Netgate Discussion Forum
    Can't get past IPSEC for Amazon VPC setup

    gilry:

      Trying to set up an Amazon VPC connection using 2.0-RC3. I've followed the instructions here "http://seattleit.net/blog" but I can't get my IPsec connections to establish. Here is my IPsec log:

      Jul 7 17:47:20 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
      Jul 7 17:47:26 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 72.21.209.225[500] (1).
      Jul 7 17:47:30 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
      Jul 7 17:47:36 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 72.21.209.225[500] (1).
      Jul 7 17:47:40 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
      Jul 7 17:47:46 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 72.21.209.225[500] (1).
      Jul 7 17:47:50 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
      Jul 7 17:47:51 racoon: ERROR: phase1 negotiation failed due to time up. 23dd9fb19e5e863c:31ad937a523d3536
      Jul 7 17:47:55 racoon: ERROR: phase1 negotiation failed due to time up. 2b94e6ef380bc8c0:6848734845e582b2
      Jul 7 17:48:01 racoon: [VPC]: INFO: respond new phase 1 negotiation: 141.202.232.222[500]<=>72.21.209.225[500]
      Jul 7 17:48:01 racoon: INFO: begin Identity Protection mode.
      Jul 7 17:48:01 racoon: INFO: received Vendor ID: DPD
      Jul 7 17:48:01 racoon: WARNING: SPI size isn't zero, but IKE proposal.
      Jul 7 17:48:05 racoon: [VPC]: INFO: respond new phase 1 negotiation: 141.202.232.222[500]<=>72.21.209.193[500]
      Jul 7 17:48:05 racoon: INFO: begin Identity Protection mode.
      Jul 7 17:48:05 racoon: INFO: received Vendor ID: DPD
      Jul 7 17:48:05 racoon: WARNING: SPI size isn't zero, but IKE proposal.
      Jul 7 17:48:06 racoon: NOTIFY: the packet is retransmitted by 72.21.209.225[500] (1).
      Jul 7 17:48:10 racoon: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
      Jul 7 17:48:16 racoon: NOTIFY: the packet is retransmitted by 72.21.209.225[500] (1).
      Jul 7 17:48:20 racoon: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
      Jul 7 17:48:23 racoon: [VPC]: [72.21.209.225] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
      Jul 7 17:48:26 racoon: NOTIFY: the packet is retransmitted by 72.21.209.225[500] (1).
      Jul 7 17:48:30 racoon: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
      Jul 7 17:48:36 racoon: NOTIFY: the packet is retransmitted by 72.21.209.225[500] (1).
      Jul 7 17:48:40 racoon: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
      Jul 7 17:48:46 racoon: NOTIFY: the packet is retransmitted by 72.21.209.225[500] (1).
      Jul 7 17:48:50 racoon: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
      Jul 7 17:48:51 racoon: ERROR: phase1 negotiation failed due to time up. 8c25b6ee6bdc3404:68e5523ddf946f34
      Jul 7 17:48:55 racoon: [VPC]: [72.21.209.225] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 72.21.209.225[0]->141.202.232.222[0]
      Jul 7 17:48:55 racoon: INFO: delete phase 2 handler.
      Jul 7 17:48:55 racoon: ERROR: phase1 negotiation failed due to time up. 7db33fbd32772914:57c5e7c26261f0e1

    jimp (Rebel Alliance, Developer, Netgate):

        Looks like you have some kind of a phase 1 settings mismatch.

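        As an added example (not from the thread and not pfSense's own code), here is a small Python triage script that reads racoon log lines like the ones posted above and reports, per peer, whether phase 1 ever completed. The two tunnel endpoints never reach "ISAKMP-SA established" in this log, which is what a phase 1 settings mismatch looks like from the responder side. The "ISAKMP-SA established" pattern and the reading of the "[Unknown Gateway/Dynamic]" tag as "no configured phase 1 matched this peer yet" are assumptions about racoon's and pfSense's log format.

```python
"""Triage a pfSense 2.0 (racoon) IPsec log for phase 1 failure symptoms."""
import re
from collections import defaultdict

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
RE_RETRANS = re.compile(r"retransmitted by " + IP + r"\[\d+\]")   # peer resending: it got no usable reply
RE_P1_START = re.compile(r"respond new phase 1 negotiation: \S+<=>" + IP)
RE_P1_OK = re.compile(r"ISAKMP-SA established \S+-" + IP)          # assumed racoon phase 1 success line
RE_P1_FAIL = re.compile(r"phase1 negotiation failed due to time up")
RE_P2_WAIT = re.compile(r"\[" + IP + r"\].*(?:queued due to no phase1|waiting for phase1)")
RE_UNTAGGED = re.compile(r"\[Unknown Gateway/Dynamic\]")           # assumed: no phase 1 matched the peer

def triage(log: str) -> dict:
    """Count phase 1 symptoms per peer address plus global timeouts/untagged lines."""
    peers = defaultdict(lambda: {"retransmits": 0, "p1_started": 0, "p1_established": 0, "p2_blocked": 0})
    summary = {"p1_timeouts": 0, "untagged_lines": 0, "peers": peers}
    for line in log.splitlines():
        if m := RE_RETRANS.search(line):
            peers[m.group(1)]["retransmits"] += 1
        if m := RE_P1_START.search(line):
            peers[m.group(1)]["p1_started"] += 1
        if m := RE_P1_OK.search(line):
            peers[m.group(1)]["p1_established"] += 1
        if m := RE_P2_WAIT.search(line):
            peers[m.group(1)]["p2_blocked"] += 1   # phase 2 stuck because phase 1 never came up
        if RE_P1_FAIL.search(line):
            summary["p1_timeouts"] += 1
        if RE_UNTAGGED.search(line):
            summary["untagged_lines"] += 1
    return summary

def verdict(summary: dict) -> dict:
    """'established' if the peer ever completed phase 1, otherwise 'phase1_failed'."""
    return {p: ("established" if c["p1_established"] else "phase1_failed")
            for p, c in summary["peers"].items()}

# Lines copied from the post's log: two AWS tunnel endpoints, neither ever completing phase 1.
SAMPLE_LOG = """\
Jul 7 17:47:20 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
Jul 7 17:47:51 racoon: ERROR: phase1 negotiation failed due to time up. 23dd9fb19e5e863c:31ad937a523d3536
Jul 7 17:48:01 racoon: [VPC]: INFO: respond new phase 1 negotiation: 141.202.232.222[500]<=>72.21.209.225[500]
Jul 7 17:48:05 racoon: [VPC]: INFO: respond new phase 1 negotiation: 141.202.232.222[500]<=>72.21.209.193[500]
Jul 7 17:48:06 racoon: NOTIFY: the packet is retransmitted by 72.21.209.225[500] (1).
Jul 7 17:48:23 racoon: [VPC]: [72.21.209.225] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jul 7 17:48:55 racoon: [VPC]: [72.21.209.225] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 72.21.209.225[0]->141.202.232.222[0]
"""

if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    for peer, state in verdict(s).items():
        print(peer, state, s["peers"][peer])
    print("phase1 timeouts:", s["p1_timeouts"], "untagged lines:", s["untagged_lines"])
```

A peer that shows responder starts and retransmits but never an "ISAKMP-SA established" line points at the phase 1 proposal, pre-shared key or identifiers rather than at routing, since the peer's packets clearly arrive.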

    Darkk:

          Same thing happened to me. I originally set up IPsec via static IPs for Peer and Identifier. Now I've been messing around with a Dynamic DNS service, and nothing has been changed in the Phase One settings which worked fine before, so I am wondering: is IPsec not passing the dynamic IP correctly to the remote site for authentication?

          For now I'm reverting back to static IPs until I figure this out.

          Just for reference:

          My Firewall:

          2.0-RC3 (i386)
          built on Fri Jul 15 19:39:23 EDT 2011

          Remote Site:

          WatchGuard XTM510 running 11.4.1 firmware.
