Status output and debug below (anonymised, but consistent):
Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-11-amd64,
x86_64):
uptime: 4 seconds, since Mar 25 14:45:06 2020
malloc: sbrk 1892352, mmap 0, used 417440, free 1474912
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 1
loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr
kernel-netlink resolve socket-default connmark stroke updown
Listening IP addresses:
x.x.x.x
10.100.15.1
Connections:
server-to-aws: 10.100.15.1...y.y.y.y IKEv1, dpddelay=15s
server-to-aws: local: [server] uses pre-shared key authentication
server-to-aws: remote: [aws] uses pre-shared key authentication
server-to-aws: child: 10.100.15.0/24 === 172.21.0.0/16 172.22.0.0/16
TUNNEL, dpdaction=restart
Security Associations (0 up, 1 connecting):
server-to-aws[1]: CONNECTING, 10.100.15.1[%any]...y.y.y.y[%any]
server-to-aws[1]: IKEv1 SPIs: f8ad92b2d16ea9a4_i* 0000000000000000_r
server-to-aws[1]: Tasks queued: QUICK_MODE
server-to-aws[1]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE
ISAKMP_CERT_POST ISAKMP_NATD
Wed, 2020-03-25 14:41 00[DMN] Starting IKE charon daemon (strongSwan
5.5.1, Linux 4.9.0-11-amd64, x86_64)
Wed, 2020-03-25 14:41 00[LIB] plugin 'aesni': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'aes': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'rc2': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'sha2': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'sha1': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'md5': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'random': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'nonce': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'x509': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'revocation': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'constraints': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'pubkey': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'pkcs1': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'pkcs7': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'pkcs8': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'pkcs12': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'pgp': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'dnskey': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'sshkey': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'pem': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'openssl': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'fips-prf': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'gmp': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'agent': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'xcbc': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'hmac': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'gcm': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'attr': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'kernel-netlink': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'resolve': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'socket-default': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'connmark': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'stroke': loaded successfully
Wed, 2020-03-25 14:41 00[LIB] plugin 'updown': loaded successfully
Wed, 2020-03-25 14:41 00[KNL] known interfaces and IP addresses:
Wed, 2020-03-25 14:41 00[KNL] lo
Wed, 2020-03-25 14:41 00[KNL] 127.0.0.1
Wed, 2020-03-25 14:41 00[KNL] ::1
Wed, 2020-03-25 14:41 00[KNL] eth0
Wed, 2020-03-25 14:41 00[KNL] eth1
Wed, 2020-03-25 14:41 00[KNL] bond0
Wed, 2020-03-25 14:41 00[KNL] x.x.x.x
Wed, 2020-03-25 14:41 00[KNL] 10.100.15.1
Wed, 2020-03-25 14:41 00[LIB] feature PUBKEY:DSA in plugin 'pem' has
