Hey, Saravan,<div><br></div><div>Are you trying to set up a client-to-server/remote-access VPN tunnel (Cisco VPN client -to- strongSwan VPN server) INSIDE an existing VPN tunnel (from strongSwan GW to strongSwan VPN server, which is site-to-site)?</div>

<div><br></div><div>If so: why this scenario?</div><div>If not: please confirm you expect to see 2 VPN tunnels between strongSwan GW and strongSwan VPN server: one being the initial one you establish, and then another one, NATted, between the Cisco client and the strongSwan VPN server. Is that correct?</div>

<div><br></div><div>Thanks,</div><div>Cristina</div><br><div class="gmail_quote">On Wed, Apr 4, 2012 at 11:02 AM, SaRaVanAn <span dir="ltr"><<a href="mailto:saravanan.nagarajan87@gmail.com">saravanan.nagarajan87@gmail.com</a>></span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Friends,<br>      Any help on this query???<div class="HOEnZb"><div class="h5"><br><br><div class="gmail_quote">On Wed, Apr 4, 2012 at 12:14 AM, SaRaVanAn <span dir="ltr"><<a href="mailto:saravanan.nagarajan87@gmail.com" target="_blank">saravanan.nagarajan87@gmail.com</a>></span> wrote:<br>


<blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Andreas,<br>   This is the critical topology I have been digging through for a month. It would be great if you could share your views on this, as you are a virtuoso in this field.<br>


<br>Regards,<br>Saravanan N<div><div><br><br><div class="gmail_quote">
On Tue, Apr 3, 2012 at 12:04 AM, SaRaVanAn <span dir="ltr"><<a href="mailto:saravanan.nagarajan87@gmail.com" target="_blank">saravanan.nagarajan87@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">



Hi Andreas,<br>  Please find the topology and error scenario below.<br><br>Cisco VPN Client (eth1: 20.1.1.1) ---------- (eth1: 20.1.1.2) strongSwan Gateway (eth0: 172.31.114.239, NAT MASQUERADE) ---------- (eth0: 172.31.114.227) strongSwan VPN server<br>




<br><br>I have established a tunnel between the strongSwan Gateway and the strongSwan VPN server; the tunnel is up and<br>working fine. Now I'm trying to establish a tunnel between the Cisco VPN client and the strongSwan VPN server,<br>NATted via the strongSwan Gateway, but I found that strongSwan is not responding to the IKE packets from the Cisco VPN<br>client. I have confirmed this with the help of tcpdump on eth0 on the strongSwan VPN server. But<br>the tunnel between the Cisco VPN client and the strongSwan VPN server works fine if there is no tunnel established between the strongSwan Gateway and the strongSwan VPN server, so I cannot suspect a configuration error either.<br>




Please share your views on this.<br><br>Configuration details<br>+++++++++++++++<br><br>strongSwan Gateway<br>++++++++++++++++<br><br>NAT:<br>iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE<br><br>ipsec.conf<br>
+++++++<br>
<br>config setup<br>
        plutostart=no<br>
        charondebug=all<br>
        nat_traversal=yes<br>
<br>conn site-site<br>
        keyexchange=ikev2<br>
        right=172.31.114.227<br>
        left=172.31.114.239<br>
        authby=secret<br>
        ike=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024<br>
        auto=add<br>
<br>ipsec.secrets<br>
++++++++++<br>
<br>172.31.114.239 172.31.114.227 : PSK "sachin"<br>
<br><br>strongSwan VPN server<br>
+++++++++++++++++++++<br>
<br>ca vpnca<br>
          cacert=caCert.pem<br>
          #crluri=crl.pem<br>
          auto=add<br>
<br>config setup<br>
          plutostart=yes<br>
          #plutodebug=control<br>
          charonstart=yes<br>
          charondebug="net 0"<br>
          nat_traversal=yes<br>
          crlcheckinterval=10m<br>
          strictcrlpolicy=no<br>
<br>conn %default<br>
        ikelifetime=60m<br>
        keylife=20m<br>
        rekeymargin=3m<br>
        keyingtries=1<br>
        leftupdown="sudo -E ipsec _updown"<br>
<br># Add connections here.<br>
conn cisco-vpn<br>
          type=tunnel<br>
          keyexchange=ikev1<br>
          ike=aes256-sha1-modp1536!<br>
          esp=aes256-sha1!<br>
          dpdaction=clear<br>
          dpddelay=300s<br>
          left=%defaultroute<br>
          leftsubnet=0.0.0.0/0<br>
          leftcert=dutCert.pem<br>
          leftid="C=CH, O=strongSwan, CN=strongswan"<br>
          right=%any<br>
          rightsourceip=%addrpool<br>
          pfs=no<br>
          authby=xauthrsasig<br>
          xauth=server<br>
          auto=add<br>
<br>conn site-site<br>
        keyexchange=ikev2<br>
        right=172.31.114.239<br>
        left=172.31.114.227<br>
        authby=secret<br>
        ike=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024<br>
        auto=add<br>
<br>ipsec.secrets<br>
+++++++++++<br>
<br>: RSA dutKey.pem<br>
tester : XAUTH "tester"<br>
172.31.114.227 172.31.114.239 : PSK "sachin"<br>
<br>Regards,<br>Saravanan N<br>
</blockquote></div><br>
</div></div></blockquote></div><br>
</div></div><br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
<a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br></blockquote></div><br>
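An added worked example, not taken from the thread, from strongSwan, or from either poster's material, that shows which packets on the gateway fall inside the traffic selectors of the posted "conn site-site" once the Cisco client's traffic has been MASQUERADEd. It assumes the ipsec.conf rule that an omitted leftsubnet/rightsubnet means the endpoint's own address (/32), that the SPD lookup for a forwarded packet sees its post-NAT source address, and that charon's IKE bypass is bound to its own UDP sockets and so does not cover forwarded packets; the Packet/Policy types, the SPD ordering and the names gateway_spd and classify_flows are constructed for the illustration.

```python
"""Traffic-selector matching for the topology in the thread (added example).

Addresses are the ones from the post: Cisco client 20.1.1.1, gateway
eth0 172.31.114.239, VPN server 172.31.114.227.  Everything else (the
Packet/Policy model, the SPD order) is a constructed simplification of
how a kernel security policy database decides whether an outbound
packet must be protected by a tunnel.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str                   # "udp", "esp", "tcp", ...
    dport: Optional[int] = None
    local: bool = False          # True: generated by the gateway itself; False: forwarded


@dataclass(frozen=True)
class Policy:
    name: str
    src_sel: IPv4Network
    dst_sel: IPv4Network
    action: str                  # "ipsec" (protect with the named conn) or "bypass"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None
    local_only: bool = False     # socket-bound bypass: never applies to forwarded packets

    def matches(self, pkt: Packet) -> bool:
        if self.local_only and not pkt.local:
            return False
        if pkt.src not in self.src_sel or pkt.dst not in self.dst_sel:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        return self.dport is None or pkt.dport == self.dport


def lookup(spd: List[Policy], pkt: Packet) -> str:
    """Ordered first-match SPD lookup: 'bypass', 'ipsec:<conn>' or 'clear' (no policy)."""
    for pol in spd:
        if pol.matches(pkt):
            return "bypass" if pol.action == "bypass" else f"ipsec:{pol.name}"
    return "clear"


def masquerade(pkt: Packet, egress_addr: IPv4Address) -> Packet:
    """Effect of 'iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE': rewrite the source."""
    return replace(pkt, src=egress_addr)


def conn_selectors(left: str, right: str,
                   leftsubnet: Optional[str] = None,
                   rightsubnet: Optional[str] = None):
    """ipsec.conf semantics: an omitted leftsubnet/rightsubnet is the endpoint address itself."""
    return (IPv4Network(leftsubnet or f"{left}/32"),
            IPv4Network(rightsubnet or f"{right}/32"))


GW_ETH0 = IPv4Address("172.31.114.239")
SERVER = IPv4Address("172.31.114.227")
CISCO_CLIENT = IPv4Address("20.1.1.1")
ANY = IPv4Network("0.0.0.0/0")


def gateway_spd() -> List[Policy]:
    """Outbound SPD of the gateway as the posted 'conn site-site' (no subnets) implies."""
    left_sel, right_sel = conn_selectors("172.31.114.239", "172.31.114.227")
    gw_host = IPv4Network(f"{GW_ETH0}/32")
    return [
        # Assumption: charon exempts its own IKE sockets; the exemption is socket-bound.
        Policy("ike-bypass-500", gw_host, ANY, "bypass", "udp", 500, local_only=True),
        Policy("ike-bypass-4500", gw_host, ANY, "bypass", "udp", 4500, local_only=True),
        # Host-to-host selector 172.31.114.239/32 <-> 172.31.114.227/32, any protocol.
        Policy("site-site", left_sel, right_sel, "ipsec"),
    ]


def classify_flows() -> Dict[str, str]:
    """Classify the flows that the thread's topology produces on the gateway's eth0."""
    spd = gateway_spd()
    gw_ike = Packet(GW_ETH0, SERVER, "udp", 500, local=True)
    client_ike = Packet(CISCO_CLIENT, SERVER, "udp", 500)        # as received on eth1
    client_natt = Packet(CISCO_CLIENT, SERVER, "udp", 4500)
    return {
        "gateway own IKE": lookup(spd, gw_ike),
        "client IKE pre-NAT": lookup(spd, client_ike),
        "client IKE post-NAT": lookup(spd, masquerade(client_ike, GW_ETH0)),
        "client NAT-T post-NAT": lookup(spd, masquerade(client_natt, GW_ETH0)),
    }


if __name__ == "__main__":
    for flow, verdict in classify_flows().items():
        print(f"{flow:24s} -> {verdict}")
```

classify_flows() reports the gateway's own IKE as bypassed, the client's IKE as "clear" while its source is still 20.1.1.1, and the same packet as "ipsec:site-site" once MASQUERADE has given it the gateway's eth0 address, for both UDP 500 and UDP 4500. That overlap is what Cristina's question about two tunnels points at: with no leftsubnet/rightsubnet, the site-to-site conn claims all traffic between the two hosts, including the NATted client's IKE. The thread itself does not establish what the server does with those packets.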