[strongSwan] Strongswan is not responding for IKE packets from CISCO vpn client

Cristina Vintila cristina.vintila at gmail.com
Wed Apr 4 11:19:48 CEST 2012


Hey, Saravan,

Are you trying to set up a client-to-server/remote-access VPN tunnel (Cisco
VPN client to Strongswan VPN server) INSIDE an existing VPN tunnel (from
Strongswan GW to Strongswan VPN server, which is site-to-site)?

If so: why this scenario?
If not: please confirm you expect to see 2 VPN tunnels between Strongswan
GW and Strongswan VPN Server: one being the initial one you establish, and
then another one, natted, between the cisco client and the strongswan vpn
server. Is that correct?

Thanks,
Cristina

On Wed, Apr 4, 2012 at 11:02 AM, SaRaVanAn
<saravanan.nagarajan87 at gmail.com>wrote:

> Hi Friends,
>       Any help on this query???
>
>
> On Wed, Apr 4, 2012 at 12:14 AM, SaRaVanAn <
> saravanan.nagarajan87 at gmail.com> wrote:
>
>> Hi Andreas,
>>    This is the critical topology I have been digging through for a month.
>> It would be great if you could share your views on this, as you are a virtuoso
>> in this field.
>>
>> Regards,
>> Saravanan N
>>
>>
>> On Tue, Apr 3, 2012 at 12:04 AM, SaRaVanAn <
>> saravanan.nagarajan87 at gmail.com> wrote:
>>
>>> Hi Andreas,
>>>   Please find the topology and error scenario below
>>>
>>>
>>>   Cisco VPN Client        StrongSwan Gateway                     Strongswan VPN server
>>>                      (eth1)        (eth0)                        (eth0)
>>>   20.1.1.1 ----------- 20.1.1.2    172.31.114.239 -------------- 172.31.114.227
>>>                                    (NAT MASQUERADE)
>>>
>>>
>>> I have established a tunnel between the Strongswan Gateway and the Strongswan VPN
>>> server; the tunnel is up and working fine. Now I'm trying to establish a tunnel
>>> between the Cisco VPN Client and the Strongswan VPN server, NATted via the
>>> Strongswan Gateway, but I found that Strongswan is not responding to the IKE
>>> packets from the Cisco VPN client. I have confirmed this with the help of tcpdump
>>> on eth0 of the Strongswan VPN server. But the tunnel between the Cisco VPN client
>>> and the Strongswan VPN server works fine if there is no tunnel established between
>>> the Strongswan Gateway and the Strongswan VPN server, so I do not suspect a
>>> configuration error either. Please share your views on this.
>>>
>>> Configuration details
>>> +++++++++++++++
>>>
>>> Strongswan Gateway
>>> ++++++++++++++++
>>>
>>> Nat:
>>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>>
>>> ipsec.conf
>>> +++++++
>>>
>>> config setup
>>>         plutostart=no
>>>         charondebug=all
>>>         nat_traversal=yes
>>>
>>> conn site-site
>>>         keyexchange=ikev2
>>>         right=172.31.114.227
>>>         left=172.31.114.239
>>>         authby=secret
>>>         ike=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024
>>>         auto=add
>>>
>>> ipsec.secrets
>>> ++++++++++
>>>
>>> 172.31.114.239 172.31.114.227 : PSK "sachin"
>>>
>>>
>>> Strongswan VPN server
>>> +++++++++++++++++++++
>>>
>>> ipsec.conf
>>> +++++++
>>>
>>> ca vpnca
>>>         cacert=caCert.pem
>>>         #crluri=crl.pem
>>>         auto=add
>>>
>>> config setup
>>>         plutostart=yes
>>>         #plutodebug=control
>>>         charonstart=yes
>>>         charondebug="net 0"
>>>         nat_traversal=yes
>>>         crlcheckinterval=10m
>>>         strictcrlpolicy=no
>>>
>>> conn %default
>>>         ikelifetime=60m
>>>         keylife=20m
>>>         rekeymargin=3m
>>>         keyingtries=1
>>>         leftupdown="sudo -E ipsec _updown"
>>>
>>> # Add connections here.
>>> conn cisco-vpn
>>>         type=tunnel
>>>         keyexchange=ikev1
>>>         ike=aes256-sha1-modp1536!
>>>         esp=aes256-sha1!
>>>         dpdaction=clear
>>>         dpddelay=300s
>>>         left=%defaultroute
>>>         leftsubnet=0.0.0.0/0
>>>         leftcert=dutCert.pem
>>>         leftid="C=CH, O=strongSwan, CN=strongswan"
>>>         right=%any
>>>         rightsourceip=%addrpool
>>>         pfs=no
>>>         authby=xauthrsasig
>>>         xauth=server
>>>         auto=add
>>>
>>> conn site-site
>>>         keyexchange=ikev2
>>>         right=172.31.114.239
>>>         left=172.31.114.227
>>>         authby=secret
>>>         ike=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024
>>>         auto=add
>>>
>>> ipsec.secrets
>>> +++++++++++
>>>
>>> : RSA dutKey.pem
>>> tester : XAUTH "tester"
>>> 172.31.114.227 172.31.114.239 : PSK "sachin"
>>>
>>>
>>> Regards,
>>> Saravanan N
>>>
>>>
>>
>>
>
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
>
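Saravanan confirmed the missing replies with tcpdump on the server. As an added example that is not from this thread or the strongSwan project, the following Python pairs initial IKE requests with server replies by initiator SPI, so a capture can be checked for negotiations the server never answered; the capture is constructed to mirror the thread's topology and addresses, and `ike_datagram` is a hypothetical helper that only builds syntactically valid test datagrams.

```python
import struct
# Fixed ISAKMP/IKE header shared by IKEv1 (RFC 2408) and IKEv2 (RFC 7296): initiator
# SPI, responder SPI, next payload, version, exchange type, flags, message ID, length.
IKE_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00" * 4   # UDP/4500 prefix that separates IKE from ESP-in-UDP (RFC 3948)
ZERO_SPI = b"\x00" * 8

def parse_ike(dport, payload):
    """Header fields of an IKE datagram, or None if it is not IKE (e.g. ESP-in-UDP)."""
    if dport == 4500:   # NAT-T port: IKE carries the zero marker, ESP-in-UDP does not
        payload = payload[4:] if payload.startswith(NON_ESP_MARKER) else b""
    if len(payload) < IKE_HDR.size:
        return None
    ispi, rspi, _, ver, xchg, flags, _msgid, length = IKE_HDR.unpack_from(payload)
    if ver >> 4 not in (1, 2) or length != len(payload):
        return None
    return {"ispi": ispi, "rspi": rspi, "version": ver >> 4, "exchange": xchg, "flags": flags}

def unanswered_ike_requests(packets, server_ip):
    """packets: (src_ip, dst_ip, dst_port, udp_payload) in capture order. Returns sorted
    (peer_ip, ike_version, ispi_hex) for initial requests the server never replied to."""
    pending = {}
    for src, dst, dport, payload in packets:
        hdr = parse_ike(dport, payload)
        if hdr is None:
            continue
        key = (dst if src == server_ip else src, hdr["ispi"])
        if src == server_ip:
            pending.pop(key, None)          # any server message with this SPI is a reply
        elif dst == server_ip and hdr["rspi"] == ZERO_SPI and not (
                hdr["version"] == 2 and hdr["flags"] & 0x20):   # 0x20: IKEv2 R(esponse) flag
            pending.setdefault(key, hdr["version"])   # retransmits collapse onto one entry
    return sorted((ip, ver, ispi.hex()) for (ip, ispi), ver in pending.items())

def ike_datagram(ispi, rspi, version, xchg, flags, body_len=64, port=500):
    """Hypothetical helper: a syntactically valid IKE datagram with a zero-filled body."""
    msg = IKE_HDR.pack(ispi, rspi, 0, version << 4, xchg, flags, 0, IKE_HDR.size + body_len)
    msg += b"\x00" * body_len
    return NON_ESP_MARKER + msg if port == 4500 else msg

# Constructed capture modelled on the thread: the gateway's own IKEv2 IKE_SA_INIT (exchange 34)
# is answered; the NATted client's IKEv1 main mode requests (exchange 2) from the same address are not.
SERVER, GATEWAY = "172.31.114.227", "172.31.114.239"
SPI_GW, SPI_CLIENT = bytes.fromhex("22" * 8), bytes.fromhex("11" * 8)
CAPTURE = [
    (GATEWAY, SERVER, 500, ike_datagram(SPI_GW, ZERO_SPI, 2, 34, 0x08)),
    (SERVER, GATEWAY, 500, ike_datagram(SPI_GW, bytes.fromhex("33" * 8), 2, 34, 0x20)),
    (GATEWAY, SERVER, 500, ike_datagram(SPI_CLIENT, ZERO_SPI, 1, 2, 0x00)),
    (GATEWAY, SERVER, 500, ike_datagram(SPI_CLIENT, ZERO_SPI, 1, 2, 0x00)),  # retransmit
]
```

Because the client's packets arrive from the gateway's masqueraded address, the report keys on the initiator SPI rather than the source IP alone, which is what lets it separate the answered site-to-site negotiation from the unanswered IKEv1 one.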