Can't get past IPSEC for Amazon VPC setup

gilry

Trying to setup Amazon VPC connection using 2.0-RC3. I've followed the instructions here "http://seattleit.net/blog" but I can't get my IPsec connections to establish. Here is my IPsec log:

Jul 7 17:47:20 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
Jul 7 17:47:26 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 72.21.209.225[500] (1).
Jul 7 17:47:30 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
Jul 7 17:47:36 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 72.21.209.225[500] (1).
Jul 7 17:47:40 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
Jul 7 17:47:46 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 72.21.209.225[500] (1).
Jul 7 17:47:50 racoon: [Unknown Gateway/Dynamic]: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
Jul 7 17:47:51 racoon: ERROR: phase1 negotiation failed due to time up. 23dd9fb19e5e863c:31ad937a523d3536
Jul 7 17:47:55 racoon: ERROR: phase1 negotiation failed due to time up. 2b94e6ef380bc8c0:6848734845e582b2
Jul 7 17:48:01 racoon: [VPC]: INFO: respond new phase 1 negotiation: 141.202.232.222[500]<=>72.21.209.225[500]
Jul 7 17:48:01 racoon: INFO: begin Identity Protection mode.
Jul 7 17:48:01 racoon: INFO: received Vendor ID: DPD
Jul 7 17:48:01 racoon: WARNING: SPI size isn't zero, but IKE proposal.
Jul 7 17:48:05 racoon: [VPC]: INFO: respond new phase 1 negotiation: 141.202.232.222[500]<=>72.21.209.193[500]
Jul 7 17:48:05 racoon: INFO: begin Identity Protection mode.
Jul 7 17:48:05 racoon: INFO: received Vendor ID: DPD
Jul 7 17:48:05 racoon: WARNING: SPI size isn't zero, but IKE proposal.
Jul 7 17:48:06 racoon: NOTIFY: the packet is retransmitted by 72.21.209.225[500] (1).
Jul 7 17:48:10 racoon: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
Jul 7 17:48:16 racoon: NOTIFY: the packet is retransmitted by 72.21.209.225[500] (1).
Jul 7 17:48:20 racoon: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
Jul 7 17:48:23 racoon: [VPC]: [72.21.209.225] INFO: request for establishing IPsec-SA was queued due to no phase1 found.
Jul 7 17:48:26 racoon: NOTIFY: the packet is retransmitted by 72.21.209.225[500] (1).
Jul 7 17:48:30 racoon: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
Jul 7 17:48:36 racoon: NOTIFY: the packet is retransmitted by 72.21.209.225[500] (1).
Jul 7 17:48:40 racoon: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
Jul 7 17:48:46 racoon: NOTIFY: the packet is retransmitted by 72.21.209.225[500] (1).
Jul 7 17:48:50 racoon: NOTIFY: the packet is retransmitted by 72.21.209.193[500] (1).
Jul 7 17:48:51 racoon: ERROR: phase1 negotiation failed due to time up. 8c25b6ee6bdc3404:68e5523ddf946f34
Jul 7 17:48:55 racoon: [VPC]: [72.21.209.225] ERROR: phase2 negotiation failed due to time up waiting for phase1 [Remote Side not responding]. ESP 72.21.209.225[0]->141.202.232.222[0]
Jul 7 17:48:55 racoon: INFO: delete phase 2 handler.
Jul 7 17:48:55 racoon: ERROR: phase1 negotiation failed due to time up. 7db33fbd32772914:57c5e7c26261f0e1

jimp

Looks like you have some kind of a phase 1 settings mismatch.

Darkk

Same thing happened to me.  I originally set up IPSec via static IPs for Peer and Identifier.  Now I've been messing around with Dynamic DNS service and nothing has been changed in Phase One settings which worked fine before so I am wondering is IPSec not passing the Dynamic IP correctly to the remote site for authentication?

For now I revert back to static IPs until I figure this out.

Just for reference:

My Firewall:

2.0-RC3 (i386)
built on Fri Jul 15 19:39:23 EDT 2011

Remote Site:

WatchGuard XTM510 running 11.4.1 firmware.