[strongSwan] Tunnel issues
Philip L Hutson
philip at plh9.com
Tue Jul 7 02:36:09 CEST 2015
I am trying to set up a VPN tunnel from an embedded Linux system (Linux system-0004338 2.6.37 #7 Mon Jun 22 14:45:53 PDT 2015 armv7l GNU/Linux) to a Cisco ASA. I have a working solution but not the preferred one.
One of my first problems was that when I let strongSwan add the routes it didn't overwrite the default route, so no traffic would go through. I was able to solve this by using an up/down script, but I would prefer that strongSwan added/removed the routes.
The routes it added looked like this:
ip route
10.255.254.180/30 dev usb1 src 10.255.254.180
0.0.0.0/1 via 10.255.254.181 dev usb1 src 10.3.10.18
128.0.0.0/1 via 10.255.254.181 dev usb1 src 10.3.10.18
default via 10.255.254.181 dev usb1
where the default route at the bottom was there already.
The route table before was:
ip route
10.255.254.180/30 dev usb1 src 10.255.254.180
default via 10.255.254.181 dev usb1
The second issue is with the system time fix plugin. After the device gets a valid time from NTP over the tunnel, it invalidates the client SA.
System time fix config: <http://pastebin.com/B5WHHbLE>
Log file <http://pastebin.com/0yu1YFKm> showing the SA being invalidated
The configuration I would like is one where, if usb1 goes up (after having been up before), strongSwan reconnects the tunnel. Currently, if usb1 goes down (for longer than DPD) and then comes up again and the DHCP client gets/assigns an address to usb1, strongSwan does not reconnect the tunnel. If I use ipsec up home it comes back up.
My current working ipsec.conf <http://pastebin.com/B7vPqqDd>
charon.conf <http://pastebin.com/zY6ZzZgC>
updown script <http://pastebin.com/JGksUE8p>
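Added here as an illustration, not part of the original message or of strongSwan: a small Python longest-prefix lookup over the two `ip route` listings quoted above, showing which route, and therefore which source address, a given destination selects in each table. It assumes the plain `ip route` line format shown in the post (keyword/value pairs, `default` meaning 0.0.0.0/0).

```python
import ipaddress

# Constructed sample input: the two `ip route` listings quoted in the message above.
ROUTES_AFTER = """\
10.255.254.180/30 dev usb1 src 10.255.254.180
0.0.0.0/1 via 10.255.254.181 dev usb1 src 10.3.10.18
128.0.0.0/1 via 10.255.254.181 dev usb1 src 10.3.10.18
default via 10.255.254.181 dev usb1
"""
ROUTES_BEFORE = """\
10.255.254.180/30 dev usb1 src 10.255.254.180
default via 10.255.254.181 dev usb1
"""

# Flags that `ip route` prints without a value; dropped so key/value pairing stays aligned.
VALUELESS_FLAGS = {"linkdown", "onlink"}


def parse_routes(text):
    """Parse `ip route` output into (network, attrs) tuples; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        fields = [f for f in line.split() if f not in VALUELESS_FLAGS]
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(dst, strict=False)
        attrs = dict(zip(fields[1::2], fields[2::2]))  # via/dev/src/... pairs
        routes.append((net, attrs))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel FIB does; returns (network, attrs) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, attrs in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, attrs)
    return best


def source_for(routes, dst):
    """Source address a locally generated packet to dst would get (None if no src hint)."""
    hit = lookup(routes, dst)
    return hit[1].get("src") if hit else None


if __name__ == "__main__":
    for name, table in (("before", ROUTES_BEFORE), ("after", ROUTES_AFTER)):
        routes = parse_routes(table)
        for dst in ("8.8.8.8", "192.0.2.1", "10.255.254.181"):
            net, attrs = lookup(routes, dst)
            print(f"{name}: {dst} -> {net} via={attrs.get('via')} src={attrs.get('src')}")
```

With the two /1 routes in place, every destination outside the usb1 link network resolves to src 10.3.10.18 (the virtual IP), while the "before" table leaves src unset and the kernel picks the interface address.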