[strongSwan] Strongswan is not responding for IKE packets from CISCO vpn client
SaRaVanAn
saravanan.nagarajan87 at gmail.com
Wed Apr 4 11:35:41 CEST 2012
Hi Cristina,
Yes, your understanding is right. Let me explain our scenario briefly:
1) First, I want to establish a tunnel between the strongSwan gateway and the
strongSwan VPN server (site-to-site) for normal traffic through the gateway.
2) Second, I want to establish a tunnel between the Cisco VPN client and the
strongSwan VPN server (remote-access VPN) for remote users.
I don't really need the IKE packets of a remote user to go via the
site-to-site VPN tunnel. All I need is 2 VPN tunnels, as you mentioned in
your second point (the "If not" case).
But I don't know how to stop the IKE packets from going via the site-to-site
tunnel, which is creating a problem for me right now. I have tried all the
bypass rules for achieving it, but it was not working out.
I need your guidance to solve this issue. Awaiting your reply.
Thanks in Advance,
Saravanan N
On Wed, Apr 4, 2012 at 2:49 PM, Cristina Vintila <cristina.vintila at gmail.com
> wrote:
> Hey, Saravan,
>
> Are you trying to setup a client-to-server/remote-access VPN tunnel (Cisco
> VPN client -to- strongSwan VPN server), INSIDE an existing VPN tunnel (from
> strongSwan GW to strongSwan VPN server, which is site-to-site)?
>
> If so: why this scenario?
> If not: please confirm you expect to see 2 VPN tunnels between Strongswan
> GW and Strongswan VPN Server: one being the initial one you establish, and
> then another one, natted, between the cisco client and the strongswan vpn
> server. Is that correct?
>
> Thanks,
> Cristina
>
> On Wed, Apr 4, 2012 at 11:02 AM, SaRaVanAn <
> saravanan.nagarajan87 at gmail.com> wrote:
>
>> Hi Friends,
>> Any help on this query???
>>
>>
>> On Wed, Apr 4, 2012 at 12:14 AM, SaRaVanAn <
>> saravanan.nagarajan87 at gmail.com> wrote:
>>
>>> Hi Andreas,
>>> This is the critical topology I have been digging through for a
>>> month. It would be great, if you share your views on this, as you are a
>>> virtuoso in this field.
>>>
>>> Regards,
>>> Saravanan N
>>>
>>>
>>> On Tue, Apr 3, 2012 at 12:04 AM, SaRaVanAn <
>>> saravanan.nagarajan87 at gmail.com> wrote:
>>>
>>>> Hi Andreas,
>>>> Please find the topology and error scenario below
>>>>
>>>>
>>>> Cisco VPN        (eth1)            (eth1) (eth0)                    (eth0)
>>>> Client ------------------------- strongSwan ------------------------- strongSwan (VPN server)
>>>>                                  (Gateway)
>>>> 20.1.1.1                        20.1.1.2 172.31.114.239             172.31.114.227
>>>>                                          (NAT MASQUERADE)
>>>>
>>>>
>>>> I have established a tunnel between the strongSwan Gateway and the strongSwan VPN
>>>> server; the tunnel is up and it's working fine. Now I'm trying to establish a
>>>> tunnel between the Cisco VPN Client and the strongSwan VPN server, NATed via the
>>>> strongSwan Gateway, but I found that strongSwan is not responding to the IKE
>>>> packets from the Cisco VPN client. I have confirmed this with the help of tcpdump
>>>> on eth0 on the strongSwan VPN server. But the tunnel between the Cisco VPN client
>>>> and the strongSwan VPN server works fine if there is no tunnel established between
>>>> the strongSwan Gateway and the strongSwan VPN server, so I don't suspect a
>>>> configuration error either. Please share your views on this.
>>>>
>>>> Configuration details
>>>> +++++++++++++++
>>>>
>>>> Strongswan Gateway
>>>> ++++++++++++++++
>>>>
>>>> Nat:
>>>> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>>>>
>>>> ipsec.conf
>>>> +++++++
>>>>
>>>> config setup
>>>>         plutostart=no
>>>>         charondebug=all
>>>>         nat_traversal=yes
>>>>
>>>> conn site-site
>>>>         keyexchange=ikev2
>>>>         right=172.31.114.227
>>>>         left=172.31.114.239
>>>>         authby=secret
>>>>         ike=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024
>>>>         auto=add
>>>>
>>>> ipsec.secrets
>>>> ++++++++++
>>>>
>>>> 172.31.114.239 172.31.114.227 : PSK "sachin"
>>>>
>>>>
>>>> Strongswan VPN server
>>>> +++++++++++++++++++++
>>>>
>>>> ca vpnca
>>>>         cacert=caCert.pem
>>>>         #crluri=crl.pem
>>>>         auto=add
>>>>
>>>> config setup
>>>>         plutostart=yes
>>>>         #plutodebug=control
>>>>         charonstart=yes
>>>>         charondebug="net 0"
>>>>         nat_traversal=yes
>>>>         crlcheckinterval=10m
>>>>         strictcrlpolicy=no
>>>>
>>>> conn %default
>>>>         ikelifetime=60m
>>>>         keylife=20m
>>>>         rekeymargin=3m
>>>>         keyingtries=1
>>>>         leftupdown="sudo -E ipsec _updown"
>>>>
>>>> # Add connections here.
>>>> conn cisco-vpn
>>>>         type=tunnel
>>>>         keyexchange=ikev1
>>>>         ike=aes256-sha1-modp1536!
>>>>         esp=aes256-sha1!
>>>>         dpdaction=clear
>>>>         dpddelay=300s
>>>>         left=%defaultroute
>>>>         leftsubnet=0.0.0.0/0
>>>>         leftcert=dutCert.pem
>>>>         leftid="C=CH, O=strongSwan, CN=strongswan"
>>>>         right=%any
>>>>         rightsourceip=%addrpool
>>>>         pfs=no
>>>>         authby=xauthrsasig
>>>>         xauth=server
>>>>         auto=add
>>>>
>>>> conn site-site
>>>>         keyexchange=ikev2
>>>>         right=172.31.114.239
>>>>         left=172.31.114.227
>>>>         authby=secret
>>>>         ike=aes128-aes256-sha1-modp1536-modp2048,3des-sha1-md5-modp1024
>>>>         auto=add
>>>>
>>>> ipsec.secrets
>>>> +++++++++++
>>>>
>>>> : RSA dutKey.pem
>>>> tester : XAUTH "tester"
>>>> 172.31.114.227 172.31.114.239 : PSK "sachin"
>>>>
>>>> Regards,
>>>> Saravanan N
>>>>
>>>>
>>>
>>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>>
>
>
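Added example (not part of the original thread, and not Saravanan's or the strongSwan project's configuration): the site-site conn quoted above has no leftsubnet/rightsubnet, so it installs a host-to-host policy that covers every packet between 172.31.114.239 and 172.31.114.227. Once MASQUERADE on eth0 rewrites the Cisco client's IKE packets to source 172.31.114.239, they match that policy too and are carried inside the site-to-site tunnel instead of reaching the server's IKE daemon as plain UDP. strongSwan's mechanism for carving traffic out of such a policy is a shunt connection with type=passthrough, which strongSwan installs with precedence over regular IPsec policies. The fragment below is for the gateway's ipsec.conf and assumes a charon version that supports shunt policies; it must be mirrored on the VPN server with left and right swapped. The gateway-side port is deliberately left open because MASQUERADE may not preserve the client's source port (the gateway's own charon already owns 500 and 4500), and UDP 4500 is included because the Cisco client moves to NAT-T encapsulation once it detects the NAT. The conn names are illustrative, and whether this is the actual cause in Saravanan's setup is not confirmed by the thread.

```ini
# Added example for the strongSwan Gateway's ipsec.conf (not from the thread).
# The existing site-site conn is repeated here only to show the broad
# host-to-host selector that the shunt conns below take precedence over.
conn site-site
        keyexchange=ikev2
        left=172.31.114.239
        right=172.31.114.227
        authby=secret
        auto=add

# Shunt policy: IKE (UDP/500) from any local port towards the VPN server is
# sent in the clear instead of being matched by the site-site policy.
# Illustrative conn name. Assumes charon supports type=passthrough.
conn ike-bypass-500
        type=passthrough
        left=172.31.114.239
        right=172.31.114.227
        leftprotoport=udp
        rightprotoport=udp/500
        auto=route

# Same for NAT-T (UDP/4500), which the Cisco client switches to behind NAT.
conn ike-bypass-4500
        type=passthrough
        left=172.31.114.239
        right=172.31.114.227
        leftprotoport=udp
        rightprotoport=udp/4500
        auto=route

# Install the same two conns on the VPN server (172.31.114.227) with
# left/right swapped so that its own policy also lets these packets through.
```

To check whether the shunt is taking effect, run tcpdump -ni eth0 'host 172.31.114.227 and (udp port 500 or udp port 4500 or esp)' on the gateway while the Cisco client connects: with only the site-site conn the client's IKE shows up solely as ESP towards the server, while with the passthrough conns routed it appears as plain UDP/500 or UDP/4500, and ip xfrm policy on the gateway lists the narrower UDP selectors alongside the host-to-host ones.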