
I'm creating a VPN using StrongSwan. It's my first time using this tool. I followed a tutorial to set up. I've hit a blocker whereby the peer connection times out. The status is 0 up, 1 connecting.

I have tried on different servers, the same issue happens.

ipsec.conf

conn conec-example
  authby=secret
  left=%defaultroute
  leftid=<public_IP_1>
  leftsubnet=<private_ip_1>/20
  right=<public_IP_2>
  rightsubnet=<private_ip_2>/20
  ike=aes256-sha2_256-modp1024!
  esp=aes256-sha2_256!
  keyingtries=0
  ikelifetime=1h
  lifetime=8h
  dpddelay=30
  dpdtimeout=120
  dpdaction=restart
  auto=start

ipsec.secrets

public_IP_1 public_IP_2 : PSK "randomprivatesharedkey"

Here is part of the logs:

Aug 18 17:29:01 ip-x charon: 10[IKE] retransmit 2 of request with message ID 0
Aug 18 17:29:01 ip-x charon: 10[NET] sending packet: from x.x[500] to x.x.x.x[500] (334 bytes)
Aug 18 17:30:19 ip-x charon: 13[IKE] retransmit 5 of request with message ID 0
Aug 18 17:30:19 ip-x charon: 13[NET] sending packet: from x.x[500] to x.x.x.129[500] (334 bytes)
Aug 18 17:31:35  charon: 16[IKE] giving up after 5 retransmits
Aug 18 17:31:35 charon: 16[IKE] peer not responding, trying again (2/0)

I expected a successful connection after setting this up, but had no success. How can I resolve this? Any ideas?

learnc
  • I recommend posting your issue on https://serverfault.com (I've had great success there and https://serverfault.com/users/95913/ecdsa is very helpful). Have you tried running the server using `sudo ipsec start --nofork` and adjusting the log level using `sudo ipsec stroke loglevel cfg 2` (see https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration#Runtime-Configuration). Please share as much log info as you can. – sunknudsen Aug 18 '19 at 19:52
  • Also, I recommend having a look at https://medium.com/@sunknudsen/self-host-your-very-own-strongswan-ikev2-ipsec-state-of-the-art-vpn-server-for-ios-and-macos-8cd7023497fc. – sunknudsen Aug 18 '19 at 19:54
  • I recommend adding the logs to the question as comments are limited in size. – sunknudsen Aug 18 '19 at 20:27
  • Why `/20` btw vs `/24`? Do you have a firewall running on the client or the server? – sunknudsen Aug 18 '19 at 20:32
  • I copied the subnet address of the EC2 instance on AWS which was of type /20. No firewall running on both ends. – learnc Aug 18 '19 at 20:34
  • Don't think I can help. Nothing comes to mind. I suggest posting on Server Fault and including obfuscated configuration files of both server and client and as much debugging info as possible. – sunknudsen Aug 18 '19 at 20:37

1 Answer

Based on the log excerpt, strongSwan has an issue reaching the other peer. There is way too little information to provide an exact answer; the topology and addressing plan, the relevant AWS security group settings and both VPN peers' configuration are needed.

Still, please let me offer a few hints on what to do in order to successfully connect via VPN:

  1. UDP ports 500 and 4500 must be open on both VPN peers. In AWS, it means the AWS security group associated with the EC2 instance running strongSwan must contain explicit rules to allow incoming UDP traffic on ports 500 and 4500. An EC2 instance is always behind a NAT, so ESP/AH packets will be encapsulated in UDP packets.
  2. Any firewall on both VPN peers has to allow the UDP traffic mentioned in the previous point.
  3. Beware that the UDP encapsulation affects the MTU of the traffic going through the VPN connection.
GoodMirek
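As an added example (not code from the question, the answer or strongSwan), a small parser over constructed charon log lines shaped like the ones quoted above. It tracks retransmits per IKE message ID and whether any packet was ever received back, so you can tell "the peer never answered IKE_SA_INIT at all" (a reachability or UDP 500/4500 filtering problem, as the answer's first two points describe) from a failure that happens after the peer has replied. The log text, peer addresses and the `diagnose` function are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines shaped like the charon output in the question
# (addresses are documentation ranges, not real peers).
SAMPLE_LOG = """\
Aug 18 17:28:01 ip-x charon: 10[NET] sending packet: from 10.0.1.5[500] to 203.0.113.7[500] (334 bytes)
Aug 18 17:28:05 ip-x charon: 10[IKE] retransmit 1 of request with message ID 0
Aug 18 17:29:01 ip-x charon: 10[IKE] retransmit 2 of request with message ID 0
Aug 18 17:30:19 ip-x charon: 13[IKE] retransmit 5 of request with message ID 0
Aug 18 17:31:35 ip-x charon: 16[IKE] giving up after 5 retransmits
Aug 18 17:31:35 ip-x charon: 16[IKE] peer not responding, trying again (2/0)
"""

SENDING = re.compile(r"sending packet: from \S+\[\d+\] to (\S+)\[(\d+)\]")
RECEIVED = re.compile(r"received packet: from (\S+)\[(\d+)\]")
RETRANSMIT = re.compile(r"retransmit (\d+) of request with message ID (\d+)")
GIVE_UP = re.compile(r"giving up after (\d+) retransmits")
RETRY = re.compile(r"peer not responding, trying again \((\d+)/(\d+)\)")

def diagnose(log_text):
    """Classify why an IKE_SA did not come up, from charon log lines."""
    peer, ports, replies = None, set(), 0
    max_rt = defaultdict(int)  # message ID -> highest retransmit count seen
    gave_up, attempt, limit = False, None, None
    for line in log_text.splitlines():
        if m := SENDING.search(line):
            peer, ports = m.group(1), ports | {int(m.group(2))}
        if RECEIVED.search(line):
            replies += 1  # any inbound IKE packet means the peer is reachable
        if m := RETRANSMIT.search(line):
            n, mid = int(m.group(1)), int(m.group(2))
            max_rt[mid] = max(max_rt[mid], n)
        if GIVE_UP.search(line):
            gave_up = True
        if m := RETRY.search(line):
            attempt, limit = int(m.group(1)), int(m.group(2))  # limit 0 = keyingtries=0
    if gave_up and replies == 0 and set(max_rt) == {0}:
        # Message ID 0 is IKE_SA_INIT: no reply at all points at reachability
        # (UDP 500/4500 filtered, wrong peer address), not at the PSK or proposals.
        verdict = "no reply to IKE_SA_INIT: check UDP 500/4500 on both peers"
    elif gave_up:
        verdict = "peer replied at some point: failure is later than IKE_SA_INIT"
    else:
        verdict = "no retransmit failure found"
    return {"peer": peer, "ports": sorted(ports), "replies": replies,
            "max_retransmit": dict(max_rt), "gave_up": gave_up,
            "attempt": attempt, "unlimited_retries": limit == 0, "verdict": verdict}

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Feed it the real `charon` lines from syslog (or `ipsec start --nofork` output) to get the same summary for your own peer.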