Hi Andreas,

Please find the topology and error scenario below.

Cisco VPN  (eth1)            (eth1)            (eth0)                            (eth0)
Client   ------------------ strongSwan ------------------------------------ strongSwan (VPN server)
                            (Gateway)
20.1.1.1                    20.1.1.2         172.31.114.239                   172.31.114.227
                                             (NAT MASQUERADE)

I have established a tunnel between the strongSwan gateway and the strongSwan VPN server; the tunnel is up and
working fine. Now I'm trying to establish a tunnel between the Cisco VPN client and the strongSwan VPN server,
NATted via the strongSwan gateway, but I found that strongSwan is not responding to the IKE packets from the Cisco VPN
client. I have confirmed this with the help of tcpdump on eth0 of the strongSwan VPN server. But
the tunnel between the Cisco VPN client and the strongSwan VPN server works fine if there is no tunnel established between the strongSwan gateway and the strongSwan VPN server, so I cannot suspect a configuration error either.
Please share your views on this.

Configuration details
+++++++++++++++

strongSwan Gateway
++++++++++++++++

NAT:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

ipsec.conf
+++++++

config setup
        plutostart=no
        charondebug=all
        nat_traversal=yes

conn site-site
        keyexchange=ikev2
        right=172.31.114.227
        left=172.31.114.239
        authby=secret
        ike=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024
        auto=add

ipsec.secrets
++++++++++

172.31.114.239 172.31.114.227 : PSK "sachin"

strongSwan VPN server
+++++++++++++++++++++

ipsec.conf
+++++++

ca vpnca
          cacert=caCert.pem
          #crluri=crl.pem
          auto=add

config setup
          plutostart=yes
          #plutodebug=control
          charonstart=yes
          charondebug="net 0"
          nat_traversal=yes
          crlcheckinterval=10m
          strictcrlpolicy=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        leftupdown="sudo -E ipsec _updown"

# Add connections here.

conn cisco-vpn
          type=tunnel
          keyexchange=ikev1
          ike=aes256-sha1-modp1536!
          esp=aes256-sha1!
          dpdaction=clear
          dpddelay=300s
          left=%defaultroute
          leftsubnet=0.0.0.0/0
          leftcert=dutCert.pem
          leftid="C=CH, O=strongSwan, CN=strongswan"
          right=%any
          rightsourceip=%addrpool
          pfs=no
          authby=xauthrsasig
          xauth=server
          auto=add

conn site-site
        keyexchange=ikev2
        right=172.31.114.239
        left=172.31.114.227
        authby=secret
        ike=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024
        auto=add

ipsec.secrets
+++++++++++

: RSA dutKey.pem
tester : XAUTH "tester"
172.31.114.227 172.31.114.239 : PSK "sachin"

Regards,
Saravanan N
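In the topology above the VPN server receives both the gateway's own IKEv2 IKE_SA_INIT and the masqueraded Cisco client's IKEv1 exchange from the same source address, 172.31.114.239, and can only tell them apart by source port and ISAKMP header. The following script is an added example, not the poster's code and not part of strongSwan: it parses the 28-byte ISAKMP header shared by IKEv1 and IKEv2 (including the RFC 3948 non-ESP marker on UDP/4500), groups what a responder sees per source address, and reports addresses that present more than one source port. The capture is constructed inline; the translated port 1027, the SPIs and the flag values are assumptions made for illustration, not values from the poster's tcpdump.

```python
"""Classify IKE packets a responder sees, grouped by (source address, source port).

Added example: not the poster's code and not strongSwan code. The packet list
below is constructed by hand to mirror the mail's topology (gateway
172.31.114.239 masquerading a Cisco client towards server 172.31.114.227).
"""
import struct
from collections import defaultdict

# ISAKMP header (RFC 2408 for IKEv1, RFC 7296 for IKEv2), 28 bytes, same layout in both:
# initiator SPI(8) responder SPI(8) next payload(1) version(1) exchange(1) flags(1) msg ID(4) length(4)
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on UDP/4500 starts with four zero bytes; ESP does not

EXCHANGE_TYPES = {
    (1, 2): "IKEv1 Main Mode",
    (1, 4): "IKEv1 Aggressive Mode",
    (1, 5): "IKEv1 Informational",
    (1, 32): "IKEv1 Quick Mode",
    (2, 34): "IKEv2 IKE_SA_INIT",
    (2, 35): "IKEv2 IKE_AUTH",
    (2, 36): "IKEv2 CREATE_CHILD_SA",
    (2, 37): "IKEv2 INFORMATIONAL",
}


def parse_isakmp(payload: bytes, dst_port: int) -> dict:
    """Decode the ISAKMP header of a UDP payload sent to dst_port (500 or 4500)."""
    if dst_port == 4500:
        if not payload.startswith(NON_ESP_MARKER):
            raise ValueError("UDP/4500 payload without non-ESP marker: ESP-in-UDP, not IKE")
        payload = payload[len(NON_ESP_MARKER):]
    if len(payload) < ISAKMP_HDR.size:
        raise ValueError("truncated ISAKMP header")
    ispi, rspi, next_payload, version, exch, flags, msg_id, length = ISAKMP_HDR.unpack_from(payload)
    if length > len(payload):
        raise ValueError("ISAKMP length field exceeds captured payload")
    major, minor = version >> 4, version & 0x0F
    return {
        "ispi": ispi.hex(),
        "rspi": rspi.hex(),
        "version": (major, minor),
        "exchange": EXCHANGE_TYPES.get((major, exch), f"unknown v{major} exchange {exch}"),
        # IKEv2 flag bits (RFC 7296 3.1): 0x08 Initiator, 0x20 Response; IKEv1 uses different bits
        "initiator": bool(flags & 0x08) if major == 2 else None,
        "response": bool(flags & 0x20) if major == 2 else None,
        "msg_id": msg_id,
        "length": length,
    }


def build_isakmp(ispi, rspi, major, minor, exch, next_payload, flags=0, msg_id=0, body=b"") -> bytes:
    """Build a header-only ISAKMP message for the constructed capture (payloads omitted)."""
    return ISAKMP_HDR.pack(ispi, rspi, next_payload, (major << 4) | minor, exch, flags, msg_id,
                           ISAKMP_HDR.size + len(body)) + body


# Constructed capture as seen on the server's eth0: (src_ip, src_port, dst_ip, dst_port, udp payload).
# Port 1027 stands in for whatever port MASQUERADE picks for the client; SPIs are arbitrary.
CAPTURE = [
    # gateway's own IKEv2 IKE_SA_INIT for conn site-site, source port 500 untouched by NAT
    ("172.31.114.239", 500, "172.31.114.227", 500,
     build_isakmp(b"\x11" * 8, b"\x00" * 8, 2, 0, 34, 33, flags=0x08)),
    # server's IKE_SA_INIT response back to the gateway
    ("172.31.114.227", 500, "172.31.114.239", 500,
     build_isakmp(b"\x11" * 8, b"\x33" * 8, 2, 0, 34, 33, flags=0x20)),
    # Cisco client's IKEv1 Aggressive Mode, masqueraded behind the gateway address
    ("172.31.114.239", 1027, "172.31.114.227", 500,
     build_isakmp(b"\x22" * 8, b"\x00" * 8, 1, 0, 4, 1)),
]


def ike_sessions(capture, responder_ip: str) -> dict:
    """Map each source address to the sorted (src_port, exchange) pairs it presents to responder_ip."""
    seen = defaultdict(set)
    for src_ip, src_port, dst_ip, dst_port, payload in capture:
        if dst_ip != responder_ip:
            continue
        try:
            hdr = parse_isakmp(payload, dst_port)
        except ValueError:
            continue  # ESP-in-UDP or damaged packet: not an IKE message
        seen[src_ip].add((src_port, hdr["exchange"]))
    return {ip: sorted(pairs) for ip, pairs in seen.items()}


def shared_nat_addresses(capture, responder_ip: str) -> list:
    """Source addresses behind which more than one IKE source port is in play (a NAT hiding several peers)."""
    return sorted(ip for ip, pairs in ike_sessions(capture, responder_ip).items()
                  if len({port for port, _ in pairs}) > 1)


if __name__ == "__main__":
    for ip, pairs in ike_sessions(CAPTURE, "172.31.114.227").items():
        for port, exchange in pairs:
            print(f"{ip}:{port} -> {exchange}")
    print("addresses carrying more than one IKE peer:", shared_nat_addresses(CAPTURE, "172.31.114.227"))
```

To use it on a real trace, replace CAPTURE with the UDP payloads exported from the tcpdump on the server's eth0 (for example via a pcap reader), keeping the destination port so the UDP/4500 marker is handled. The script only reports what the responder sees; it does not decide why the server stays silent.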