[strongSwan] unable to setup site-to-site
Andreas Steffen
andreas.steffen at strongswan.org
Tue Mar 8 20:10:40 CET 2011
On 03/08/2011 07:25 PM, maverick me wrote:
> Hi,
>
> I am having trouble with setting up site-to-site with remote network.
> I have a single server with public ip where I have installed strongswan.
>
>
> Remote admin has shared the following settings:
>
> ************************************************************************************************************************************
>
> Peer IP:- 202.56.XXX.YYY
>
> Pre-shared key ########### ( share through phone )
> For IKE Policy
> Encryption 3DES
> Authentication SHA
> Diffie-Hellman Group 2
> For IPSec Policy
> Encryption 3DES
> Authentication SHA
> enable perfect forwarding secrecy(pfs)
> Diffie-Hellman Group 1
>
> your local pool IP :- 10.2.28.24
>
> your remote network IP:- 10.2.84.68
>
> ************************************************************************************************************************************
>
> On the basis of this, I have created following ipsec.conf
>
>
> config setup
>     plutostart=yes
>     plutodebug=all
>     plutostderrlog=/var/log/plutoerr.log
plutostderrlog parameter is not supported
>
> conn %default
>     keyexchange=ikev1
>     type=tunnel
>     ikelifetime=86400
>
>
> conn myconn
>     left=119.82.AAA.BBB
>     leftsourceip=10.2.28.24
>     right=202.56.XXX.YYY
>     rightsubnet=10.2.84.68/32
>     esp=3des-sha1-modp768
modp768 DH group is not supported since it is awfully weak
>     ike=3des-sha1-modp1024
>     auth=esp
>     authby=secret
>     pfs=yes
>     auto=start
>
>
> ********************************************************************************************************************************************************************************************************
>
>
> ]# ipsec status
> 000 "myconn": 10.2.28.24/32===119.82.69.67[119.82.69.67]...202.56.229.168[202.56.229.168]===10.2.84.68/32; unrouted; eroute owner: #0
> 000 "myconn": newest ISAKMP SA: #0; newest IPsec SA: #0;
> 000
> 000 #44: "myconn" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 30s
> 000
>
>
> Remote side admin is asking me to NAT private IP. Any suggestion how
> that can be achieved.
Regards
Andreas
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
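As an added check that is not part of this thread or of strongSwan's own tooling, the following Python lint parses an ipsec.conf into its sections and flags the two problems raised in the reply above: the unsupported plutostderrlog parameter and a modp768 DH group inside an ike/esp proposal. The sample config is a constructed copy of the posted one (masked addresses kept as posted), and the two keyword lists are assumptions limited to what the thread names.

```python
# Constructed sample: the poster's ipsec.conf, masked addresses left as posted.
SAMPLE_CONF = """\
config setup
    plutostart=yes
    plutostderrlog=/var/log/plutoerr.log

conn myconn
    left=119.82.AAA.BBB
    right=202.56.XXX.YYY
    rightsubnet=10.2.84.68/32
    esp=3des-sha1-modp768
    ike=3des-sha1-modp1024
    authby=secret
    pfs=yes
    auto=start
"""
# Parameters the reply says ipsec.conf does not support (assumption: limited to what the thread names).
UNSUPPORTED_KEYS = {"plutostderrlog"}
# DH groups the reply says are too weak to be offered in a proposal (assumption: same limit).
WEAK_DH = {"modp768"}

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; a section header starts at column 0, its parameters are indented."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments and trailing space
        if not line.strip():
            continue
        if not raw[0].isspace():  # "config setup" or "conn myconn"
            current = " ".join(line.split())
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def lint(text):
    """Return (section, key, message) tuples for the two issues raised in the reply."""
    findings = []
    for section, params in parse_ipsec_conf(text).items():
        for key, value in params.items():
            if key in UNSUPPORTED_KEYS:
                findings.append((section, key, "unsupported parameter"))
            elif key in ("ike", "esp"):
                # proposals are comma separated; algorithms within one are dash separated
                for part in value.replace(",", "-").rstrip("!").split("-"):
                    if part in WEAK_DH:
                        findings.append((section, key, "weak DH group " + part))
    return findings
```

Running `lint(SAMPLE_CONF)` reports the plutostderrlog line under "config setup" and the modp768 group in the esp proposal under "conn myconn"; the ike proposal with modp1024 passes.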