Site-To-Site VPN AWS problem

This is the log
in template src-address and dst-address should not be changed?

Feb/14/2022 18:40:56 ipsec,debug ===== received 320 bytes from 3.219.43.131[4500] to 103.54.222.93[4500]
Feb/14/2022 18:40:56 ipsec -> ike2 reply, exchange: SA_INIT:0 3.219.43.131[4500] ca41ef2335817273:bfeb85fecca95f29
Feb/14/2022 18:40:56 ipsec ike2 initialize recv
Feb/14/2022 18:40:56 ipsec payload seen: SA (48 bytes)
Feb/14/2022 18:40:56 ipsec payload seen: KE (136 bytes)
Feb/14/2022 18:40:56 ipsec payload seen: NONCE (36 bytes)
Feb/14/2022 18:40:56 ipsec payload seen: NOTIFY (28 bytes)
Feb/14/2022 18:40:56 ipsec payload seen: NOTIFY (28 bytes)
Feb/14/2022 18:40:56 ipsec payload seen: NOTIFY (8 bytes)
Feb/14/2022 18:40:56 ipsec payload seen: NOTIFY (8 bytes)
Feb/14/2022 18:40:56 ipsec processing payload: NONCE
Feb/14/2022 18:40:56 ipsec processing payload: SA
Feb/14/2022 18:40:56 ipsec IKE Protocol: IKE
Feb/14/2022 18:40:56 ipsec  proposal #1
Feb/14/2022 18:40:56 ipsec   enc: aes128-cbc
Feb/14/2022 18:40:56 ipsec   prf: hmac-sha1
Feb/14/2022 18:40:56 ipsec   auth: sha1
Feb/14/2022 18:40:56 ipsec   dh: modp1024
Feb/14/2022 18:40:56 ipsec matched proposal:
Feb/14/2022 18:40:56 ipsec  proposal #1
Feb/14/2022 18:40:56 ipsec   enc: aes128-cbc
Feb/14/2022 18:40:56 ipsec   prf: hmac-sha1
Feb/14/2022 18:40:56 ipsec   auth: sha1
Feb/14/2022 18:40:56 ipsec   dh: modp1024
Feb/14/2022 18:40:56 ipsec processing payload: KE
Feb/14/2022 18:40:56 ipsec,debug => shared secret (size 0x80)
Feb/14/2022 18:40:56 ipsec,debug 433299d1 e2e2315d 0a6fc44b 3af4f6f5 6d10fbd8 b4a8c396 9dc3e50b f216c748
Feb/14/2022 18:40:56 ipsec,debug 59a5562d 58bf9045 efb54f6a 8319de24 a011649d bc8e67fe e3d41035 c33add57
Feb/14/2022 18:40:56 ipsec,debug e6a4b4e2 1db147c6 83c22f31 726546fc 93a95d5b 397053dd f37c9f6f 689317aa
Feb/14/2022 18:40:56 ipsec,debug e5848842 96675e76 b84147a8 7075f0d5 7a944b26 adfdd82d 3c8b9259 c011151b
Feb/14/2022 18:40:56 ipsec,debug => skeyseed (size 0x14)
Feb/14/2022 18:40:56 ipsec,debug 04f66bee e33278ab 5efcd9d3 ce5eafa0 440d45d0
Feb/14/2022 18:40:56 ipsec,debug => keymat (size 0x14)
Feb/14/2022 18:40:56 ipsec,debug 467576a5 d745825a dea2f09c d3e7e151 b339216c
Feb/14/2022 18:40:56 ipsec,debug => SK_ai (size 0x14)
Feb/14/2022 18:40:56 ipsec,debug 8203d0e8 c6a22259 08f2bf1c 46a2b34b c7a20e96
Feb/14/2022 18:40:56 ipsec,debug => SK_ar (size 0x14)
Feb/14/2022 18:40:56 ipsec,debug e9ffacd0 42243f92 9e1e12db 97ac44a9 f78aba2d
Feb/14/2022 18:40:56 ipsec,debug => SK_ei (size 0x10)
Feb/14/2022 18:40:56 ipsec,debug 2e9f049e 048b9760 d1241fbd 086ef136
Feb/14/2022 18:40:56 ipsec,debug => SK_er (size 0x10)
Feb/14/2022 18:40:56 ipsec,debug e6ba4810 0d202c4f ecb8c8a9 c4bc5daa
Feb/14/2022 18:40:56 ipsec,debug => SK_pi (size 0x14)
Feb/14/2022 18:40:56 ipsec,debug fdaf22f6 bdb1a239 c197a61b 2370a086 764dc8d0
Feb/14/2022 18:40:56 ipsec,debug => SK_pr (size 0x14)
Feb/14/2022 18:40:56 ipsec,debug b7eb4393 a7c3b113 7b0b4d48 c34e3a42 1e7f3e16
Feb/14/2022 18:40:56 ipsec,info new ike2 SA (I): AWS 103.54.222.93[4500]-3.219.43.131[4500] spi:ca41ef2335817273:bfeb85fecca95f29
Feb/14/2022 18:40:56 ipsec processing payloads: NOTIFY
Feb/14/2022 18:40:56 ipsec   notify: NAT_DETECTION_SOURCE_IP
Feb/14/2022 18:40:56 ipsec   notify: NAT_DETECTION_DESTINATION_IP
Feb/14/2022 18:40:56 ipsec   notify: IKEV2_FRAGMENTATION_SUPPORTED
Feb/14/2022 18:40:56 ipsec   notify: MULTIPLE_AUTH_SUPPORTED
Feb/14/2022 18:40:56 ipsec (NAT-T) REMOTE 
Feb/14/2022 18:40:56 ipsec KA list add: 103.54.222.93[4500]->3.219.43.131[4500]
Feb/14/2022 18:40:56 ipsec fragmentation negotiated
Feb/14/2022 18:40:56 ipsec init child continue
Feb/14/2022 18:40:56 ipsec offering proto: 3
Feb/14/2022 18:40:56 ipsec  proposal #1
Feb/14/2022 18:40:56 ipsec   enc: aes128-cbc
Feb/14/2022 18:40:56 ipsec   auth: sha1
Feb/14/2022 18:40:56 ipsec ID_I (ADDR4): 103.54.222.93
Feb/14/2022 18:40:56 ipsec adding payload: ID_I
Feb/14/2022 18:40:56 ipsec,debug => (size 0xc)
Feb/14/2022 18:40:56 ipsec,debug 0000000c 01000000 6736de5d
Feb/14/2022 18:40:56 ipsec,debug => auth nonce (size 0x20)
Feb/14/2022 18:40:56 ipsec,debug 9c58d573 f87a7aee 5b53b385 0549e95b 03c46765 81b700c8 c8293889 8f8ff222
Feb/14/2022 18:40:56 ipsec,debug => SK_p (size 0x14)
Feb/14/2022 18:40:56 ipsec,debug fdaf22f6 bdb1a239 c197a61b 2370a086 764dc8d0
Feb/14/2022 18:40:56 ipsec,debug => idhash (size 0x14)
Feb/14/2022 18:40:56 ipsec,debug 756718dc 2b74270d 7a07423d 62742ee1 76ef4195
Feb/14/2022 18:40:56 ipsec,debug => my auth (size 0x14)
Feb/14/2022 18:40:56 ipsec,debug 757d9fb6 f5c33c67 0fb4e084 91508ed7 a9e1115d
Feb/14/2022 18:40:56 ipsec adding payload: AUTH
Feb/14/2022 18:40:56 ipsec,debug => (size 0x1c)
Feb/14/2022 18:40:56 ipsec,debug 0000001c 02000000 757d9fb6 f5c33c67 0fb4e084 91508ed7 a9e1115d
Feb/14/2022 18:40:56 ipsec adding notify: INITIAL_CONTACT
Feb/14/2022 18:40:56 ipsec,debug => (size 0x8)
Feb/14/2022 18:40:56 ipsec,debug 00000008 00004000
Feb/14/2022 18:40:56 ipsec adding payload: SA
Feb/14/2022 18:40:56 ipsec,debug => (size 0x2c)
Feb/14/2022 18:40:56 ipsec,debug 0000002c 00000028 01030403 075fddf2 0300000c 0100000c 800e0080 03000008
Feb/14/2022 18:40:56 ipsec,debug 03000002 00000008 05000000
Feb/14/2022 18:40:56 ipsec initiator selector: 103.54.222.93 
Feb/14/2022 18:40:56 ipsec adding payload: TS_I
Feb/14/2022 18:40:56 ipsec,debug => (size 0x18)
Feb/14/2022 18:40:56 ipsec,debug 00000018 01000000 07000010 0000ffff 6736de5d 6736de5d
Feb/14/2022 18:40:56 ipsec responder selector: 3.219.43.131 
Feb/14/2022 18:40:56 ipsec adding payload: TS_R
Feb/14/2022 18:40:56 ipsec,debug => (size 0x18)
Feb/14/2022 18:40:56 ipsec,debug 00000018 01000000 07000010 0000ffff 03db2b83 03db2b83
Feb/14/2022 18:40:56 ipsec adding notify: USE_TRANSPORT_MODE
Feb/14/2022 18:40:56 ipsec,debug => (size 0x8)
Feb/14/2022 18:40:56 ipsec,debug 00000008 00004007
Feb/14/2022 18:40:56 ipsec <- ike2 request, exchange: AUTH:1 3.219.43.131[4500] ca41ef2335817273:bfeb85fecca95f29
Feb/14/2022 18:40:56 ipsec,debug ===== sending 460 bytes from 103.54.222.93[4500] to 3.219.43.131[4500]
Feb/14/2022 18:40:56 ipsec,debug 1 times of 464 bytes message will be sent to 3.219.43.131[4500]
Feb/14/2022 18:40:56 ipsec,debug ===== received 124 bytes from 3.219.43.131[4500] to 103.54.222.93[4500]
Feb/14/2022 18:40:56 ipsec -> ike2 reply, exchange: AUTH:1 3.219.43.131[4500] ca41ef2335817273:bfeb85fecca95f29
Feb/14/2022 18:40:56 ipsec payload seen: ENC (96 bytes)
Feb/14/2022 18:40:56 ipsec processing payload: ENC
Feb/14/2022 18:40:56 ipsec,debug => iv (size 0x10)
Feb/14/2022 18:40:56 ipsec,debug 5e5e018e 0c60355f 49788f31 a9af6d6e
Feb/14/2022 18:40:56 ipsec,debug decrypted packet
Feb/14/2022 18:40:56 ipsec payload seen: ID_R (12 bytes)
Feb/14/2022 18:40:56 ipsec payload seen: AUTH (28 bytes)
Feb/14/2022 18:40:56 ipsec payload seen: NOTIFY (8 bytes)
Feb/14/2022 18:40:56 ipsec processing payloads: NOTIFY
Feb/14/2022 18:40:56 ipsec   notify: TS_UNACCEPTABLE
Feb/14/2022 18:40:56 ipsec ike auth: initiator finish
Feb/14/2022 18:40:56 ipsec processing payload: ID_R
Feb/14/2022 18:40:56 ipsec ID_R (ADDR4): 3.219.43.131
Feb/14/2022 18:40:56 ipsec processing payload: AUTH
Feb/14/2022 18:40:56 ipsec requested auth method: SKEY
Feb/14/2022 18:40:56 ipsec,debug => peer's auth (size 0x14)
Feb/14/2022 18:40:56 ipsec,debug ce7109e1 7742d991 94fa745b 20d3a3eb 5f109a2d
Feb/14/2022 18:40:56 ipsec,debug => auth nonce (size 0x18)
Feb/14/2022 18:40:56 ipsec,debug 13f956a6 061a9941 bedb64d0 dc0e01a7 cc4f33e1 4967a3de
Feb/14/2022 18:40:56 ipsec,debug => SK_p (size 0x14)
Feb/14/2022 18:40:56 ipsec,debug b7eb4393 a7c3b113 7b0b4d48 c34e3a42 1e7f3e16
Feb/14/2022 18:40:56 ipsec,debug => idhash (size 0x14)
Feb/14/2022 18:40:56 ipsec,debug c18f68c9 051320f1 a20d5e89 c670e6e9 48fc4ff0
Feb/14/2022 18:40:56 ipsec,debug => calculated peer's AUTH (size 0x14)
Feb/14/2022 18:40:56 ipsec,debug ce7109e1 7742d991 94fa745b 20d3a3eb 5f109a2d
Feb/14/2022 18:40:56 ipsec,info,account peer authorized: AWS 103.54.222.93[4500]-3.219.43.131[4500] spi:ca41ef2335817273:bfeb85fecca95f29
Feb/14/2022 18:40:56 ipsec processing payloads: NOTIFY
Feb/14/2022 18:40:56 ipsec   notify: TS_UNACCEPTABLE
Feb/14/2022 18:40:56 ipsec got error: TS_UNACCEPTABLE
Feb/14/2022 18:41:00 ipsec,debug KA: 103.54.222.93[4500]->3.219.43.131[4500]
Feb/14/2022 18:41:00 ipsec,debug 1 times of 1 bytes message will be sent to 3.219.43.131[4500]
Feb/14/2022 18:41:06 ipsec,debug ===== received 76 bytes from 3.219.43.131[4500] to 103.54.222.93[4500]
Feb/14/2022 18:41:06 ipsec -> ike2 request, exchange: INFORMATIONAL:0 3.219.43.131[4500] ca41ef2335817273:bfeb85fecca95f29
Feb/14/2022 18:41:06 ipsec payload seen: ENC (48 bytes)
Feb/14/2022 18:41:06 ipsec processing payload: ENC
Feb/14/2022 18:41:06 ipsec,debug => iv (size 0x10)
Feb/14/2022 18:41:06 ipsec,debug 63043e3b 12ebd2e2 2235cff4 6505af21
Feb/14/2022 18:41:06 ipsec,debug decrypted packet
Feb/14/2022 18:41:06 ipsec respond: info
Feb/14/2022 18:41:06 ipsec,debug sending empty reply
Feb/14/2022 18:41:06 ipsec <- ike2 reply, exchange: INFORMATIONAL:0 3.219.43.131[4500] ca41ef2335817273:bfeb85fecca95f29
Feb/14/2022 18:41:06 ipsec,debug ===== sending 108 bytes from 103.54.222.93[4500] to 3.219.43.131[4500]
Feb/14/2022 18:41:06 ipsec,debug 1 times of 112 bytes message will be sent to 3.219.43.131[4500]
Feb/14/2022 18:41:17 ipsec,debug ===== received 76 bytes from 3.219.43.131[4500] to 103.54.222.93[4500]
Feb/14/2022 18:41:17 ipsec -> ike2 request, exchange: INFORMATIONAL:1 3.219.43.131[4500] ca41ef2335817273:bfeb85fecca95f29
Feb/14/2022 18:41:17 ipsec payload seen: ENC (48 bytes)
Feb/14/2022 18:41:17 ipsec processing payload: ENC
Feb/14/2022 18:41:17 ipsec,debug => iv (size 0x10)
Feb/14/2022 18:41:17 ipsec,debug 7b5fbae2 7582ceed 86c7b754 4d666d60
Feb/14/2022 18:41:17 ipsec,debug decrypted packet
Feb/14/2022 18:41:17 ipsec respond: info
Feb/14/2022 18:41:17 ipsec,debug sending empty reply
Feb/14/2022 18:41:17 ipsec <- ike2 reply, exchange: INFORMATIONAL:1 3.219.43.131[4500] ca41ef2335817273:bfeb85fecca95f29
Feb/14/2022 18:41:17 ipsec,debug ===== sending 156 bytes from 103.54.222.93[4500] to 3.219.43.131[4500]
Feb/14/2022 18:41:17 ipsec,debug 1 times of 160 bytes message will be sent to 3.219.43.131[4500]
Feb/14/2022 18:41:20 ipsec,debug KA: 103.54.222.93[4500]->3.219.43.131[4500]
Feb/14/2022 18:41:20 ipsec,debug 1 times of 1 bytes message will be sent to 3.219.43.131[4500]
Feb/14/2022 18:41:28 ipsec,debug ===== received 76 bytes from 3.219.43.131[4500] to 103.54.222.93[4500]
Feb/14/2022 18:41:28 ipsec -> ike2 request, exchange: INFORMATIONAL:2 3.219.43.131[4500] ca41ef2335817273:bfeb85fecca95f29
Feb/14/2022 18:41:28 ipsec payload seen: ENC (48 bytes)
Feb/14/2022 18:41:28 ipsec processing payload: ENC
Feb/14/2022 18:41:28 ipsec,debug => iv (size 0x10)
Feb/14/2022 18:41:28 ipsec,debug 9be42f0f df3fa13f 45025f1c 3d85e4a7
Feb/14/2022 18:41:28 ipsec,debug decrypted packet
Feb/14/2022 18:41:28 ipsec respond: info
Feb/14/2022 18:41:28 ipsec,debug sending empty reply
Feb/14/2022 18:41:28 ipsec <- ike2 reply, exchange: INFORMATIONAL:2 3.219.43.131[4500] ca41ef2335817273:bfeb85fecca95f29
Feb/14/2022 18:41:28 ipsec,debug ===== sending 124 bytes from 103.54.222.93[4500] to 3.219.43.131[4500]
Feb/14/2022 18:41:28 ipsec,debug 1 times of 128 bytes message will be sent to 3.219.43.131[4500]
Feb/14/2022 18:41:30 ipsec,info killing ike2 SA: AWS 103.54.222.93[4500]-3.219.43.131[4500] spi:ca41ef2335817273:bfeb85fecca95f29
Feb/14/2022 18:41:30 ipsec adding payload: DELETE
Feb/14/2022 18:41:30 ipsec,debug => (size 0x8)
Feb/14/2022 18:41:30 ipsec,debug 00000008 01000000
Feb/14/2022 18:41:30 ipsec <- ike2 request, exchange: INFORMATIONAL:2 3.219.43.131[4500] ca41ef2335817273:bfeb85fecca95f29
Feb/14/2022 18:41:30 ipsec,debug ===== sending 284 bytes from 103.54.222.93[4500] to 3.219.43.131[4500]
Feb/14/2022 18:41:30 ipsec,debug 1 times of 288 bytes message will be sent to 3.219.43.131[4500]
Feb/14/2022 18:41:30 ipsec KA remove: 103.54.222.93[4500]->3.219.43.131[4500]
Feb/14/2022 18:41:30 ipsec,debug KA tree dump: 103.54.222.93[4500]->3.219.43.131[4500] (in_use=1)
Feb/14/2022 18:41:30 ipsec,debug KA removing this one...
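
The TS_I and TS_R bytes in the log above can be decoded to see exactly which selectors were offered before the peer answered TS_UNACCEPTABLE. This is an added example, not part of any post in the thread; it assumes the dump includes the 4-byte generic payload header and follows the Traffic Selector layout of RFC 7296 section 3.13, and the function names are made up for illustration.

```python
import ipaddress
import struct

# TS_I / TS_R bytes copied from the "adding payload" debug lines in the log above.
TS_I_HEX = "00000018 01000000 07000010 0000ffff 6736de5d 6736de5d"
TS_R_HEX = "00000018 01000000 07000010 0000ffff 03db2b83 03db2b83"

TS_IPV4_ADDR_RANGE = 7  # RFC 7296, section 3.13.1


def parse_ts_payload(hex_dump):
    """Decode an IKEv2 Traffic Selector payload (generic header included)."""
    data = bytes.fromhex(hex_dump.replace(" ", ""))
    _next, _flags, length = struct.unpack_from("!BBH", data, 0)
    if length != len(data):
        raise ValueError("payload length field does not match dump size")
    count = data[4]  # number of selectors, followed by 3 reserved bytes
    offset, selectors = 8, []
    for _ in range(count):
        ts_type, proto, sel_len, port_lo, port_hi = struct.unpack_from(
            "!BBHHH", data, offset)
        if ts_type != TS_IPV4_ADDR_RANGE or sel_len != 16:
            raise ValueError("only TS_IPV4_ADDR_RANGE selectors are handled")
        start = ipaddress.IPv4Address(data[offset + 8:offset + 12])
        end = ipaddress.IPv4Address(data[offset + 12:offset + 16])
        # Express the start/end range as CIDR blocks for comparison with policy.
        nets = list(ipaddress.summarize_address_range(start, end))
        selectors.append({"proto": proto, "ports": (port_lo, port_hi), "nets": nets})
        offset += sel_len
    return selectors


def covers(selectors, subnet):
    """True if any decoded selector contains the whole subnet."""
    want = ipaddress.ip_network(subnet)
    return any(want.subnet_of(n) for s in selectors for n in s["nets"])


if __name__ == "__main__":
    for name, dump in (("TS_I", TS_I_HEX), ("TS_R", TS_R_HEX)):
        for s in parse_ts_payload(dump):
            print(name, [str(n) for n in s["nets"]], "proto", s["proto"], "ports", s["ports"])
    # Subnets named later in the thread: 10.10.10.0/24 (MT) and 172.31.0.0/16 (AWS).
    print("TS_I covers MT subnet: ", covers(parse_ts_payload(TS_I_HEX), "10.10.10.0/24"))
    print("TS_R covers AWS subnet:", covers(parse_ts_payload(TS_R_HEX), "172.31.0.0/16"))
```

Both selectors in this exchange decode to the two public peer addresses as single hosts, matching the "initiator selector" and "responder selector" lines in the log, and neither covers the subnets named later in the thread.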

Not in the template, but maybe in the static policy after all - I have missed that in the original log, the highlighted part was a response from AWS to our suggestion for 0.0.0.0/0<->0.0.0.0/0, so the meaning of the TS_I and TS_R fields was reversed. So set generate-policy on the identity row back to no, swap the subnets in dst-address and src-address of the manually configured policy, and enable it again.

So when you say swap the subnets that means a fresh policy at MT end will be:
SRC - 172.31.0.0/16 (AWS Subnet) and DST - 10.10.10.0/24 (MT Subnet)

If so, that would be wrong. DST at Mikrotik must be the AWS subnet and SRC at Mikrotik must be the remote subnet.

Yea, I thought so, but your last post said invert src and dst, so reconfirming if I understood correctly.

Ok, I will try with proper src and dst and post config and logs.

It only said so because you’ve apparently already tried with the correct src and dst and it failed, and you haven’t given any details regarding which of the subnets is at which end until the previous post, so I wasn’t sure.

Ok, I will post the whole thing, config and logs.