<div dir="ltr">Hi,<br><br>I am trying to setup a transitvpc in AWS to connect my customer. I
am building a RHEL7.4/Libreswan VPN system to create a VPN to my customer and then
VPNs to other AWS regions. The RHEL instance would also be used to
handle VPCPeer connectivity from the transitVPC
to the other VPCs in the region (US East 1 at this point).<br>
<br>
The endpoint for my customer is a Cisco 5525 ASA. We are attempting to
implement a PSK IPSEC VPN. It is giving us fits. Unfortunately, I and
the my customer's network person have never implemented this configuration. I am
trying to see if anyone can vet my work
and make sure I am not missing anything obvious.<br>
<br>
Current secret file:<br>
<br>
include /etc/ipsec.d/*.secrets<br>
X.X.63.50 X.X.10.4 : PSK "<PSK hidden>"<br>
<br>
Current ipsec config file:<br>
<span class="gmail-description gmail-pre-wrap gmail-ng-binding"><br>
config setup <br>
protostack=netkey <br>
conn aws-customer<br>
subnet also=aws-customer <br>
leftsubnet=X.X.0.0/14 <br>
rightsubnet=X.X.0.0/15 <br>
conn aws-customer<br>
remote_peer_type=cisco <br>
ike=aes128-sha;modp1536 <br>
esp=aes128-sha;modp1536 <br>
# phase2alg=aes128-sha;modp1536 <br>
encapsulation=yes <br>
leftid=aws <br>
# left=X.X.63.50 <br>
left=X.X.254.42 <br>
rightid=customer <br>
right=X.X.10.4 <br>
authby=secret <br>
auto=add <br>
# use auto=start when done testing the tunnel</span><br>
<br>
ipsec verify shows some red elements in its return, but it is unclear if
that would prevent the connections or are just recommended for security
or some other reason.<br>
<br>
[root@ip-X-X-254-42 ~]# ipsec verify<br>
Verifying installed system and configuration files<br>
<br>
Version check and ipsec on-path [OK]<br>
Libreswan 3.20 (netkey) on 3.10.0-693.5.2.el7.x86_64<br>
Checking for IPsec support in kernel [OK]<br>
NETKEY: Testing XFRM related proc values<br>
ICMP default/send_redirects [<span style="background-color:rgb(255,0,0)">NOT DISABLED</span>]<br>
<br>
Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!<br>
<br>
ICMP default/accept_redirects [<span style="background-color:rgb(255,0,0)">NOT DISABLED</span>]<br>
<br>
Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!<br>
<br>
XFRM larval drop [OK]<br>
Pluto ipsec.conf syntax [OK]<br>
Two or more interfaces found, checking IP forwarding [<span style="background-color:rgb(255,0,0)">FAILED</span>]<br>
Checking rp_filter [<span style="background-color:rgb(255,0,0)">ENABLED</span>]<br>
/proc/sys/net/ipv4/conf/all/rp_filter [<span style="background-color:rgb(255,0,0)">ENABLED</span>]<br>
/proc/sys/net/ipv4/conf/default/rp_filter [<span style="background-color:rgb(255,0,0)">ENABLED</span>]<br>
/proc/sys/net/ipv4/conf/ip_vti0/rp_filter [<span style="background-color:rgb(255,0,0)">ENABLED</span>]<br>
rp_filter is not fully aware of IPsec and should be disabled<br>
Checking that pluto is running [OK]<br>
Pluto listening for IKE on udp 500 [OK]<br>
Pluto listening for IKE/NAT-T on udp 4500 [OK]<br>
Pluto ipsec.secret syntax [OK]<br>
Checking 'ip' command [OK]<br>
Checking 'iptables' command [OK]<br>
Checking 'prelink' command does not interfere with FIPS [OK]<br>
Checking for obsolete ipsec.conf options [OK]<br>
<br>
ipsec verify: encountered 11 errors - see 'man ipsec_verify' for help<br>
<br>
<br>
When I "up" the connection, I get the following in a loop:<br>
<br>
<p>I expect to see something similar to:</p>
<pre>104 "mytunnel" #1: STATE_MAIN_I1: initiate
003 "mytunnel" #1: received Vendor ID payload [Dead Peer Detection]
003 "mytunnel" #1: received Vendor ID payload [FRAGMENTATION]
106 "mytunnel" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "mytunnel" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "mytunnel" #1: received Vendor ID payload [CAN-IKEv2]
004 "mytunnel" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_128 integ=sha group=MODP2048}
117 "mytunnel" #2: STATE_QUICK_I1: initiate
004 "mytunnel" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive}</pre>
But am seeing:<br><br>
<div>002 "aws-customersubnet" #370: initiating Main Mode<br>
104 "aws-customersubnet" #370: STATE_MAIN_I1: initiate<br>
002 "aws-customersubnet" #370: transition from state STATE_MAIN_I1 to state STATE_MAI<br>
N_I2<br>
106 "aws-customersubnet" #370: STATE_MAIN_I2: sent MI2, expecting MR2<br>
003 "aws-customersubcustomernet" #370: ignoring unknown Vendor ID payload [aa53590b1da04b22f0<br>
ceb9c7bae1cd1e]<br>
002 "aws-customersubnet" #370: transition from state STATE_MAIN_I2 to state STATE_MAI<br>
N_I3<br>
108 "aws-customersubnet" #370: STATE_MAIN_I3: sent MI3, expecting MR3<br>
002 "aws-customersubnet" #370: Main mode peer ID is ID_IPV4_ADDR: 'X.X.10.4'<br>
002 "aws-customersubnet" #370: transition from state STATE_MAIN_I3 to state STATE_MAI<br>
N_I4<br>
004 "aws-customersubnet" #370: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_K<br>
EY cipher=aes_128 integ=sha group=MODP1536}<br>
002 "aws-DOcustomersubnet" #371: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEV1_<br>
ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#370 msgid:b8b4<br>
cd3e proposal=AES(12)_128-SHA1(2) pfsgroup=MODP1536}<br>
117 "aws-customersubnet" #371: STATE_QUICK_I1: initiate<br>
002 "aws-customersubnet" #372: initiating Main Mode<br>
104 "aws-customersubnet" #372: STATE_MAIN_I1: initiate<br>
002 "aws-customersubnet" #371: deleting state (STATE_QUICK_I1)<br>
002 "aws-customersubnet" #372: transition from state STATE_MAIN_I1 to state STATE_MAI<br>
N_I2<br>
<br>
</div>
The last 3 lines are the IPSEC service terminating the setup and starting over. This repeats until I down the VPN connection.
</div>