[strongSwan] attempting vpn from amazon's aws to cisco asa running 8.2.2 firmware
John Jolet
jjolet at drillinginfo.com
Mon Oct 15 21:11:21 CEST 2012
I'm attempting to create a strongswan vpn from a gateway in the amazon
aws into my asa at the office (site to site). The asa is at 8.2.2, and
the strongswan is 4.5.2-1.2 (default package from ubuntu 12.04). I've
got the tunnel created successfully, but can't get traffic to flow. I
have a test node in amazon with a route to my gateway, and I can see the
traffic hit the gateway from that test node either with tcpdump, or ip
xfrm monitor. However the traffic never arrives at the inside interface
of the asa. Traffic from my local lan arrives on the asa, but is never
seen on the vpn gateway, either with tcpdump or ip xfrm. What concerns
me is that my research suggests that there should be an in, fwd, and out
policy for EACH direction. However ip xfrm policy shows:
src A.B.0.0/16 dst C.D.0.0/16
    dir out priority 1923
    tmpl src A.B.1.38 dst <asa outside interface>
        proto esp reqid 16384 mode tunnel
src C.D.0.0/16 dst A.B.0.0/16
    dir fwd priority 1923
    tmpl src <asa outside interface> dst <vpn gateway local ip>
        proto esp reqid 16384 mode tunnel
src C.D.0.0/16 dst A.B.0.0/16
    dir in priority 1923
    tmpl src <asa outside interface> dst <vpn gateway local ip>
        proto esp reqid 16384 mode tunnel
Should I not see six policies, not 3?
Here is the config on the swan side (ip addresses hidden and mangled):
conn tunnel
    leftid=<vpn gateway public ip>
    type=tunnel
    keyexchange=ikev1
    authby=secret
    pfs=no
    esp=3des-sha1-modp1024
    forceencaps=yes
    left=<vpn gateway local ip>
    leftsourceip=<vpn gateway local ip>
    #left=%defaultroute
    leftsubnet=A.B.0.0/16
    leftfirewall=no
    #leftfirewall=yes
    rightid=<asa outside interface>
    right=<asa outside interface>
    rightnexthop=<asa inside interface>
    #right=%any
    rightsubnet=C.D.0.0/16
    auto=start
    #auto=add
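As an added example (not part of John's post, and not a strongSwan tool), the check below reads `ip xfrm policy` output like the listing above and compares it with the leftsubnet/rightsubnet and left/right values from ipsec.conf. strongSwan installs one out, one fwd and one in policy per CHILD_SA, so a single tunnel yields the three entries shown; the script verifies those three are present and that each selector and ESP template points the way the config implies (out: local subnet to remote subnet, ESP towards right; in/fwd: remote subnet to local subnet, ESP from right). The addresses are constructed RFC 5737 and private placeholders standing in for the masked ones in the post.

```python
import ipaddress
import re
# Constructed sample in the layout of `ip xfrm policy`; RFC 5737 and private
# addresses stand in for the masked ones in the post (left subnet A.B.0.0/16
# -> 10.0.0.0/16, right subnet C.D.0.0/16 -> 192.168.0.0/16).
SAMPLE_XFRM_POLICY = """\
src 10.0.0.0/16 dst 192.168.0.0/16
\tdir out priority 1923
\ttmpl src 10.0.1.38 dst 203.0.113.1
\t\tproto esp reqid 16384 mode tunnel
src 192.168.0.0/16 dst 10.0.0.0/16
\tdir fwd priority 1923
\ttmpl src 203.0.113.1 dst 10.0.1.38
\t\tproto esp reqid 16384 mode tunnel
src 192.168.0.0/16 dst 10.0.0.0/16
\tdir in priority 1923
\ttmpl src 203.0.113.1 dst 10.0.1.38
\t\tproto esp reqid 16384 mode tunnel
"""

# One policy: selector line, direction, then the ESP template endpoints.
POLICY_RE = re.compile(
    r"src (?P<src>\S+) dst (?P<dst>\S+)\s+dir (?P<dir>\w+).*?"
    r"tmpl src (?P<tsrc>\S+) dst (?P<tdst>\S+)\s+proto esp", re.S)

def parse_policies(text):
    """Return one dict per policy found in `ip xfrm policy` output."""
    return [m.groupdict() for m in POLICY_RE.finditer(text)]

def check_tunnel(text, leftsubnet, rightsubnet, left, right):
    """Verify the out/fwd/in policies of one CHILD_SA against ipsec.conf
    values. Returns a list of problems; an empty list means consistent."""
    ls, rs = ipaddress.ip_network(leftsubnet), ipaddress.ip_network(rightsubnet)
    expected = {  # dir: (selector src, selector dst, tmpl src, tmpl dst)
        "out": (ls, rs, left, right),  # plaintext leftsubnet->rightsubnet, ESP to right
        "in": (rs, ls, right, left),   # ESP from right, plaintext delivered locally
        "fwd": (rs, ls, right, left),  # ESP from right, plaintext forwarded to LAN
    }
    seen = {p["dir"]: p for p in parse_policies(text)}
    problems = []
    for d, (src, dst, tsrc, tdst) in expected.items():
        p = seen.get(d)
        if p is None:
            problems.append(f"missing {d} policy")
        elif (ipaddress.ip_network(p["src"]), ipaddress.ip_network(p["dst"])) != (src, dst):
            problems.append(f"{d}: selector {p['src']}->{p['dst']} expected {src}->{dst}")
        elif (p["tsrc"], p["tdst"]) != (tsrc, tdst):
            problems.append(f"{d}: tmpl {p['tsrc']}->{p['tdst']} expected {tsrc}->{tdst}")
    return problems
```

Feed it the live output of `ip xfrm policy` and the subnets and endpoints from the conn; an empty result means the kernel policies match the config, and any remaining traffic loss lies outside the SPD (routing, firewall, or the peer).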