AWS Site-to-Site VPN


Hello,

I created an AWS Site-to-Site VPN connection between my local network and an AWS VPC and installed the libreswan package. After starting the ipsec service, it can't connect to tunnel 1. What could be the problem? OS: Ubuntu 18.04.6 LTS, libreswan 3.29 package.

Output:

Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: DH algorithms:
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: NONE IKEv1: IKEv2: IKE ESP AH FIPS null, dh0
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: MODP1024 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh2
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: MODP1536 IKEv1: IKE ESP AH IKEv2: IKE ESP AH dh5
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: MODP2048 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh14
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: MODP3072 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh15
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: MODP4096 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh16
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: MODP6144 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh17
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: MODP8192 IKEv1: IKE ESP AH IKEv2: IKE ESP AH FIPS dh18
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: DH19 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_256, ecp256
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: DH20 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_384, ecp384
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: DH21 IKEv1: IKE IKEv2: IKE ESP AH FIPS ecp_521, ecp521
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: DH31 IKEv1: IKE IKEv2: IKE ESP AH curve25519
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: 1 CPU cores online
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: starting up 1 crypto helpers
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: started thread for crypto helper 0
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: Using Linux XFRM/NETKEY IPsec interface code on 4.15.0-197-generic
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: selinux support is NOT enabled.
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: watchdog: sending probes every 100 secs
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: seccomp security not supported
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: seccomp security for crypto helper not supported
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: added connection description "Tunnel1"
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: listening for IKE messages
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: Kernel supports NIC esp-hw-offload
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: adding interface ens160/ens160 (esp-hw-offload=no) 192.168.55.18:500
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: adding interface ens160/ens160 192.168.50.18:4500
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: Kernel supports NIC esp-hw-offload
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: adding interface lo/lo (esp-hw-offload=no) 127.0.0.1:500
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: adding interface lo/lo 127.0.0.1:4500
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: Kernel supports NIC esp-hw-offload
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: adding interface lo/lo (esp-hw-offload=no) ::1:500
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: loading secrets from "/etc/ipsec.secrets"
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: loading secrets from "/etc/ipsec.d/aws.secrets"
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: initiating v2 parent SA
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: "Tunnel1": constructed local IKE proposals for Tunnel1 (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_CBC_128;PRF=HMAC
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: STATE_PARENT_I1: retransmission; will wait 0.5 seconds for response
Nov 25 07:55:23 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: STATE_PARENT_I1: retransmission; will wait 1 seconds for response
Nov 25 07:55:24 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: STATE_PARENT_I1: retransmission; will wait 2 seconds for response
Nov 25 07:55:26 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: STATE_PARENT_I1: retransmission; will wait 4 seconds for response
Nov 25 07:55:30 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: STATE_PARENT_I1: retransmission; will wait 8 seconds for response
Nov 25 07:55:38 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: STATE_PARENT_I1: retransmission; will wait 16 seconds for response

Thanks in advance.
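The log above shows "Tunnel1" stuck in STATE_PARENT_I1 with an exponential retransmit back-off, i.e. the IKEv2 IKE_SA_INIT request is sent repeatedly and no reply ever arrives. In IKEv2 the pre-shared key is only used in the later IKE_AUTH exchange, so this particular pattern points at reachability (peer address, upstream filtering, NAT forwarding) rather than at the key itself; a wrong PSK shows up as a rejected IKE_AUTH instead. The following triage script is an added example, not code from the question or from libreswan: it parses pluto log lines of the shape shown in the post, tracks the last state each connection reached, counts unanswered retransmissions, and maps the pattern to a diagnosis. The sample log lines are constructed for the example (the first set mirrors the post, the second shows what a PSK mismatch looks like).

```python
"""Triage pluto (libreswan) log lines for a Site-to-Site VPN tunnel that will not come up.

Added example, not code from the original post. Lines look like
'<date> <host> pluto[<pid>]: "<conn>" #<n>: <message>'.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Only lines that carry a connection name matter for tunnel triage.
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)"(?: #\d+)?: (?P<msg>.*)$')
STATE_RE = re.compile(r"\b(STATE_[A-Z0-9_]+)\b")
RETRANS_RE = re.compile(r"retransmission; will wait (?P<secs>[\d.]+) seconds")


@dataclass
class TunnelStatus:
    conn: str
    last_state: Optional[str] = None
    retransmissions: int = 0      # retransmits seen while in last_state
    waited_secs: float = 0.0      # cumulative back-off announced by pluto
    auth_failed: bool = False
    established: bool = False


def parse_pluto_log(lines: List[str]) -> Dict[str, TunnelStatus]:
    """Fold log lines into one TunnelStatus per connection name."""
    status: Dict[str, TunnelStatus] = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                        # daemon start-up noise, interface adds, ...
        st = status.setdefault(m["conn"], TunnelStatus(m["conn"]))
        msg = m["msg"]
        sm = STATE_RE.search(msg)
        if sm and sm.group(1) != st.last_state:
            st.last_state = sm.group(1)     # new state: restart the retransmit counter
            st.retransmissions = 0
            st.waited_secs = 0.0
        rm = RETRANS_RE.search(msg)
        if rm:
            st.retransmissions += 1
            st.waited_secs += float(rm["secs"])
        if "AUTHENTICATION_FAILED" in msg:
            st.auth_failed = True
        if "IPsec SA established" in msg:
            st.established = True
    return status


def diagnose(st: TunnelStatus) -> str:
    """Map the observed IKEv2 state/retransmit pattern to the most likely cause."""
    if st.established:
        return "established"
    if st.auth_failed:
        return "authentication failed at IKE_AUTH: pre-shared key or IDs do not match"
    if st.last_state == "STATE_PARENT_I1" and st.retransmissions:
        # IKE_SA_INIT carries no authentication, so a wrong PSK cannot cause this;
        # the first UDP/500 packet, or its reply, is simply not getting through.
        return (f"no IKE_SA_INIT reply after {st.retransmissions} retransmissions "
                f"({st.waited_secs:g}s): check the peer address, upstream firewall "
                "and NAT forwarding of UDP 500/4500 and ESP")
    if st.last_state == "STATE_PARENT_I2" and st.retransmissions:
        return "IKE_SA_INIT answered but IKE_AUTH unanswered: check UDP/4500 forwarding (NAT-T)"
    return f"inconclusive (last state {st.last_state})"


def triage(lines: List[str]) -> Dict[str, str]:
    """Convenience wrapper: connection name -> diagnosis string."""
    return {name: diagnose(st) for name, st in parse_pluto_log(lines).items()}


# Constructed sample 1: the retransmit loop from the post, trimmed to the relevant lines.
SAMPLE_NO_REPLY = [
    'Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: listening for IKE messages',
    'Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: initiating v2 parent SA',
    'Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: STATE_PARENT_I1: sent v2I1, expected v2R1',
    'Nov 25 07:55:22 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: STATE_PARENT_I1: retransmission; will wait 0.5 seconds for response',
    'Nov 25 07:55:23 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: STATE_PARENT_I1: retransmission; will wait 1 seconds for response',
    'Nov 25 07:55:24 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: STATE_PARENT_I1: retransmission; will wait 2 seconds for response',
]
# Constructed sample 2: the peer answers IKE_SA_INIT but rejects the pre-shared key.
SAMPLE_BAD_PSK = [
    'Nov 25 08:01:02 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: STATE_PARENT_I1: sent v2I1, expected v2R1',
    'Nov 25 08:01:02 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: STATE_PARENT_I2: sent v2I2, expected v2R2',
    'Nov 25 08:01:02 aws-vpn-p-1 pluto[4468]: "Tunnel1" #1: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED',
]

if __name__ == "__main__":
    for label, sample in (("no reply", SAMPLE_NO_REPLY), ("bad psk", SAMPLE_BAD_PSK)):
        print(label, triage(sample))
```

On a live host the same function can be fed with `journalctl -u ipsec --no-pager` output; the counter resets whenever pluto reports a new state, so a tunnel that progresses to STATE_PARENT_I2 and then stalls is classified separately from one that never gets an IKE_SA_INIT reply.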

3 Answers

Unfortunately there is no data in the Site-to-Site VPN logs.

> If not, I would check that the IP address and pre-shared key are configured correctly - if they aren't (in general) the remote end of an IPSEC tunnel won't respond.

Could you please elaborate on how I can do this?

I have a public address assigned to another VM, and forwarding of ports 500/udp and 4500/udp is configured there via nginx to the VM where ipsec is running (libreswan package).

answered a year ago
  • Checking the IP address and pre-shared key is a matter of looking in your configuration files. If you are doing NAT in between your VPN termination point and AWS then I'd also look at the logs there. Note that forwarding UDP 500 and 4500 isn't enough - you also need to forward IP protocol 50 (ESP) and maybe 51 (AH). These are not TCP or UDP ports, they are IP protocols.


It seems to be doing the right thing but is getting no response. Are you seeing anything in the Site-to-site VPN Logs?

If not, I would check that the IP address and pre-shared key are configured correctly - if they aren't (in general) the remote end of an IPSEC tunnel won't respond.

AWS Expert, answered a year ago

Hello,

If you have any firewall upstream of the VPN appliance, please make sure it allows ingress traffic for UDP:500 (and UDP:4500, if you are using NAT traversal) from the AWS VPN endpoint public IPs.

AWS Expert, answered a year ago
