[strongSwan] StrongSWAN <-> Cisco router IOS 12.4

François Van Ingelgom francois.vaningelgom at pcsol.be
Tue May 11 17:20:51 CEST 2010 

In fact, no, the strongswan side is: left=81.246.56.89

The Cisco IOS:  right=192.168.1.218.

I'll try to recreate the configuration tomorrow with the two ends in our 81.246.56.64/27 subnet.

From what i understood in ipsec.conf documentation left is the actual local machine and right is the remote one, is that correct?

Thanks for your help, i'll post what you asked tomorrow.

François Van Ingelgom -- PCSOL




Le 11 mai 2010 à 17:08, Andreas Steffen a écrit :

> Hello François,
> 
> I don't see anything special in your configuration file except
> that it looks like an Openswan configuration.
> 
> I assume that the strongSwan side is
> 
>  right=192.168.1.218
> 
> which makes use of a port forwarding setup (NAT traversal seems
> not to be enabled) on the router
> 
>  rightnexthop=192.168.1.1
> 
> in order to be reachable from the Internet and that
> 
>  left=81.246.56.89
> 
> is the Cisco IOS box. In order to give you some help I would need
> the output of
> 
>  ipsec statusall
> 
> and
> 
>  ip -s xfrm state
> 
>  ip -s xfrm policy
> 
> after the successful connection setup and after a failed ping.
> 
> Best regards
> 
> Andreas
> 
> On 05/11/2010 03:47 PM, François Van Ingelgom wrote:
>> Hi everyone!
>> 
>> I'm trying to setup Strongswan (debian package) with a Cisco router (IOS 12.4).
>> 
>> Both servers are on the same subnet (our public subnet) for testing purposes.
>> 
>> Here is my ipsec.conf for strongswan:
>> 
>> version	2.0	# conforms to second version of ipsec.conf specification
>> 
>> config setup
>> 	interfaces="ipsec0=eth0"
>> conn %default
>>        ikelifetime=86400
>>        keylife=3600
>>        keyingtries=%forever
>>        authby=secret
>>        auth=esp
>>        ike=aes128-sha1-modp1024!
>>        esp=aes128-sha1!
>>        pfs=no
>>        dpdaction=hold
>>        dpddelay=60
>>        dpdtimeout=500
>> 
>> conn tunnelipsec
>> 	type=tunnel
>> 	auto=start
>>        left=81.246.56.89
>> 	leftnexthop=81.246.56.65
>> 	leftsubnet=192.168.16.0/24
>> 	right=192.168.1.218
>> 	rightnexthop=192.168.1.1
>>        rightsubnet=192.168.18.0/24
>> 
>> include /etc/ipsec.d/examples/no_oe.conf
>> 
>> And here is my ipsec.secrets
>> 
>> 81.246.56.89: PSK "SecretTunnelPass"
>> 
>> I'm sorry, i don't have the cisco config right here but it's a classical non tunnel configuration (esp-aes esp-sha-hmac aes128 and sha).
>> 
>> In fact, the connection can be established but when i try to ping the other end, the cisco fails claiming that he has no route for the network connected to the strongswan....
>> 
>> I really have no idea how to set it up, and i've been searching for a very long time now :/
>> 
>> I anybody would have any idea, hints or anything, i'll greatly appreciate :)
>> 
>> Thanks a lot
>> 
>> François Van Ingelgom -- PCSOL
>> 
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==

-------------- next part --------------
A non-text attachment was scrubbed...
Name: fvaningelgom.jpg
Type: image/jpeg
Size: 16835 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20100511/3e860840/attachment.jpg>
-------------- next part --------------

More information about the Users mailing list