unmet dependency: PUBKEY:DSA
Wed, 2020-03-25 14:41 00[LIB] feature PRIVKEY:DSA in plugin 'pem' has
unmet dependency: PRIVKEY:DSA
Wed, 2020-03-25 14:41 00[LIB] feature PRIVKEY:BLISS in plugin 'pem' has
unmet dependency: PRIVKEY:BLISS
Wed, 2020-03-25 14:41 00[LIB] feature CERT_DECODE:OCSP_REQUEST in plugin
'pem' has unmet dependency: CERT_DECODE:OCSP_REQUEST
Wed, 2020-03-25 14:41 00[LIB] feature
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_224 in plugin 'gmp' has unmet
dependency: HASHER:HASH_SHA3_224
Wed, 2020-03-25 14:41 00[LIB] feature
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_256 in plugin 'gmp' has unmet
dependency: HASHER:HASH_SHA3_256
Wed, 2020-03-25 14:41 00[LIB] feature
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_384 in plugin 'gmp' has unmet
dependency: HASHER:HASH_SHA3_384
Wed, 2020-03-25 14:41 00[LIB] feature
PRIVKEY_SIGN:RSA_EMSA_PKCS1_SHA3_512 in plugin 'gmp' has unmet
dependency: HASHER:HASH_SHA3_512
Wed, 2020-03-25 14:41 00[LIB] feature
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_224 in plugin 'gmp' has unmet
dependency: HASHER:HASH_SHA3_224
Wed, 2020-03-25 14:41 00[LIB] feature
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_256 in plugin 'gmp' has unmet
dependency: HASHER:HASH_SHA3_256
Wed, 2020-03-25 14:41 00[LIB] feature
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_384 in plugin 'gmp' has unmet
dependency: HASHER:HASH_SHA3_384
Wed, 2020-03-25 14:41 00[LIB] feature
PUBKEY_VERIFY:RSA_EMSA_PKCS1_SHA3_512 in plugin 'gmp' has unmet
dependency: HASHER:HASH_SHA3_512
Wed, 2020-03-25 14:41 00[CFG] loading ca certificates from
'/etc/ipsec.d/cacerts'
Wed, 2020-03-25 14:41 00[CFG] loading aa certificates from
'/etc/ipsec.d/aacerts'
Wed, 2020-03-25 14:41 00[CFG] loading ocsp signer certificates from
'/etc/ipsec.d/ocspcerts'
Wed, 2020-03-25 14:41 00[CFG] loading attribute certificates from
'/etc/ipsec.d/acerts'
Wed, 2020-03-25 14:41 00[CFG] loading crls from '/etc/ipsec.d/crls'
Wed, 2020-03-25 14:41 00[CFG] loading secrets from '/etc/ipsec.secrets'
Wed, 2020-03-25 14:41 00[CFG] expanding file expression
'/var/lib/strongswan/ipsec.secrets.inc' failed
Wed, 2020-03-25 14:41 00[CFG] loaded IKE secret for 10.100.15.1 y.y.y.y
Wed, 2020-03-25 14:41 00[CFG] loaded IKE secret for x.x.x.x y.y.y.y
Wed, 2020-03-25 14:41 00[LIB] loaded plugins: charon aesni aes rc2 sha2
sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7
pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac
gcm attr kernel-netlink resolve socket-default connmark stroke updown
Wed, 2020-03-25 14:41 00[LIB] unable to load 12 plugin features (12 due
to unmet dependencies)
Wed, 2020-03-25 14:41 00[LIB] dropped capabilities, running as uid 0, gid 0
Wed, 2020-03-25 14:41 00[JOB] spawning 16 worker threads
Wed, 2020-03-25 14:41 01[LIB] created thread 01 [8989]
Wed, 2020-03-25 14:41 02[LIB] created thread 02 [8990]
Wed, 2020-03-25 14:41 03[LIB] created thread 03 [8991]
Wed, 2020-03-25 14:41 04[LIB] created thread 04 [8992]
Wed, 2020-03-25 14:41 05[LIB] created thread 05 [8993]
Wed, 2020-03-25 14:41 06[LIB] created thread 06 [8994]
Wed, 2020-03-25 14:41 07[LIB] created thread 07 [8995]
Wed, 2020-03-25 14:41 08[LIB] created thread 08 [8996]
Wed, 2020-03-25 14:41 09[LIB] created thread 09 [8997]
Wed, 2020-03-25 14:41 10[LIB] created thread 10 [8998]
Wed, 2020-03-25 14:41 11[LIB] created thread 11 [8999]
Wed, 2020-03-25 14:41 12[LIB] created thread 12 [9000]
Wed, 2020-03-25 14:41 13[LIB] created thread 13 [9001]
Wed, 2020-03-25 14:41 14[LIB] created thread 14 [9003]
Wed, 2020-03-25 14:41 15[LIB] created thread 15 [9002]
Wed, 2020-03-25 14:41 16[LIB] created thread 16 [9004]
Wed, 2020-03-25 14:41 04[CFG] received stroke: add connection
