Hi,
I hope someone can help me with a problem I am having setting up IPsec
transport mode between two CentOS 7 hosts. I have two hosts on the same subnet.
Both are using the same ipsec.conf:
config setup
	protostack=netkey
	dumpdir=/var/run/pluto/
	nat_traversal=yes

conn %default
	auto=start
	type=transport
	forceencaps=yes
	authby=secret
	ike=aes256-sha2;dh23
	phase2=esp
	phase2alg=aes256-sha2;dh23
	ikev2=insist
	failureshunt=drop
	ikelifetime=24h
	salifetime=12h
	rekey=yes
	rekeyfuzz=20%
	dpddelay=120
	dpdtimeout=120
	dpdaction=restart

include /etc/ipsec.d/*.conf
Then, in /etc/ipsec.d/nodes.conf on Host A:
conn node172.31.28.54
	left=172.31.28.53
	right=172.31.28.54
And on Host B:
conn node172.31.28.53
	left=172.31.28.54
	right=172.31.28.53
When I first start the two hosts, I cannot connect to Host B from Host A, or
vice versa (I test using ssh). However, if I first try to connect from Host A
to Host B (which fails), and then from Host B to Host A, the connection from B
to A succeeds, and subsequent connections from A to B also work. Going in the
opposite order produces the same result. The connections start working once I
have initiated a connection from each host.
My understanding was that it would be sufficient to set auto=start to ensure
the tunnels were up on startup.
These hosts are both in an AWS VPC, with a Security Group permitting UDP 500
and 4500.
I would appreciate any suggestions you could offer. Thanks! Dmitri
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
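A diagnostic that is not part of the original post: IPsec SAs are unidirectional, so the symptom described above (traffic flows only once each side has initiated) is worth checking against the kernel's SA table. The script below parses `ip xfrm state` output and reports whether a transport-mode ESP SA exists in both directions between the two hosts from the post. The sample output, the SPI and reqid values, and the elided keys are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of `ip xfrm state` on Host A (172.31.28.53): only the
# outbound SA is installed, so packets from Host B have no matching inbound SA.
# Keys are elided; SPI and reqid are made-up values.
SAMPLE_XFRM_STATE = """\
src 172.31.28.53 dst 172.31.28.54
\tproto esp spi 0x0a1b2c3d reqid 16389 mode transport
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha256) 0x<elided> 128
\tenc cbc(aes) 0x<elided>
\tencap type espinudp sport 4500 dport 4500 addr 0.0.0.0
\tsel src 172.31.28.53/32 dst 172.31.28.54/32
"""

SA_HEADER = re.compile(r"^src (\S+) dst (\S+)$")
SA_PROTO = re.compile(r"^\s*proto (\w+) spi (0x[0-9a-f]+) reqid (\d+) mode (\w+)")


def parse_xfrm_state(text: str) -> List[Dict[str, str]]:
    """One dict per SA: src, dst, proto, spi, mode, and whether it is UDP-encapsulated."""
    sas: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:  # an unindented "src ... dst ..." line starts a new SA
            sas.append({"src": m.group(1), "dst": m.group(2), "encap": "no"})
            continue
        if not sas:
            continue  # ignore anything before the first SA header
        m = SA_PROTO.match(line)
        if m:
            sas[-1].update(proto=m.group(1), spi=m.group(2), mode=m.group(4))
        elif line.strip().startswith("encap type espinudp"):
            sas[-1]["encap"] = "yes"  # ESP-in-UDP, as forced by forceencaps=yes
    return sas


def check_pair(sas: List[Dict[str, str]], a: str, b: str) -> Dict[str, object]:
    """Traffic between a and b needs a transport-mode ESP SA for a->b AND b->a."""
    present = {(s["src"], s["dst"]) for s in sas
               if s.get("proto") == "esp" and s.get("mode") == "transport"}
    wanted = [(a, b), (b, a)]
    missing = [d for d in wanted if d not in present]
    return {"present": [d for d in wanted if d in present],
            "missing": missing, "ok": not missing}


if __name__ == "__main__":
    import subprocess  # live check; falls back to the constructed sample
    out = subprocess.run(["ip", "xfrm", "state"], capture_output=True, text=True).stdout
    print(check_pair(parse_xfrm_state(out or SAMPLE_XFRM_STATE), "172.31.28.53", "172.31.28.54"))
```

Run it on each host after `ipsec restart` and before any ssh attempt; a `missing` direction on either side points at SA establishment rather than at the Security Group or the ssh daemon.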