[strongSwan] Strongswan is not responding for IKE packets from CISCO vpn client

SaRaVanAn saravanan.nagarajan87 at gmail.com
Tue Apr 3 20:44:36 CEST 2012


Hi Andreas,
   This is the critical topology I have been digging through for a month.
It would be great, if you share your views on this, as you are a virtuoso
in this field.

Regards,
Saravanan N

On Tue, Apr 3, 2012 at 12:04 AM, SaRaVanAn
<saravanan.nagarajan87 at gmail.com>wrote:

> Hi Andreas,
>   Please find the topology and error scenario below
>
>
> Cisco VPN client                  StrongSwan Gateway                     StrongSwan VPN server
> (eth0: 20.1.1.1) --------------- (eth1: 20.1.1.2)
>                                  (eth0: 172.31.114.239) --------------- (eth0: 172.31.114.227)
>                                  NAT MASQUERADE on eth0
>
>
> I have established a tunnel between the Strongswan Gateway and the Strongswan VPN
> server; the tunnel is up and working fine. Now I'm trying to establish a tunnel
> between the Cisco VPN client and the Strongswan VPN server, NATted via the
> Strongswan Gateway, but I found that Strongswan is not responding to the IKE
> packets from the Cisco VPN client. I have confirmed this with the help of
> tcpdump on eth0 of the Strongswan VPN server. But the tunnel between the Cisco
> VPN client and the Strongswan VPN server works fine if there is no tunnel
> established between the Strongswan Gateway and the Strongswan VPN server, so I
> could not suspect a configuration error either. Please share your views on this.
>
> Configuration details
> +++++++++++++++++++++
>
> Strongswan Gateway
> ++++++++++++++++++
>
> NAT:
>
>     iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> ipsec.conf
> ++++++++++
>
>     config setup
>             plutostart=no
>             charondebug=all
>             nat_traversal=yes
>
>     conn site-site
>             keyexchange=ikev2
>             right=172.31.114.227
>             left=172.31.114.239
>             authby=secret
>             ike=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024
>             auto=add
>
> ipsec.secrets
> +++++++++++++
>
>     172.31.114.239 172.31.114.227 : PSK "sachin"
>
> Strongswan VPN server
> +++++++++++++++++++++
>
> ipsec.conf
> ++++++++++
>
>     ca vpnca
>             cacert=caCert.pem
>             #crluri=crl.pem
>             auto=add
>
>     config setup
>             plutostart=yes
>             #plutodebug=control
>             charonstart=yes
>             charondebug="net 0"
>             nat_traversal=yes
>             crlcheckinterval=10m
>             strictcrlpolicy=no
>
>     conn %default
>             ikelifetime=60m
>             keylife=20m
>             rekeymargin=3m
>             keyingtries=1
>             leftupdown="sudo -E ipsec _updown"
>
>     # Add connections here.
>     conn cisco-vpn
>             type=tunnel
>             keyexchange=ikev1
>             ike=aes256-sha1-modp1536!
>             esp=aes256-sha1!
>             dpdaction=clear
>             dpddelay=300s
>             left=%defaultroute
>             leftsubnet=0.0.0.0/0
>             leftcert=dutCert.pem
>             leftid="C=CH, O=strongSwan, CN=strongswan"
>             right=%any
>             rightsourceip=%addrpool
>             pfs=no
>             authby=xauthrsasig
>             xauth=server
>             auto=add
>
>     conn site-site
>             keyexchange=ikev2
>             right=172.31.114.239
>             left=172.31.114.227
>             authby=secret
>             ike=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024
>             auto=add
>
> ipsec.secrets
> +++++++++++++
>
>     : RSA dutKey.pem
>
>     tester : XAUTH "tester"
>
>     172.31.114.227 172.31.114.239 : PSK "sachin"
>
> Regards,
> Saravanan N
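One thing worth checking in a topology like the one above is what the gateway's own IPsec policies cover once MASQUERADE has rewritten the client's source address. The `site-site` conn on the gateway has no `leftsubnet`/`rightsubnet`, so strongSwan installs a host-to-host policy between 172.31.114.239 and 172.31.114.227; after masquerading, the client's IKE packets to the server carry exactly that address pair. The script below is an added example, not part of this thread and not strongSwan code: it parses the gateway's ipsec.conf in the format shown above (merging `conn %default`, defaulting each side's selector to its own /32 when no subnet is given, and skipping placeholders such as `%any` or `%defaultroute` that need a route lookup), then reports which conns match the client-to-server packet before and after NAT. The embedded configuration is a constructed copy of the gateway's conn from the thread, and the addresses passed to `masqueraded_ike_check` are taken from the diagram. Whether the kernel's policy lookup on the gateway actually applies to the post-NAT addresses in this setup, and whether that explains the symptom, is not established by the thread; the check only tells you where to look, and a tcpdump on the server that shows ESP rather than UDP/500 from the gateway when the client connects would confirm it.

```python
import ipaddress

# Constructed copy of the gateway's ipsec.conf from the thread above.
GATEWAY_IPSEC_CONF = """\
config setup
        plutostart=no
        charondebug=all
        nat_traversal=yes

conn site-site
        keyexchange=ikev2
        right=172.31.114.227
        left=172.31.114.239
        authby=secret
        ike=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024
        auto=add
"""


def parse_ipsec_conf(text):
    """Return {(kind, name): {key: value}} for every section of an ipsec.conf.

    Section headers ('config setup', 'conn foo', 'ca bar') start in column 0;
    settings are indented. Comments after '#' are dropped, quotes stripped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            kind, _, name = line.partition(" ")
            current = (kind, name.strip())
            sections[current] = {}
        elif current is not None:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def effective_conns(sections):
    """Apply 'conn %default' settings to every other conn, as strongSwan does."""
    defaults = sections.get(("conn", "%default"), {})
    return {name: {**defaults, **opts}
            for (kind, name), opts in sections.items()
            if kind == "conn" and name != "%default"}


def _networks(addr, subnet):
    """Traffic selectors for one side: the subnet list if given, else the host /32.

    Returns None for placeholders (%any, %defaultroute) that strongSwan resolves
    at runtime; this static check cannot evaluate them.
    """
    spec = subnet or addr
    if not spec or spec.startswith("%"):
        return None
    return [ipaddress.ip_network(s.strip(), strict=False) for s in spec.split(",")]


def selectors(conn):
    """(left selectors, right selectors) of one effective conn."""
    return (_networks(conn.get("left"), conn.get("leftsubnet")),
            _networks(conn.get("right"), conn.get("rightsubnet")))


def conns_covering(conns, src, dst):
    """Names of conns whose outbound policy (left -> right) matches src -> dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = []
    for name, conn in conns.items():
        left, right = selectors(conn)
        if left is None or right is None:
            continue
        if any(src in n for n in left) and any(dst in n for n in right):
            hits.append(name)
    return hits


def masqueraded_ike_check(conf_text, gateway_addr, server_addr, client_addr):
    """Which gateway conns cover the client's IKE packet before and after MASQUERADE.

    'after_nat' is the case that matters: MASQUERADE rewrites the source to the
    gateway's own address, so a host-to-host conn between gateway and server
    covers the rewritten packet even though it never covered the client itself.
    """
    conns = effective_conns(parse_ipsec_conf(conf_text))
    return {
        "before_nat": conns_covering(conns, client_addr, server_addr),
        "after_nat": conns_covering(conns, gateway_addr, server_addr),
    }


if __name__ == "__main__":
    result = masqueraded_ike_check(GATEWAY_IPSEC_CONF,
                                   gateway_addr="172.31.114.239",
                                   server_addr="172.31.114.227",
                                   client_addr="20.1.1.1")
    print(result)  # {'before_nat': [], 'after_nat': ['site-site']}
```

Run it against the gateway's ipsec.conf (swap in the real file contents for the constructed string): an empty `before_nat` together with a non-empty `after_nat` means the client's packets are only subject to the site-to-site policy because of the address rewrite, which is the situation to compare against the tcpdump on the server.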