'server-to-aws'
Wed, 2020-03-25 14:41 04[CFG] conn server-to-aws
Wed, 2020-03-25 14:41 04[CFG] left=10.100.15.1
Wed, 2020-03-25 14:41 04[CFG] leftsubnet=10.100.15.0/24
Wed, 2020-03-25 14:41 04[CFG] leftauth=psk
Wed, 2020-03-25 14:41 04[CFG] leftid=server
Wed, 2020-03-25 14:41 04[CFG] right=y.y.y.y
Wed, 2020-03-25 14:41 04[CFG] rightsubnet=172.21.0.0/16, 172.22.0.0/16
Wed, 2020-03-25 14:41 04[CFG] rightauth=psk
Wed, 2020-03-25 14:41 04[CFG] rightid=aws
Wed, 2020-03-25 14:41 04[CFG] ike=aes256-sha256-modp1536
Wed, 2020-03-25 14:41 04[CFG] esp=aes256-sha256-modp1536
Wed, 2020-03-25 14:41 04[CFG] dpddelay=15
Wed, 2020-03-25 14:41 04[CFG] dpdtimeout=30
Wed, 2020-03-25 14:41 04[CFG] dpdaction=3
Wed, 2020-03-25 14:41 04[CFG] mediation=no
Wed, 2020-03-25 14:41 04[CFG] keyexchange=ikev1
Wed, 2020-03-25 14:41 04[KNL] y.y.y.y is not a local address or the
interface is down
Wed, 2020-03-25 14:41 04[CFG] added configuration 'server-to-aws'
Wed, 2020-03-25 14:41 06[CFG] received stroke: initiate 'server-to-aws'
Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> queueing ISAKMP_VENDOR task
Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> queueing ISAKMP_CERT_PRE
task
Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> queueing MAIN_MODE task
Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> queueing
ISAKMP_CERT_POST task
Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> queueing ISAKMP_NATD task
Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> queueing QUICK_MODE task
Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> activating new tasks
Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> activating
ISAKMP_VENDOR task
Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> activating
ISAKMP_CERT_PRE task
Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> activating MAIN_MODE task
Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> activating
ISAKMP_CERT_POST task
Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> activating ISAKMP_NATD
task
Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> sending XAuth vendor ID
Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> sending DPD vendor ID
Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> sending FRAGMENTATION
vendor ID
Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> sending NAT-T (RFC 3947)
vendor ID
Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> sending
draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> initiating Main Mode
IKE_SA server-to-aws[1] to y.y.y.y
Wed, 2020-03-25 14:41 06[IKE] <server-to-aws|1> IKE_SA server-to-aws[1]
state change: CREATED => CONNECTING
Wed, 2020-03-25 14:41 06[CFG] <server-to-aws|1> configured proposals:
IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_MD5_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024,
IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_MD5/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/MODP_3072/MODP_4096/MODP_8192/MODP_2048/MODP_2048_256/MODP_1024
Wed, 2020-03-25 14:41 06[ENC] <server-to-aws|1> generating ID_PROT
request 0 [ SA V V V V V ]
Wed, 2020-03-25 14:41 06[NET] <server-to-aws|1> sending packet: from
10.100.15.1[500] to y.y.y.y[500] (252 bytes)
Wed, 2020-03-25 14:41 08[CFG] proposing traffic selectors for us:
Wed, 2020-03-25 14:41 08[CFG] 10.100.15.0/24
Wed, 2020-03-25 14:41 08[CFG] proposing traffic selectors for other:
Wed, 2020-03-25 14:41 08[CFG] 172.21.0.0/16
Wed, 2020-03-25 14:41 08[CFG] 172.22.0.0/16
Wed, 2020-03-25 14:41 10[CFG] proposing traffic selectors for us:
Wed, 2020-03-25 14:41 10[CFG] 10.100.15.0/24
Wed, 2020-03-25 14:41 10[CFG] proposing traffic selectors for other:
