[strongSwan] Strongswan in AWS (NATed), connecting to Cisco 72xx, fails
Florin Andrei
florin at andrei.myip.org
Tue May 19 03:35:28 CEST 2015
Noel,
That's it. The PSK was wrong. Also, the other side uses IKEv1, whereas
the implicit default with strongSwan is IKEv2. I've explicitly enforced
IKEv1. Works great now.
Other potential issues: The other side is picky about cipher suites, so
I had to add some explicit cipher suite lists. Also, we're running
strongSwan in Amazon, and AWS is doing 1:1 NAT for our instances, so I
added some conf items for that. Key lifetimes were also important to
tweak.
Not sure if all the config lines here are mandatory, but anyway, this is
what works for us now:
########################################
config setup
    nat_traversal=yes

conn %default

conn us2them
    authby=psk
    left=%any
    leftsubnet=our_subnet/netmask
    # IKE identity is the instance's private address, not the NATed public one
    leftid=private.ip.of.our.VPN.instance
    right=ip.of.their.VPN.gateway
    rightsubnet=their_subnet/netmask
    rightid=ip.of.their.VPN.gateway
    auto=start
    # explicit proposals and lifetimes, because the Cisco side is picky
    ike=some-list-of-ciphers-that-works
    esp=some-other-list-of-ciphers-that-works
    ikelifetime=some-lifetime-interval
    lifetime=some-other-lifetime-interval
    # always UDP-encapsulate ESP, since we sit behind 1:1 NAT
    forceencaps=yes
    keyexchange=ikev1
########################################
Again, this is for strongSwan in the AWS cloud, connecting to Cisco 72xx
with some custom settings.
Thank you.
--
Florin Andrei
http://florin.myip.org/
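The same layout with the placeholders filled in, as an added example and not the poster's configuration: every address, proposal and lifetime below is an assumed value chosen for illustration, not one known to work with this Cisco 72xx, and the ipsec.secrets entry shows where the PSK that was wrong in the original report actually lives.

```ini
# /etc/ipsec.conf  (added example; all values are assumed)
config setup
    # accepted but ignored by strongSwan 5.x, where NAT-T is always enabled
    nat_traversal=yes

conn us2them
    keyexchange=ikev1
    authby=psk
    # the EC2 instance only sees its private address; AWS maps it 1:1 to a
    # public IP, so bind to %any but keep the private IP as our IKE identity
    left=%any
    leftid=10.0.1.25
    leftsubnet=10.0.0.0/16
    right=203.0.113.10
    rightid=203.0.113.10
    rightsubnet=192.168.50.0/24
    # pin the proposals: the trailing "!" disables fallback to the defaults,
    # so weak groups (modp1024) or 3DES can never be negotiated; drop the
    # modp2048 from esp= if the peer is not configured for PFS
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    # must match the peer's configured lifetimes or rekeying will fail
    ikelifetime=24h
    lifetime=1h
    # encapsulate ESP in UDP/4500 even if NAT detection does not trigger
    forceencaps=yes
    auto=start

# /etc/ipsec.secrets  (added example; the PSK is a constructed placeholder)
# In IKEv1 main mode the PSK is selected by the peer addresses, so the
# selectors here must match leftid/rightid above exactly.
10.0.1.25 203.0.113.10 : PSK "replace-with-the-shared-secret"
```

After `ipsec reload` (or `ipsec restart`) the tunnel should show as ESTABLISHED in `ipsec statusall`; a bare "AUTHENTICATION_FAILED" or an IKE_SA that never leaves CONNECTING is the symptom of a PSK or identity mismatch.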