[strongSwan] Migration from Openswan to Strongswan
Pavel Arnošt
pavel.arnost at valvera.cz
Tue May 10 11:51:30 CEST 2011
Hi,
I tried to migrate our Openswan VPN (2.6.21) to Strongswan VPN (4.5.1) on our CentOS 5 server. The Openswan package is from the official CentOS repository (openswan-2.6.21-5.el5_6.4); the Strongswan package has been built from this spec file: http://developer.intra2net.com/git/?p=strongswan-rpm;a=blob_plain;f=strongswan.spec;hb=e2bb0076fce6d44ee80cff4b20d90a0eee1fa689
I slightly modified the configuration for IKEv1 keying; ipsec.conf looks like this:

config setup
    charonstart=no
    plutodebug="control"

conn %default
    keyexchange=ikev1
    authby=secret

conn CONN
    type=tunnel
    left=A.A.A.A
    leftsubnet=192.168.52.0/24
    right=B.B.B.B
    rightsubnet=10.10.0.0/16
    auto=start
    auth=esp
    ikelifetime=28800s
    keylife=3600s
    compress=no
    ike=3des-sha1-modp1024
    esp=3des-sha1
    pfs=yes
    dpddelay=30
    dpdtimeout=120
    dpdaction=restart

Both ISAKMP and IPsec SAs were successfully established, and the ip xfrm policy output was the same as the output from Openswan. But...
In tcpdump, I saw incoming ESP traffic from B.B.B.B, but no ESP traffic from our address A.A.A.A. Ping to 10.10.255.1 returned no response, so I think that policies were in place (with the VPN turned off, ping returned "host unreachable" from a far away gateway). I added an "iptables -I FORWARD -j ACCEPT" rule to iptables to rule out a problem with the firewall.
Do you have any idea what can be wrong?
Thanks,
Regards,
Pavel Arnost