learnc

Reputation: 41

Strongswan not establishing connection

I'm creating a VPN using StrongSwan. It's my first time using this tool. I followed a tutorial to set up. I've hit a blocker whereby the peer connection times out. The status is 0 up, 1 connecting.

I have tried on different servers; the same issue happens.

ipsec.conf

conn conec-example
  authby=secret
  left=%defaultroute
  leftid=<public_IP_1>
  leftsubnet=<private_ip_1>/20
  right=<public_IP_2>
  rightsubnet=<private_ip_2>/20
  ike=aes256-sha2_256-modp1024!
  esp=aes256-sha2_256!
  keyingtries=0
  ikelifetime=1h
  lifetime=8h
  dpddelay=30
  dpdtimeout=120
  dpdaction=restart
  auto=start

ipsec.secrets

public_IP_1 public_IP_2 : PSK "randomprivatesharedkey"

Here is part of the logs:

Aug 18 17:29:01 ip-x charon: 10[IKE] retransmit 2 of request with message ID 0
Aug 18 17:29:01 ip-x charon: 10[NET] sending packet: from x.x[500] to x.x.x.x[500] (334 bytes)
Aug 18 17:30:19 ip-x charon: 13[IKE] retransmit 5 of request with message ID 0
Aug 18 17:30:19 ip-x charon: 13[NET] sending packet: from x.x[500] to x.x.x.129[500] (334 bytes)
Aug 18 17:31:35 charon: 16[IKE] giving up after 5 retransmits
Aug 18 17:31:35 charon: 16[IKE] peer not responding, trying again (2/0)

I expected a successful connection after setting this up, but had no success. How can I resolve this? Any ideas?

Upvotes: 2

Views: 3756

Answers (1)

GoodMirek

Reputation: 222

Based on the log excerpt, strongswan has an issue reaching the other peer. There is way too little information to provide an exact answer; the topology and addressing plan, the relevant AWS security group settings and both VPN peers' configuration are needed.

Still, let me offer a few hints on what to do in order to successfully connect via VPN:

  1. UDP ports 500 and 4500 must be open on both VPN peers. In AWS, this means the AWS security group associated with the EC2 instance running strongswan must contain explicit rules to allow incoming UDP traffic on ports 500 and 4500. An EC2 instance is always behind a NAT, so ESP/AH packets will be encapsulated in UDP packets.
  2. Any firewall on both VPN peers has to allow the UDP traffic mentioned in the previous point.
  3. Beware that the UDP encapsulation affects the MTU of the traffic going through the VPN connection.

Upvotes: 1
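As an added example, not part of the answer above or of strongSwan's own tooling: a small Python parser that walks charon log lines of the form quoted in the question and maps "giving up after N retransmits" with no packet ever received onto the checklist in the answer. It assumes only the log format shown on this page; the sample lines are constructed from the question's excerpt.

```python
import re

# Constructed sample input: the charon lines quoted in the question.
SAMPLE_LOG = """\
Aug 18 17:29:01 ip-x charon: 10[IKE] retransmit 2 of request with message ID 0
Aug 18 17:29:01 ip-x charon: 10[NET] sending packet: from x.x[500] to x.x.x.x[500] (334 bytes)
Aug 18 17:30:19 ip-x charon: 13[IKE] retransmit 5 of request with message ID 0
Aug 18 17:30:19 ip-x charon: 13[NET] sending packet: from x.x[500] to x.x.x.129[500] (334 bytes)
Aug 18 17:31:35 ip-x charon: 16[IKE] giving up after 5 retransmits
Aug 18 17:31:35 ip-x charon: 16[IKE] peer not responding, trying again (2/0)
"""

RETRANSMIT = re.compile(r"retransmit (\d+) of request with message ID (\d+)")
SENDING = re.compile(r"sending packet: from \S+\[\d+\] to (\S+)\[(\d+)\]")
RECEIVED = re.compile(r"received packet: from (\S+)\[(\d+)\]")
GIVE_UP = re.compile(r"giving up after (\d+) retransmits")


def diagnose(log_text):
    """Summarise an IKE negotiation from charon log lines and map a failure
    onto the checks in the answer: UDP 500/4500 and host firewalls on both peers."""
    result = {"retransmits": 0, "message_ids": set(), "gave_up": False,
              "peer": None, "port": None, "replies": 0, "checks": []}
    for line in log_text.splitlines():
        m = RETRANSMIT.search(line)
        if m:
            result["retransmits"] = max(result["retransmits"], int(m.group(1)))
            result["message_ids"].add(int(m.group(2)))
            continue
        m = SENDING.search(line)
        if m:  # remember the last destination we tried (peer address, UDP port)
            result["peer"], result["port"] = m.group(1), int(m.group(2))
        elif RECEIVED.search(line):
            result["replies"] += 1
        elif GIVE_UP.search(line):
            result["gave_up"] = True
    if result["gave_up"] and result["replies"] == 0:
        # Nothing ever came back: the very first exchange (message ID 0) is
        # unanswered, so IKE traffic is blocked somewhere or 'right=' is wrong.
        result["checks"] = [
            f"peer {result['peer']} never answered on UDP/{result['port']}",
            "allow inbound UDP 500 and 4500 in the peer's security group",
            "allow the same UDP traffic through the host firewall on both peers",
            "verify 'right=' is the peer's public address and strongSwan runs there",
        ]
    elif result["gave_up"]:
        # The peer replied earlier, so the ports are open; a later exchange stalled.
        result["checks"] = ["initial exchange answered; inspect the later exchange "
                            f"(message IDs {sorted(result['message_ids'])})"]
    return result
```

Feed it the full `journalctl -u strongswan` or syslog output rather than an excerpt; a single `received packet` line changes the diagnosis from "blocked" to "negotiation stalled".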
