Can't get past IPSEC for Amazon VPC setup



  • Trying to setup Amazon VPC connection using 2.0-RC3. I've followed the instructions here "http://seattleit.net/blog" but I can't get my IPsec connections to establish. Here is my IPsec log:

    Jul 7 17:47:20 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
    Jul 7 17:47:26 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 72.21.209.225[500] (1).
    Jul 7 17:47:30 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
    Jul 7 17:47:36 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 72.21.209.225[500] (1).
    Jul 7 17:47:40 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
    Jul 7 17:47:46 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 72.21.209.225[500] (1).
    Jul 7 17:47:50 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
    Jul 7 17:47:51 racoon: ERROR: phase1 negotiation failed due to time up. 23dd9fb19e5e863c:31ad937a523d3536
    Jul 7 17:47:55 racoon: ERROR: phase1 negotiation failed due to time up. 2b94e6ef380bc8c0:6848734845e582b2
    Jul 7 17:48:01 racoon: [VPC]: INFO: respond new phase 1 negotiation: 141.202.232.222[500]<=>72.21.209.225[500]
    Jul 7 17:48:01 racoon: INFO: begin Identity Protection mode.
    Jul 7 17:48:01 racoon: INFO: received Vendor ID: DPD
    Jul 7 17:48:01 racoon: WARNING: SPI size isn't zero, but IKE proposal.
    Jul 7 17:48:05 racoon: [VPC]: INFO: respond new phase 1 negotiation: 141.202.232.222[500]<=>72.21.209.193[500]
    Jul 7 17:48:05 racoon: INFO: begin Identity Protection mode.
    Jul 7 17:48:05 racoon: INFO: received Vendor ID: DPD
    Jul 7 17:48:05 racoon: WARNING: SPI size isn't zero, but IKE proposal.
    Jul 7 17:48:06 racoon: NOTIFY: the packet is retransmitted by 72.21.209.225[500] (1).
    Jul 7 17:48:10 racoon: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
    Jul 7 17:48:16 racoon: NOTIFY: the packet is retransmitted by 72.21.209.225[500] (1).
    Jul 7 17:48:20 racoon: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
    Jul 7 17:48:23 racoon: [VPC]: [72.21.209.225] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
    Jul 7 17:48:26 racoon: NOTIFY: the packet is retransmitted by 72.21.209.225[500] (1).
    Jul 7 17:48:30 racoon: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
    Jul 7 17:48:36 racoon: NOTIFY: the packet is retransmitted by 72.21.209.225[500] (1).
    Jul 7 17:48:40 racoon: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
    Jul 7 17:48:46 racoon: NOTIFY: the packet is retransmitted by 72.21.209.225[500] (1).
    Jul 7 17:48:50 racoon: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
    Jul 7 17:48:51 racoon: ERROR: phase1 negotiation failed due to time up. 8c25b6ee6bdc3404:68e5523ddf946f34
    Jul 7 17:48:55 racoon: [VPC]: [72.21.209.225] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 72.21.209.225[0]->141.202.232.222[0]
    Jul 7 17:48:55 racoon: INFO: delete phase 2 handler.
    Jul 7 17:48:55 racoon: ERROR: phase1 negotiation failed due to time up. 7db33fbd32772914:57c5e7c26261f0e1


  • Rebel Alliance Developer Netgate

    Looks like you have some kind of a phase 1 settings mismatch.



  • Same thing happened to me.  I originally set up IPSec via static IPs for Peer and Identifier.  Now I've been messing around with Dynamic DNS service and nothing has been changed in Phase One settings which worked fine before so I am wondering is IPSec not passing the Dynamic IP correctly to the remote site for authentication?

    For now I revert back to static IPs until I figure this out.

    Just for reference:

    My Firewall:

    2.0-RC3 (i386)
    built on Fri Jul 15 19:39:23 EDT 2011

    Remote Site:

    WatchGuard XTM510 running 11.4.1 firmware.


Log in to reply