VPN Issue- AWS and Sonicwall

Hi, I have a SonicWall and an OpenSwan instance behind my VPC in AWS. I am having issues connecting the VPN. I followed this guide:

Additional steps

net.ipv4.ip_forward = 1

AWS instance: disabled source checking.

Checked security groups: UDP 500 and UDP 4500.

Network ACL: allow any inbound and outbound.

Logs on the SonicWall (182.57.3.179):

17:52:06 Sep 21 358 VPN Inform IKE Initiator: Start Aggressive Mode negotiation (Phase 1) 182.57.3.179, 500 17.221.128.14, 500 udp VPN Policy: AWS
VPN OPENSWAN [Show Details] [Click to disable this kind of events]
17:52:06 Sep 21 403 VPN Inform IKE negotiation aborted due to Timeout
17:53:18 Sep 21 930 VPN Inform IKE Initiator: Remote party Timeout - Retransmitting IKE Request.

On the OpenSwan instance (17.221.128.14), ipsec barf:

+ sed -n '2243,$p' /var/log/secure
Sep 21 21:49:59 ip-172-31-16-12 ipsec__plutorun: Starting Pluto subsystem...
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: nss directory plutomain: /etc/ipsec.d
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: NSS Initialized
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:25537
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: LEAK_DETECTIVE support [disabled]
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: OCF support for IKE [disabled]
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: SAref support [disabled]: Protocol not available
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: SAbind support [disabled]: Protocol not available
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: NSS support [enabled]
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: HAVE_STATSD notification support not compiled in
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Setting NAT-Traversal port-4500 floating to on
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: port floating activation criteria nat_t=1/port_float=1
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: NAT-Traversal support [enabled]
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: starting up 1 cryptographic helpers
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: started helper (thread) pid=139735991080704 (fd:8)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Using Linux 2.6 IPsec interface code on 4.9.43-17.39.amzn1.x86_64 (experimental code)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Could not change to directory '/etc/ipsec.d/cacerts': /
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Could not change to directory '/etc/ipsec.d/aacerts': /
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Could not change to directory '/etc/ipsec.d/crls'
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: added connection description "SonicWall"
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: listening for IKE messages
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: adding interface eth0/eth0 172.31.16.12:500
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: adding interface eth0/eth0 172.31.16.12:4500
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: adding interface lo/lo 127.0.0.1:500
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: adding interface lo/lo 127.0.0.1:4500
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: adding interface lo/lo ::1:500
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: loading secrets from "/etc/ipsec.secrets"
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: "SonicWall": We cannot identify ourselves with either end of this connection.
Sep 21 21:50:06 ip-172-31-16-12 pluto[25537]: packet from 182.57.3.179:500: ignoring Vendor ID payload [Sonicwall 1 (TZ 170 Standard?)]
Sep 21 21:50:06 ip-172-31-16-12 pluto[25537]: packet from 182.57.3.179:500: ignoring unknown Vendor ID payload [5b362bc820f60007]
Sep 21 21:50:06 ip-172-31-16-12 pluto[25537]: packet from 182.57.3.179:500: ignoring Vendor ID payload [Sonicwall 2 (3.1.0.12-86s?)]
Sep 21 21:50:06 ip-172-31-16-12 pluto[25537]: packet from 182.57.3.179:500: received Vendor ID payload [Dead Peer Detection]
Sep 21 21:50:06 ip-172-31-16-12 pluto[25537]: packet from 182.57.3.179:500: received Vendor ID payload [XAUTH]
Sep 21 21:50:06 ip-172-31-16-12 pluto[25537]: packet from 182.57.3.154:500: initial Aggressive Mode message from 182.57.3.154 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE

Sounds like 173.57.3.154 (SonicWall) is talking to OpenSwan, but not establishing a tunnel.

FYI: I used the AWS VPC VPN with the SonicWall. However, I only use the instance for testing purposes, and the OpenSwan instance is cheaper than the VPC VPN connection. Plus I can turn instances off/on. Again, this is a testing environment between AWS and the SonicWall. I am open to all suggestions.
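The two pluto messages in the log above ("We cannot identify ourselves with either end of this connection" and "no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE") each point at a specific configuration gap. As an added example, not code from the question or from Openswan, here is a small triage script that scans pluto log lines for those indicators and for the peer address actually seen; the sample lines are constructed from the question's output, and the `left`/`right` values passed in are assumed for illustration.

```python
import re

# Constructed sample, modelled on the pluto lines quoted in the question.
SAMPLE_LOG = """\
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: adding interface eth0/eth0 172.31.16.12:500
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: "SonicWall": We cannot identify ourselves with either end of this connection.
Sep 21 21:50:06 ip-172-31-16-12 pluto[25537]: packet from 182.57.3.179:500: received Vendor ID payload [XAUTH]
Sep 21 21:50:06 ip-172-31-16-12 pluto[25537]: packet from 182.57.3.154:500: initial Aggressive Mode message from 182.57.3.154 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
IFACE_RE = re.compile(r"adding interface \S+ " + IPV4 + r":500\b")
AGGR_RE = re.compile(r"initial Aggressive Mode message from " + IPV4
                     + r" but no \(wildcard\) connection")

def triage(log_text, left, right):
    """Map pluto messages to configuration findings.

    left/right are the addresses the Openswan conn is assumed to use
    (hypothetical values for this example). Returns (code, explanation)
    tuples in the order the evidence appears in the log.
    """
    findings = []
    local_ips = set()
    for line in log_text.splitlines():
        m = IFACE_RE.search(line)
        if m:
            local_ips.add(m.group(1))          # addresses pluto can bind to
        if "We cannot identify ourselves with either end" in line:
            findings.append(("LEFT_NOT_LOCAL",
                "neither left= nor right= matches a local interface; on EC2 the "
                "public address is 1:1 NAT, so use left=%defaultroute (or the "
                "private address) and put the public address in leftid="))
        m = AGGR_RE.search(line)
        if m:
            findings.append(("AGGRESSIVE_NOT_ENABLED",
                "peer started IKEv1 Aggressive Mode with PSK but no conn has "
                "aggrmode=yes and authby=secret, so pluto dropped the exchange"))
            if m.group(1) != right:
                findings.append(("PEER_ADDRESS_MISMATCH",
                    f"Aggressive Mode came from {m.group(1)} but right={right}; "
                    "the peer sources IKE from a different address than configured"))
    if local_ips and left not in local_ips:
        findings.append(("LEFT_IS_NOT_LOCAL_IP",
            f"left={left} is not among local interfaces {sorted(local_ips)}"))
    return findings

if __name__ == "__main__":
    for code, why in triage(SAMPLE_LOG, "17.221.128.14", "182.57.3.179"):
        print(f"{code}: {why}")
```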
