[strongSwan] strongSwan is not responding to IKE packets from Cisco VPN client

SaRaVanAn saravanan.nagarajan87 at gmail.com
Tue Apr 3 09:04:44 CEST 2012


Hi Andreas,
  Please find the topology and error scenario below.

Cisco VPN Client -------------- strongSwan Gateway -------------- strongSwan VPN server
(eth1)                  (eth1)            (eth0)                  (eth0)
20.1.1.1                20.1.1.2          172.31.114.239          172.31.114.227
                                          (NAT MASQUERADE)


I have established a tunnel between the strongSwan Gateway and the strongSwan VPN
server; the tunnel is up and working fine. Now I'm trying to establish a tunnel
between the Cisco VPN Client and the strongSwan VPN server, NATted via the
strongSwan Gateway, but I found that strongSwan is not responding to the IKE
packets from the Cisco VPN client. I have confirmed this with the help of tcpdump
on eth0 of the strongSwan VPN server. The tunnel between the Cisco VPN client and
the strongSwan VPN server works fine if there is no tunnel established between
the strongSwan Gateway and the strongSwan VPN server, so I cannot suspect a
configuration error either. Please share your views on this.

Configuration details
+++++++++++++++++++++

strongSwan Gateway
++++++++++++++++++

NAT:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


ipsec.conf
++++++++++

config setup
        plutostart=no
        charondebug=all
        nat_traversal=yes

conn site-site
        keyexchange=ikev2
        right=172.31.114.227
        left=172.31.114.239
        authby=secret
        ike=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024
        auto=add

ipsec.secrets
+++++++++++++

172.31.114.239 172.31.114.227 : PSK "sachin"


strongSwan VPN server
+++++++++++++++++++++

ipsec.conf
++++++++++

ca vpnca
        cacert=caCert.pem
        #crluri=crl.pem
        auto=add

config setup
        plutostart=yes
        #plutodebug=control
        charonstart=yes
        charondebug="net 0"
        nat_traversal=yes
        crlcheckinterval=10m
        strictcrlpolicy=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        leftupdown="sudo -E ipsec _updown"

# Add connections here.

conn cisco-vpn
        type=tunnel
        keyexchange=ikev1
        ike=aes256-sha1-modp1536!
        esp=aes256-sha1!
        dpdaction=clear
        dpddelay=300s
        left=%defaultroute
        leftsubnet=0.0.0.0/0
        leftcert=dutCert.pem
        leftid="C=CH, O=strongSwan, CN=strongswan"
        right=%any
        rightsourceip=%addrpool
        pfs=no
        authby=xauthrsasig
        xauth=server
        auto=add

conn site-site
        keyexchange=ikev2
        right=172.31.114.239
        left=172.31.114.227
        authby=secret
        ike=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024
        auto=add

ipsec.secrets
+++++++++++++

: RSA dutKey.pem

tester : XAUTH "tester"

172.31.114.227 172.31.114.239 : PSK "sachin"

Regards,
Saravanan N
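A check worth running on the server side for a setup like the one above, added here as an example and not part of the original post: it parses `conn` blocks in ipsec.conf format and reports which connection's traffic selectors a given flow falls under, using the strongSwan rule that a conn without `leftsubnet`/`rightsubnet` is host-to-host (the selector is the peer address as a /32). The conf text is a constructed excerpt of the two conns posted above, and the flow tested is the client's IKE packet as it looks after the gateway's MASQUERADE (source rewritten to 172.31.114.239).

```python
import ipaddress

# Constructed excerpt of the VPN server's ipsec.conf from the post.
IPSEC_CONF = """
conn %default
        keyingtries=1

conn site-site
        keyexchange=ikev2
        right=172.31.114.239
        left=172.31.114.227
        authby=secret
        auto=add

conn cisco-vpn
        keyexchange=ikev1
        left=172.31.114.227
        leftsubnet=0.0.0.0/0
        right=%any
        auto=add
"""

def parse_conns(text):
    """Return {conn_name: {key: value}}, with 'conn %default' merged into each conn."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                      # section header
            cur = line.split(None, 1)[1] if line.startswith("conn ") else None
            if cur is not None:
                conns[cur] = {}
        elif cur is not None and "=" in line:
            key, val = line.strip().split("=", 1)
            conns[cur][key.strip()] = val.strip().strip('"')
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **c} for name, c in conns.items()}

def traffic_selectors(conn):
    """(left, right) selectors; None when the side is only known at runtime (%any etc.)."""
    def side(prefix):
        subnet, host = conn.get(prefix + "subnet"), conn.get(prefix, "")
        if subnet:
            return ipaddress.ip_network(subnet, strict=False)
        return None if host.startswith("%") else ipaddress.ip_network(host + "/32")
    return side("left"), side("right")

def matching_conns(conns, src, dst):
    """Names of conns whose policy covers an inbound packet src (right side) -> dst (left side)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return [n for n, c in conns.items()
            if all(traffic_selectors(c)) and s in traffic_selectors(c)[1] and d in traffic_selectors(c)[0]]
```

Compare `matching_conns(conns, "172.31.114.239", "172.31.114.227")` (the masqueraded client packet) with `matching_conns(conns, "20.1.1.1", "172.31.114.227")` (the same packet before NAT) to see which strongSwan policy each would fall under.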