[strongSwan] Two problems with cisco and sonicwall.
Jordi Casanellas
matalaaranya at gmail.com
Tue Mar 21 13:18:08 CET 2017
Hello,
I have a solution with SonicWall.
I have a problem with a Cisco ASA.
My VPN only works when pinging from the Cisco to strongSwan; pinging from strongSwan to
the Cisco does not work.
*ipsec statusall (not up tunnel)*
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64,
x86_64):
uptime: 55 seconds, since Mar 21 13:07:21 2017
malloc: sbrk 1462272, mmap 0, used 295840, free 1166432
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 0
loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation
constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl
fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default
stroke updown
Listening IP addresses:
81.25.126.250
10.200.1.1
Connections:
evindustria: 81.25.126.250...80.28.231.246 IKEv1
evindustria: local: uses pre-shared key authentication
evindustria: remote: uses pre-shared key authentication
evindustria: child: 10.200.1.0/24 === 192.168.1.0/24 TUNNEL
Security Associations (0 up, 0 connecting):
none
*ipsec statusall (up tunnel ping cisco to strongswan):*
ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64,
x86_64):
uptime: 4 minutes, since Mar 21 13:07:21 2017
malloc: sbrk 1462272, mmap 0, used 312352, free 1149920
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 1
loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation
constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl
fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default
stroke updown
Listening IP addresses:
81.25.126.250
10.200.1.1
Connections:
evindustria: 81.25.126.250...80.28.231.246 IKEv1
evindustria: local: [81.25.126.250] uses pre-shared key authentication
evindustria: remote: uses pre-shared key authentication
evindustria: child: 10.200.1.0/24 === 192.168.1.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
evindustria[31]: ESTABLISHED 12 seconds ago,
81.25.126.250[81.25.126.250]...80.28.231.246[80.28.231.246]
evindustria[31]: IKEv1 SPIs: 9e663b4657e88fe0_i* 75b645cf74cacf00_r,
rekeying disabled
evindustria[31]: IKE proposal:
3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
evindustria[31]: Tasks queued: QUICK_MODE
evindustria[31]: Tasks active: MODE_CONFIG
evindustria{1}: INSTALLED, TUNNEL, ESP SPIs: c3c119e2_i dc7652ea_o
evindustria{1}: 3DES_CBC/HMAC_SHA1_96, 400 bytes_i (4 pkts, 6s ago), 400
bytes_o (4 pkts, 6s ago), rekeying disabled
evindustria{1}: 10.200.1.0/24 === 192.168.1.0/24
*iptables-save*
is empty (but vpn to sonicwall is working perfectly).
*ip route show table all*
default via 81.25.126.1 dev eth0
10.200.1.0/24 dev eth1 proto kernel scope link src 10.200.1.1
81.25.126.0/24 dev eth0 proto kernel scope link src 81.25.126.250
broadcast 10.200.1.0 dev eth1 table local proto kernel scope link src
10.200.1.1
local 10.200.1.1 dev eth1 table local proto kernel scope host src
10.200.1.1
broadcast 10.200.1.255 dev eth1 table local proto kernel scope link src
10.200.1.1
broadcast 81.25.126.0 dev eth0 table local proto kernel scope link src
81.25.126.250
local 81.25.126.250 dev eth0 table local proto kernel scope host src
81.25.126.250
broadcast 81.25.126.255 dev eth0 table local proto kernel scope link
src 81.25.126.250
broadcast 127.0.0.0 dev lo table local proto kernel scope link src
127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src
127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link
src 127.0.0.1
unreachable default dev lo table unspec proto kernel metric 4294967295
error -101
local ::1 dev lo proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth1 proto kernel metric 256
unreachable default dev lo table unspec proto kernel metric 4294967295
error -101
local ::1 dev lo table local proto none metric 0
local fe80::dc16:64ff:fe75:7721 dev lo table local proto none metric 0
local fe80::f49f:97ff:feac:5e0f dev lo table local proto none metric 0
ff00::/8 dev eth0 table local metric 256
ff00::/8 dev eth1 table local metric 256
unreachable default dev lo table unspec proto kernel metric 4294967295
error -101
*Config vpn:*
config setup
conn evindustria
    left=81.25.126.250
    leftsourceip=10.200.1.1
    leftsubnet=10.200.1.0/24
    leftid=%any
    right=80.28.231.246
    rightid=%any
    rightsubnet=192.168.1.0/24
    #Encryption
    keyingtries=3
    esp=3des-sha1-modp1024
    ike=3des-sha1-modp1024
    authby=secret
    keyexchange=ikev1
    rekey=no
    reauth=no
    #lifetime
    dpdtimeout=15s
    dpddelay=5s
    compress=yes
    #fragmentation=yes
    ikelifetime=60s
    lifetime=86400s
    # This allows the VPN to come up automatically when openswan starts
    auto=add
    type=tunnel
IPSEC Secrets:
81.25.126.250 80.28.231.246 : PSK 'PASSWORD CORRECT'
I am waiting for your answer.
The VPN only works when pinging from the Cisco ASA to strongSwan.
On the other hand, I also have problems with a Fortigate, but let's go step by step.
Thank you very much.
2017-03-21 11:22 GMT+01:00 Noel Kuntze <noel at familie-kuntze.de>:
> Hello Jordi,
>
> Please provide the required information as described on the wiki page
> about help requests[1].
> We can then help you effectively.
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>
> --
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
>
>
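As an added diagnostic example (not part of the mail and not strongSwan's own code), the script below parses `ipsec statusall` output together with the `conn` stanza from the message: it counts established SAs, reads the CHILD_SA byte counters in each direction, and flags the two conditions visible in this thread: no SA while `auto=add` is set (charon then only answers the peer and never initiates, so traffic from the strongSwan side will not bring the tunnel up; `auto=route` installs a trap policy that does, `auto=start` initiates at startup), and a CHILD_SA whose counters grow in only one direction. The sample status and config text are condensed from the mail's own output with the mail-wrapped lines re-joined; the one-way sample is constructed to show what asymmetric counters look like.

```python
import re

# Constructed samples: condensed from the status output and conn stanza in
# the mail (wrapped lines re-joined); the one-way case is invented to show
# what asymmetric counters look like.
STATUS_UP = """\
Security Associations (1 up, 0 connecting):
  evindustria[31]: ESTABLISHED 12 seconds ago, 81.25.126.250[81.25.126.250]...80.28.231.246[80.28.231.246]
  evindustria[31]: IKEv1 SPIs: 9e663b4657e88fe0_i* 75b645cf74cacf00_r, rekeying disabled
  evindustria{1}: INSTALLED, TUNNEL, ESP SPIs: c3c119e2_i dc7652ea_o
  evindustria{1}: 3DES_CBC/HMAC_SHA1_96, 400 bytes_i (4 pkts, 6s ago), 400 bytes_o (4 pkts, 6s ago), rekeying disabled
  evindustria{1}: 10.200.1.0/24 === 192.168.1.0/24
"""
STATUS_DOWN = "Security Associations (0 up, 0 connecting):\n  none\n"
# charon prints "0 bytes_o" without the "(pkts, ago)" detail when nothing was sent
STATUS_ONEWAY = STATUS_UP.replace("400 bytes_o (4 pkts, 6s ago)", "0 bytes_o")
CONF = """\
conn evindustria
    left=81.25.126.250
    leftsubnet=10.200.1.0/24
    right=80.28.231.246
    rightsubnet=192.168.1.0/24
    keyexchange=ikev1
    auto=add
    type=tunnel
"""

SA_HEADER = re.compile(r"Security Associations \((\d+) up, (\d+) connecting\)")
IKE_RE = re.compile(r"^([^\s\[{]+)\[(\d+)\]: (ESTABLISHED|CONNECTING)")
# "<conn>{<id>}: <proposal>, N bytes_i (p pkts, s ago), M bytes_o (p pkts, s ago), ..."
CHILD_RE = re.compile(
    r"^([^\s\[{]+)\{(\d+)\}: [^,]+, (\d+) bytes_i(?: \((\d+) pkts, (\d+)s ago\))?"
    r", (\d+) bytes_o(?: \((\d+) pkts, (\d+)s ago\))?")


def parse_statusall(text):
    """Extract SA counts, IKE_SA states and CHILD_SA traffic counters."""
    summary = {"up": 0, "connecting": 0, "ike_sas": [], "child_sas": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = SA_HEADER.search(line)
        if m:
            summary["up"], summary["connecting"] = int(m.group(1)), int(m.group(2))
            continue
        m = IKE_RE.match(line)
        if m:
            summary["ike_sas"].append(
                {"conn": m.group(1), "id": int(m.group(2)), "state": m.group(3)})
            continue
        m = CHILD_RE.match(line)
        if m:
            summary["child_sas"].append({
                "conn": m.group(1), "id": int(m.group(2)),
                "bytes_in": int(m.group(3)), "pkts_in": int(m.group(4) or 0),
                "bytes_out": int(m.group(6)), "pkts_out": int(m.group(7) or 0)})
    return summary


def conn_setting(conf_text, key, conn=None):
    """Return key's value from the named conn stanza of ipsec.conf, or None."""
    current = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            continue
        if line.startswith("config "):
            current = None
            continue
        if current and (conn is None or current == conn) and "=" in line:
            k, v = (part.strip() for part in line.split("=", 1))
            if k == key:
                return v
    return None


def diagnose(status_text, conf_text, conn="evindustria"):
    """Return findings for the conditions seen in this thread."""
    findings = []
    status = parse_statusall(status_text)
    auto = conn_setting(conf_text, "auto", conn)
    if status["up"] == 0:
        findings.append("no IKE_SA is up")
        if auto == "add":
            findings.append("auto=add: charon only answers the peer; local traffic "
                            "never triggers negotiation (auto=route or auto=start would)")
    for child in status["child_sas"]:
        if child["bytes_in"] and not child["bytes_out"]:
            findings.append(f"{child['conn']}{{{child['id']}}}: traffic received but none "
                            "sent; check local routing/policies for the remote subnet")
        elif child["bytes_out"] and not child["bytes_in"]:
            findings.append(f"{child['conn']}{{{child['id']}}}: traffic sent but none "
                            "received; check the peer side and filtering between the gateways")
    return findings


if __name__ == "__main__":
    for name, text in (("down", STATUS_DOWN), ("up", STATUS_UP), ("one-way", STATUS_ONEWAY)):
        print(name, diagnose(text, CONF))
```

On a live host the same functions can be fed `subprocess.check_output(["ipsec", "statusall"])` and the contents of `/etc/ipsec.conf`; the parser ignores the plugin and routing lines, so the full output is fine as input.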