[strongSwan] Strongswan to Cisco router configuration help

Bharath Kumar cbkumar at gmail.com
Thu Apr 18 02:12:46 CEST 2013

Hi Brian,

I know you mentioned non-ASA/non-PIX, but as an FYI, I have a Cisco ASA working
with Strongswan 5.0.1 on CentOS 6.2. This is what I have on the Strongswan
side. I have commented a few lines to mark the differences. Also, in my case,
the Cisco always initiates the connections - Strongswan never does.

conn cisco-asa-cert                 # Your vpn1
        # I use certificate-based authentication. Use authby=secret if using pre-shared keys
        authby=pubkey
        # Could be the Strongswan IP, but %defaultroute chooses the IP of the default interface
        left=%defaultroute
        leftcert=vpngwCert.pem      # How Strongswan identifies itself to the connecting clients (Cisco)
        leftsubnet=                 # The subnet behind Strongswan
        right=%any                  # IP of the Cisco. The router can connect from any IP
        rightcert=ciscoasa.pem      # Certificate of the connecting Cisco
        rightsubnet=                # Subnet behind the connecting Cisco
        forceencaps=yes             # Force ESP packets to be encapsulated inside UDP
        # xfrm marks. This and the line below are something I am trying out. YOU WON'T NEED THIS
        mark=20
        leftupdown=/usr/local/etc/ipsec.d/scripts/asa_mark_updown   # YOU WON'T NEED this

It works great with this config. Not sure, but I felt your left and right are
possibly interchanged? More details on your network config would help.

Bharath Kumar

On Tue, Apr 16, 2013 at 1:50 PM, Brian secmang <secmang at hotmail.com> wrote:

> Hello,
> We've been struggling with getting a working vpn tunnel up
> between a Strongswan Linux host and a Cisco ISR router (1941).  We're
> trying to set up a subnet-subnet VPN.
> Does anyone have a working configuration of a working setup between any
> Cisco router (non-ASA,non-PIX), and a Strongswan server?
> Details:
> Strongswan vU4.4.1 with kernel 2.6.32-5-amd64
> ipsec.conf:
> config setup
>        plutodebug=control
>        crlcheckinterval=180
>        strictcrlpolicy=no
>        nat_traversal=yes
>        charonstart=no
> conn %default
>        ikelifetime=3600s
>        keylife=20m
>        rekeymargin=3m
>        keyingtries=1
>        keyexchange=ikev1
> conn vpn1
>        left=                       # Cisco ISR
>        leftsubnet=         # User subnet  (peer1)
>        right=                       # StrongSwan Linux (peer2)
>        rightsubnet=         # Network users will access
>        auto=start
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
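As an added example (not code from the list posters or from the strongSwan project), a small Python checker that parses an ipsec.conf in the shape of the one quoted above and flags the two points Bharath raises: left/right swapped relative to the strongSwan host, and authby=pubkey (strongSwan's default) without a leftcert. The host's own addresses passed to the checker and the addresses in the sample config are constructed, not the poster's.

```python
def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'conn %default' is merged into every other conn."""
    sections, current = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # '#' starts a comment in ipsec.conf
        if not line.strip():
            continue
        if not line[0].isspace():                 # an unindented line opens a section
            kind, _, name = line.partition(" ")
            current = sections.setdefault(f"{kind} {name.strip()}", {})
        else:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    default = sections.get("conn %default", {})
    return {name: ({**default, **params} if name.startswith("conn ") else params)
            for name, params in sections.items()}

def lint_conn(params, local_addrs):
    """Findings for one conn; local_addrs is the set of this host's own IPs (caller-supplied)."""
    findings = [f"{k} is empty" for k in ("left", "leftsubnet", "right", "rightsubnet")
                if not params.get(k)]
    left, right = params.get("left"), params.get("right")
    if right in local_addrs and left not in local_addrs and left != "%defaultroute":
        findings.append("left/right swapped: strongSwan's own side must be 'left'")
    if params.get("authby", "pubkey") == "pubkey" and not params.get("leftcert"):
        findings.append("authby=pubkey (the default) but no leftcert given")
    return findings

def lint_file(text, local_addrs):
    """{conn name: findings} for every conn except %default."""
    return {name[5:]: lint_conn(p, local_addrs)
            for name, p in parse_ipsec_conf(text).items()
            if name.startswith("conn ") and name != "conn %default"}

# Constructed sample in the shape of the quoted ipsec.conf; RFC 5737 documentation addresses.
SAMPLE = """\
conn %default
       keyexchange=ikev1
conn vpn1
       left=192.0.2.1              # Cisco ISR
       leftsubnet=10.1.0.0/24      # user subnet (peer1)
       right=198.51.100.1          # strongSwan Linux host (peer2)
       rightsubnet=10.2.0.0/24
conn vpn1-fixed                    # same tunnel written from strongSwan's side
       authby=secret
       left=%defaultroute
       leftsubnet=10.2.0.0/24
       right=192.0.2.1
       rightsubnet=10.1.0.0/24
"""
```

Calling `lint_file(SAMPLE, {"198.51.100.1"})` reports the swap and the missing leftcert for `vpn1` and nothing for `vpn1-fixed`.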