OpenSwan IPSec Site to Site tunnel – Amazon EC2 instance to Cisco ASA

If you see something like this in the logs:

initial Main Mode message received on ###########:500 but no connection has been authorized with policy=PSK

and the far end is the one initiating the ISAKMP exchange, MAKE SURE you have auto=add set on that conn in the config file. Without it (the default is auto=ignore) pluto never loads the conn, so it has nothing to match the peer's proposal against; auto=add loads it so pluto can respond, while auto=start would also initiate it.

Refer to the sample conn below. This config was between an EC2 instance and a Cisco ASA.

conn vpc1-to-vpc2
        type=tunnel
        authby=secret

        #LEFT SIDE
        left=%defaultroute
        leftid=###############
        leftnexthop=%defaultroute
        leftsubnet=###############

        #RIGHT SIDE#
        right=################
        #new line below
        #protostack=klips
        rightsubnet=################
        esp=aes256-sha1;modp1024
        keyexchange=ike
        ike=aes256-sha1;modp1536
        salifetime=28800s
        pfs=yes
        auto=add        # You need this line so the far end can begin Phase 1 negotiation.
        dpdaction=hold
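As an added example (not from the original post), a small check that parses ipsec.conf-style text and flags PSK conns that pluto will never load, which is exactly the state that produces the "no connection has been authorized with policy=PSK" message; the addresses in SAMPLE are constructed placeholders, not the ones from the post.

```python
# Added example, not from the original post: parse an ipsec.conf-style text
# and flag PSK conns that pluto will never load, the cause of
# "no connection has been authorized with policy=PSK" when the far end
# starts Phase 1.  Addresses in SAMPLE are constructed placeholders.

# auto= values that load the conn so an inbound IKE proposal can match it;
# a missing auto= line means the default, ignore, and the conn is unknown.
LOADED_AUTO = {"add", "route", "start"}

def parse_conns(text):
    """Return {conn_name: {key: value}}; '#' comments are stripped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():            # section header: conn NAME / config setup
            parts = line.split(None, 1)
            current = parts[1] if parts[0] == "conn" and len(parts) == 2 else None
            if current is not None:
                conns[current] = {}
        elif current is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            conns[current][key.strip()] = val.strip()
    return conns

def unauthorized_psk_conns(text):
    """Names of authby=secret conns with auto missing or auto=ignore."""
    return sorted(name for name, kv in parse_conns(text).items()
                  if kv.get("authby") == "secret"
                  and kv.get("auto", "ignore") not in LOADED_AUTO)

SAMPLE = """\
conn vpc1-to-vpc2
        type=tunnel
        authby=secret
        #LEFT SIDE
        left=%defaultroute
        leftid=203.0.113.10
        leftsubnet=10.0.1.0/24
        right=198.51.100.20
        rightsubnet=10.0.2.0/24
        ike=aes256-sha1;modp1536
        esp=aes256-sha1;modp1024
        pfs=yes
"""

if __name__ == "__main__":
    print(unauthorized_psk_conns(SAMPLE))                         # ['vpc1-to-vpc2']
    print(unauthorized_psk_conns(SAMPLE + "        auto=add\n"))  # []
```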
