2.0.11:500 but no connection has been authorized with policy PSK+IKEV2_ALLOW
Aug 28 03:43:20.849826: | find_host_connection me=10.2.0.11:500 him=73.109.32.142:500 policy=AUTHNULL+IKEV2_ALLOW
Aug 28 03:43:20.849830: | find_host_pair: comparing 10.2.0.11:500 to <invalid>:500
Aug 28 03:43:20.849833: | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW
Aug 28 03:43:20.849836: | find_next_host_connection returns empty
Aug 28 03:43:20.849839: | find_host_connection me=10.2.0.11:500 him=%any:500 policy=AUTHNULL+IKEV2_ALLOW
Aug 28 03:43:20.849842: | find_host_pair: comparing 10.2.0.11:500 to <invalid>:500
Aug 28 03:43:20.849845: | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW
Aug 28 03:43:20.849848: | find_next_host_connection returns empty
Aug 28 03:43:20.849863: | initial parent SA message received on 10.2.0.11:500 but no connection has been authorized with policy AUTHNULL+IKEV2_ALLOW
Aug 28 03:43:20.849868: packet from 73.109.32.142:500: initial parent SA message received on 10.2.0.11:500 but no suitable connection found with IKEv2 policy
Aug 28 03:43:20.849873: | skip start processing: state #0 (in complete_v2_state_transition() at ikev2.c:2331)
Aug 28 03:43:20.849876: | #0 complete v2 state transition from STATE_UNDEFINED with v2N_NO_PROPOSAL_CHOSEN
Aug 28 03:43:20.849882: | sending a notification reply
Aug 28 03:43:20.849888: packet from 73.109.32.142:500: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 73.109.32.142:500
Aug 28 03:43:20.849892: | **emit ISAKMP Message:
Aug 28 03:43:20.849895: |    initiator cookie:
Aug 28 03:43:20.849898: |   fa a4 f1 59  64 0b 25 38
Aug 28 03:43:20.849901: |    responder cookie:
Aug 28 03:43:20.849904: |   00 00 00 00  00 00 00 00
Aug 28 03:43:20.849907: |    next payload type: ISAKMP_NEXT_v2N (0x29)
Aug 28 03:43:20.849910: |    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
Aug 28 03:43:20.849914: |    exchange type: ISAKMP_v2_SA_INIT (0x22)
Aug 28 03:43:20.849917: |    flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
Aug 28 03:43:20.849920: |    message ID:  00 00 00 00
Aug 28 03:43:20.849924: | Adding a v2N Payload
Aug 28 03:43:20.849927: | ***emit IKEv2 Notify Payload:
Aug 28 03:43:20.849930: |    next payload type: ISAKMP_NEXT_v2NONE (0x0)
Aug 28 03:43:20.849933: |    flags: none (0x0)
Aug 28 03:43:20.849936: |    Protocol ID: PROTO_v2_RESERVED (0x0)
Aug 28 03:43:20.849939: |    SPI size: 0 (0x0)
Aug 28 03:43:20.849942: |    Notify Message Type: v2N_NO_PROPOSAL_CHOSEN (0xe)
Aug 28 03:43:20.849946: | emitting length of IKEv2 Notify Payload: 8
Aug 28 03:43:20.849949: | no IKEv1 message padding required
Aug 28 03:43:20.849953: | emitting length of ISAKMP Message: 36
Aug 28 03:43:20.849962: | sending 36 bytes for v2 notify through eth0:500 to 73.109.32.142:500 (using #0)
Aug 28 03:43:20.849965: |   fa a4 f1 59  64 0b 25 38  00 00 00 00  00 00 00 00
Aug 28 03:43:20.849968: |   29 20 22 20  00 00 00 00  00 00 00 24  00 00 00 08
Aug 28 03:43:20.849971: |   00 00 00 0e
Aug 28 03:43:20.849999: | state transition function for STATE_UNDEFINED failed: v2N_NO_PROPOSAL_CHOSEN
Aug 28 03:43:20.850017: | processing: stop from 73.109.32.142:500 (in comm_handle() at demux.c:375)

I'm kind of at a loss.  Anyone have any ideas?
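A small triage script for pluto debug output of this shape, added here as an editor's example rather than anything from the post or from libreswan itself. It reads the connection lookups the responder logged for the IKE_SA_INIT (the peer-address lookup, then the %any fallback) and reports why the unencrypted NO_PROPOSAL_CHOSEN went out; the sample log is the post's own lines, re-joined where the mail client wrapped them, and the regexes are written against those lines only.

```python
import re

# Constructed sample: the post's log lines, re-joined where the mail client wrapped them.
SAMPLE_LOG = """\
Aug 28 03:43:20.849823: | initial parent SA message received on 10.2.0.11:500 but no connection has been authorized with policy PSK+IKEV2_ALLOW
Aug 28 03:43:20.849826: | find_host_connection me=10.2.0.11:500 him=73.109.32.142:500 policy=AUTHNULL+IKEV2_ALLOW
Aug 28 03:43:20.849836: | find_next_host_connection returns empty
Aug 28 03:43:20.849839: | find_host_connection me=10.2.0.11:500 him=%any:500 policy=AUTHNULL+IKEV2_ALLOW
Aug 28 03:43:20.849848: | find_next_host_connection returns empty
Aug 28 03:43:20.849868: packet from 73.109.32.142:500: initial parent SA message received on 10.2.0.11:500 but no suitable connection found with IKEv2 policy
Aug 28 03:43:20.849888: packet from 73.109.32.142:500: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 73.109.32.142:500
"""

FIND_RE = re.compile(r"find_host_connection me=(\S+) him=(\S+) policy=(\S+)")
EMPTY_RE = re.compile(r"find_next_host_connection returns empty")
POLICY_RE = re.compile(r"no connection has been authorized with policy (\S+)")
NOCONN_RE = re.compile(r"packet from (\S+): initial parent SA message received on (\S+) but no suitable connection")
NOTIFY_RE = re.compile(r"sending unencrypted notification (v2N_\w+) to")


def triage(log_text):
    """Record each connection lookup pluto made for the IKE_SA_INIT and whether it matched."""
    result = {"peer": None, "local": None, "policies": set(), "lookups": [], "notify": None}
    pending = None
    for line in log_text.splitlines():
        if m := FIND_RE.search(line):
            pending = {"me": m.group(1), "him": m.group(2), "policy": m.group(3), "found": None}
            result["lookups"].append(pending)
            result["policies"].add(m.group(3))
        elif EMPTY_RE.search(line) and pending is not None:
            pending["found"] = False  # lookup ended without a matching conn
            pending = None
        elif m := POLICY_RE.search(line):
            result["policies"].add(m.group(1))
        elif m := NOCONN_RE.search(line):
            result["peer"], result["local"] = m.group(1), m.group(2)
        elif m := NOTIFY_RE.search(line):
            result["notify"] = m.group(1)
    return result


def diagnose(r):
    findings = []
    all_empty = bool(r["lookups"]) and all(l["found"] is False for l in r["lookups"])
    if r["peer"] and all_empty:
        findings.append("peer %s matched no loaded conn on %s for policies %s" % (r["peer"], r["local"], sorted(r["policies"])))
    if all_empty and any(l["him"].startswith("%any") for l in r["lookups"]):
        findings.append("the %any lookup also failed: no conn accepts a peer at an unknown address, which a dynamic-IP site needs")
    if r["peer"] and r["notify"] == "v2N_NO_PROPOSAL_CHOSEN":
        findings.append("NO_PROPOSAL_CHOSEN here follows 'no suitable connection found', so it reflects conn selection, not an algorithm mismatch")
    return findings
```

Run `diagnose(triage(open("/var/log/pluto.log").read()))` (path assumed) against a capture of the same debug level; an empty list means no such rejection was logged.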