[strongSwan] StrongSWAN <-> Cisco router IOS 12.4

Andreas Steffen andreas.steffen at strongswan.org
Tue May 11 17:34:34 CEST 2010


left = local and right = remote

is just our recommendation in order to help your orientation.
strongSwan works equally well with left and right swapped.
I was just wondering about the remote end using private network
addresses, which are not routable.

Best regards

Andreas

On 05/11/2010 05:20 PM, François Van Ingelgom wrote:
> In fact, no, the strongswan side is: left=81.246.56.89
>
> The Cisco IOS:  right=192.168.1.218.
>
> I'll try to recreate the configuration tomorrow with the two ends in
> our 81.246.56.64/27 subnet.
>
> From what I understood in the ipsec.conf documentation, left is the actual
> local machine and right is the remote one, is that correct?
>
> Thanks for your help, I'll post what you asked tomorrow.
>
> François Van Ingelgom -- PCSOL
>
>
>
>
> On 11 May 2010 at 17:08, Andreas Steffen wrote:
>
>> Hello François,
>>
>> I don't see anything special in your configuration file except that
>> it looks like an Openswan configuration.
>>
>> I assume that the strongSwan side is
>>
>> right=192.168.1.218
>>
>> which makes use of a port forwarding setup (NAT traversal seems not
>> to be enabled) on the router
>>
>> rightnexthop=192.168.1.1
>>
>> in order to be reachable from the Internet and that
>>
>> left=81.246.56.89
>>
>> is the Cisco IOS box. In order to give you some help I would need
>> the output of
>>
>> ipsec statusall
>>
>> and
>>
>> ip -s xfrm state
>>
>> ip -s xfrm policy
>>
>> after the successful connection setup and after a failed ping.
>>
>> Best regards
>>
>> Andreas
>>
>> On 05/11/2010 03:47 PM, François Van Ingelgom wrote:
>>> Hi everyone!
>>>
>>> I'm trying to set up strongSwan (Debian package) with a Cisco
>>> router (IOS 12.4).
>>>
>>> Both servers are on the same subnet (our public subnet) for
>>> testing purposes.
>>>
>>> Here is my ipsec.conf for strongswan:
>>>
>>> version 2.0	# conforms to second version of ipsec.conf specification
>>>
>>> config setup
>>>         interfaces="ipsec0=eth0"
>>>
>>> conn %default
>>>         ikelifetime=86400
>>>         keylife=3600
>>>         keyingtries=%forever
>>>         authby=secret
>>>         auth=esp
>>>         ike=aes128-sha1-modp1024!
>>>         esp=aes128-sha1!
>>>         pfs=no
>>>         dpdaction=hold
>>>         dpddelay=60
>>>         dpdtimeout=500
>>>
>>> conn tunnelipsec
>>>         type=tunnel
>>>         auto=start
>>>         left=81.246.56.89
>>>         leftnexthop=81.246.56.65
>>>         leftsubnet=192.168.16.0/24
>>>         right=192.168.1.218
>>>         rightnexthop=192.168.1.1
>>>         rightsubnet=192.168.18.0/24
>>>
>>> include /etc/ipsec.d/examples/no_oe.conf
>>>
>>> And here is my ipsec.secrets
>>>
>>> 81.246.56.89: PSK "SecretTunnelPass"
>>>
>>> I'm sorry, I don't have the Cisco config right here, but it's a
>>> classical non-tunnel configuration (esp-aes esp-sha-hmac aes128
>>> and sha).
>>>
>>> In fact, the connection can be established, but when I try to ping
>>> the other end, the Cisco fails, claiming that it has no route for
>>> the network connected to the strongSwan....
>>>
>>> I really have no idea how to set it up, and I've been searching
>>> for a very long time now :/
>>>
>>> If anybody has any idea, hints or anything, I'll greatly
>>> appreciate it :)
>>>
>>> Thanks a lot
>>>
>>> François Van Ingelgom -- PCSOL
>>>

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
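As an added example (not part of this thread and not strongSwan's own code): a small Python script that parses an ipsec.conf of the kind posted above, merges conn %default into each conn, reports which of left/right is the local side given the host's own addresses (echoing the point that left=local is only a convention), and lists the checks raised in the thread: an RFC 1918 endpoint address that is not routable from the Internet, NAT traversal not enabled while such an address is in use, and overlapping subnets. Assumptions: that NAT traversal is switched on with the nat_traversal=yes keyword in config setup (the strongSwan 4.x pluto setting), and that the sample configuration and local address set are constructed from the values in the thread.

```python
import ipaddress

# Constructed sample modelled on the ipsec.conf posted in the thread, with the
# indentation that ipsec.conf requires (the mail client had flattened it).
SAMPLE_IPSEC_CONF = """\
version 2.0     # conforms to second version of ipsec.conf specification

config setup
        interfaces="ipsec0=eth0"

conn %default
        ikelifetime=86400
        keylife=3600
        authby=secret
        auth=esp
        ike=aes128-sha1-modp1024!
        esp=aes128-sha1!
        pfs=no

conn tunnelipsec
        type=tunnel
        auto=start
        left=81.246.56.89
        leftnexthop=81.246.56.65
        leftsubnet=192.168.16.0/24
        right=192.168.1.218
        rightnexthop=192.168.1.1
        rightsubnet=192.168.18.0/24

include /etc/ipsec.d/examples/no_oe.conf
"""


def parse_ipsec_conf(text):
    """Parse ipsec.conf text into {"setup": {...}, "conns": {name: {...}}, "includes": [...]}.
    Section headers ("config setup", "conn <name>") start in column 0; parameters are
    indented key=value lines. "conn %default" is merged into every other conn."""
    setup, defaults, conns, includes = {}, {}, {}, []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # column 0: section header or keyword
            words = line.split()
            if words[:2] == ["config", "setup"]:
                current = setup
            elif words[0] == "conn":
                current = defaults if words[1] == "%default" else conns.setdefault(words[1], {})
            else:                                 # "version 2.0", "include <file>"
                if words[0] == "include":
                    includes.append(words[1])
                current = None
            continue
        if current is None:                       # indented line outside any section
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip().strip('"')
    for conn in conns.values():
        for key, value in defaults.items():
            conn.setdefault(key, value)
    return {"setup": setup, "conns": conns, "includes": includes}


def local_side(conn, local_addresses):
    """Return "left" or "right" depending on which endpoint address belongs to this host
    (strongSwan works out the local side itself; left=local is only the convention),
    or None if neither address is ours."""
    for side in ("left", "right"):
        if conn.get(side) in local_addresses:
            return side
    return None


def check_conn(conf, name):
    """Return the warnings raised in the thread for one conn."""
    conn = conf["conns"][name]
    warnings, private_sides = [], []
    for side in ("left", "right"):
        addr = conn.get(side)
        if addr and ipaddress.ip_address(addr).is_private:
            private_sides.append(side)
            warnings.append(f"{side}={addr} is an RFC 1918 address and is not routable from the Internet")
    # Assumption: NAT traversal is enabled with nat_traversal=yes in config setup.
    if private_sides and conf["setup"].get("nat_traversal", "no") != "yes":
        warnings.append("a private endpoint address is used but nat_traversal=yes is not set in "
                        "config setup; the thread suggests that or a port forwarding on the router")
    try:
        left_net = ipaddress.ip_network(conn["leftsubnet"])
        right_net = ipaddress.ip_network(conn["rightsubnet"])
        if left_net.overlaps(right_net):
            warnings.append(f"leftsubnet {left_net} overlaps rightsubnet {right_net}")
    except KeyError:
        warnings.append("leftsubnet and rightsubnet must both be set for a net-to-net tunnel")
    return warnings


if __name__ == "__main__":
    conf = parse_ipsec_conf(SAMPLE_IPSEC_CONF)
    for name, conn in conf["conns"].items():
        print(f"conn {name}: local side = {local_side(conn, {'81.246.56.89'})}")
        for warning in check_conn(conf, name):
            print("  warning:", warning)
```

Run against the sample, the script reports left as the local side for the host 81.246.56.89 and two warnings: right=192.168.1.218 is a private address, and nat_traversal is not enabled, which is exactly the orientation question and the reachability concern discussed in the thread.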
