I am building a small VPN from a remote site running pfSense to an AWS endpoint. I've beaten my head against the wall trying to figure this out and I am a little surprised to find very little helpfulness via Google. Almost everything relates to static IPs at both ends of a connection.
So I have a small AMI2 running with libreswan on it:

    [root@ip-10-2-0-11 ipsec.d]# ipsec --version
    Linux Libreswan 3.23 (netkey) on 4.14.123-111.109.amzn2.x86_64

And I have the following single config file:

    [root@ip-10-2-0-11 ipsec.d]# cat awsconnection.conf
    conn awsconnection
        type=tunnel
        authby=secret
        ikev2=insist
        # IKE (phase 1) and ESP (phase 2) proposals
        ike=aes256-sha1;modp1024
        phase2alg=aes_gcm256-null
        pfs=yes
        auto=add
        # left side
        left=%defaultroute
        leftid=[email protected]
        leftsubnet=192.168.8.0/24
        leftnexthop=%defaultroute
        # right side
        right=10.2.0.11
        rightid=34.X.Y.28
        rightsubnet=10.2.0.0/16
        rightsourceip=10.2.0.11
        rightnexthop=%defaultroute
        keyingtries=%forever

So then when I initiate the connection on the pfSense server, I get this in the logs:

    Aug 28 03:43:20.849823: | initial parent SA message received on 10.2.0.11:500 but no connection has been authorized with policy PSK+IKEV2_ALLOW
    Aug 28 03:43:20.849826: | find_host_connection me=10.2.0.11:500 him=73.109.32.142:500 policy=AUTHNULL+IKEV2_ALLOW
    Aug 28 03:43:20.849830: | find_host_pair: comparing 10.2.0.11:500 to <invalid>:500
    Aug 28 03:43:20.849833: | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW
    Aug 28 03:43:20.849836: | find_next_host_connection returns empty
    Aug 28 03:43:20.849839: | find_host_connection me=10.2.0.11:500 him=%any:500 policy=AUTHNULL+IKEV2_ALLOW
    Aug 28 03:43:20.849842: | find_host_pair: comparing 10.2.0.11:500 to <invalid>:500
    Aug 28 03:43:20.849845: | find_next_host_connection policy=AUTHNULL+IKEV2_ALLOW
    Aug 28 03:43:20.849848: | find_next_host_connection returns empty
    Aug 28 03:43:20.849863: | initial parent SA message received on 10.2.0.11:500 but no connection has been authorized with policy AUTHNULL+IKEV2_ALLOW
    Aug 28 03:43:20.849868: packet from 73.109.32.142:500: initial parent SA message received on 10.2.0.11:500 but no suitable connection found with IKEv2 policy
    Aug 28 03:43:20.849873: | skip start processing: state #0 (in complete_v2_state_transition() at ikev2.c:2331)
    Aug 28 03:43:20.849876: | #0 complete v2 state transition from STATE_UNDEFINED with v2N_NO_PROPOSAL_CHOSEN
    Aug 28 03:43:20.849882: | sending a notification reply
    Aug 28 03:43:20.849888: packet from 73.109.32.142:500: sending unencrypted notification v2N_NO_PROPOSAL_CHOSEN to 73.109.32.142:500
    Aug 28 03:43:20.849892: | **emit ISAKMP Message:
    Aug 28 03:43:20.849895: |    initiator cookie:
    Aug 28 03:43:20.849898: |    fa a4 f1 59 64 0b 25 38
    Aug 28 03:43:20.849901: |    responder cookie:
    Aug 28 03:43:20.849904: |    00 00 00 00 00 00 00 00
    Aug 28 03:43:20.849907: |    next payload type: ISAKMP_NEXT_v2N (0x29)
    Aug 28 03:43:20.849910: |    ISAKMP version: IKEv2 version 2.0 (rfc4306/rfc5996) (0x20)
    Aug 28 03:43:20.849914: |    exchange type: ISAKMP_v2_SA_INIT (0x22)
    Aug 28 03:43:20.849917: |    flags: ISAKMP_FLAG_v2_MSG_RESPONSE (0x20)
    Aug 28 03:43:20.849920: |    message ID:  00 00 00 00
    Aug 28 03:43:20.849924: | Adding a v2N Payload
    Aug 28 03:43:20.849927: | ***emit IKEv2 Notify Payload:
    Aug 28 03:43:20.849930: |    next payload type: ISAKMP_NEXT_v2NONE (0x0)
    Aug 28 03:43:20.849933: |    flags: none (0x0)
    Aug 28 03:43:20.849936: |    Protocol ID: PROTO_v2_RESERVED (0x0)
    Aug 28 03:43:20.849939: |    SPI size: 0 (0x0)
    Aug 28 03:43:20.849942: |    Notify Message Type: v2N_NO_PROPOSAL_CHOSEN (0xe)
    Aug 28 03:43:20.849946: | emitting length of IKEv2 Notify Payload: 8
    Aug 28 03:43:20.849949: | no IKEv1 message padding required
    Aug 28 03:43:20.849953: | emitting length of ISAKMP Message: 36
    Aug 28 03:43:20.849962: | sending 36 bytes for v2 notify through eth0:500 to 73.109.32.142:500 (using #0)
    Aug 28 03:43:20.849965: |   fa a4 f1 59 64 0b 25 38 00 00 00 00 00 00 00 00
    Aug 28 03:43:20.849968: |   29 20 22 20 00 00 00 00 00 00 00 24 00 00 00 08
    Aug 28 03:43:20.849971: |   00 00 00 0e
    Aug 28 03:43:20.849999: | state transition function for STATE_UNDEFINED failed: v2N_NO_PROPOSAL_CHOSEN
    Aug 28 03:43:20.850017: | processing: stop from 73.109.32.142:500 (in comm_handle() at demux.c:375)

I'm kind of at a loss. Anyone have any ideas?
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
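Editor's note, as an added example that is not part of the original post or any reply to it. The log above shows libreswan looking for a connection whose remote endpoint can match the peer (him=73.109.32.142:500, then him=%any:500), finding none, and answering IKE_SA_INIT with an unencrypted NO_PROPOSAL_CHOSEN before any proposal is compared. The posted conn pins right=10.2.0.11, which is the libreswan host's own address, so no loaded connection has a remote endpoint that a peer arriving from a dynamic address can match. A libreswan responder for this topology (EC2 instance behind 1:1 NAT with an Elastic IP, pfSense site on a dynamic address) would instead look like the following. The conn name, the identifier @site-pfsense, the DPD timers and the choice of sha2_256/modp2048 are assumptions made here; the addresses reuse the post's placeholders.

```conf
# /etc/ipsec.d/site-to-aws.conf  (added example, not the poster's file)
conn site-to-aws
    type=tunnel
    authby=secret
    ikev2=insist
    # Assumed proposals: SHA-1 and the 1024-bit MODP group from the post are
    # replaced with SHA-256 and modp2048; AES-GCM needs no separate integrity
    # algorithm, hence "-null" on the ESP side.
    ike=aes256-sha2_256;modp2048
    phase2alg=aes_gcm256-null
    pfs=yes
    # Local (left) side is the EC2 instance. Its interface carries the private
    # address, but the peer sees the Elastic IP after 1:1 NAT, so send the EIP
    # as our IKE identity rather than whatever %defaultroute resolves to.
    left=%defaultroute
    leftid=34.X.Y.28
    leftsubnet=10.2.0.0/16
    # Remote (right) side is the pfSense site on a dynamic address: accept the
    # IKE_SA_INIT from anywhere and bind the peer by its identifier instead.
    # @site-pfsense is an assumed name; it must equal the identifier pfSense
    # is configured to send in its phase 1 "My identifier" field.
    right=%any
    rightid=@site-pfsense
    rightsubnet=192.168.8.0/24
    # With right=%any this end can only respond, never initiate, so auto=add
    # (not auto=start). pfSense must bring the tunnel up.
    auto=add
    # Dead peer detection so a stale SA is torn down when the dynamic address
    # changes and pfSense reconnects from somewhere else (assumed timers).
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
```

The matching pre-shared key goes in a secrets file keyed by the two identifiers, for example a single line `34.X.Y.28 @site-pfsense : PSK "long-random-secret"` in /etc/ipsec.d/site-to-aws.secrets, and pfSense's phase 1 "Peer identifier" should be the Elastic IP so that both identities line up. Two things outside libreswan also have to be true for the tunnel to pass traffic: the instance's security group must allow UDP 500 and 4500 inbound (libreswan will detect the NAT during IKE_SA_INIT and move to UDP 4500 encapsulation), and the VPC route table needs a route for 192.168.8.0/24 to the instance with its source/destination check disabled.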
