[strongSwan] Two problems with cisco and sonicwall.
Jordi Casanellas
matalaaranya at gmail.com
Sun Mar 19 14:20:30 CET 2017
Hello,
I followed the SonicWall manual to the letter, but after 48h the tunnel
drops and there is no possibility of bringing the tunnel up from either side.
I can only bring it up by going into the SonicWall and, in the VPN, clicking
renegotiate. (I restart ipsec and force the tunnel up and it does not work;
only renegotiating in the SonicWall works.)
The parameters you mention ("In sonicwall, activate keep alive in the
advanced tab, in ipsec.conf put auto=start") I already have set as you told
me, following the tutorial.
I give you route table 220:
ip route show table 220
172.20.1.0/24 dev eth0 scope link
I only see the route of the SonicWall VPN, and I have 3 more up:
2 Cisco and a Zyxel.
In all of them something similar happens to me: there is no traffic, and only
from one side, or by renegotiating with it, does the VPN work correctly.
If you need more data, I'll give it to you.
I also give you the iptables in case it helps (with the IPs disguised).
~# iptables -L
-- START ---
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp flags:ACK/ACK
ACCEPT all -- anywhere anywhere state ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED
ACCEPT udp -- anywhere anywhere udp spt:domain dpts:1024:65535
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp parameter-problem
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:auth
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp multiport dports smtp,submission
ACCEPT tcp -- anywhere anywhere tcp dpts:ftp-data:ftp
ACCEPT tcp -- anywhere anywhere tcp multiport dports pop3,pop3s
ACCEPT tcp -- anywhere anywhere tcp multiport dports imap2,imap3,imaps
ACCEPT tcp -- anywhere anywhere tcp dpts:webmin:10010
ACCEPT tcp -- anywhere anywhere tcp dpt:20000
ACCEPT ah -- anywhere anywhere
ACCEPT esp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t
ACCEPT udp -- anywhere anywhere udp dpts:re-mail-ck:58
ACCEPT tcp -- anywhere anywhere tcp dpts:re-mail-ck:58
ACCEPT all -- 172.20.1.0/24 anywhere
ACCEPT all -- 192.168.4.0/24 anywhere
ACCEPT all -- 192.168.1.0/24 anywhere
ACCEPT all -- 192.168.3.0/24 anywhere
ACCEPT all -- 192.168.3.0/24 anywhere
ACCEPT all -- 192.168.6.0/24 anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 172.20.1.0/24 10.200.1.0/24 policy match dir in pol ipsec reqid 1 proto esp
ACCEPT all -- 10.200.1.0/24 172.20.1.0/24 policy match dir out pol ipsec reqid 1 proto esp
ACCEPT all -- 10.200.1.0/24 192.168.3.0/24 policy match dir out pol ipsec reqid 1 proto esp
ACCEPT all -- 192.168.3.0/24 10.200.1.0/24 policy match dir in pol ipsec reqid 1 proto esp
ACCEPT all -- 192.168.4.0/24 10.200.1.0/24 policy match dir in pol ipsec reqid 1 proto esp
ACCEPT all -- 10.200.1.0/24 192.168.4.0/24 policy match dir out pol ipsec reqid 1 proto esp
ACCEPT all -- 192.168.6.0/24 10.200.1.0/24 policy match dir in pol ipsec reqid 1 proto esp
ACCEPT all -- 10.200.1.0/24 192.168.6.0/24 policy match dir out pol ipsec reqid 1 proto esp
ACCEPT all -- 192.168.6.0/24 10.200.1.0/24 policy match dir in pol ipsec reqid 1 proto esp
ACCEPT all -- 10.200.1.0/24 192.168.1.0/24 policy match dir out pol ipsec reqid 1 proto esp
ACCEPT all -- 192.168.1.0/24 10.200.1.0/24 policy match dir in pol ipsec reqid 1 proto esp
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere 205.red-80-32-138.staticip.rima-tde.net udp dpt:isakmp
ACCEPT esp -- anywhere 205.red-80-32-138.staticip.rima-tde.net
ACCEPT udp -- anywhere 8x.1xx.1.2x.static.user.ono.com udp dpt:isakmp
ACCEPT esp -- anywhere 8x.1xx.1.2x.static.user.ono.com
ACCEPT udp -- anywhere default udp dpt:isakmp
ACCEPT esp -- anywhere default
----- END ---
As I understand it, the table 220 routes are not necessary as long as this is
correct in the policies. (Maybe I misunderstood.)
ip xfrm policy
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main
When I force the VPN up, the correct routes appear.
Also, I do not know if this is normal: from the Debian host where I have
strongSwan installed I cannot reach any subnet of any VPN that is up. I do not
know if this is normal.
Thank you!
2017-03-19 10:38 GMT+01:00 Faycal BEKHTI <f.bekhti at paris-turf.com>:
> Hello,
>
> In the SonicWall, activate keep alive in the advanced tab; in ipsec.conf put
> auto=start
>
> https://support.sonicwall.com/kb/sw13753
>
> Download Outlook for Android <https://aka.ms/ghei36>
>
> ------------------------------
> *From:* Users <users-bounces at lists.strongswan.org> on behalf of Jordi
> Casanellas <matalaaranya at gmail.com>
> *Sent:* Friday, March 17, 2017 8:10:57 AM
> *To:* users at lists.strongswan.org
> *Subject:* [strongSwan] Two problems with cisco and sonicwall.
>
> Hello,
>
> I have a strongSwan configured to connect to a SonicWall. The tunnel is OK
> and works perfectly, but after 8h it disconnects and does not renegotiate;
> in the SonicWall, clicking the renegotiate button makes it work perfectly.
> Can you help me?
>
> With a Cisco ASA I have another problem: the tunnel only comes up when a
> ping is created on the Cisco towards strongSwan.
>
> From my strongSwan, ping to any VPN subnet does not work.
>
> Thank you!
>
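An added check, not code from the thread: the `ip xfrm policy` output quoted above contains only the default socket policies, which is what the kernel shows when no IPsec tunnel is installed and why table 220 has no routes for it. The script below parses that output and reports which expected subnet pairs have no in/out IPsec policy; the sample output and the gateway addresses in it are constructed, and the subnet pairs are the ones from the FORWARD rules.

```python
import re
import subprocess

# Constructed sample output (not from the mail): first the socket-only policies
# the mail shows, then what a working tunnel 172.20.1.0/24 <-> 10.200.1.0/24 adds.
SOCKET_ONLY = """\
src 0.0.0.0/0 dst 0.0.0.0/0
\tsocket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
\tsocket out priority 0 ptype main
"""
TUNNEL_UP = SOCKET_ONLY + """\
src 172.20.1.0/24 dst 10.200.1.0/24
\tdir out priority 375423 ptype main
\ttmpl src 198.51.100.1 dst 203.0.113.1
\t\tproto esp reqid 1 mode tunnel
src 10.200.1.0/24 dst 172.20.1.0/24
\tdir in priority 375423 ptype main
\ttmpl src 203.0.113.1 dst 198.51.100.1
\t\tproto esp reqid 1 mode tunnel
"""
HEADER = re.compile(r"^src (\S+) dst (\S+)$")
POLICY = re.compile(r"^\s+(dir|socket) (in|out|fwd) ")

def parse_policies(text):
    """Return {(src, dst, direction)} for real (non-socket) policies only."""
    found, src, dst = set(), None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            src, dst = m.groups()  # selector line starts a new policy entry
            continue
        m = POLICY.match(line)
        if m and m.group(1) == "dir" and src:  # skip the always-present socket policies
            found.add((src, dst, m.group(2)))
    return found

def tunnel_installed(text, local, remote):
    """A tunnel is up only if both the out and the in policy for the pair exist."""
    pols = parse_policies(text)
    return (local, remote, "out") in pols and (remote, local, "in") in pols

def missing_tunnels(text, expected):
    """(local, remote) pairs from `expected` with no IPsec policy installed."""
    return [p for p in expected if not tunnel_installed(text, *p)]

if __name__ == "__main__":  # read-only live check on the strongSwan host
    live = subprocess.run(["ip", "xfrm", "policy"], capture_output=True, text=True).stdout
    for pair in missing_tunnels(live, [("172.20.1.0/24", "10.200.1.0/24")]):
        print("no IPsec policy installed for", pair)
```

Running it periodically (cron or a monitoring agent) turns "the tunnel silently dropped" into an alert instead of something discovered 48h later.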