Hi Friends,<br> Any help on this query?<br><br><div class="gmail_quote">On Wed, Apr 4, 2012 at 12:14 AM, SaRaVanAn <span dir="ltr"><<a href="mailto:saravanan.nagarajan87@gmail.com">saravanan.nagarajan87@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Andreas,<br> This is the critical topology I have been digging through for a month. It would be great if you could share your views on this, as you are a virtuoso in this field.<br>
<br>Regards,<br>Saravanan N<div class="HOEnZb"><div class="h5"><br><br><div class="gmail_quote">
On Tue, Apr 3, 2012 at 12:04 AM, SaRaVanAn <span dir="ltr"><<a href="mailto:saravanan.nagarajan87@gmail.com" target="_blank">saravanan.nagarajan87@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Hi Andreas,<br> Please find the topology and error scenario below.<br><br><pre>
Cisco VPN Client          StrongSwan Gateway                  StrongSwan VPN server
     (eth1)           (eth1)            (eth0)                       (eth0)
    20.1.1.1 -------- 20.1.1.2     172.31.114.239 --------------- 172.31.114.227
                               (NAT MASQUERADE)
</pre>
<br>I have established a tunnel between the StrongSwan Gateway and the StrongSwan VPN server; the tunnel is up and<br>working fine. Now I'm trying to establish a tunnel between the Cisco VPN Client and the StrongSwan VPN server,<br>
NATted via the StrongSwan Gateway, but I found that StrongSwan is not responding to the IKE packets from the Cisco VPN<br>client. I have confirmed this with the help of tcpdump on eth0 of the StrongSwan VPN server. But<br>the tunnel between the Cisco VPN client and the StrongSwan VPN server works fine if there is no tunnel established between the StrongSwan Gateway and the StrongSwan VPN server, so I could not suspect a configuration error either.<br>
Please share your views on this.<br><br>Configuration details<br>+++++++++++++++<br><br>StrongSwan Gateway<br>++++++++++++++++<br><br>NAT:<br><pre>
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
</pre>
ipsec.conf<br>+++++++<br><pre>
config setup
    plutostart=no
    charondebug=all
    nat_traversal=yes

conn site-site
    keyexchange=ikev2
    right=172.31.114.227
    left=172.31.114.239
    authby=secret
    ike=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024
    auto=add
</pre>
ipsec.secrets<br>++++++++++<br><pre>
172.31.114.239 172.31.114.227 : PSK "sachin"
</pre>
<br>StrongSwan VPN server<br>+++++++++++++++++++++<br><br>ipsec.conf<br>+++++++<br><pre>
ca vpnca
    cacert=caCert.pem
    #crluri=crl.pem
    auto=add

config setup
    plutostart=yes
    #plutodebug=control
    charonstart=yes
    charondebug="net 0"
    nat_traversal=yes
    crlcheckinterval=10m
    strictcrlpolicy=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    leftupdown="sudo -E ipsec _updown"

# Add connections here.
conn cisco-vpn
    type=tunnel
    keyexchange=ikev1
    ike=aes256-sha1-modp1536!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftcert=dutCert.pem
    leftid="C=CH, O=strongSwan, CN=strongswan"
    right=%any
    rightsourceip=%addrpool
    pfs=no
    authby=xauthrsasig
    xauth=server
    auto=add

conn site-site
    keyexchange=ikev2
    right=172.31.114.239
    left=172.31.114.227
    authby=secret
    ike=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024
    auto=add
</pre>
ipsec.secrets<br>+++++++++++<br><pre>
: RSA dutKey.pem

tester : XAUTH "tester"

172.31.114.227 172.31.114.239 : PSK "sachin"
</pre>
Regards,<br>Saravanan N<br> <br>
</blockquote></div><br>
</div></div></blockquote></div><br>
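One thing a reader of this thread would want to check on the gateway, given the posted configuration: the gateway's site-site conn has no leftsubnet/rightsubnet, so strongSwan installs a host-to-host policy covering every packet between 172.31.114.239 and 172.31.114.227, and Linux re-runs the IPsec policy lookup after SNAT, so the client's IKE packets are tested against that policy with the gateway's own source address once MASQUERADE has rewritten them. The script below is an added illustration, not strongSwan code and not from the thread; it models the outbound policy selection for packets leaving the gateway's eth0 using the posted addresses. The ike-passthrough conn, the source ports and the simplified priority formula are assumptions made for the example. On a real gateway the equivalent check is `ip xfrm policy` plus, on the server, looking in the tcpdump output for an ESP packet arriving immediately before each IKE packet.

```python
"""Which kernel IPsec policy catches a packet leaving the gateway's eth0?

Added example for the thread above; not strongSwan code and it does not read
a live kernel. It models the two rules that matter in the posted topology:
a conn with no leftsubnet / rightsubnet becomes a host-to-host policy
(left/32 <-> right/32, any protocol), and among matching policies the most
specific selector wins. Addresses come from the posted topology; the
passthrough conn and the packet port numbers are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Policy:
    conn: str
    src: str                 # CIDR selector, as strongSwan installs it
    dst: str
    proto: str = "any"       # "any" or an IP protocol name such as "udp"
    sport: int = 0           # 0 = any port
    dport: int = 0
    action: str = "ipsec"    # "ipsec" = wrap in ESP, "bypass" = send in clear

    def matches(self, pkt):
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.sport in (0, pkt.get("sport", 0))
                and self.dport in (0, pkt.get("dport", 0)))

    def specificity(self):
        # Simplified stand-in for the kernel policy priority: longer prefixes
        # and narrower protocol/port selectors rank higher. This is an
        # assumption; strongSwan's exact priority formula is not reproduced.
        score = ip_network(self.src).prefixlen + ip_network(self.dst).prefixlen
        score += 0 if self.proto == "any" else 64
        score += 0 if self.sport == 0 else 16
        score += 0 if self.dport == 0 else 16
        return score


def parse_protoport(value):
    """ipsec.conf protoport syntax: 'udp/500' -> ('udp', 500), 'udp' -> ('udp', 0)."""
    if not value:
        return "any", 0
    proto, _, port = value.partition("/")
    return proto, int(port) if port else 0


def outbound_policy(conn):
    """Build the left->right policy strongSwan installs for a conn (as a dict).

    A missing leftsubnet/rightsubnet defaults to the host address (/32),
    which is what makes the posted site-site conn host-to-host.
    """
    lproto, lport = parse_protoport(conn.get("leftprotoport"))
    rproto, rport = parse_protoport(conn.get("rightprotoport"))
    return Policy(
        conn=conn["name"],
        src=conn.get("leftsubnet", conn["left"] + "/32"),
        dst=conn.get("rightsubnet", conn["right"] + "/32"),
        proto=lproto if lproto != "any" else rproto,
        sport=lport,
        dport=rport,
        action="bypass" if conn.get("type") == "passthrough" else "ipsec",
    )


def lookup(pkt, policies):
    """Return the most specific matching policy, or None (plain routing)."""
    hits = [p for p in policies if p.matches(pkt)]
    return max(hits, key=Policy.specificity) if hits else None


GATEWAY, SERVER = "172.31.114.239", "172.31.114.227"

# The gateway's site-site conn exactly as posted: no subnets at all.
SITE_SITE = {"name": "site-site", "left": GATEWAY, "right": SERVER}

# Assumed extra conn (not in the post): exempt IKE towards the server from
# the host-to-host tunnel so it is forwarded in the clear. The source port
# is left open because MASQUERADE may rewrite the client's UDP/500 port.
IKE_PASSTHROUGH = {"name": "ike-passthrough", "type": "passthrough",
                   "left": GATEWAY, "right": SERVER,
                   "leftprotoport": "udp", "rightprotoport": "udp/500"}

# Constructed packets as they look after POSTROUTING MASQUERADE on eth0.
CLIENT_IKE = {"src": GATEWAY, "dst": SERVER, "proto": "udp", "sport": 1025, "dport": 500}
GATEWAY_SSH = {"src": GATEWAY, "dst": SERVER, "proto": "tcp", "sport": 40000, "dport": 22}


def fate(pkt, conns):
    """Name of the policy that catches pkt and what happens to it."""
    hit = lookup(pkt, [outbound_policy(c) for c in conns])
    return (hit.conn, hit.action) if hit else (None, "clear")


if __name__ == "__main__":
    print("client IKE, posted config  :", fate(CLIENT_IKE, [SITE_SITE]))
    print("client IKE, + passthrough  :", fate(CLIENT_IKE, [SITE_SITE, IKE_PASSTHROUGH]))
    print("gateway ssh, + passthrough :", fate(GATEWAY_SSH, [SITE_SITE, IKE_PASSTHROUGH]))
```

With the posted conn the masqueraded client IKE packet lands on the site-site policy and would be ESP-wrapped; with the assumed passthrough conn it is forwarded in the clear while the gateway's own traffic to the server still takes the tunnel. Whether that is what is happening on this particular gateway is for `ip xfrm policy` and the captures to confirm.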