14-Jun-201910:04 - last edited on 01-Jun-202315:00 by JimmyPackets
Hello,
I'm trying to configure a site to site VPN IPSec Tunnel between our AWS VPN Endpoint and our BIGIP 3900, but we are failing at phase1 of IPSec policy negotiation. I wanted to make sure that our BIGIP 3900 and software version are compatible and if so what our next troubleshooting steps should be. We verified iptables isn't interfering. Our BIGIP is running with software version: BIG-IP 12.1.3.3 Build 0.0.1 Point Release 3
I'm using the default customer gateway configuration exported out of AWS for a F5 Networks BIG IP v12.0.0+. On the AWS side the endpoint is reporting as available, but both tunnels are still showing as down. The F5 racoon log is showing that the policy negotiation is failing during phase1 with a "time up" message. I'll post the logs below, with our AWS endpoint IP addresses replaced with <aws public IP>
2019-06-14 10:33:20: INFO: initiate new phase 1 negotiation: 172.31.2.7[500]<=><aws public ip>[500]
2019-06-14 10:33:20: INFO: begin Identity Protection mode.
2019-06-14 10:33:22: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP <aws public ip>[0]->172.31.2.7[0]
2019-06-14 10:33:22: INFO: delete phase 2 handler.
2019-06-14 10:33:41: ERROR: phase1 negotiation failed due to time up. b642c9591dd83a1a:0000000000000000
2019-06-14 10:33:51: INFO: IPsec-SA request for <aws public ip> queued due to no phase1 found.
2019-06-14 10:33:51: INFO: initiate new phase 1 negotiation: 172.31.2.7[500]<=><aws public ip>[500]
2019-06-14 10:33:51: INFO: begin Identity Protection mode.
2019-06-14 10:33:51: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP <aws public ip>[0]->172.31.2.7[0]
2019-06-14 10:33:51: INFO: delete phase 2 handler.
2019-06-14 10:34:10: ERROR: phase1 negotiation failed due to time up. 7f279f2a2725f7ba:0000000000000000
2019-06-14 10:34:20: INFO: IPsec-SA request for <aws public ip> queued due to no phase1 found.
