<div dir="ltr">

<p style="margin:0px 0px 0.357143em;padding:0px;font-size:14px;line-height:1.42857em;color:rgb(34,34,34);font-family:verdana,arial,helvetica,sans-serif;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial">I have to create an IPsec tunnel from Amazon to an ASA 5500. Below is the info I was provided on the ASA config:</p><pre style="margin:0.357143em 0px;padding:4px 9px;border:1px solid rgb(230,230,222);background-color:rgb(255,255,255);border-radius:2px;overflow:auto;color:rgb(34,34,34);font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><code style="font-family:monospace,monospace;font-style:normal;font-weight:normal;margin:0px 2px;border:0px;background-color:transparent;border-radius:2px;white-space:pre;word-break:normal;display:block;font-size:1em;line-height:1.42857em;padding:0px">Support Key Exchanged for Subnets: ON
IKE Encryption Method: AES256 SHA
IKE Diffie-Hellman Groups for Phase 1: Group 2 (1024 bit)
IKE (Phase-1) Timeout: 1440 Min
IPSEC Encryption Method: AES256 SHA
IPSEC (Phase-2) Timeout: 3600 Sec
PFS (Perfect Forward Secrecy): Disabled
Keepalive: Disabled
</code></pre><p style="margin:0.357143em 0px;padding:0px;font-size:14px;line-height:1.42857em;color:rgb(34,34,34);font-family:verdana,arial,helvetica,sans-serif;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial">I set up Libreswan on a CentOS 7 EC2 instance. This is what I have for the Libreswan connection config:</p><pre style="margin:0.357143em 0px;padding:4px 9px;border:1px solid rgb(230,230,222);background-color:rgb(255,255,255);border-radius:2px;overflow:auto;color:rgb(34,34,34);font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><code style="font-family:monospace,monospace;font-style:normal;font-weight:normal;margin:0px 2px;border:0px;background-color:transparent;border-radius:2px;white-space:pre;word-break:normal;display:block;font-size:1em;line-height:1.42857em;padding:0px">conn ipsec
  type=tunnel
  authby=secret
  remote_peer_type=cisco
  initial-contact=yes
  rekey=yes
  pfs=no
  ikelifetime=1440m
  salifetime=60m
  ike=aes256-sha1;dh2
  phase2alg=aes256-sha1;modp1024
  aggrmode=no
</code></pre><p style="margin:0.357143em 0px;padding:0px;font-size:14px;line-height:1.42857em;color:rgb(34,34,34);font-family:verdana,arial,helvetica,sans-serif;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial">I've successfully created a tunnel to another Libreswan instance in a separate AWS VPN and can pass traffic, but when I point to the ASA, I don't seem to be even getting past the IKE phase, based on this ipsec status:</p><pre style="margin:0.357143em 0px;padding:4px 9px;border:1px solid rgb(230,230,222);background-color:rgb(255,255,255);border-radius:2px;overflow:auto;color:rgb(34,34,34);font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial"><code style="font-family:monospace,monospace;font-style:normal;font-weight:normal;margin:0px 2px;border:0px;background-color:transparent;border-radius:2px;white-space:pre;word-break:normal;display:block;font-size:1em;line-height:1.42857em;padding:0px">000 Total IPsec connections: loaded 1, active 0
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(1), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000
000 #1: "ipsec":4500 STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_v1_RETRANSMIT in 12s; nodpd; idle; import:admin initiate
1: pending Phase 2 for "ipsec" replacing #0
</code></pre><p style="margin:0.357143em 0px;padding:0px;font-size:14px;line-height:1.42857em;color:rgb(34,34,34);font-family:verdana,arial,helvetica,sans-serif;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial">I know the pre-shared key is correct, but I'm at a loss. For starters, do I at least have the correct Libreswan config based on the ASA config?</p><p style="margin:0.357143em 0px 0px;padding:0px;font-size:14px;line-height:1.42857em;color:rgb(34,34,34);font-family:verdana,arial,helvetica,sans-serif;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration-style:initial;text-decoration-color:initial">I'm banging my head against the wall here and am willing to pay if someone knowledgeable can give some direction.</p>
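<p>As an added example (not part of the original post, and not Libreswan's or Cisco's own tooling), the following Python check translates the ASA parameter sheet above into the Libreswan keywords it implies and reports where the posted conn block differs. The mapping rules it assumes are: ASA "SHA" means HMAC-SHA1, "Group 2 (1024 bit)" is modp1024 (which Libreswan also spells dh2), the Phase-1 timeout maps to ikelifetime and the Phase-2 timeout to salifetime, and a DH group in phase2alg is only expected when PFS is enabled.</p>

```python
import re
# Constructed input copied from the post (only the keys the check needs).
ASA_SHEET = """IKE Encryption Method: AES256 SHA
IKE Diffie-Hellman Groups for Phase 1: Group 2 (1024 bit)
IKE (Phase-1) Timeout: 1440 Min
IPSEC Encryption Method: AES256 SHA
IPSEC (Phase-2) Timeout: 3600 Sec
PFS (Perfect Forward Secrecy): Disabled"""
CONN = """conn ipsec
  pfs=no
  ikelifetime=1440m
  salifetime=60m
  ike=aes256-sha1;dh2
  phase2alg=aes256-sha1;modp1024"""
DH = {"2": "modp1024", "5": "modp1536", "14": "modp2048"}  # IKE group number -> modp name

def parse_kv(text, sep):
    """Split 'key<sep>value' lines into a dict; lines without sep are skipped."""
    return {k.strip(): v.strip() for k, v in
            (l.split(sep, 1) for l in text.splitlines() if sep in l)}

def seconds(value):
    """Duration in seconds from '1440 Min', '3600 Sec' (ASA) or '1440m', '1h' (Libreswan)."""
    n, unit = re.fullmatch(r"(\d+)\s*([A-Za-z]+)", value.strip()).groups()
    return int(n) * {"s": 1, "m": 60, "h": 3600}[unit[0].lower()]

def norm_alg(spec):
    """Canonical alg string: lower case, dhN -> modpXXXX, bare 'sha' -> 'sha1'."""
    spec = re.sub(r"dh(\d+)", lambda g: DH.get(g.group(1), g.group(0)), spec.lower())
    return re.sub(r"-sha(?!\d)", "-sha1", spec)

def check(sheet, conn):
    """Return the conn settings that do not match what the ASA sheet implies."""
    a, c = parse_kv(sheet, ":"), parse_kv(conn, "=")
    asa = lambda v: norm_alg(v.lower().replace(" ", "-"))  # 'AES256 SHA' -> 'aes256-sha1'
    grp = DH[re.search(r"Group (\d+)", a["IKE Diffie-Hellman Groups for Phase 1"]).group(1)]
    pfs_on = a["PFS (Perfect Forward Secrecy)"].lower() == "enabled"
    p2 = norm_alg(c["phase2alg"])
    tests = [  # (setting, value in conn, value the sheet implies)
        ("ike", norm_alg(c["ike"]), f"{asa(a['IKE Encryption Method'])};{grp}"),
        ("ikelifetime", seconds(c["ikelifetime"]), seconds(a["IKE (Phase-1) Timeout"])),
        ("salifetime", seconds(c["salifetime"]), seconds(a["IPSEC (Phase-2) Timeout"])),
        ("pfs", c["pfs"] == "yes", pfs_on),
        ("phase2alg cipher/hash", p2.split(";")[0], asa(a["IPSEC Encryption Method"])),
        ("phase2alg DH group present", ";" in p2, pfs_on),  # a group only makes sense with PFS
    ]
    return [f"{name}: conn has {got!r}, sheet implies {want!r}"
            for name, got, want in tests if got != want]

if __name__ == "__main__":
    print("\n".join(check(ASA_SHEET, CONN)) or "conn matches the sheet")
```

The check covers only the parameters on the sheet; the pre-shared key and the peer identities each side presents are outside its scope.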

<br></div>