[strongSwan] Site-Site VPN issues with Cisco Devices

Tormod Macleod TMacleod at paywizard.com
Wed Oct 15 13:26:22 CEST 2014


Hi Martin,
 
Just a quick note to say that this helped me a lot. I realise that it's
a long time since you sent this email. Initially I still couldn't get my
site to site VPN to work. I returned to it in the last two weeks and now
have it working.
 
We're now trialling it for use between our data centre and our Amazon
Web Services environment with StrongSwan connecting to a Cisco router or
ASA. So far the results have been very positive. Given the increased
functionality and cost savings StrongSwan offers in comparison to
Amazon's VPN offering, I would encourage anyone thinking of moving
services to the cloud to explore StrongSwan and would be happy to share
my experience with anyone thinking of doing so. I'd also encourage
people to use GNS3 http://www.gns3.net/download/ to trial and test
StrongSwan.
 
Finally, if anyone has any experience of creating encrypted GRE tunnels
from a StrongSwan box to a Cisco router I'd love to hear from them :¬)
 
Cheers,
 
 
Tormod

>>> Martin Willi <martin at strongswan.org> 07/08/2014 12:33 >>>
Hi,

> Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG] proposing traffic selectors for other:
> Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG]  10.2.0.0/24
> Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG] changing proposed traffic selectors for other:
> Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG]  0.0.0.0/0

The unity plugin widens the traffic selector as initiator, to later
dynamically reduce it to what has been negotiated with the
Split-Include Unity extension.

If the plugin is enabled, this is done on all connections where the
Unity Vendor ID has been received, which is likely with Cisco boxes.

I've recently pushed a patch [1] which disables that behavior if no
Split-Include attribute has been received on the connection. Please
try that patch, I think it should fix this issue.

Regards
Martin

[1]http://git.strongswan.org/?p=strongswan.git;a=commitdiff;h=1a62fb0a
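
An added example, not part of either message above and not strongSwan code: a small Python check that scans charon [CFG] log lines for the pattern quoted in the thread, where a "changing proposed traffic selectors" block replaces what was first proposed. The function name and the "us" lines in the sample are constructed; the code assumes selector lines carry an extra leading space after the [CFG] tag, as in the quoted excerpt.

```python
import re

# charon [CFG] lines look like: "<syslog prefix> charon: NN[CFG] <message>"
CFG = re.compile(r"charon: (\d+)\[CFG\] (.*)$")
HEADER = re.compile(r"(proposing|changing proposed) traffic selectors for (us|other):")

# Constructed sample: the four lines quoted in the thread, preceded by a
# constructed "us" block that is proposed and left unchanged.
SAMPLE = """\
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG] proposing traffic selectors for us:
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG]  10.1.0.0/24
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG] proposing traffic selectors for other:
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG]  10.2.0.0/24
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG] changing proposed traffic selectors for other:
Aug  7 12:06:03 A0089-Mint1 charon: 09[CFG]  0.0.0.0/0
"""

def find_changed_selectors(log_text):
    """Return (thread, side, proposed, changed) for every rewritten proposal."""
    proposed = {}  # (thread, side) -> selectors from the "proposing" block
    changed = {}   # (thread, side) -> selectors from the "changing proposed" block
    current = {}   # thread -> list being filled by that thread's last header
    for line in log_text.splitlines():
        m = CFG.search(line)
        if not m:
            continue  # not a charon [CFG] line
        thread, msg = m.groups()
        h = HEADER.match(msg)
        if h:
            target = proposed if h.group(1) == "proposing" else changed
            current[thread] = target[(thread, h.group(2))] = []
        elif msg.startswith(" ") and thread in current:
            current[thread].append(msg.strip())  # indented selector line
        else:
            current.pop(thread, None)  # any other message ends the block
    return [(t, side, proposed.get((t, side), []), sels)
            for (t, side), sels in changed.items()
            if sels != proposed.get((t, side), [])]

if __name__ == "__main__":
    for thread, side, before, after in find_changed_selectors(SAMPLE):
        print(f"thread {thread}: selectors for {side} changed {before} -> {after}")
```
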


