Hi Andreas,<br>   This is the critical topology I have been digging through for a month. It would be great if you could share your views on this, as you are a virtuoso in this field.<br><br>Regards,<br>Saravanan N<br><br><div class="gmail_quote">
On Tue, Apr 3, 2012 at 12:04 AM, SaRaVanAn <span dir="ltr"><<a href="mailto:saravanan.nagarajan87@gmail.com">saravanan.nagarajan87@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hi Andreas,<br>  Please find the topology and error scenario below.<br><br><pre>
Cisco VPN (eth1)          (eth1)      (eth0)                        (eth0)
Client  ------------------ Strongswan ----------------------------- Strongswan (VPN server)
20.1.1.1                  20.1.1.2    (Gateway)                     172.31.114.227
                                      172.31.114.239
                                      (NAT MASQUERADE)
</pre>

<br>I have established a tunnel between the Strongswan Gateway and the Strongswan VPN server; the tunnel is up and<br>it's working fine. Now I'm trying to establish a tunnel between the Cisco VPN client and the Strongswan VPN server,<br>NATted via the Strongswan Gateway, but I found that Strongswan is not responding to the IKE packets from the Cisco VPN<br>client. I have confirmed this with the help of tcpdump on eth0 of the Strongswan VPN server. But<br>the tunnel between the Cisco VPN client and the Strongswan VPN server works fine if there is no tunnel established between the Strongswan Gateway and the Strongswan VPN server, so I cannot suspect a configuration error either.<br>

Please share your views on this.<br><br>Configuration details<br>+++++++++++++++<br><br>Strongswan Gateway<br>++++++++++++++++<br><br>Nat:<br><pre>iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE</pre><br>ipsec.conf<br>+++++++<br><pre>config setup
        plutostart=no
        charondebug=all
        nat_traversal=yes

conn site-site
        keyexchange=ikev2
        right=172.31.114.227
        left=172.31.114.239
        authby=secret
        ike=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024
        auto=add
</pre>ipsec.secrets<br>++++++++++<br><pre>172.31.114.239 172.31.114.227 : PSK "sachin"</pre><br>Strongswan VPN server<br>+++++++++++++++++++++<br><pre>ca vpnca
          cacert=caCert.pem
          #crluri=crl.pem
          auto=add

config setup
          plutostart=yes
          #plutodebug=control
          charonstart=yes
          charondebug="net 0"
          nat_traversal=yes
          crlcheckinterval=10m
          strictcrlpolicy=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        leftupdown="sudo -E ipsec _updown"

# Add connections here.
conn cisco-vpn
          type=tunnel
          keyexchange=ikev1
          ike=aes256-sha1-modp1536!
          esp=aes256-sha1!
          dpdaction=clear
          dpddelay=300s
          left=%defaultroute
          leftsubnet=0.0.0.0/0
          leftcert=dutCert.pem
          leftid="C=CH, O=strongSwan, CN=strongswan"
          right=%any
          rightsourceip=%addrpool
          pfs=no
          authby=xauthrsasig
          xauth=server
          auto=add

conn site-site
        keyexchange=ikev2
        right=172.31.114.239
        left=172.31.114.227
        authby=secret
        ike=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024
        auto=add
</pre>ipsec.secrets<br>+++++++++++<br><pre>: RSA dutKey.pem
tester : XAUTH "tester"
172.31.114.227 172.31.114.239 : PSK "sachin"
</pre>Regards,<br>Saravanan N<br>
</blockquote></div><br>
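The checker below is an added example written for this page, not code from the thread or from the strongSwan project. It parses the posted conn definitions and reports which conn's traffic selectors cover a given flow, applying strongSwan's rule that an omitted leftsubnet/rightsubnet means the host's own address (/32); the section regex, the constructed excerpt of the posted config and the skipping of run-time values (%any, %defaultroute) are the example's own assumptions.

```python
import ipaddress
import re

# Constructed excerpt of the two conns posted in the thread (ca/config sections omitted).
IPSEC_CONF = """conn cisco-vpn
        keyexchange=ikev1
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        right=%any

conn site-site
        keyexchange=ikev2
        right=172.31.114.239
        left=172.31.114.227
"""

def parse_conf(text):
    """Return {section: {key: value}} for the conn/config/ca sections of an ipsec.conf."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments and trailing space
        if not line.strip():
            continue
        header = re.match(r"^(conn|config|ca)\s+(\S+)$", line)
        if header:                                     # section headers start in column 0
            current = sections.setdefault(f"{header[1]} {header[2]}", {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return sections

def selector(conf, side):
    """<side>subnet if set, else the host address itself (/32); None for run-time values."""
    net = conf.get(side + "subnet")
    if net:
        return ipaddress.ip_network(net, strict=False)
    host = conf.get(side, "%any")
    return None if host.startswith("%") else ipaddress.ip_network(host)

def covering_conns(sections, src, dst):
    """Names of conns whose right->left selectors cover a packet src->dst arriving at 'left'."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = []
    for name, conf in sections.items():
        r, l = selector(conf, "right"), selector(conf, "left")
        if name.startswith("conn ") and r is not None and l is not None and src in r and dst in l:
            hits.append(name[5:])
    return hits
```

Run against the posted config, `covering_conns(parse_conf(IPSEC_CONF), "172.31.114.239", "172.31.114.227")` returns `['site-site']` (the MASQUERADEd client flow, as seen from the server, falls inside the host-to-host site-site selectors), while the same flow from the client's real address 20.1.1.1 matches no conn with concrete selectors.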