[strongSwan] remote access tunnels: strongSwan (initiator) <--> CISCO ASA
Sorin Laposi
sorin.l at mail.com
Fri Mar 10 16:58:37 CET 2017
I am a strongSwan/IPsec newbie experimenting and trying to set up a remote
access tunnel from a Debian host running strongSwan to a CISCO ASA.
ASCII-drawing of my network (also attached in the .tar.gz):
                 eth1            outside       inside
+--------------+      +--------+        +-----------+         +-----+
|Debian testing|------|  hub   |--------| CISCO ASA |---------| PC  |
+--------------+      +--------+        +-----------+         +-----+
 192.168.0.207            |
                          |
                    +-----------+
                    |Debian     |
                    |(W-shark)  |
                    +-----------+
                     192.168.0.1
* Debian testing (IPsec road warrior running strongSwan 5.5.1):
IP: 192.168.0.207/24
firewall: disabled, default policy: ACCEPT on all chains
* CISCO ASA 5506:
outside: 192.168.0.201/24
inside: 10.30.0.1/24
--8<----
ciscoasa(config)# show version
Cisco Adaptive Security Appliance Software Version 9.6(1)
Device Manager Version 7.6(1)
-->8----
* PC:
IP: 10.30.0.2/24
default gw: 10.30.0.1 (ASA)
* Debian (Wireshark sniffer): used to capture IKEv1, ESP
IP: 192.168.0.1/24
My first/immediate problem is that if I do not name the tunnel-group
"192.168.0.207" (the IP of the tunnel initiator host) I can't get the tunnel up.
I'd like to be able to have different tunnel-group names (like: "tunnel-group
marketing", "tunnel-group economy", etc.) and not something like
"tunnel-group 192.168.0.207" because this is silly. Plus I can't know
beforehand what IP-addresses my roaming clients are going to have in a
real-world scenario.
The second issue I have is that when I manage to get the tunnel established
(by having "tunnel-group 192.168.0.207" on ASA) I still can't get traffic
through the tunnel (for example ping the PC from the Debian testing host).
I am providing logs, config files and network captures for my two test cases
in the attached tarball.
Any help/hint about what I am doing wrong or missing is greatly appreciated!
Oh, one more thing: is there any convenient way to do online searches in
the mailing list archive?
---
Sorin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: logs.tar.gz
Type: application/octet-stream
Size: 40778 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170310/8e6cb72d/attachment-0001.obj>
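An added example, not part of the original post and not a configuration from the strongSwan project or from the attached tarball, of what the strongSwan side of such a road-warrior connection can look like when a tunnel-group name rather than the client address is to select the ASA tunnel-group. With IKEv1 main mode and a pre-shared key the responder has to pick the key, and with it the tunnel-group, from the peer address alone, because the ID payload only arrives encrypted under that key; that is why only a tunnel-group named after the client IP matches in that case. In aggressive mode the initiator sends its ID in the first message, and a Cisco ASA expects the tunnel-group name there as an ID_KEY_ID identity. strongSwan spells a KEY_ID as `@#` followed by the identity bytes in hex. The POSIX sh script below encodes a group name that way and emits a matching `conn` section together with the `ipsec.secrets` lines. The group name "marketing", the XAUTH user "sorin", the pre-shared key, the XAUTH password and the IKE/ESP proposals are placeholders chosen here and must match the ASA; the ASA outside address 192.168.0.201 and the inside network 10.30.0.0/24 are taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): generate a strongSwan 5.5.x
# ipsec.conf road-warrior connection that presents a Cisco ASA tunnel-group
# name as its IKEv1 identity, so the ASA can match a named tunnel-group
# ("marketing") instead of one named after the client's IP address.
#
# Assumptions (not in the original post): the tunnel-group name, the XAUTH
# user, the PSK, the XAUTH password and the proposal strings are placeholders
# chosen here and must match the ASA configuration. The ASA address
# (192.168.0.201) and the inside subnet (10.30.0.0/24) come from the post.

# strongSwan writes an ID_KEY_ID identity as "@#" followed by the bytes in
# hex. A Cisco ASA carries the tunnel-group name in exactly that ID type in
# IKEv1 aggressive mode, so "marketing" becomes "@#6d61726b6574696e67".
keyid_hex() {
    printf '@#%s' "$(printf '%s' "$1" | od -An -tx1 | tr -d ' \n')"
}

# Emit the conn section for one tunnel-group. $1 = group name, $2 = XAUTH user.
asa_conn() {
    group=$1
    user=$2
    cat <<EOF
conn asa-$group
    keyexchange=ikev1
    # Aggressive mode is what lets the ASA see the group name before it has
    # to choose a tunnel-group and pre-shared key. strongSwan only initiates
    # aggressive mode with a PSK if strongswan.conf contains
    #   charon.i_dont_care_about_security_and_use_aggressive_mode_psk = yes
    aggressive=yes
    # Placeholder proposals; they must be covered by the ASA's
    # "crypto ikev1 policy" and transform-set.
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    left=%defaultroute
    # Our IKE identity: the tunnel-group name as ID_KEY_ID.
    leftid=$(keyid_hex "$group")
    leftauth=psk
    leftauth2=xauth
    xauth_identity=$user
    # Request a virtual IP through IKEv1 mode config. A remote-access
    # tunnel-group on the ASA assigns the client an address from its pool,
    # and the ASA's policy is built for that address, not the physical one.
    leftsourceip=%config
    right=192.168.0.201
    rightauth=psk
    rightsubnet=10.30.0.0/24
    auto=add
EOF
}

# Emit the matching ipsec.secrets entries: the PSK is selected by the two IKE
# identities (our KEY_ID and the ASA address), the XAUTH line by user name.
# $1 = group name, $2 = XAUTH user, $3 = PSK, $4 = XAUTH password.
asa_secrets() {
    group=$1
    user=$2
    psk=$3
    password=$4
    printf '%s 192.168.0.201 : PSK "%s"\n' "$(keyid_hex "$group")" "$psk"
    printf '%s : XAUTH "%s"\n' "$user" "$password"
}

# Run directly as: ./gen-asa-conn.sh marketing sorin > /etc/ipsec.d/asa.conf
if [ "$#" -eq 2 ]; then
    asa_conn "$1" "$2"
fi
```

The counterpart on the ASA is a `tunnel-group marketing type remote-access` whose `ipsec-attributes` carry the same `ikev1 pre-shared-key` and whose `general-attributes` name an `address-pool`; a second group such as "economy" only needs another call of the two functions with that name, since the ASA then tells the groups apart by the ID_KEY_ID and not by the client's address.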