[strongSwan] Cisco IPSec VPN with StrongSwan across CGNAT
Chandrasekhar S
chandu5 at matrebyte.com
Tue Apr 5 17:01:52 CEST 2016
Hi,
We are working to setup an IPSec PSK VPN between the 4G router and
StrongSwan which resides on a public server in road warrior configuration,
with the 4G router being the road warrior clients.
Cisco 819 4G router ( Road warrior client) ---------------CGNAT
-------------------------- StrongSwan server
We are able to establish an IPSec VPN between the Cisco 819 4G router and
Strongswan, with a direct connection, wherein there is no CGNAT, this is
over the gigabit interface and strongswan local server. The moment we
introduce CGNAT with strongswan in the cloud, we are unable to get the
IPSec VPN working.
We are getting an error, please help/guide us here:
*Apr 5 14:39:38.822: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 100.76.145.121:500, remote=
125.16.240.98:500,
local_proxy= 192.168.1.0/255.255.255.0/256/0,
remote_proxy= 10.56.138.86/255.255.255.255/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Apr 5 14:39:38.822: ISAKMP: (0):SA request profile is (NULL)
*Apr 5 14:39:38.822: ISAKMP: (0):Created a peer struct for 125.16.240.98,
peer port 500
*Apr 5 14:39:38.822: ISAKMP: (0):New peer created peer = 0x1E10DE4
peer_handle = 0x80000012
*Apr 5 14:39:38.822: ISAKMP: (0):Locking peer struct 0x1E10DE4, refcount 1
for isakmp_initiator
*Apr 5 14:39:38.822: ISAKMP: (0):local port 500, remote port 500
*Apr 5 14:39:38.822: ISAKMP: (0):set new node 0 to QM_IDLE
*Apr 5 14:39:38.822: ISAKMP: (0):insert sa successfully sa = 10937C0
*Apr 5 14:39:38.822: ISAKMP: (0):Can not start Aggressive mode, trying Main
mode.
*Apr 5 14:39:38.822: ISAKMP: (0):found peer pre-shared key matching
125.16.240.98
*Apr 5 14:39:38.822: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
*Apr 5 14:39:38.822: ISAKMP: (0):constructed NAT-T vendor-07 ID
*Apr 5 14:39:38.822: ISAKMP: (0):constructed NAT-T vendor-03 ID
*Apr 5 14:39:38.822: ISAKMP: (0):constructed NAT-T vendor-02 ID
*Apr 5 14:39:38.822: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Apr 5 14:39:38.822: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1
*Apr 5 14:39:38.822: ISAKMP: (0):beginning Main Mode exchange
*Apr 5 14:39:38.822: ISAKMP-PAK: (0):sending packet to 125.16.240.98
my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 5 14:39:38.822: ISAKMP: (0):Sending an IKE IPv4 Packet..
Success rate is 0 percent (0/1)
Router#
*Apr 5 14:39:42.626: ISAKMP-PAK: (0):received packet from 125.16.240.98
dport 500 sport 500 Global (I) MM_NO_STATE
**Apr 5 14:39:42.626: ISAKMP-ERROR: (0):Couldn't find node: message_id
2939252457*
**Apr 5 14:39:42.626: ISAKMP-ERROR: (0):(0): Unknown Input
IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1*
*Apr 5 14:39:42.626: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Apr 5 14:39:42.626: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_I_MM1
*Apr 5 14:39:42.626: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of
Informational mode failed with peer at 125.16.240.98
*Apr 5 14:39:48.826: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Apr 5 14:39:48.826: ISAKMP: (0):: incrementing error counter on sa,
attempt 1 of 5: retransmit phase 1
*Apr 5 14:39:48.826: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Apr 5 14:39:48.826: ISAKMP-PAK: (0):sending packet to 125.16.240.98
my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 5 14:39:48.826: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Apr 5 14:39:50.286: ISAKMP-PAK: (0):received packet from 125.16.240.98
