<div dir="ltr">Hi Brian,<div><br></div><div style>I know you mentioned non-ASA/non-PIX but an FYI, I have Cisco ASA working with Strongswan 5.0.1 on CentOS 6.2. This is what I have on Strongswan side. I have commented few lines to mark the difference. Also, in my case, the Cisco always initiates the connections - Strongswan never does.</div>
<div style><br></div><div style>conn cisco-asa-cert // Your vpn1</div><div style><div> auto=add</div><div> authby=pubkey // I use certificate-based authentication. Use auth=secret is using pre-shared keys</div>
<div> left=%defaultroute // Could be Strongswan IP but %defaultroute chooses the IP of the default interface</div><div> leftcert=vpngwCert.pem // How Strongswan identifies to the connecting clients (Cisco)</div>
<div> leftsubnet=<a href="http://10.10.0.0/16">10.10.0.0/16</a> // The subnet behind Strongswan</div><div> right=%any // IP of the cisco. Router can connect with any IP</div><div>
rightcert=ciscoasa.pem // Certificate of the connecting cisco router </div><div> rightsubnet=<a href="http://192.168.202.0/24">192.168.202.0/24</a> // Subnet behind the connecting cisco router</div>
<div> forceencaps=yes // Force ESP packets to be encapsulated inside UDP.</div><div> mark=20 // xfrm marks. This and below are something that I am trying to. YOU WON'T NEED THIS</div>
<div> leftupdown=/usr/local/etc/ipsec.d/scripts/asa_mark_updown // YOU WON'T NEED this.<br></div><div><br></div><div style>It works great with this config. Not sure but I felt you left and right are possibly interchanged?? More details on your network config would help.</div>
<div style><br></div><div style>Thanks,</div><div style>Bharath Kumar</div></div><div style><br></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Apr 16, 2013 at 1:50 PM, Brian secmang <span dir="ltr"><<a href="mailto:secmang@hotmail.com" target="_blank">secmang@hotmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div dir="ltr">Hello,<br>
We've been struggling with getting a working vpn tunnel up between a Strongswan Linux host and a Cisco ISR router (1941). We're trying to setup a subnet-subnet VPN.<br>
<br>
Does anyone have a working configuration of a working setup between any Cisco router (non-ASA,non-PIX), and a Strongswan server? <br>
<br>
Details:<br>
Strongswan vU4.4.1 with kernel 2.6.32-5-amd64<br>
<br>
ipsec.conf:<br><font>
config setup<br>
plutodebug=control<br>
crlcheckinterval=180<br>
strictcrlpolicy=no <br>
nat_traversal=yes<br>
charonstart=no<br>
<br>
conn %default <br>
ikelifetime=3600s<br>
keylife=20m<br>
rekeymargin=3m<br>
keyingtries=1<br>
keyexchange=ikev1<br>
<br>
<br>
conn vpn1<br>
left=192.168.0.2 # Cisco ISR<br>
leftsubnet=<a href="http://10.2.3.96/28" target="_blank">10.2.3.96/28</a> # User subnet (peer1)<br>
right=172.16.0.1 # StrongSwan Linux (peer2)<br>
rightsubnet=<a href="http://10.1.1.0/16" target="_blank">10.1.1.0/16</a> # Network users will access<br>
auto=start<br></font> </div></div>
<br>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
<a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br></blockquote></div><br></div>