I am experiencing the following issue when setting up an IPsec site-to-site VPN connection:

Initially everything works fine, but after some period of inactivity (I still need to figure out when it happens), when I check the status of the VPN connection/tunnel on both sides, everything looks OK:
Cisco RV042 status "Connected", strongSwan SA (connection) - Up.

But I can't ping from the Cisco side to strongSwan; pinging is restored only after the Cisco side is pinged from the strongSwan side.

Generating INFORMATIONAL_V1 request 3168494568
Received packet: fto (76 bytes)

And there are no errors at all; it looks good, but in reality it is far from OK.

Is this a Cisco-side problem, strongSwan, or both?

Local Group: IP+Domain Name Authentication

I have set up a site-to-site VPN tunnel between EdgeRouter and this strongSwan, everything works as expected, but they are both strongSwan.
Cisco-EdgeRouter is experiencing the same issues as described above.
But Cisco-Cisco and Cisco-other (non-strongSwan) are quite stable.

strongSwan is running on AWS EC2 Ubuntu 18.04.
Firewall - Security Groups, therefore I am using iptables for NAT POSTROUTING only.

I do not see any problems with routing; when a VPN tunnel is established, ping and other data transmissions work in both directions.
The last time I restarted/re-established a VPN connection from the Cisco side was at 8:03 am.

You will find 2 connections in the conf:
Conn1: AWS strongSwan - Cisco RV042 (ikev1), the one that is not working properly
Conn2: AWS strongSwan - Ubiquiti EdgeRouter (ikev2), which works with no issues (that means, at least to me, there are no configuration errors on the EC2 instance at the network level)

I have tested a Cisco RV042 - AWS site-to-site VPN connection (virtual private gateway - customer gateway) with no issues at all.

What do these records from charon_debug mean?:

Tue, 08:00 07 received retransmit of response with ID 0, but next request already sent
Tue, 08:00 08 sending keep alive to 69.x.11.169
Tue, 08:00 16 received unsupported IKE version 13.5 from 24.x.88.72, sending INVALID_MAJOR_VERSION
Tue, 08:00 16 generating INFORMATIONAL response 0

That these messages are neither IKEv1 nor IKEv2. Seems strange that the peer would send such stuff from/to port 500 (which is reserved for IKE) unless this is some proprietary Cisco crap (or the messages got mangled, but that would be in a strangely consistent way, so most unlikely).

Doesn't look like either side tries to initiate an SA at that time. However, at 07:31 there is a failed reauthentication: the Cisco box suddenly denies knowing the IKE_SA strongSwan is creating when it receives the last Main Mode message. The same happens repeatedly after 5 retransmits of such a message (reauth retries are at 07:34, 07:37, 07:39 and so on). The original IKE_SA is actually deleted at 07:40 (presumably because it expired). At 08:01 the peer initiates a new SA that gets established successfully. Note that strongSwan does not actually stop its attempts to reauthenticate the original SA, and these retries continue to fail for some reason. Why the peer would behave so strangely when handling the reauthentication you'd have to ask Cisco. You might be able to work around the issue by disabling rekeying completely (rekey=no) and let the peer recreate the SAs (if it feels like doing so).

Just one question about re-keying with my setup. I have noticed that re-keying was successful (in the attached log) every hour (within margintime) until the re-authentication (every 8 hours) failed at 7:31.
At 23:54 (4-30) was the first recorded successful re-authentication (in this log), and the next re-authentication attempt was made at 7:40 (4-30), but it failed due to the problem at 7:31.
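The thread turns on reading charon's log for two separate symptoms: an IKEv1 reauthentication that the peer stops answering (retransmits exhausted, IKE_SA later deleted) and non-IKE packets arriving on UDP/500 (the "unsupported IKE version 13.5" lines). As an added example, not code from the thread or from strongSwan, here is a small triage script that flags both over a constructed log excerpt; the sample lines, the connection name and the IP addresses are made up, modelled on the quoted messages, and the "Tue, HH:MM SS" prefix is assumed to be exactly the format shown above.

```python
import re
from collections import Counter

# Constructed sample, modelled on the charon lines quoted in the thread and on
# charon's "retransmit"/"giving up"/"deleting IKE_SA" messages; not a real capture.
SAMPLE_LOG = """\
Tue, 07:31 02 retransmit 1 of request with message ID 0
Tue, 07:31 09 retransmit 2 of request with message ID 0
Tue, 07:33 40 giving up after 5 retransmits
Tue, 07:40 11 deleting IKE_SA cisco-rv042[7] between 10.0.1.10[10.0.1.10]...24.x.88.72[24.x.88.72]
Tue, 08:00 07 received retransmit of response with ID 0, but next request already sent
Tue, 08:00 08 sending keep alive to 69.x.11.169
Tue, 08:00 16 received unsupported IKE version 13.5 from 24.x.88.72, sending INVALID_MAJOR_VERSION
Tue, 08:00 16 generating INFORMATIONAL response 0
"""

# Timestamp prefix exactly as it appears in the quoted lines ("Tue, 08:00 16").
LINE = re.compile(r"^(\w{3}), (\d\d:\d\d \d\d) (.*)$")

# Each pattern names one condition worth alerting on; everything else is noise here.
PATTERNS = {
    "retransmit_exhausted": re.compile(r"giving up after (\d+) retransmits"),
    "ike_sa_deleted": re.compile(r"deleting IKE_SA (\S+) between"),
    "bogus_ike_version": re.compile(r"received unsupported IKE version (\S+) from ([^\s,]+)"),
    "stale_response": re.compile(r"received retransmit of response with ID (\d+), but next request already sent"),
}

def parse_line(line):
    """Return (timestamp, event, captured groups) or None for lines we do not flag."""
    m = LINE.match(line)
    if not m:
        return None
    _day, ts, msg = m.groups()
    for event, pat in PATTERNS.items():
        hit = pat.search(msg)
        if hit:
            return ts, event, hit.groups()
    return None

def triage(log):
    """Count flagged events and return short verdicts for the operator."""
    events = [e for e in map(parse_line, log.splitlines()) if e]
    counts = Counter(event for _, event, _ in events)
    verdicts = []
    if counts["retransmit_exhausted"]:
        verdicts.append("peer stopped answering an exchange: IKEv1 reauth/rekey is failing, "
                        "check whether the IKE_SA was later deleted and consider rekey=no")
    if counts["bogus_ike_version"]:
        srcs = sorted({g[1] for _, ev, g in events if ev == "bogus_ike_version"})
        verdicts.append("non-IKE payloads arriving on UDP/500 from " + ", ".join(srcs))
    return counts, verdicts
```

Running `triage(SAMPLE_LOG)` on the sample yields one hit per pattern and two verdicts; the keep-alive and plain retransmit lines are deliberately not flagged, since on their own they are normal.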