dport 500 sport 500 Global (I) MM_NO_STATE
**Apr 5 14:39:50.286: ISAKMP-ERROR: (0):Couldn't find node: message_id
702674192*
**Apr 5 14:39:50.286: ISAKMP-ERROR: (0):(0): Unknown Input
IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1*
**Apr 5 14:39:50.286: ISAKMP: (0):Input = IKE_MESG_FROM_PEER,
IKE_INFO_NOTIFY*
**Apr 5 14:39:50.286: ISAKMP: (0):Old State = IKE_I_MM1 New State =
IKE_I_MM1*
*StrongSwan output:*
06[CFG] received stroke: add connection 'ciscoios'
06[CFG] left nor right host is our side, assuming left=local
06[CFG] added configuration 'ciscoios'
11[NET] received packet: from 106.206.153.204[13418] to 10.56.138.86[500]
(168 bytes)
11[ENC] parsed ID_PROT request 0 [ SA V V V V ]
11[IKE] no IKE config found for 10.56.138.86...106.206.153.204, sending
NO_PROPOSAL_CHOSEN
11[ENC] generating INFORMATIONAL_V1 request 2939252457 [ N(NO_PROP) ]
11[NET] sending packet: from 10.56.138.86[500] to 106.206.153.204[13418]
(40 bytes)
04[NET] received packet: from 106.206.153.204[13418] to 10.56.138.86[500]
(168 bytes)
04[ENC] parsed ID_PROT request 0 [ SA V V V V ]
04[IKE] no IKE config found for 10.56.138.86...106.206.153.204, sending
NO_PROPOSAL_CHOSEN
04[ENC] generating INFORMATIONAL_V1 request 702674192 [ N(NO_PROP) ]
04[NET] sending packet: from 10.56.138.86[500] to 106.206.153.204[13418]
(40 byt
Regards,
Chandu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160405/7f004bfa/attachment-0001.html>
-------------- next part --------------
Router#ping
Protocol [ip]:
Target IP address: 10.56.138.86
Repeat count [5]: 1
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Ingress ping [n]:
Source address or interface: vlan3
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0x0000ABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 10.56.138.86, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1
*Apr 5 14:39:38.822: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 100.76.145.121:500, remote= 125.16.240.98:500,
local_proxy= 192.168.1.0/255.255.255.0/256/0,
remote_proxy= 10.56.138.86/255.255.255.255/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Apr 5 14:39:38.822: ISAKMP: (0):SA request profile is (NULL)
*Apr 5 14:39:38.822: ISAKMP: (0):Created a peer struct for 125.16.240.98, peer port 500
*Apr 5 14:39:38.822: ISAKMP: (0):New peer created peer = 0x1E10DE4 peer_handle = 0x80000012
*Apr 5 14:39:38.822: ISAKMP: (0):Locking peer struct 0x1E10DE4, refcount 1 for isakmp_initiator
*Apr 5 14:39:38.822: ISAKMP: (0):local port 500, remote port 500
*Apr 5 14:39:38.822: ISAKMP: (0):set new node 0 to QM_IDLE
*Apr 5 14:39:38.822: ISAKMP: (0):insert sa successfully sa = 10937C0
*Apr 5 14:39:38.822: ISAKMP: (0):Can not start Aggressive mode, trying Main mode.
*Apr 5 14:39:38.822: ISAKMP: (0):found peer pre-shared key matching 125.16.240.98
*Apr 5 14:39:38.822: ISAKMP: (0):constructed NAT-T vendor-rfc3947 ID
*Apr 5 14:39:38.822: ISAKMP: (0):constructed NAT-T vendor-07 ID
*Apr 5 14:39:38.822: ISAKMP: (0):constructed NAT-T vendor-03 ID
*Apr 5 14:39:38.822: ISAKMP: (0):constructed NAT-T vendor-02 ID
*Apr 5 14:39:38.822: ISAKMP: (0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Apr 5 14:39:38.822: ISAKMP: (0):Old State = IKE_READY New State = IKE_I_MM1
*Apr 5 14:39:38.822: ISAKMP: (0):beginning Main Mode exchange
*Apr 5 14:39:38.822: ISAKMP-PAK: (0):sending packet to 125.16.240.98 my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 5 14:39:38.822: ISAKMP: (0):Sending an IKE IPv4 Packet..
