[strongSwan] StrongSWAN <-> Cisco router IOS 12.4

Andreas Steffen andreas.steffen at strongswan.org
Tue May 11 17:08:59 CEST 2010 

Hello François,

I don't see anything special in your configuration file except
that it looks like an Openswan configuration.

I assume that the strongSwan side is

   right=192.168.1.218

which makes use of a port forwarding setup (NAT traversal seems
not to be enabled) on the router

   rightnexthop=192.168.1.1

in order to be reachable from the Internet and that

   left=81.246.56.89

is the Cisco IOS box. In order to give you some help I would need
the output of

   ipsec statusall

and

   ip -s xfrm state

   ip -s xfrm policy

after the successful connection setup and after a failed ping.

Best regards

Andreas

On 05/11/2010 03:47 PM, François Van Ingelgom wrote:
> Hi everyone!
>
> I'm trying to setup Strongswan (debian package) with a Cisco router (IOS 12.4).
>
> Both servers are on the same subnet (our public subnet) for testing purposes.
>
> Here is my ipsec.conf for strongswan:
>
> version	2.0	# conforms to second version of ipsec.conf specification
>
> config setup
> 	interfaces="ipsec0=eth0"
> conn %default
>         ikelifetime=86400
>         keylife=3600
>         keyingtries=%forever
>         authby=secret
>         auth=esp
>         ike=aes128-sha1-modp1024!
>         esp=aes128-sha1!
>         pfs=no
>         dpdaction=hold
>         dpddelay=60
>         dpdtimeout=500
>
> conn tunnelipsec
> 	type=tunnel
> 	auto=start
>         left=81.246.56.89
> 	leftnexthop=81.246.56.65
> 	leftsubnet=192.168.16.0/24
> 	right=192.168.1.218
> 	rightnexthop=192.168.1.1
>         rightsubnet=192.168.18.0/24
>
> include /etc/ipsec.d/examples/no_oe.conf
>
> And here is my ipsec.secrets
>
> 81.246.56.89: PSK "SecretTunnelPass"
>
> I'm sorry, i don't have the cisco config right here but it's a classical non tunnel configuration (esp-aes esp-sha-hmac aes128 and sha).
>
> In fact, the connection can be established but when i try to ping the other end, the cisco fails claiming that he has no route for the network connected to the strongswan....
>
> I really have no idea how to set it up, and i've been searching for a very long time now :/
>
> I anybody would have any idea, hints or anything, i'll greatly appreciate :)
>
> Thanks a lot
>
> François Van Ingelgom -- PCSOL
>
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

More information about the Users mailing list