Wed, 2020-03-25 14:41 10[CFG] 172.21.0.0/16
Wed, 2020-03-25 14:41 10[CFG] 172.22.0.0/16
Wed, 2020-03-25 14:41 11[NET] <2> received packet: from y.y.y.y[500] to
x.x.x.x[500] (292 bytes)
Wed, 2020-03-25 14:41 11[ENC] <2> parsed ID_PROT request 0 [ SA V V V V
V V V V V V ]
Wed, 2020-03-25 14:41 11[CFG] <2> looking for an ike config for
x.x.x.x...y.y.y.y
Wed, 2020-03-25 14:41 11[IKE] <2> no IKE config found for
x.x.x.x...y.y.y.y, sending NO_PROPOSAL_CHOSEN
Wed, 2020-03-25 14:41 11[ENC] <2> generating INFORMATIONAL_V1 request
2361685619 [ N(NO_PROP) ]
Wed, 2020-03-25 14:41 11[NET] <2> sending packet: from x.x.x.x[500] to
y.y.y.y[500] (40 bytes)
Wed, 2020-03-25 14:41 11[IKE] <2> IKE_SA (unnamed)[2] state change:
CREATED => DESTROYING
Wed, 2020-03-25 14:41 12[IKE] <server-to-aws|1> sending retransmit 1 of
request message ID 0, seq 1
Wed, 2020-03-25 14:41 12[NET] <server-to-aws|1> sending packet: from
10.100.15.1[500] to y.y.y.y[500] (252 bytes)
Wed, 2020-03-25 14:41 15[CFG] proposing traffic selectors for us:
Wed, 2020-03-25 14:41 15[CFG] 10.100.15.0/24
Wed, 2020-03-25 14:41 15[CFG] proposing traffic selectors for other:
Wed, 2020-03-25 14:41 15[CFG] 172.21.0.0/16
Wed, 2020-03-25 14:41 15[CFG] 172.22.0.0/16
Wed, 2020-03-25 14:41 05[CFG] proposing traffic selectors for us:
Wed, 2020-03-25 14:41 05[CFG] 10.100.15.0/24
Wed, 2020-03-25 14:41 05[CFG] proposing traffic selectors for other:
Wed, 2020-03-25 14:41 05[CFG] 172.21.0.0/16
Wed, 2020-03-25 14:41 05[CFG] 172.22.0.0/16
Wed, 2020-03-25 14:41 06[CFG] proposing traffic selectors for us:
Wed, 2020-03-25 14:41 06[CFG] 10.100.15.0/24
Wed, 2020-03-25 14:41 06[CFG] proposing traffic selectors for other:
Wed, 2020-03-25 14:41 06[CFG] 172.21.0.0/16
Wed, 2020-03-25 14:41 06[CFG] 172.22.0.0/16
Wed, 2020-03-25 14:41 09[NET] <3> received packet: from y.y.y.y[500] to
x.x.x.x[500] (292 bytes)
Wed, 2020-03-25 14:41 09[ENC] <3> parsed ID_PROT request 0 [ SA V V V V
V V V V V V ]
Wed, 2020-03-25 14:41 09[CFG] <3> looking for an ike config for
x.x.x.x...y.y.y.y
Wed, 2020-03-25 14:41 09[IKE] <3> no IKE config found for
x.x.x.x...y.y.y.y, sending NO_PROPOSAL_CHOSEN
Wed, 2020-03-25 14:41 09[ENC] <3> generating INFORMATIONAL_V1 request
3284802983 [ N(NO_PROP) ]
Wed, 2020-03-25 14:41 09[NET] <3> sending packet: from x.x.x.x[500] to
y.y.y.y[500] (40 bytes)
Wed, 2020-03-25 14:41 09[IKE] <3> IKE_SA (unnamed)[3] state change:
CREATED => DESTROYING
Wed, 2020-03-25 14:41 08[CFG] proposing traffic selectors for us:
Wed, 2020-03-25 14:41 08[CFG] 10.100.15.0/24
Wed, 2020-03-25 14:41 08[CFG] proposing traffic selectors for other:
Wed, 2020-03-25 14:41 08[CFG] 172.21.0.0/16
Wed, 2020-03-25 14:41 08[CFG] 172.22.0.0/16
Wed, 2020-03-25 14:41 10[IKE] <server-to-aws|1> sending retransmit 2 of
request message ID 0, seq 1
Wed, 2020-03-25 14:41 10[NET] <server-to-aws|1> sending packet: from
10.100.15.1[500] to y.y.y.y[500] (252 bytes)
Wed, 2020-03-25 14:41 11[CFG] proposing traffic selectors for us:
Wed, 2020-03-25 14:41 11[CFG] 10.100.15.0/24
Wed, 2020-03-25 14:41 11[CFG] proposing traffic selectors for other:
Wed, 2020-03-25 14:41 11[CFG] 172.21.0.0/16
Wed, 2020-03-25 14:41 11[CFG] 172.22.0.0/16
Wed, 2020-03-25 14:41 16[CFG] proposing traffic selectors for us:
Wed, 2020-03-25 14:41 16[CFG] 10.100.15.0/24
Wed, 2020-03-25 14:41 16[CFG] proposing traffic selectors for other:
Wed, 2020-03-25 14:41 16[CFG] 172.21.0.0/16
Wed, 2020-03-25 14:41 16[CFG] 172.22.0.0/16
Wed, 2020-03-25 14:41 00[DMN] signal of type SIGINT received. Shutting down
Wed, 2020-03-25 14:41 00[IKE] <server-to-aws|1> destroying IKE_SA in
state CONNECTING without notification
Wed, 2020-03-25 14:41 00[IKE] <server-to-aws|1> IKE_SA server-to-aws[1]
state change: CONNECTING => DESTROYING