I have to create an IPSec tunnel from Amazon to an ASA 5500. Below is the info I was provided on the ASA config:

    Support Key Exchanged for Subnets: ON
    IKE Encryption Method: AES256 SHA
    IKE Diffie-Hellman Groups for Phase 1: Group 2 (1024 bit)
    IKE (Phase-1) Timeout: 1440 Min
    IPSEC Encryption Method: AES256 SHA
    IPSEC (Phase-2) Timeout: 3600 Sec
    PFS (Perfect Forward Secrecy): Disabled
    Keepalive: Disabled

I set up libreswan on a CentOS 7 EC2 instance. This is what I have for the Libreswan connection config:

    conn ipsec
        type=tunnel
        authby=secret
        remote_peer_type=cisco
        initial-contact=yes
        rekey=yes
        pfs=no
        ikelifetime=1440m
        salifetime=60m
        ike=aes256-sha1;dh2
        phase2alg=aes256-sha1;modp1024
        aggrmode=no

I've successfully created a tunnel to another libreswan instance in a separate AWS VPN and can pass traffic, but when I point to the ASA I don't seem to even be getting past the IKE phase, based on this ipsec status:

    000 Total IPsec connections: loaded 1, active 0
    000
    000 State Information: DDoS cookies not required, Accepting new IKE connections
    000 IKE SAs: total(1), half-open(0), open(1), authenticated(0), anonymous(0)
    000 IPsec SAs: total(0), authenticated(0), anonymous(0)
    000
    000 #1: "ipsec":4500 STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_v1_RETRANSMIT in 12s; nodpd; idle; import:admin initiate
    1: pending Phase 2 for "ipsec" replacing #0

I know the preshared key is correct but I'm at a loss. For starters, do I at least have the correct libreswan config based on the ASA config? I'm banging my head against the wall here and am willing to pay if someone knowledgeable can give some direction.
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
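A small diagnostic helper, added here as an editor's example and not part of the original post: it parses the state lines of the `ipsec status` output quoted above and maps a retransmitting IKEv1 main-mode state to its usual cause (MI3 is the first encrypted message, so a responder that never answers it typically could not authenticate the initiator's ID with the PSK it looked up). The sample status text is constructed from the post, the hint table follows the IKEv1 main-mode message sequence, and `parse_ike_states` and `diagnose` are hypothetical names.

```python
import re

# Constructed sample, modelled on the post's "ipsec status" output, so the script runs offline.
SAMPLE_STATUS = """\
000 IKE SAs: total(1), half-open(0), open(1), authenticated(0), anonymous(0)
000 #1: "ipsec":4500 STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_v1_RETRANSMIT in 12s; nodpd; idle; import:admin initiate
000 #1: pending Phase 2 for "ipsec" replacing #0
"""

# Likely cause when an IKEv1 main-mode initiator keeps retransmitting at a given state.
# MI3 carries ID + HASH encrypted; a responder that cannot authenticate it drops it silently.
MAIN_MODE_HINTS = {
    "STATE_MAIN_I1": "no MR1: peer unreachable, UDP/500 filtered, or no acceptable Phase 1 proposal",
    "STATE_MAIN_I2": "no MR2: proposal accepted but the KE/nonce exchange went unanswered",
    "STATE_MAIN_I3": "no MR3: encrypted ID/HASH not accepted, usually PSK or peer-ID mismatch",
}

STATE_RE = re.compile(
    r'^000 #(?P<sa>\d+): "(?P<conn>[^"]+)"(?::(?P<port>\d+))? (?P<state>STATE_\w+) '
    r"\((?P<detail>[^)]*)\);(?P<rest>.*)$"
)

def parse_ike_states(status_text):
    """Return one dict per '#N: "conn" STATE_...' line of 'ipsec status' output."""
    states = []
    for line in status_text.splitlines():
        m = STATE_RE.match(line)
        if not m:
            continue  # summary lines and 'pending Phase 2' lines carry no state
        retrans = re.search(r"EVENT_v1_RETRANSMIT in (\d+)s", m.group("rest"))
        states.append({
            "sa": int(m.group("sa")),
            "conn": m.group("conn"),
            "state": m.group("state"),
            "nat_t": m.group("port") == "4500",  # UDP/4500 means NAT-T was detected
            "retransmit_in": int(retrans.group(1)) if retrans else None,
        })
    return states

def diagnose(status_text):
    """Map each retransmitting Phase 1 state to a likely cause, as (sa, state, hint)."""
    findings = []
    for st in parse_ike_states(status_text):
        if st["retransmit_in"] is None or st["state"] not in MAIN_MODE_HINTS:
            continue
        hint = MAIN_MODE_HINTS[st["state"]]
        if st["nat_t"]:
            hint += "; behind NAT, so check that leftid matches the ID the peer expects"
        findings.append((st["sa"], st["state"], hint))
    return findings
```

Running `diagnose(SAMPLE_STATUS)` on the post's output flags SA #1 at STATE_MAIN_I3 with the PSK/peer-ID hint; feed it the real `ipsec status` text to check a live tunnel.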
