[strongSwan] Strongswan to Cisco router configuration help
cbkumar at gmail.com
Thu Apr 18 02:12:46 CEST 2013
I know you mentioned non-ASA/non-PIX but an FYI, I have Cisco ASA working
with Strongswan 5.0.1 on CentOS 6.2. This is what I have on the Strongswan
side. I have commented a few lines to mark the difference. Also, in my case,
the Cisco always initiates the connections - Strongswan never does.
conn cisco-asa-cert                  # Your vpn1
    authby=pubkey                    # I use certificate-based authentication. Use auth=secret if using pre-shared keys
    left=%defaultroute               # Could be Strongswan IP but %defaultroute chooses the IP of the default interface
    leftcert=vpngwCert.pem           # How Strongswan identifies to the connecting clients (Cisco)
    leftsubnet=10.10.0.0/16          # The subnet behind Strongswan
    right=%any                       # IP of the cisco. Router can connect with any IP
    rightcert=ciscoasa.pem           # Certificate of the connecting cisco
    rightsubnet=192.168.202.0/24     # Subnet behind the connecting cisco
    forceencaps=yes                  # Force ESP packets to be encapsulated inside UDP.
    mark=20                          # xfrm marks. This and below are something that I am trying to. YOU WON'T NEED THIS
    leftupdown=/usr/local/etc/ipsec.d/scripts/asa_mark_updown   # YOU WON'T NEED this.
It works great with this config. Not sure but I felt your left and right are
possibly interchanged?? More details on your network config would help.
On Tue, Apr 16, 2013 at 1:50 PM, Brian secmang <secmang at hotmail.com> wrote:
> We've been struggling with getting a working vpn tunnel up
> between a Strongswan Linux host and a Cisco ISR router (1941). We're
> trying to setup a subnet-subnet VPN.
> Does anyone have a working configuration of a working setup between any
> Cisco router (non-ASA,non-PIX), and a Strongswan server?
> Strongswan vU4.4.1 with kernel 2.6.32-5-amd64
> config setup
> conn %default
> conn vpn1
>     left=192.168.0.2 # Cisco ISR
>     leftsubnet=10.2.3.96/28 # User subnet (peer1)
>     right=172.16.0.1 # StrongSwan Linux (peer2)
>     rightsubnet=10.1.1.0/16 # Network users will access
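Added example, not part of the original post or of strongSwan: a small Python check for the vpn1 section quoted above. It reports which end (left or right) is the local host and flags subnet values with host bits set, such as rightsubnet=10.1.1.0/16. The function names and the re-indented sample are constructed for illustration.

```python
import ipaddress

# Constructed sample: the vpn1 section quoted in the thread, re-indented.
SAMPLE = """\
conn vpn1
    left=192.168.0.2          # Cisco ISR
    leftsubnet=10.2.3.96/28   # User subnet (peer1)
    right=172.16.0.1          # StrongSwan Linux (peer2)
    rightsubnet=10.1.1.0/16   # Network users will access
"""

def parse_conns(text):
    """Parse ipsec.conf-style text into {conn_name: {key: value}}."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header in column 0
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns

def local_side(conn, local_ips):
    """Return 'left' or 'right' for the end that is this host, else None."""
    for side in ("left", "right"):
        if conn.get(side) in local_ips or conn.get(side) == "%defaultroute":
            return side
    return None

def subnet_findings(conn):
    """Flag leftsubnet/rightsubnet values whose host bits are set."""
    findings = []
    for key in ("leftsubnet", "rightsubnet"):
        for cidr in filter(None, (c.strip() for c in conn.get(key, "").split(","))):
            net = ipaddress.ip_network(cidr, strict=False)
            if str(net) != cidr:
                findings.append(f"{key}={cidr} has host bits set; network is {net}")
    return findings

if __name__ == "__main__":
    vpn1 = parse_conns(SAMPLE)["vpn1"]
    side = local_side(vpn1, {"172.16.0.1"})       # address the thread gives for the Linux host
    print("local side:", side, "local subnet:", vpn1[f"{side}subnet"])
    print(subnet_findings(vpn1))
```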