<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-CA" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span lang="EN-US">The ultimate goal is to be able to subscribe to multicast traffic (239.100.100.13) being generated behind the cisco router on the server hosting strongswan. Ideally we would like to also forward this traffic onto the
network behind strongswan however we understand that that step in AWS VPCs is not trivial/possible without additional tunnels/configuration. Any help would be appreciated.<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-US">We are having an issue setting up a site-to-site VPN in our environment. Both the router and the strongSwan server implement NAT in some way. On the router it is configured on the source interface for the external IP. On
the strongSwan server, the server sits in an Amazon VPC (it is an EC2 instance) and there is an Elastic IP attached to the instance.
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Our Environment looks like this: <o:p></o:p></span></p>
<pre style="font-size:10.0pt;font-family:'Courier New';color:black">
     External IP:                                                         External IP:
+----------------+<<Cisco external IP>>            <<AWS External IP>>+------------------+
|  Cisco Router  |                                                    |    Centos 7      |
|                ------------------------------------------------------   StrongSwan     |
|        |       |GRE Tunnel IP:                    GRE Tunnel IP:    |         |        |
+--------|-------+10.100.60.13/30                   10.100.60.14/30   +---------|--------+
         |                                                                      |
         |                                                                      |
         |                                                                      |
         |                                                                      |
  Internal Network                                                       Internal Network
  192.168.0.0/16                                                         192.168.1.0/24
  Multicast Traffic
  239.100.100.13
</pre>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:12.0pt;color:black;mso-fareast-language:EN-CA"> <o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:12.0pt;color:black;mso-fareast-language:EN-CA"> <o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:12.0pt;color:black;mso-fareast-language:EN-CA">We are trying to set up a site-to-site VPN between a Cisco router and a CentOS 7 server running strongSwan 5.7.2-1.el7.<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:12.0pt;color:black;mso-fareast-language:EN-CA"><o:p> </o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:12.0pt;color:black;mso-fareast-language:EN-CA">We are able to establish the IPsec tunnel; however, the GRE network 10.100.60.12/30 is not pingable. Further to this, while we see the multicast
traffic in a tcpdump, it appears to be ‘caught’ in the GRE encapsulation and does not provide data when subscribed to via a local process meant to connect to it:<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:EN-CA">
<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:EN-CA">strongswan]# tcpdump -n -s 0 -i eth0 not port 22<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:EN-CA">tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:EN-CA">listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:EN-CA">16:23:59.959925 IP <<Cisco external IP>>.ipsec-nat-t > 192.168.1.154.ipsec-nat-t: UDP-encap: ESP(spi=0xcf6ee5da,seq=0x1dc399),
length 132<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:EN-CA">16:23:59.959925 IP <<Cisco external IP>> > <<AWS External IP>>: GREv0, length 76: IP 192.168.3.48.48146 > 239.100.100.13.9250:
UDP, length 44<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:EN-CA">16:23:59.959942 IP <<Cisco external IP>>.ipsec-nat-t > 192.168.1.154.ipsec-nat-t: UDP-encap: ESP(spi=0xcf6ee5da,seq=0x1dc39a),
length 132<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:EN-CA">16:23:59.959942 IP <<Cisco external IP>> > <<AWS External IP>>: GREv0, length 76: IP 192.168.3.48.48146 > 239.100.100.13.9250:
UDP, length 44<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:EN-CA">16:23:59.960201 IP <<Cisco external IP>>.ipsec-nat-t > 192.168.1.154.ipsec-nat-t: UDP-encap: ESP(spi=0xcf6ee5da,seq=0x1dc39b),
length 132<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:EN-CA">16:23:59.960201 IP <<Cisco external IP>> > <<AWS External IP>>: GREv0, length 76: IP 192.168.3.48.48146 > 239.100.100.13.9250:
UDP, length 44
<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:EN-CA"> <o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:12.0pt;color:black;mso-fareast-language:EN-CA">On the cisco router the following configuration is used:<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:12.0pt;color:black;mso-fareast-language:EN-CA"><o:p> </o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:EN-CA">crypto isakmp policy 300<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:EN-CA">encr 3des<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:EN-CA">authentication pre-share<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:EN-CA">group 2<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:EN-CA">lifetime 28800<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:EN-CA">!<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:EN-CA">crypto isakmp key <<key>> address <<AWS External IP>><o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:EN-CA">!<br>
crypto ipsec transform-set RXN-3DES-SHA esp-3des esp-sha-hmac<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:EN-CA">mode tunnel<br>
!<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:EN-CA">crypto map outside_map 999 ipsec-isakmp<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:EN-CA">description IPSec tunnel to newStrongSwanTestAws<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:EN-CA">set peer <<AWS External IP>><o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:EN-CA">set transform-set RXN-3DES-SHA<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:EN-CA">set pfs group2<o:p></o:p></span></p>
<p class="MsoNormal" style="line-height:14.4pt"><span style="font-size:10.0pt;font-family:"Courier New";color:black;mso-fareast-language:EN-CA">match address NEWSTRONGSWANTEST<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">!<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">interface Tunnel999<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">description StrongSwantest GRE tunnel<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">ip address 10.100.60.13 255.255.255.252<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">ip mtu 1400<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">ip nat outside<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">ip pim neighbor-filter MCAST-DENY-ALL<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">ip pim sparse-dense-mode<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">ip tcp adjust-mss 1360<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">ip igmp static-group 239.100.100.13<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">tunnel source <<Cisco external IP>><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">tunnel destination <<AWS External IP>><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">ip virtual-reassembly<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">!<br>
interface GigabitEthernet0/1/1<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">ip address <<Cisco external IP>> 255.255.255.128<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">ip nat outside<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">negotiation auto<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">no cdp enable<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">crypto map outside_map<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">no ip virtual-reassembly
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">!<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">ip access-list standard MCAST-DENY-ALL<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">deny any<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">!<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">ip access-list extended NEWSTRONGSWANTEST<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">permit gre host <<Cisco external IP>> host <<AWS External IP>><o:p></o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">permit gre host <<AWS External IP>> host <<Cisco external IP>><br>
<br>
</span><span lang="EN-US" style="font-size:10.0pt">StrongSwan configs:</span><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""># ipsec.conf - strongSwan IPsec configuration file<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">config setup<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> charondebug="all"<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">conn van<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> type=tunnel #IPSec Type: Tunnel<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> authby=secret #Authentication via Shared Secret<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> left=%defaultroute #strongswan outside address<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> leftsubnet=0.0.0.0/0 #Local Subnets being Tunneled<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> leftid=<<AWS External IP>> #Connection PublicIP (OtherPartyConnectionId)<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> right=<<Cisco external IP>> #Remote Participant PublicIP<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> rightsubnet=0.0.0.0/0,239.100.100.13 #Remote Subnets being Tunneled<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> rightid=<<Cisco external IP>> #IKEID sent by IOS<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> auto=start<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> compress=yes<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> ike=3des-sha1-modp1024! #IKE Phase 1 Algorithm<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> esp=3des-sha-modp1024!<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> mark=%unique<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> ikelifetime=86400<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> keyingtries=%forever #Attempts to Negotiate a Connection<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> #keylife=59m<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> #rekeymargin=3m<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> rekey=yes #Enable Rekeying<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> keyexchange=ikev1<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> authby=secret<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> dpdtimeout=10 #Dead Peer Detection Timeout<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> dpddelay=3 #Dead Peer Detection Delay<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">ipsec.secrets<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""><br>
# ipsec.secrets - strongSwan IPsec secrets file<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">%any %any : PSK "<<key>>"<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">%any : PSK "<<key>>"<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">strongswan.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""># strongswan.conf - strongSwan configuration file<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">#<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""># Refer to the strongswan.conf(5) manpage for details<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">#<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""># Configuration changes should be made in the included files<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">charon {<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> load_modular = yes<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> plugins {<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> include strongswan.d/charon/*.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> }<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">}<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">include strongswan.d/*.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">strongswan.d/starter.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">starter {<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> # Location of the ipsec.conf file<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> config_file = /etc/strongswan/ipsec.conf<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">}<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">After starting strongSwan, the status of the tunnels is as follows:
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">strongswan]# strongswan statusall<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">Status of IKE charon daemon (strongSwan 5.7.2, Linux 3.10.0-1062.12.1.el7.x86_64, x86_64):<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> uptime: 53 minutes, since Jan 21 15:45:19 2021<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> malloc: sbrk 1724416, mmap 0, used 603808, free 1120608<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> loaded plugins: charon pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius
eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">Listening IP addresses:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> 192.168.1.154<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">Connections:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> van: %any...<<Cisco external IP>> IKEv1<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> van: local: [<<AWS External IP>>] uses pre-shared key authentication<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> van: remote: [<<Cisco external IP>>] uses pre-shared key authentication<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> van: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">Security Associations (1 up, 0 connecting):<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> van[2]: ESTABLISHED 53 minutes ago, 192.168.1.154[<<AWS External IP>>]...<<Cisco external IP>>[<<Cisco external IP>>]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> van[2]: IKEv1 SPIs: 5d7341cbe0165876_i 44d5d21cf864ebb0_r*, pre-shared key reauthentication in 22 hours<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> van[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> van{3}: REKEYED, TUNNEL, reqid 1, expires in 6 minutes<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> van{3}: <<AWS External IP>>/32[gre] === <<Cisco external IP>>/32[gre]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> van{4}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cbe53fd4_i 530be7ab_o<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> van{4}: 3DES_CBC/HMAC_SHA1_96/MODP_1024, 62413730 bytes_i, 0 bytes_o, rekeying in 36 minutes<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""> van{4}: <<AWS External IP>>/32[gre] === <<Cisco external IP>>/32[gre]<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">We attempt to create a GRE tunnel with the following commands, but we are unsure whether this is correct:<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">ip tunnel add 999 mode gre local 10.100.60.14 remote 10.100.60.13 ttl 255<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">ip link set 999 up<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New"">ip route add 10.100.60.12/30 dev 999<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US" style="font-size:10.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">It should be noted that the multicast traffic appears to flow without the tunnel 999 interface being up on the strongSwan server itself, so we are not sure that this interface is set up correctly at all.
<o:p></o:p></span></p>
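<p class="MsoNormal"><span lang="EN-US">The following Python is an added illustration, not code from the original post and not from strongSwan or Cisco. It cross-checks three things the post shows side by side: the Tunnel999 stanza, the outer header of the GREv0 packet that tcpdump printed after ESP decapsulation, and the ip tunnel add command. The public addresses are masked in the post, so the sample input (constructed here) substitutes RFC 5737 documentation addresses for them; the interface name gre999 is this example's own choice. The rule it applies is the Linux kernel's: a GRE packet reaches a gre interface only if its outer destination is an address the host owns and the outer (destination, source) pair equals the interface's (local, remote).</span></p>

```python
# Added example (not code from the original post, strongSwan or Cisco):
# cross-check the Cisco Tunnel999 stanza, the GRE outer header tcpdump
# printed after ESP decapsulation, and the Linux-side `ip tunnel add`.
import ipaddress
import re

# Constructed sample input. The post masks both public addresses, so RFC 5737
# documentation addresses stand in for them; 10.100.60.13/30, "ip mtu 1400"
# and the listening address 192.168.1.154 are as the post shows them.
CISCO_EXTERNAL = "203.0.113.1"   # placeholder for the Cisco external IP
AWS_EXTERNAL = "198.51.100.2"    # placeholder for the AWS External IP (the EIP)
LISTENING_IP = "192.168.1.154"   # "Listening IP addresses" in statusall

CISCO_TUNNEL_STANZA = f"""\
interface Tunnel999
 description StrongSwantest GRE tunnel
 ip address 10.100.60.13 255.255.255.252
 ip mtu 1400
 tunnel source {CISCO_EXTERNAL}
 tunnel destination {AWS_EXTERNAL}
"""
TCPDUMP_GRE_LINE = (f"16:23:59.959925 IP {CISCO_EXTERNAL} > {AWS_EXTERNAL}: GREv0, "
                    "length 76: IP 192.168.3.48.48146 > 239.100.100.13.9250: UDP, length 44")
POSTED_LINUX_CMD = "ip tunnel add 999 mode gre local 10.100.60.14 remote 10.100.60.13 ttl 255"

GRE_OUTER = re.compile(r"\bIP (\S+) > (\S+): GREv0\b")


def parse_cisco_tunnel(stanza):
    """Inner address/mask, MTU and outer endpoints of an IOS tunnel stanza."""
    fields = {}
    for line in stanza.splitlines():
        words = line.split()
        if words[:2] == ["ip", "address"]:
            fields["inner"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif words[:2] == ["ip", "mtu"]:
            fields["mtu"] = int(words[2])
        elif words[:2] == ["tunnel", "source"]:
            fields["outer_src"] = words[2]
        elif words[:2] == ["tunnel", "destination"]:
            fields["outer_dst"] = words[2]
    return fields


def p2p_peer(inner):
    """The other usable address of a /30 (or /31) point-to-point link."""
    others = [h for h in inner.network.hosts() if h != inner.ip]
    if len(others) != 1:
        raise ValueError(f"{inner} is not a two-address point-to-point link")
    return str(others[0])


def parse_gre_outer(tcpdump_line):
    """Outer (src, dst) of a GREv0 packet as tcpdump prints it."""
    match = GRE_OUTER.search(tcpdump_line)
    if match is None:
        raise ValueError("no GREv0 outer header in line")
    return match.group(1), match.group(2)


def parse_ip_tunnel_add(cmd):
    """Name, local and remote of an `ip tunnel add NAME mode gre ...` command."""
    words = cmd.split()
    def after(key):
        return words[words.index(key) + 1] if key in words else None
    return {"name": words[3], "local": after("local"), "remote": after("remote")}


def check_linux_gre(cisco, wire_src, wire_dst, linux, local_addrs):
    """Mismatches that keep the kernel from decapsulating GRE on this host
    (empty list means the three inputs agree)."""
    findings = []
    if linux["remote"] != wire_src:
        findings.append(f"remote should be the outer source {wire_src} "
                        f"(Cisco 'tunnel source'), not {linux['remote']}")
    if linux["local"] != wire_dst:
        findings.append(f"local should be the outer destination {wire_dst} "
                        f"(Cisco 'tunnel destination'), not {linux['local']}")
    if wire_dst not in local_addrs:
        findings.append(f"outer destination {wire_dst} is not an address of this host "
                        f"({', '.join(local_addrs)}), so the decapsulated packet is never "
                        "delivered locally; configure it locally or DNAT it first")
    inner_pair = {str(cisco["inner"].ip), p2p_peer(cisco["inner"])}
    for side in ("local", "remote"):
        if linux[side] in inner_pair:
            findings.append(f"{side}={linux[side]} is a tunnel-inner /30 address; it "
                            "belongs on the gre interface ('ip addr add'), not in the "
                            "outer endpoints")
    return findings


def suggested_commands(cisco, linux_local, name="gre999"):
    """iproute2 commands mirroring the Cisco stanza. linux_local must be an
    address this host owns and the one the GRE packets are addressed to."""
    peer = p2p_peer(cisco["inner"])
    prefix = cisco["inner"].network.prefixlen
    return [
        f"ip tunnel add {name} mode gre local {linux_local} remote {cisco['outer_src']} ttl 255",
        f"ip addr add {peer}/{prefix} dev {name}",
        # gre interfaces are created without the MULTICAST flag; set it so the
        # interface is multicast-capable for the 239.100.100.13 subscription
        f"ip link set {name} mtu {cisco['mtu']} multicast on up",
    ]


if __name__ == "__main__":
    cisco = parse_cisco_tunnel(CISCO_TUNNEL_STANZA)
    src, dst = parse_gre_outer(TCPDUMP_GRE_LINE)
    posted = parse_ip_tunnel_add(POSTED_LINUX_CMD)
    for finding in check_linux_gre(cisco, src, dst, posted, [LISTENING_IP]):
        print("mismatch:", finding)
    for cmd in suggested_commands(cisco, dst):   # assumes the EIP was made local
        print(cmd)
```

<p class="MsoNormal"><span lang="EN-US">Run as a script it prints one line per mismatch for the posted command, then the iproute2 commands that would mirror the Cisco stanza. Whether the outer destination is made local by adding the Elastic IP to the host or by DNATing it to 192.168.1.154 before routing is a choice the post does not settle; whichever is chosen, the tunnel's local address must be the one the GRE packets carry when they reach the routing code. The same mismatch shows up on the outbound side: statusall reports 0 bytes_o on the CHILD SA, and the installed selector is the EIP/32[gre], which GRE sent from 192.168.1.154 does not match.</span></p>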
</div>
</body>
</html>