[strongSwan] Migration from Openswan to Strongswan

Andreas Steffen andreas.steffen at strongswan.org
Tue May 10 12:12:31 CEST 2011


Hello Pavel,

if you have iptables in place and you ping the internal interface
of the VPN gateway then you need an INPUT/OUTPUT iptables rule
to access that interface. Thus you'll need

    leftfirewall=yes
    lefthostaccess=yes

If you have a MASQUERADING rule in place which NATs all traffic
from the internal network to the outer IP address of the gateway
then you must exempt traffic to be tunneled from this rule by adding

iptables -t nat -I POSTROUTING 1 -s 10.10.0.0/16 -o eth0 \
          -m policy --dir out --pol ipsec --proto esp -j ACCEPT

Regards

Andreas

On 05/10/2011 11:51 AM, Pavel Arnošt wrote:
> Hi,
> I tried to migrate our Openswan VPN (2.6.21) to Strongswan VPN (4.5.1)
> on our CentOS 5 server. Openswan package is from official CentOS
> repository (openswan-2.6.21-5.el5_6.4), Strongswan package have been
> built from this spec file:
> http://developer.intra2net.com/git/?p=strongswan-rpm;a=blob_plain;f=strongswan.spec;hb=e2bb0076fce6d44ee80cff4b20d90a0eee1fa689
> I slightly modified configuration for IKEv1 keying, ipsec.conf looks like:
> config setup
>     charonstart=no
>     plutodebug="control"
>
> conn %default
>     keyexchange=ikev1
>     authby=secret
>
> conn CONN
>     type=tunnel
>     left=A.A.A.A
>     leftsubnet=192.168.52.0/24
>     right=B.B.B.B
>     rightsubnet=10.10.0.0/16
>     auto=start
>     auth=esp
>     ikelifetime=28800s
>     keylife=3600s
>     compress=no
>     ike=3des-sha1-modp1024
>     esp=3des-sha1
>     pfs=yes
>     dpddelay=30
>     dpdtimeout=120
>     dpdaction=restart
> Both ISAKMP and IPsec SA were successfully established, ip xfrm policy
> output was the same as output from Openswan. But...
> In tcpdump, I saw incoming ESP traffic from B.B.B.B, but no ESP traffic
> from our address A.A.A.A. Ping to 10.10.255.1 returned no response, so I
> think that policies were in place (with turned off VPN, ping returned
> "host unreachable" from far away gateway). I added "iptables -I FORWARD
> -j ACCEPT" rule to iptables to rule out problem with firewall.
> Do you have any idea what can be wrong?
> Thanks,
> Regards,
> Pavel Arnost
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
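An added check, not part of the thread, for the second point in the reply: the `-m policy --pol ipsec` exemption only helps if it sits ahead of the MASQUERADE rule in POSTROUTING, so this script parses constructed `iptables-save -t nat` output and reports whether traffic from the tunnel subnet would reach the IPsec-policy ACCEPT before any NAT rule rewrites it. The rule text and subnet are assumptions modelled on the reply.

```python
import ipaddress
import shlex

# Constructed `iptables-save -t nat` excerpts (not from the thread). In BROKEN the
# MASQUERADE rule comes first, so tunnel-bound packets are SNATed before the IPsec
# policy sees them; FIXED has the exemption inserted at position 1.
BROKEN_NAT = """\
*nat
-A POSTROUTING -s 10.10.0.0/16 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.10.0.0/16 -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
COMMIT
"""
FIXED_NAT = """\
*nat
-A POSTROUTING -s 10.10.0.0/16 -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

def postrouting_rules(save_text):
    """Yield each nat-table POSTROUTING rule as a token list (minus '-A POSTROUTING')."""
    in_nat = False
    for line in save_text.splitlines():
        if line.startswith("*"):
            in_nat = line.strip() == "*nat"
        elif in_nat and line.startswith("-A POSTROUTING "):
            yield shlex.split(line)[2:]

def _opt(tokens, flag):
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def _covers(tokens, tunnel_src):
    """True if the rule's -s match applies to tunnel_src (no -s = all; '! -s' = no)."""
    if "-s" not in tokens:
        return True
    i = tokens.index("-s")
    if i and tokens[i - 1] == "!":
        return False
    return ipaddress.ip_network(tunnel_src).subnet_of(ipaddress.ip_network(tokens[i + 1]))

def tunnel_exempt_from_nat(save_text, tunnel_src):
    """Walk POSTROUTING in order: True if packets from tunnel_src reach an IPsec-policy
    ACCEPT before any MASQUERADE/SNAT (or no NAT rule matches them at all)."""
    for tokens in postrouting_rules(save_text):
        if not _covers(tokens, tunnel_src):
            continue
        target = _opt(tokens, "-j")
        if target == "ACCEPT" and _opt(tokens, "--pol") == "ipsec" and _opt(tokens, "--dir") == "out":
            return True
        if target in ("MASQUERADE", "SNAT"):
            return False
    return True
```

Run it against the real `iptables-save -t nat` output of the gateway to confirm the ordering before chasing the problem elsewhere.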