Success rate is 0 percent (0/1)
Router#
*Apr 5 14:39:42.626: ISAKMP-PAK: (0):received packet from 125.16.240.98 dport 500 sport 500 Global (I) MM_NO_STATE
*Apr 5 14:39:42.626: ISAKMP-ERROR: (0):Couldn't find node: message_id 2939252457
*Apr 5 14:39:42.626: ISAKMP-ERROR: (0):(0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
*Apr 5 14:39:42.626: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Apr 5 14:39:42.626: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_I_MM1
*Apr 5 14:39:42.626: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 125.16.240.98
*Apr 5 14:39:48.826: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Apr 5 14:39:48.826: ISAKMP: (0):: incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
*Apr 5 14:39:48.826: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Apr 5 14:39:48.826: ISAKMP-PAK: (0):sending packet to 125.16.240.98 my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 5 14:39:48.826: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Apr 5 14:39:50.286: ISAKMP-PAK: (0):received packet from 125.16.240.98 dport 500 sport 500 Global (I) MM_NO_STATE
*Apr 5 14:39:50.286: ISAKMP-ERROR: (0):Couldn't find node: message_id 702674192
*Apr 5 14:39:50.286: ISAKMP-ERROR: (0):(0): Unknown Input IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY: state = IKE_I_MM1
*Apr 5 14:39:50.286: ISAKMP: (0):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Apr 5 14:39:50.286: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_I_MM1
*Apr 5 14:39:58.826: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Apr 5 14:39:58.826: ISAKMP: (0):: incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
*Apr 5 14:39:58.826: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Apr 5 14:39:58.826: ISAKMP-PAK: (0):sending packet to 125.16.240.98 my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 5 14:39:58.826: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Apr 5 14:40:08.822: IPSEC:(SESSION ID = 2) (key_engine) request timer fired: count = 1,
(identity) local= 100.76.145.121:0, remote= 125.16.240.98:0,
local_proxy= 192.168.1.0/255.255.255.0/256/0,
remote_proxy= 10.56.138.86/255.255.255.255/256/0
*Apr 5 14:40:08.822: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 100.76.145.121:500, remote= 125.16.240.98:500,
local_proxy= 192.168.1.0/255.255.255.0/256/0,
remote_proxy= 10.56.138.86/255.255.255.255/256/0,
protocol= ESP, transform= esp-aes esp-sha-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Apr 5 14:40:08.822: ISAKMP: (0):set new node 0 to QM_IDLE
*Apr 5 14:40:08.822: ISAKMP-ERROR: (0):SA is still budding. Attached new ipsec request to it. (local 100.76.145.121, remote 125.16.240.98)
*Apr 5 14:40:08.822: ISAKMP-ERROR: (0):Error while processing SA request: Failed to initialize SA
*Apr 5 14:40:08.822: ISAKMP-ERROR: (0):Error while processing KMI message 0, error 2.
*Apr 5 14:40:08.826: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Apr 5 14:40:08.826: ISAKMP: (0):: incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
*Apr 5 14:40:08.826: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Apr 5 14:40:08.826: ISAKMP-PAK: (0):sending packet to 125.16.240.98 my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 5 14:40:08.826: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Apr 5 14:40:18.826: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Apr 5 14:40:18.826: ISAKMP: (0):: incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
*Apr 5 14:40:18.826: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Apr 5 14:40:18.826: ISAKMP-PAK: (0):sending packet to 125.16.240.98 my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 5 14:40:18.826: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Apr 5 14:40:28.826: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Apr 5 14:40:28.826: ISAKMP: (0):: incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
*Apr 5 14:40:28.826: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE
*Apr 5 14:40:28.826: ISAKMP-PAK: (0):sending packet to 125.16.240.98 my_port 500 peer_port 500 (I) MM_NO_STATE
*Apr 5 14:40:28.826: ISAKMP: (0):Sending an IKE IPv4 Packet.
*Apr 5 14:40:38.822: IPSEC:(SESSION ID = 2) (key_engine) request timer fired: count = 2,
(identity) local= 100.76.145.121:0, remote= 125.16.240.98:0,
local_proxy= 192.168.1.0/255.255.255.0/256/0,
remote_proxy= 10.56.138.86/255.255.255.255/256/0
*Apr 5 14:40:38.826: ISAKMP: (0):retransmitting phase 1 MM_NO_STATE...
*Apr 5 14:40:38.826: ISAKMP: (0):peer does not do paranoid keepalives.
*Apr 5 14:40:38.826: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 125.16.240.98)
*Apr 5 14:40:38.826: ISAKMP-ERROR: (0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 125.16.240.98)
*Apr 5 14:40:38.826: ISAKMP: (0):Unlocking peer struct 0x1E10DE4 for isadb_mark_sa_deleted(), count 0
*Apr 5 14:40:38.826: ISAKMP: (0):Deleting peer node by peer_reap for 125.16.240.98: 1E10DE4
*Apr 5 14:40:38.826: ISAKMP: (0):deleting node 129176622 error FALSE reason "IKE deleted"
*Apr 5 14:40:38.826: ISAKMP: (0):deleting node -90631767 error FALSE reason "IKE deleted"
*Apr 5 14:40:38.826: ISAKMP: (0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
*Apr 5 14:40:38.826: ISAKMP: (0):Old State = IKE_I_MM1 New State = IKE_DEST_SA
*Apr 5 14:40:38.826: IPSEC(key_engine): got a queue event with 1 KMI message(s)
-------------- next part --------------
Starting strongSwan 5.4.0 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.4.0, Linux 3.10.0-327.3.1.el7.x86_64, x86_64)
00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
00[CFG] loading secrets from '/usr/local/etc/ipsec.secrets'
00[CFG] loaded IKE secret for 125.16.240.98 %any
00[CFG] line 3: missing ' : ' separator
00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke vici updown xauth-generic
00[JOB] spawning 16 worker threads
charon (5432) started after 20 ms
06[CFG] received stroke: add connection 'ciscoios'
06[CFG] left nor right host is our side, assuming left=local
06[CFG] added configuration 'ciscoios'
11[NET] received packet: from 106.206.153.204[13418] to 10.56.138.86[500] (168 bytes)
11[ENC] parsed ID_PROT request 0 [ SA V V V V ]
11[IKE] no IKE config found for 10.56.138.86...106.206.153.204, sending NO_PROPOSAL_CHOSEN
11[ENC] generating INFORMATIONAL_V1 request 2939252457 [ N(NO_PROP) ]
11[NET] sending packet: from 10.56.138.86[500] to 106.206.153.204[13418] (40 bytes)
04[NET] received packet: from 106.206.153.204[13418] to 10.56.138.86[500] (168 bytes)
04[ENC] parsed ID_PROT request 0 [ SA V V V V ]
04[IKE] no IKE config found for 10.56.138.86...106.206.153.204, sending NO_PROPOSAL_CHOSEN
04[ENC] generating INFORMATIONAL_V1 request 702674192 [ N(NO_PROP) ]
04[NET] sending packet: from 10.56.138.86[500] to 106.206.153.204[13418] (40 bytes)
^C00[DMN] signal of type SIGINT received. Shutting down
charon stopped after 200 ms
ipsec starter stopped
-------------- next part --------------
Building configuration...
