
Hi, I am trying to set up site-to-site VPN tunneling on AWS VMs. Below are my ipsec.conf files for both VMs.

VM-1 (assume IP address: 1.2.3.4)

conn %default
    lifetime=60m
    mobike=no
    keyexchange=ikev2
    authby=secret
    type=transport
    auto=start

conn gateway-1
    left=1.2.3.4
    leftid=1.2.3.4
    leftfirewall=yes
    right=1.2.4.5
    rightid=1.2.4.5
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    leftauth=secret
    rightauth=secret
    type=transport
    auto=start


VM-2 (assume IP address: 1.2.3.5)

conn %default
    lifetime=60m
    mobike=no
    keyexchange=ikev2
    authby=secret
    type=transport
    auto=start

conn gateway-2
    left=1.2.3.5
    leftid=1.2.3.5
    leftfirewall=yes
    right=1.2.4.4
    rightid=1.2.4.4
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    leftauth=secret
    rightauth=secret
    type=transport
    auto=start

On both machines I have started strongSwan with the strongswan start command.

When I try to run strongswan up gateway-1 from VM-1 I get:

initiating IKE_SA aaa[3] to 1.2.3.5
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 1.2.3.4[500] to 1.2.3.5[500] (336 bytes)
received packet: from 1.2.3.5[500] to 1.2.3.4[500] (36 bytes)
parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN notify error
establishing connection 'gateway-1' failed

I am not sure what I am missing here.

  • If VM2 is using 1.2.3.5 as its IP address as well as its IKE ID, why isn't VM1 configured to accept that – why does it have right[id]=1.2.4.5 instead? Commented Sep 29, 2022 at 3:56
  • Thank you for your response. Can you please give an example? I am new to this. What is an IKE ID?
    – ppb
    Commented Sep 29, 2022 at 4:01

IKE proposals are first matched by the initiator and responder IDs (IDi/IDr), which work a lot like TLS SNI or the HTTP Host header – the initiator says "I'm <leftid> and I want to speak with <rightid>" and the responder tries to find a configuration matching these IDs (either as leftid/rightid or as rightid/leftid).

But currently your defined connections have IDs that do not match each other at all – e.g. VM2 claims to be 1.2.3.5, yet VM1 is configured to ask for 1.2.4.5 for some reason:

VM 1                          VM 2
-------------------           -------------------
conn gateway-1                conn gateway-2
    leftid=1.2.3.4       /--     leftid=1.2.3.5
    rightid=1.2.4.5   --/        rightid=1.2.4.4

(Note that the IDs are used for matching only, so they don't actually need to be in IP address format – it may be easier to understand this if you use domain-format IDs, e.g. leftid=gateway1.example.com.)

Note that strongSwan no longer recommends the ipsec.conf style; you should take the opportunity to rewrite this for swanctl instead.

  • Thank you for the detailed information. With swanctl, how can I start the service, like strongswan start? How can I install strongswan.swanctl.service?
    – ppb
    Commented Sep 29, 2022 at 5:15
  • Depends on distro, e.g. on Arch it used to be strongswan-swanctl.service (but then it got renamed to regular strongswan.service), on Debian it's in a "charon-systemd" package, etc. Migration from ipsec.conf to swanctl is not required, but I would still recommend it as the swanctl config files can be easier to understand. Commented Sep 29, 2022 at 5:51
  • As another note, modp1024 (i.e. 1024-bit DH) is considered quite weak nowadays. If traditional DH is needed then use at least modp2048 (preferably modp3072), however, strongSwan supports ECDH, so ecp256 or curve25519 are much better choices. Commented Sep 29, 2022 at 5:54
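The answer and the last comment make two points that are easy to verify mechanically: each side's right/rightid must be the other side's left/leftid, and modp1024 should not be in the ike= proposal. Below is an added example (not code from the question, the answer or the strongSwan project) that parses both ipsec.conf files, applies conn %default inheritance, and reports every non-mirrored address or ID and every weak DH group. The two "as posted" config strings are copied from the question; the "corrected" pair, the domain-style IDs gateway1.example.com / gateway2.example.com and the choice of curve25519 are assumptions for illustration. A strongSwan responder picks a config by the peer's source address at IKE_SA_INIT and by IDi/IDr at IKE_AUTH, so a mismatch at the first step is answered with NO_PROPOSAL_CHOSEN, exactly as in the question's log.

```python
"""Lint a pair of strongSwan ipsec.conf peers for non-mirrored addresses/IDs
and weak DH groups. Added example; not code from strongSwan or the page."""
import re

# DH groups strongSwan still accepts but that the comment above calls too weak.
WEAK_DH_GROUPS = {"modp768", "modp1024", "modp1536"}
DH_GROUP_RE = re.compile(r"modp\d+(s\d+)?|ecp\d+(bp)?|x25519|x448|curve25519|curve448")

# Constructed sample input: the two conn blocks from the question (broken, as posted).
VM1_CONF = """\
conn %default
    keyexchange=ikev2
    authby=secret

conn gateway-1
    left=1.2.3.4
    leftid=1.2.3.4
    right=1.2.4.5
    rightid=1.2.4.5
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
"""
VM2_CONF = """\
conn gateway-2
    left=1.2.3.5
    leftid=1.2.3.5
    right=1.2.4.4
    rightid=1.2.4.4
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
"""
# Constructed corrected pair (hypothetical IDs): each side's right/rightid is the
# other's left/leftid, and the DH group is curve25519 instead of modp1024.
VM1_FIXED = """\
conn gateway-1
    left=1.2.3.4
    leftid=gateway1.example.com
    right=1.2.3.5
    rightid=gateway2.example.com
    ike=aes256-sha256-curve25519!
    esp=aes256-sha256!
"""
VM2_FIXED = """\
conn gateway-2
    left=1.2.3.5
    leftid=gateway2.example.com
    right=1.2.3.4
    rightid=gateway1.example.com
    ike=aes256-sha256-curve25519!
    esp=aes256-sha256!
"""


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' settings merged in."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    defaults = sections.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in sections.items()}


def effective(conn, key):
    """leftid/rightid default to the left/right address when not set explicitly."""
    if key in ("leftid", "rightid") and key not in conn:
        return conn.get(key[:-2])
    return conn.get(key)


def dh_groups(proposal):
    """DH group names in an ike= string such as 'aes256-sha1-modp1024!'."""
    algs = (alg for suite in proposal.rstrip("!").split(",") for alg in suite.split("-"))
    return {alg for alg in algs if DH_GROUP_RE.fullmatch(alg)}


def check_peers(a, b):
    """Problems between two conn dicts; an empty list means they mirror each other.
    The responder selects a config by peer address (IKE_SA_INIT) and then by
    IDi/IDr (IKE_AUTH), so A.right == B.left, A.rightid == B.leftid, and vice versa."""
    problems = []
    for mine, theirs in (("left", "right"), ("right", "left"),
                         ("leftid", "rightid"), ("rightid", "leftid")):
        if effective(a, mine) != effective(b, theirs):
            problems.append(f"A.{mine}={effective(a, mine)} != B.{theirs}={effective(b, theirs)}")
    for label, conn in (("A", a), ("B", b)):
        weak = dh_groups(conn.get("ike", "")) & WEAK_DH_GROUPS
        if weak:
            problems.append(f"{label}.ike uses weak DH group: {', '.join(sorted(weak))}")
    return problems


def audit(conf_a, conn_a, conf_b, conn_b):
    """Parse both files and cross-check the named conn blocks."""
    return check_peers(parse_ipsec_conf(conf_a)[conn_a], parse_ipsec_conf(conf_b)[conn_b])


if __name__ == "__main__":
    for label, args in (("as posted", (VM1_CONF, "gateway-1", VM2_CONF, "gateway-2")),
                        ("corrected", (VM1_FIXED, "gateway-1", VM2_FIXED, "gateway-2"))):
        found = audit(*args)
        print(f"{label}: {len(found)} problem(s)", *found, sep="\n  ")
```

Run against the configs as posted it reports four non-mirrored values (left, right, leftid and rightid on each side) plus modp1024 on both peers; against the corrected pair it reports nothing. The same check works for swanctl.conf once the local/remote addrs and ids are read into the same left/right keys.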
