[strongSwan] Cisco 3845 integrating with Strongswan 5.4 Centos 7 AWS VPC
Jonathan Hunter
jhunter at voxboxcoms.co.uk
Tue Nov 8 18:36:16 CET 2016
Hi Guys,

I was wondering if anyone has had this same issue.

We have a number of servers in a VPC in AWS and we are building IPsec tunnels with an end customer who is using a Cisco 3845, and we want to establish a site-to-site connection.

We are using servers with an Elastic IP, and can establish the tunnel; however, I cannot seem to initiate connections from the AWS server running strongSwan out to the Cisco, for example ICMP or SMPP. However, if the Cisco initiates a PING, the tunnel becomes active.

I notice that until that point ip xfrm policy has no content populated. Please can someone let me know what I may be missing?
The output of strongswan statusall shows:

strongswan statusall
Status of IKE charon daemon (strongSwan 5.4.0, Linux 3.10.0-327.18.2.el7.x86_64, x86_64):
  uptime: 9 minutes, since Nov 08 17:05:11 2016
  malloc: sbrk 1622016, mmap 0, used 483808, free 1138208
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp
Listening IP addresses:
  172.31.12.91
Connections:
    THW-FW-B:  172.31.12.91...<CustomerPublicIPFirewall>  IKEv1, dpddelay=10s
    THW-FW-B:   local:  [<ElasticIP>] uses pre-shared key authentication
    THW-FW-B:   remote: [<CustomerPublicIPFirewall>] uses pre-shared key authentication
    THW-FW-B:   child:  <ElasticIP>/32 === <CustomerSubnet> TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
    THW-FW-B[1]: ESTABLISHED 9 minutes ago, 172.31.12.91[<ElasticIP>]...<CustomerPublicIPFirewall>[<CustomerPublicIP>]
    THW-FW-B[1]: IKEv1 SPIs: 0cc86f09022b466c_i* cfb875944d065524_r, pre-shared key reauthentication in 7 hours
    THW-FW-B[1]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
However, as I say, when I try to ping the far-side subnet it doesn't try to go through the tunnel/create a child policy; however, if the far end sends a ping, it creates a tunnel, and from that point onwards I can initiate a connection.

Please help!

ipsec.conf shown below:
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    charondebug="ike, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"

conn %default
    ikelifetime=28800s
    keylife=3600s
    rekeymargin=3m
    keyingtries=3
    keyexchange=ikev1
    authby=secret
    type=tunnel
    dpddelay=10s
    dpdtimeout=30s
    dpdaction=restart
    rekey=yes

conn THW-FW-B
    # Phase 1 / Phase 2 proposals; these have to match what the Cisco offers
    ike=3des-sha1-modp1024
    esp=3des-sha1-modp1024
    # private address of the instance; the Elastic IP is 1:1 NAT at the VPC edge
    left=172.31.12.91
    # local traffic selector (a single host) and the IKE identity sent to the peer
    leftsubnet=<ElasticIP>
    leftid=<ElasticIP>
    # let the updown script insert iptables rules for the tunnel
    leftfirewall=yes
    right=<CustomerPublicIPFirewall>
    rightsubnet=<CustomerSubnet>
    # bring the connection up when charon starts
    auto=start
Many thanks
Jon
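As an added example, not part of the original post and not strongSwan's own tooling, the following Python script does the cross-check a practitioner would want here: it reads the text of ipsec statusall and of ip xfrm policy and reports, per configured child, whether the IKE SA is up, whether a CHILD_SA with the configured traffic selectors is actually INSTALLED, whether the kernel holds a matching outbound policy, and whether the local selector contains an address the daemon listens on. The last check matters only for traffic the gateway itself originates (pings from the server, as in the post): such packets carry an interface address as source, so they cannot match an out policy whose local selector excludes every listening address; forwarded traffic from other hosts is not affected by it. The sample outputs embedded below are constructed for the example using RFC 5737 documentation addresses and the connection name from the post; they are not the poster's real data.

```python
"""Cross-check 'ipsec statusall' against 'ip xfrm policy' per configured child,
so an IKE SA that is up without any CHILD_SA is reported instead of being
hidden behind "1 up". All sample output is constructed (RFC 5737 addresses)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed: IKE SA established, no CHILD_SA listed (the symptom in the post).
STATUSALL_NO_CHILD = """\
Listening IP addresses:
  172.31.12.91
Connections:
    THW-FW-B:  172.31.12.91...203.0.113.10  IKEv1, dpddelay=10s
    THW-FW-B:   child:  198.51.100.7/32 === 10.20.0.0/16 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
    THW-FW-B[1]: ESTABLISHED 9 minutes ago, 172.31.12.91[198.51.100.7]...203.0.113.10[203.0.113.10]
"""
# Constructed: the same connection after Quick Mode has installed a CHILD_SA.
STATUSALL_CHILD_UP = STATUSALL_NO_CHILD + """\
    THW-FW-B{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0ffee01_i c0ffee02_o
    THW-FW-B{1}:   198.51.100.7/32 === 10.20.0.0/16
"""
# Constructed 'ip xfrm policy' output that goes with STATUSALL_CHILD_UP.
XFRM_CHILD_UP = """\
src 198.51.100.7/32 dst 10.20.0.0/16
    dir out priority 371327 ptype main
    tmpl src 172.31.12.91 dst 203.0.113.10
        proto esp reqid 1 mode tunnel
src 10.20.0.0/16 dst 198.51.100.7/32
    dir in priority 371327 ptype main
    tmpl src 203.0.113.10 dst 172.31.12.91
        proto esp reqid 1 mode tunnel
"""

@dataclass
class Conn:
    name: str
    ike_up: bool = False
    children: list = field(default_factory=list)   # configured (local, remote)
    installed: list = field(default_factory=list)  # negotiated (local, remote)

RE_LISTEN = re.compile(r"^\s+(\d+\.\d+\.\d+\.\d+)\s*$")
RE_CHILD_CFG = re.compile(r"^\s*(\S+):\s+child:\s+(\S+) === (\S+)")
RE_IKE_UP = re.compile(r"^\s*(\S+)\[\d+\]:\s+ESTABLISHED")
RE_CHILD_TS = re.compile(r"^\s*(\S+)\{\d+\}:\s+(\S+) === (\S+)")

def parse_statusall(text):
    """Return (listening_ips, {conn_name: Conn}) from 'ipsec statusall' text."""
    listening, conns, in_listen = [], {}, False
    for line in text.splitlines():
        if line.startswith("Listening IP addresses:"):
            in_listen = True
            continue
        if in_listen:
            m = RE_LISTEN.match(line)
            if m:
                listening.append(m.group(1))
                continue
            in_listen = False  # first non-address line ends the section
        for rx, attr in ((RE_CHILD_CFG, "children"), (RE_IKE_UP, "ike_up"),
                         (RE_CHILD_TS, "installed")):
            m = rx.match(line)
            if not m:
                continue
            conn = conns.setdefault(m.group(1), Conn(m.group(1)))
            if attr == "ike_up":
                conn.ike_up = True
            else:
                getattr(conn, attr).append((m.group(2), m.group(3)))
            break
    return listening, conns

def parse_xfrm_policy(text):
    """Return a set of (dir, src, dst) selectors from 'ip xfrm policy' text."""
    policies, cur = set(), None
    for line in text.splitlines():
        m = re.match(r"^src (\S+) dst (\S+)", line)
        if m:
            cur = (m.group(1), m.group(2))
        m = re.match(r"^\s+dir (\w+)", line)
        if m and cur:
            policies.add((m.group(1),) + cur)
    return policies

def diagnose(statusall_text, xfrm_text):
    """Map (conn, local, remote) to a status; 'ok' means host-originated traffic
    can match the outbound policy."""
    listening, conns = parse_statusall(statusall_text)
    policies = parse_xfrm_policy(xfrm_text)
    report = {}
    for c in conns.values():
        for local, remote in c.children:
            net = ipaddress.ip_network(local, strict=False)
            if not c.ike_up:
                status = "ike-sa-down"
            elif (local, remote) not in c.installed:
                status = "ike-sa-up-but-no-child-sa"
            elif ("out", local, remote) not in policies:
                status = "child-sa-up-but-no-kernel-out-policy"
            elif not any(ipaddress.ip_address(ip) in net for ip in listening):
                status = "local-selector-excludes-listening-ip"
            else:
                status = "ok"
            report[(c.name, local, remote)] = status
    return report

if __name__ == "__main__":
    for key, status in diagnose(STATUSALL_CHILD_UP, XFRM_CHILD_UP).items():
        print(key, status)
```

On a live box you would feed it the real outputs (for example subprocess.run(["ipsec", "statusall"]) and ["ip", "xfrm", "policy"]) instead of the constructed strings; the status strings are meant to be emitted to a monitoring system so a tunnel that only comes up when the peer initiates is caught before users notice.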