Current configuration : 4695 bytes
!
! Last configuration change at 13:14:22 UTC Tue Apr 5 2016 by admin
!
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
ethernet lmi ce
!
crypto pki trustpoint TP-self-signed-166567200
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-166567200
revocation-check none
rsakeypair TP-self-signed-166567200
!
!
crypto pki certificate chain TP-self-signed-166567200
certificate self-signed 01
30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31363635 36373230 30301E17 0D313630 34303530 38343535
365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3136 36353637
32303030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
8FFDE824 9BEDE4ED F26CBA92 B6B6C085 F340B93A 1769B956 98A4014B 945D5CAF
935E7018 B08979BF 825718D4 F714B3BA F6A0AB95 68AF251D 0D22E906 062B2A1D
EF5F48E2 754CDB6C C29B14B5 83F65D55 9CFA49D5 DC38A95E C18522DA 48F27297
166EACAC 864676F6 72A34404 E390F6A5 F83F5B5A 637CC1FE E52B2BA6 6F09C387
02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
23041830 16801411 0D1FA120 7F3CDFA2 78F181A8 2C0A99DE B61C2930 1D060355
1D0E0416 0414110D 1FA1207F 3CDFA278 F181A82C 0A99DEB6 1C29300D 06092A86
4886F70D 01010505 00038181 007ECF68 25989D4D 9485935B 5FEEA41F 651A1EA8
6CF25618 32F10C88 99F6F20A FA7E3072 058E3715 DE7714E1 4D8106ED 5B315EF9
22E9D2B9 CAD961D0 E1044950 CF01100E A6D06B84 28CE500B 842EDCCE D42980FE
8048EB64 3A0B1D9B B9BB015E 3ED20C74 97B836FE 40624795 3924789A F73BE16D
70526A5F DB9B680C 60125718 14
quit
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.128
default-router 10.10.10.1
lease 0 2
!
!
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
!
!
!
!
license udi pid C819HG-4G-G-K9 sn FGL200422N5
!
!
username admin privilege 15 secret 5 $1$VIB2$ToQSRis/P//x9QwPanc/R0
!
!
!
!
!
controller Cellular 0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp key cisco address 125.16.240.98
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
!
!
!
crypto map cmap 10 ipsec-isakmp
set peer 125.16.240.98
set transform-set TS
match address cryptoacl
!
!
!
!
!
!
interface Cellular0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer string lte
dialer-group 1
crypto map cmap
!
interface Cellular1
no ip address
encapsulation slip
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
switchport access vlan 3
no ip address
!
interface FastEthernet3
no ip address
!
interface GigabitEthernet0
ip address 172.16.10.10 255.255.255.0
duplex auto
speed auto
crypto map cmap
!
interface Serial0
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan3
ip address 192.168.1.1 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list NAT interface Cellular0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0
ip ssh time-out 60
ip ssh authentication-retries 2
!
ip access-list extended NAT
permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended cryptoacl
permit ip 192.168.1.0 0.0.0.255 host 10.56.138.86
!
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line 3
script dialer lte
no exec
speed 384000
line 8
no exec
speed 384000
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
!
!
!
end
-------------- next part --------------
A non-text attachment was scrubbed...
Name: StrongSwanConfiguration
Type: application/octet-stream
Size: 854 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20160405/7f004bfa/attachment-0001.obj>
More information about the Users
mailing list