[strongSwan] issue connecting strongswan from EC2 instance to Cisco device

John Gathm john.gathm at gmail.com
Tue Sep 13 19:08:21 CEST 2016


Hello,

I'm trying to connect a Strongswan Client hosted on Amazon EC2 public (not
VPC) to a Cisco device over ikev1.
Since we are hosted on EC2, we have the EC2 gateway NAT in front of our
instance.


I have done a VirtualBox simulation setup using 4 Linux VMs and strongSwan, i.e.
Linux1 / my EC2 <------> Linux 2 / 1:1 NAT <-----------> Linux 3 / Cisco
VPN <----------> Linux 4 / remote server to access.
Using this, I have validated that my "Linux1/EC2" is able to communicate
over IPsec with NAT-T over a 1:1 NAT. It works... with strongSwan as server.

However, it does not work with the Cisco VPN device we're trying to connect
to:

the strongSwan client keeps rekeying phase 1 (i.e. ipsec statusall keeps
looping between CONNECTING/ESTABLISHED continuously).


Adding modeconfig=push as suggested by the documentation makes the Security
Association stable; however, the connection gets stuck trying to negotiate
phase 2 (tasks queued: QUICK_MODE).
I can see with tcpdump that NAT-T packets are sent, and I see the first
response from the Cisco device over NAT-T, but nothing more.

16:56:28.391047 IP ip-10-104-164-139.eu-west-1.compute.internal.isakmp > vpn_cisco_gateway.isakmp: isakmp: phase 1 I ident
16:56:28.470397 IP vpn_cisco_gateway.isakmp > ip-10-104-164-139.eu-west-1.compute.internal.isakmp: isakmp: phase 1 R ident
16:56:28.485469 IP ip-10-104-164-139.eu-west-1.compute.internal.isakmp > vpn_cisco_gateway.isakmp: isakmp: phase 1 I ident
16:56:28.566259 IP vpn_cisco_gateway.isakmp > ip-10-104-164-139.eu-west-1.compute.internal.isakmp: isakmp: phase 1 R ident
16:56:28.648297 IP ip-10-104-164-139.eu-west-1.compute.internal.ipsec-nat-t > vpn_cisco_gateway.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
16:56:28.731272 IP vpn_cisco_gateway.ipsec-nat-t > ip-10-104-164-139.eu-west-1.compute.internal.ipsec-nat-t: NONESP-encap: isakmp: phase 1 R ident[E]
16:56:52.596800 IP ip-10-104-164-139.eu-west-1.compute.internal.ipsec-nat-t > vpn_cisco_gateway.ipsec-nat-t: isakmp-nat-keep-alive
and nothing more except keepalives.


Any help or suggestions on how to troubleshoot the issue further are
welcome.
Regards,
J.G


The local and remote configurations are, with context:
123.123.22.22: using some public IP address for the internal network, on
purpose, to avoid collision with the VPN provider
PUBLIC_EC2_IP_ADDRESS is our public EC2 elastic IP address.
VPN_GATEWAY_PUBLIC_IP is the public IP address of the remote VPN Cisco device
VPN_GATEWAY_INTERNAL_IP is the internal IP address of the remote VPN Cisco device
SERVER_IP_BEHIND_VPN_GATEWAY is the address of the remote server & service we
want to access from our EC2 instance over the IPsec tunnel
VPN_REMOTE_NETWORK is the remote network & mask that includes the two
previous hosts
OUR_VPN_PROVIDER_GATEWAY is the next-hop gateway for the Cisco VPN to reach
the internet


config setup
    charondebug="knl 3, ike 4, esp 4, cfg 4, mgr 4, net 4"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret

conn test
    left=%any
    leftsourceip=123.123.22.22
    leftid=PUBLIC_EC2_IP_ADDRESS
    leftfirewall=yes
    right=VPN_GATEWAY_PUBLIC_IP
    rightid=VPN_GATEWAY_PUBLIC_IP
    rightsubnet=VPN_REMOTE_NETWORK/27
    auto=add
    modeconfig=push #or disable
    ike=3des-md5-modp1024!
    esp=aes-sha1!

The Cisco device configuration is:


crypto keyring keyring_customer
 pre-shared-key address PUBLIC_EC2_IP_ADDRESS key THE_SECRET_PSK
!
crypto isakmp profile profile_customer
 vrf vrf_customer
 keyring keyring_customer
 match identity address PUBLIC_EC2_IP_ADDRESS 255.255.255.255
!
crypto map cmallserv1 130 ipsec-isakmp
 description customer_vpn
 set peer PUBLIC_EC2_IP_ADDRESS
 set transform-set ts-esp-aes256-esp-sha-hmac
 set isakmp-profile profile_customer
 match address access_list_customer
!
ip route PUBLIC_EC2_IP_ADDRESS 255.255.255.255 TenGigabitEthernet0/1/0.1300
OUR_VPN_PROVIDER_GATEWAY
ip route vrf vrf_customer 123.123.22.22 255.255.255.255
TenGigabitEthernet0/1/0.1300 OUR_VPN_PROVIDER_GATEWAY global
!
ip access-list extended access_list_customer
 permit ip host VPN_GATEWAY_INTERNAL_IP host 123.123.22.22
 permit ip host SERVER_IP_BEHIND_VPN_GATEWAY host 123.123.22.22
!
router bgp 6000
 scope vrf icssmsc:vrf_customer
  address-family ipv4
   redistribute static
!
end
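As an added example (not part of the original post, and not strongSwan or Cisco code), here is a small Python script that re-joins mail-wrapped tcpdump records like the ones quoted above and reports how far the IKEv1 exchange got: whether the peers switched to NAT-T (UDP/4500), whether main mode completed, and whether any quick mode packet was sent in either direction. The embedded sample is the capture from the post, kept in the line-wrapped form in which it arrived through the list. The tcpdump strings it matches ("phase 1 I ident", "phase 2/others ... oakley-quick", "NONESP-encap", "[E]") are what tcpdump's ISAKMP decoder prints; the wording of the findings is my own interpretation.

```python
import re

# Capture from the post, kept exactly as it arrived through the mailing
# list: the mailer wrapped every tcpdump record onto two or three lines.
SAMPLE_CAPTURE = """\
16:56:28.391047 IP ip-10-104-164-139.eu-west-1.compute.internal.isakmp
> vpn_cisco_gateway.isakmp: isakmp: phase 1 I ident
16:56:28.470397 IP vpn_cisco_gateway.isakmp >
ip-10-104-164-139.eu-west-1.compute.internal.isakmp: isakmp: phase 1 R ident
16:56:28.485469 IP ip-10-104-164-139.eu-west-1.compute.internal.isakmp
> vpn_cisco_gateway.isakmp: isakmp: phase 1 I ident
16:56:28.566259 IP vpn_cisco_gateway.isakmp >
ip-10-104-164-139.eu-west-1.compute.internal.isakmp: isakmp: phase 1 R ident
16:56:28.648297 IP ip-10-104-164-139.eu-west-1.compute.internal.ipsec-nat-t
> vpn_cisco_gateway.ipsec-nat-t: NONESP-encap: isakmp: phase 1 I ident[E]
16:56:28.731272 IP vpn_cisco_gateway.ipsec-nat-t >
ip-10-104-164-139.eu-west-1.compute.internal.ipsec-nat-t: NONESP-encap:
isakmp: phase 1 R ident[E]
16:56:52.596800 IP ip-10-104-164-139.eu-west-1.compute.internal.ipsec-nat-t
> vpn_cisco_gateway.ipsec-nat-t: isakmp-nat-keep-alive
"""

# A record starts with a tcpdump timestamp; any other line is a wrapped tail.
TIMESTAMP_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")
RECORD_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
# tcpdump prints "phase 1 <I|R> ident" for main mode and
# "phase 2/others <I|R|?> oakley-quick" for quick mode; "[E]" marks an
# encrypted payload.
EXCHANGE_RE = re.compile(r"phase (?P<phase>1|2/others) (?P<role>[IR?]) (?P<exch>\S+)")


def unwrap(text):
    """Re-join tcpdump records that a mail client wrapped onto several lines."""
    records = []
    for line in text.splitlines():
        if TIMESTAMP_RE.match(line):
            records.append(line.rstrip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records


def split_host(name):
    """'host.isakmp' -> ('host', 'isakmp'); tcpdump appends the port name."""
    host, _, port = name.rpartition(".")
    return host, port


def parse_record(record):
    """Break one tcpdump ISAKMP record into the fields the analysis needs."""
    m = RECORD_RE.match(record)
    if not m:
        return None
    src_host, src_port = split_host(m.group("src"))
    dst_host, _ = split_host(m.group("dst"))
    rest = m.group("rest")
    info = {
        "ts": m.group("ts"), "src": src_host, "dst": dst_host,
        # NAT-T: UDP/4500 ("ipsec-nat-t") or the non-ESP marker tcpdump prints
        "nat_t": src_port == "ipsec-nat-t" or "NONESP-encap" in rest,
        "encrypted": "[E]" in rest,
        "keepalive": "isakmp-nat-keep-alive" in rest,
        "phase": None, "role": None, "exchange": None,
    }
    x = EXCHANGE_RE.search(rest)
    if x:
        info["phase"], info["role"] = x.group("phase"), x.group("role")
        info["exchange"] = re.sub(r"\[E\]$", "", x.group("exch"))
    return info


def analyse(text):
    """Summarise how far the IKEv1 negotiation got and where it stopped."""
    recs = [r for r in map(parse_record, unwrap(text)) if r]
    phase1 = [r for r in recs if r["phase"] == "1"]
    phase2 = [r for r in recs if r["phase"] == "2/others"]
    keepalives = [r for r in recs if r["keepalive"]]
    initiator = recs[0]["src"] if recs else None
    # Main mode is six messages; 5 and 6 carry the encrypted identities, so an
    # encrypted message from the responder means phase 1 finished on the wire.
    phase1_complete = any(r["encrypted"] and r["role"] == "R" for r in phase1)
    findings = []
    if any(r["nat_t"] for r in recs):
        findings.append("NAT-T in use: negotiation moved to UDP/4500, so a NAT sits between the peers")
    if phase1_complete:
        findings.append("phase 1 (main mode) completed: responder answered the encrypted ID exchange")
    if phase1_complete and not phase2:
        findings.append("no quick mode packet in either direction: the initiator never sent its "
                        "first phase 2 message, so the hold-up is on the initiator side "
                        "(something it waits for before quick mode), not a rejected ESP proposal")
    elif phase2 and all(r["src"] == initiator for r in phase2):
        findings.append("initiator sent quick mode but the responder never replied: check the "
                        "responder's ESP proposal, traffic selectors and phase 2 over UDP/4500")
    if keepalives and not phase2:
        findings.append("only NAT keepalives follow: the ISAKMP SA is up but idle")
    return {"records": len(recs), "phase1_messages": len(phase1),
            "phase2_messages": len(phase2), "keepalives": len(keepalives),
            "nat_t": any(r["nat_t"] for r in recs), "phase1_complete": phase1_complete,
            "initiator": initiator, "findings": findings}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_CAPTURE).items():
        print(f"{key}: {value}")
```

On the capture above it reports that main mode completed over NAT-T but that no quick mode message was ever sent by either side, which narrows the search to the client (what it is waiting for before starting phase 2) rather than to the Cisco transform set. Feed it any other tcpdump ISAKMP capture, wrapped or not, the same way.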