[strongSwan] Strongswan is not responding for IKE packets from CISCO vpn client
SaRaVanAn
saravanan.nagarajan87 at gmail.com
Wed Apr 4 11:02:20 CEST 2012
Hi Friends,
Any help on this query???
On Wed, Apr 4, 2012 at 12:14 AM, SaRaVanAn <saravanan.nagarajan87 at gmail.com> wrote:
> Hi Andreas,
> This is the critical topology I have been digging through for a month.
> It would be great, if you share your views on this, as you are a virtuoso
> in this field.
>
> Regards,
> Saravanan N
>
>
> On Tue, Apr 3, 2012 at 12:04 AM, SaRaVanAn <saravanan.nagarajan87 at gmail.com> wrote:
>
>> Hi Andreas,
>> Please find the topology and error scenario below
>>
>>
>> Cisco VPN          (eth1)   StrongSwan   (eth0)                    (eth0)
>> Client ------------------- Gateway ------------------------------- Strongswan (VPN server)
>> 20.1.1.1           20.1.1.2         172.31.114.239               172.31.114.227
>>                               (NAT MASQUERADE)
>>
>>
>> I have established a tunnel between the strongSwan Gateway and the strongSwan VPN
>> server; the tunnel is up and working fine. Now I'm trying to establish a tunnel
>> between the Cisco VPN Client and the strongSwan VPN server, NATed via the
>> strongSwan Gateway, but I found that strongSwan is not responding to the IKE
>> packets from the Cisco VPN client. I have confirmed this with the help of tcpdump
>> on eth0 of the strongSwan VPN server. However, the tunnel between the Cisco VPN
>> client and the strongSwan VPN server works fine if there is no tunnel established
>> between the strongSwan Gateway and the strongSwan VPN server, so I do not suspect
>> a configuration error either. Please share your views on this.
>>
>> Configuration details
>> +++++++++++++++
>>
>> Strongswan Gateway
>> ++++++++++++++++
>>
>> Nat:
>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>
>> ipsec.conf
>> +++++++
>>
>> config setup
>>     plutostart=no
>>     charondebug=all
>>     nat_traversal=yes
>>
>> conn site-site
>>     keyexchange=ikev2
>>     right=172.31.114.227
>>     left=172.31.114.239
>>     authby=secret
>>     ike=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024
>>     auto=add
>>
>> ipsec.secrets
>> ++++++++++
>>
>> 172.31.114.239 172.31.114.227 : PSK "sachin"
>>
>> Strongswan VPN server
>> +++++++++++++++++++++
>>
>> ca vpnca
>>     cacert=caCert.pem
>>     #crluri=crl.pem
>>     auto=add
>>
>> config setup
>>     plutostart=yes
>>     #plutodebug=control
>>     charonstart=yes
>>     charondebug="net 0"
>>     nat_traversal=yes
>>     crlcheckinterval=10m
>>     strictcrlpolicy=no
>>
>> conn %default
>>     ikelifetime=60m
>>     keylife=20m
>>     rekeymargin=3m
>>     keyingtries=1
>>     leftupdown="sudo -E ipsec _updown"
>>
>> # Add connections here.
>> conn cisco-vpn
>>     type=tunnel
>>     keyexchange=ikev1
>>     ike=aes256-sha1-modp1536!
>>     esp=aes256-sha1!
>>     dpdaction=clear
>>     dpddelay=300s
>>     left=%defaultroute
>>     leftsubnet=0.0.0.0/0
>>     leftcert=dutCert.pem
>>     leftid="C=CH, O=strongSwan, CN=strongswan"
>>     right=%any
>>     rightsourceip=%addrpool
>>     pfs=no
>>     authby=xauthrsasig
>>     xauth=server
>>     auto=add
>>
>> conn site-site
>>     keyexchange=ikev2
>>     right=172.31.114.239
>>     left=172.31.114.227
>>     authby=secret
>>     ike=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024
>>     auto=add
>>
>> ipsec.secrets
>> +++++++++++
>>
>> : RSA dutKey.pem
>> tester : XAUTH "tester"
>> 172.31.114.227 172.31.114.239 : PSK "sachin"
>> Regards,
>> Saravanan N
>>
>>
>
>
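As an added check, not code from the thread or from strongSwan itself: a small Python parser for the ipsec.conf format that merges conn %default and lists which conn sections could accept an IKE peer at a given address. Run on a constructed excerpt of the VPN server's configuration above, it shows that packets arriving from the masquerading gateway address 172.31.114.239 fit both site-site (ikev2) and cisco-vpn (ikev1), an overlap worth keeping in mind when reading the charon and pluto logs for the unanswered IKE packets.

```python
# Constructed excerpt of the VPN server's ipsec.conf posted in the thread.
IPSEC_CONF = """\
config setup
    plutostart=yes

conn %default
    ikelifetime=60m

conn cisco-vpn
    keyexchange=ikev1
    left=%defaultroute
    right=%any
    authby=xauthrsasig

conn site-site
    keyexchange=ikev2
    right=172.31.114.239
    left=172.31.114.227
    authby=secret
"""

def parse_ipsec_conf(text):
    """Return {conn_name: settings} with 'conn %default' merged in. Section
    headers start at column 0, settings are indented key=value lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                     # section header
            kind, _, name = line.strip().partition(" ")
            current = (kind, name.strip())
            sections[current] = {}
            continue
        key, _, value = line.strip().partition("=")   # split on first '='
        if current and key:
            sections[current][key.strip()] = value.strip().strip('"')
    default = sections.get(("conn", "%default"), {})
    return {name: {**default, **cfg} for (kind, name), cfg in sections.items()
            if kind == "conn" and name != "%default"}

def matching_conns(conns, peer_ip):
    """(name, keyexchange) of every conn whose 'right' is peer_ip or %any;
    a conn without keyexchange is reported as 'ike', strongSwan's default."""
    return sorted((name, cfg.get("keyexchange", "ike"))
                  for name, cfg in conns.items()
                  if cfg.get("right", "%any") in ("%any", peer_ip))

# Masqueraded client packets arrive from 172.31.114.239, the site-site peer.
OVERLAP = matching_conns(parse_ipsec_conf(IPSEC_CONF), "172.31.114.239")
```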