[strongSwan] strongSwan is not responding to IKE packets from Cisco VPN client
SaRaVanAn
saravanan.nagarajan87 at gmail.com
Tue Apr 3 09:04:44 CEST 2012
Hi Andreas,
Please find the topology and error scenario below.
Cisco VPN Client             strongSwan Gateway                    strongSwan VPN server
     (eth1) --------------- (eth1)         (eth0) ------------------------- (eth0)
    20.1.1.1               20.1.1.2     172.31.114.239                  172.31.114.227
                                 (NAT MASQUERADE)
I have established a tunnel between the strongSwan Gateway and the strongSwan VPN server; the tunnel is up and working fine. Now I'm trying to establish a tunnel between the Cisco VPN Client and the strongSwan VPN server, NATed via the strongSwan Gateway, but I found that strongSwan is not responding to the IKE packets from the Cisco VPN client. I have confirmed this with the help of tcpdump on eth0 of the strongSwan VPN server. But the tunnel between the Cisco VPN client and the strongSwan VPN server works fine if there is no tunnel established between the strongSwan Gateway and the strongSwan VPN server, so I cannot suspect a configuration error either.

Please share your views on this.
Configuration details
+++++++++++++++
Strongswan Gateway
++++++++++++++++
NAT:
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

ipsec.conf
+++++++
config setup
    plutostart=no
    charondebug=all
    nat_traversal=yes

conn site-site
    keyexchange=ikev2
    right=172.31.114.227
    left=172.31.114.239
    authby=secret
    ike=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024
    auto=add

ipsec.secrets
++++++++++
172.31.114.239 172.31.114.227 : PSK "sachin"
Strongswan VPN server
+++++++++++++++++++++
ipsec.conf
+++++++
ca vpnca
    cacert=caCert.pem
    #crluri=crl.pem
    auto=add

config setup
    plutostart=yes
    #plutodebug=control
    charonstart=yes
    charondebug="net 0"
    nat_traversal=yes
    crlcheckinterval=10m
    strictcrlpolicy=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    leftupdown="sudo -E ipsec _updown"

# Add connections here.
conn cisco-vpn
    type=tunnel
    keyexchange=ikev1
    ike=aes256-sha1-modp1536!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    leftcert=dutCert.pem
    leftid="C=CH, O=strongSwan, CN=strongswan"
    right=%any
    rightsourceip=%addrpool
    pfs=no
    authby=xauthrsasig
    xauth=server
    auto=add

conn site-site
    keyexchange=ikev2
    right=172.31.114.239
    left=172.31.114.227
    authby=secret
    ike=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024
    auto=add

ipsec.secrets
+++++++++++
: RSA dutKey.pem
tester : XAUTH "tester"
172.31.114.227 172.31.114.239 : PSK "sachin"
Regards,
Saravanan N
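The poster has confirmed with tcpdump that the client's IKE packets reach eth0 of the VPN server. A useful next check on such a capture is to decode the fixed IKE header of every UDP 500/4500 payload, because after MASQUERADE on the gateway's eth0 both the client's IKEv1 exchange and the gateway's own IKEv2 site-to-site SA arrive from the same source address, 172.31.114.239, and only the version and exchange-type bytes tell them apart. The decoder below is an added example written for this page, not code from the poster or from strongSwan; the sample packets are constructed by hand (the source ports after NAT are an assumption), and the header layout follows RFC 2408 / RFC 5996 with the non-ESP marker and NAT-T keepalive from RFC 3948.

```python
"""Decode IKE headers from UDP 500/4500 payloads.

Added example, not part of the original post or of strongSwan. It tells an
IKEv1 exchange (the Cisco client's) from an IKEv2 exchange (the site-to-site
SA) when both arrive from the same NATed address. All packets below are
constructed for illustration, not captured from the poster's network.
"""
import struct

# Fixed ISAKMP/IKE header: initiator SPI (8), responder SPI (8), next payload,
# version, exchange type, flags (1 each), message ID (4), length (4) = 28 bytes.
IKE_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix of IKE carried on UDP 4500
NAT_KEEPALIVE = b"\xff"                # one-byte NAT-T keepalive on UDP 4500

EXCHANGE_TYPES = {
    1: {2: "Identity Protection (Main Mode)", 4: "Aggressive Mode",
        5: "Informational", 6: "Transaction (Mode Config / XAuth)",
        32: "Quick Mode", 33: "New Group Mode"},
    2: {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA",
        37: "INFORMATIONAL"},
}
FLAG_NAMES = {
    1: {0x01: "encrypted", 0x02: "commit", 0x04: "auth-only"},
    2: {0x08: "initiator", 0x10: "version", 0x20: "response"},
}


def decode_ike(payload: bytes, dst_port: int) -> dict:
    """Parse one UDP payload seen on port 500 or 4500 into a header summary.

    Raises ValueError for anything that is not an IKE message (NAT-T keepalive,
    UDP-encapsulated ESP, truncated or inconsistent header), so a caller
    walking a capture can simply skip those packets.
    """
    if dst_port == 4500:
        if payload == NAT_KEEPALIVE:
            raise ValueError("NAT-T keepalive, not an IKE message")
        if not payload.startswith(NON_ESP_MARKER):
            raise ValueError("no non-ESP marker: UDP-encapsulated ESP, not IKE")
        payload = payload[len(NON_ESP_MARKER):]
    if len(payload) < IKE_HDR.size:
        raise ValueError("truncated IKE header")
    ispi, rspi, next_payload, version, exch, flags, msg_id, length = \
        IKE_HDR.unpack_from(payload)
    major, minor = version >> 4, version & 0x0F
    if major not in EXCHANGE_TYPES:
        raise ValueError(f"unsupported IKE major version {major}")
    if length != len(payload):
        raise ValueError(f"length field {length} != payload {len(payload)}")
    return {
        "version": f"{major}.{minor}",
        "exchange": EXCHANGE_TYPES[major].get(exch, f"unknown({exch})"),
        "flags": [n for bit, n in FLAG_NAMES[major].items() if flags & bit],
        # A zero responder SPI marks the initiator's first message in both versions.
        "first_message": rspi == bytes(8),
        "ispi": ispi.hex(), "rspi": rspi.hex(),
        "msg_id": msg_id, "next_payload": next_payload, "length": length,
    }


def summarise_capture(packets):
    """One summary per IKE message in a list of (src_ip, src_port, dst_port,
    udp_payload) tuples; non-IKE packets on 4500 are skipped."""
    out = []
    for src_ip, src_port, dst_port, payload in packets:
        try:
            hdr = decode_ike(payload, dst_port)
        except ValueError:
            continue
        hdr["peer"] = f"{src_ip}:{src_port}"
        out.append(hdr)
    return out


def build_ike(ispi, rspi, next_payload, version, exch, flags, msg_id, body):
    """Header plus opaque body; used only to construct the samples below."""
    return IKE_HDR.pack(ispi, rspi, next_payload, version, exch, flags,
                        msg_id, IKE_HDR.size + len(body)) + body


# Constructed samples (assumption: after MASQUERADE both peers appear as
# 172.31.114.239 and keep source ports 500/4500).
SAMPLES = [
    # IKEv1 Main Mode, first message: responder SPI zero, SA payload (1) next
    ("172.31.114.239", 500, 500,
     build_ike(b"\x11" * 8, bytes(8), 1, 0x10, 2, 0x00, 0, b"\x00" * 8)),
    # IKEv2 IKE_SA_INIT request from the site-to-site initiator, SA payload (33)
    ("172.31.114.239", 500, 500,
     build_ike(b"\x22" * 8, bytes(8), 33, 0x20, 34, 0x08, 0, b"\x00" * 16)),
    # IKEv1 Quick Mode, encrypted (Hash payload 8 next), NAT-T encapsulated
    ("172.31.114.239", 4500, 4500,
     NON_ESP_MARKER + build_ike(b"\x11" * 8, b"\x33" * 8, 8, 0x10, 32, 0x01,
                                0xDEADBEEF, b"\x00" * 8)),
    ("172.31.114.239", 4500, 4500, NAT_KEEPALIVE),   # must be skipped
]

if __name__ == "__main__":
    for hdr in summarise_capture(SAMPLES):
        print(f"{hdr['peer']:<20} IKEv{hdr['version']} {hdr['exchange']:<34} "
              f"flags={hdr['flags']} first={hdr['first_message']}")
```

Run over a real capture (for example the UDP payloads of a pcap taken with tcpdump on the server's eth0), the summary shows, per source address and port, whether the IKEv1 messages are arriving at all, whether they arrive alongside the IKEv2 site-to-site traffic from the same masqueraded address, and whether the client has moved to UDP 4500 after NAT detection; each of these is worth knowing before looking further into the daemon's handling of the two peers.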