[strongSwan] Cisco 3845 integrating with Strongswan 5.4 Centos 7 AWS VPC
jhunter at voxboxcoms.co.uk
Tue Nov 8 18:36:16 CET 2016
I was wondering if anyone has had this same issue.
We have a number of servers in a VPC in AWS, and we are building IPsec
tunnels with an end customer who is using a Cisco 3845; we want to
establish a site-to-site connection.
We are using servers with an Elastic IP and can establish the tunnel;
however, I cannot seem to initiate connections from the AWS server running
strongSwan out to the Cisco, for example ICMP or SMPP. However, if the
Cisco initiates a ping, the tunnel becomes active.
I notice that until that point ip xfrm policy has no content populated.
Please can someone let me know what I may be missing?
The status of the strongswan command shows:
Status of IKE charon daemon (strongSwan 5.4.0, Linux
uptime: 9 minutes, since Nov 08 17:05:11 2016
malloc: sbrk 1622016, mmap 0, used 483808, free 1138208
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509
revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey
pem openssl gcrypt fips-prf gmp xcbc cmac hmac ctr ccm gcm curl attr
kernel-netlink resolve socket-default farp stroke vici updown eap-identity
eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic
xauth-eap xauth-pam xauth-noauth dhcp
Listening IP addresses:
THW-FW-B: 172.31.12.91...<CustomerPublicIPFirewall> IKEv1,
THW-FW-B: local: [<ElasticIP>] uses pre-shared key authentication
THW-FW-B: remote: [<CustomerPublicIPFirewall>] uses pre-shared key
THW-FW-B: child: <ElasticIP>/32 === <CustomerSubnet> TUNNEL,
Security Associations (1 up, 0 connecting):
THW-FW-B: ESTABLISHED 9 minutes ago,
THW-FW-B: IKEv1 SPIs: 0cc86f09022b466c_i* cfb875944d065524_r,
pre-shared key reauthentication in 7 hours
THW-FW-B: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
However, as I say, when I try and ping the far-side subnet, it doesn't try to
go through the tunnel/create a child policy; however, if the far end sends a
ping, it creates a tunnel, and from that point onwards I can initiate a
ipsec.conf shown below:
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
charondebug="ike, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
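For comparison, here is an added example of a site-to-site conn definition as it is commonly written for a strongSwan host on an AWS instance behind a 1:1 NAT (Elastic IP). It is not the poster's ipsec.conf and not strongSwan project code; the addresses, the conn name and the proposal lists are placeholders or assumptions. Two points it illustrates: the instance only ever sees its private address, so the local traffic selector (leftsubnet) has to cover that private address (or the VPC subnet) rather than the Elastic IP, otherwise no locally generated packet can match the IPsec policy; and auto=route installs trap policies at load time, so that the first matching local packet triggers CHILD_SA negotiation instead of waiting for the peer to initiate.

```conf
# Added example, not the poster's configuration. Addresses are placeholders.
config setup
    # Lower debug levels than the poster's line; raise per subsystem when needed.
    charondebug="ike 1, knl 1, cfg 1"

conn %default
    keyexchange=ikev1
    authby=secret
    # Dead peer detection tears down stale SAs and re-negotiates them.
    dpdaction=restart
    dpddelay=30s

conn thw-fw-b
    # Private address the instance actually has; the Elastic IP is applied
    # by AWS 1:1 NAT and never appears on the interface.
    left=172.31.12.91
    # Identify ourselves by the public (Elastic) IP, which is the address the
    # peer sees and has configured as its IKE peer.
    leftid=<ElasticIP>
    # Local traffic selector: the private address (or the whole VPC subnet),
    # not the Elastic IP, so locally originated packets match the policy.
    leftsubnet=172.31.12.91/32
    right=<CustomerPublicIPFirewall>
    rightsubnet=<CustomerSubnet>
    # Install trap policies at load time: the first locally generated packet
    # matching left/rightsubnet triggers CHILD_SA negotiation, so the tunnel
    # comes up from this side as well, not only when the peer initiates.
    auto=route
    # Proposals must match the Cisco side; the values below are an assumption.
    # 3DES/SHA1/MODP_1024, as in the status output above, is legacy strength.
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256!
```

After loading this, `ip xfrm policy` should already show the trap policies for the configured selectors before any traffic flows; with auto=add they appear only once a CHILD_SA has actually been negotiated, which is why an IKE SA can be ESTABLISHED while the policy table stays empty.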