I have to create an IPSec tunnel from Amazon to an ASA 5500. Below is the info I was provided on the ASA config:
Support Key Exchanged for Subnets: ON
IKE Encryption Method: AES256 SHA
IKE Diffie-Hellman Groups for Phase 1: Group 2 (1024 bit)
IKE (Phase-1) Timeout: 1440 Min
IPSEC Encryption Method: AES256 SHA
IPSEC (Phase-2) Timeout: 3600 Sec
PFS (Perfect Forward Secrecy): Disabled
Keepalive: Disabled
I set up libreswan on a CentOS 7 EC2 instance. This is what I have for the Libreswan connection config:
conn ipsec
    type=tunnel
    authby=secret
    remote_peer_type=cisco
    initial-contact=yes
    rekey=yes
    pfs=no
    ikelifetime=1440m
    salifetime=60m
    ike=aes256-sha1;dh2
    phase2alg=aes256-sha1;modp1024
    aggrmode=no
I've successfully created a tunnel to another libreswan instance in a separate AWS VPN and can pass traffic, but when I point to the ASA, I don't seem to be even getting past the IKE phase, based on this ipsec status:
000 Total IPsec connections: loaded 1, active 0
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(1), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
000
000 #1: "ipsec":4500 STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_v1_RETRANSMIT in 12s; nodpd; idle; import:admin initiate
000 #1: pending Phase 2 for "ipsec" replacing #0
I know the preshared key is correct, but I'm at a loss. For starters, do I at least have the correct libreswan config based on the ASA config?
I'm banging my head against the wall here and am willing to pay if someone knowledgeable can give some direction.
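Checking the conn block against the ASA parameter sheet line by line, as an added example (not code from the post or from Libreswan): it re-types both as constructed strings, normalises lifetimes and algorithm names, and reports every disagreement, including the one thing the sheet alone cannot show, a DH group named in phase2alg while pfs=no. The group table and the unit map are assumptions covering only the values used here.

```python
import re

# Constructed copies of the ASA parameter sheet and libreswan conn quoted in the post.
ASA_SHEET = """IKE Encryption Method: AES256 SHA
IKE Diffie-Hellman Groups for Phase 1: Group 2 (1024 bit)
IKE (Phase-1) Timeout: 1440 Min
IPSEC Encryption Method: AES256 SHA
IPSEC (Phase-2) Timeout: 3600 Sec
PFS (Perfect Forward Secrecy): Disabled"""
LIBRESWAN_CONN = """conn ipsec
    pfs=no
    ikelifetime=1440m
    salifetime=60m
    ike=aes256-sha1;dh2
    phase2alg=aes256-sha1;modp1024"""
# Assumed group-name to modulus-size table; extend it for the groups you use.
DH_BITS = {"dh2": 1024, "modp1024": 1024, "dh5": 1536, "modp1536": 1536, "dh14": 2048, "modp2048": 2048}
UNIT = {"": 1, "s": 1, "sec": 1, "m": 60, "min": 60, "h": 3600}

def parse_sheet(text):
    return {k.strip(): v.strip() for k, v in (ln.split(":", 1) for ln in text.splitlines())}
def parse_conn(text):                       # skip the "conn <name>" header line
    pairs = (ln.strip().partition("=") for ln in text.splitlines()[1:])
    return {k: v for k, _, v in pairs if k}
def seconds(value):                         # "1440 Min", "3600 Sec", "1440m", "60m", "1h"
    num, unit = re.match(r"(\d+)\s*([A-Za-z]*)", value).groups()
    return int(num) * UNIT[unit.lower()]
def sheet_alg(value):                       # "AES256 SHA" -> libreswan "aes256-sha1"
    enc, hsh = value.lower().split()
    return f"{enc}-{'sha1' if hsh == 'sha' else hsh}"

def check(sheet_text, conn_text):
    """Return mismatches between the ASA sheet and the libreswan conn (empty list = consistent)."""
    s, c = parse_sheet(sheet_text), parse_conn(conn_text)
    ike_alg, _, ike_dh = c["ike"].partition(";")
    esp_alg, _, esp_dh = c["phase2alg"].partition(";")
    asa_bits = int(re.search(r"\((\d+) bit\)", s["IKE Diffie-Hellman Groups for Phase 1"]).group(1))
    pfs_on = s["PFS (Perfect Forward Secrecy)"].lower() != "disabled"
    checks = [  # (label, ASA value, libreswan value)
        ("phase1 alg", sheet_alg(s["IKE Encryption Method"]), ike_alg),
        ("phase1 DH bits", asa_bits, DH_BITS.get(ike_dh)),
        ("phase1 lifetime", seconds(s["IKE (Phase-1) Timeout"]), seconds(c["ikelifetime"])),
        ("phase2 alg", sheet_alg(s["IPSEC Encryption Method"]), esp_alg),
        ("phase2 lifetime", seconds(s["IPSEC (Phase-2) Timeout"]), seconds(c["salifetime"])),
        ("pfs", pfs_on, c.get("pfs", "yes") == "yes"),
    ]
    findings = [f"{label}: ASA {a!r} vs libreswan {b!r}" for label, a, b in checks if a != b]
    if not pfs_on and esp_dh:               # a phase 2 DH group is exactly what PFS means
        findings.append(f"pfs=no but phase2alg names DH group {esp_dh}")
    return findings
```

Run against the values from the post, the only finding is the pfs=no versus modp1024 contradiction; a phase 1 that stalls at MI3/MR3 is a separate question this check does not answer.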