[strongSwan] Two problems with cisco and sonicwall.

Jordi Casanellas matalaaranya at gmail.com
Tue Mar 21 18:35:34 CET 2017


Hello,

Perfect, I have managed to raise all the tunnels, but now I need to
pass the traffic between each tunnel; I understand that this is
already the subject of iptables.

Could you give me an example of allowing traffic from 10.200.1.1 to
192.168.2.1 and back?

Thank you very much for your help.

2017-03-21 16:38 GMT+01:00 Jordi Casanellas <matalaaranya at gmail.com>:
> Hello,
>
> Thank you very much, I have finally been able to bring up the tunnel
> correctly with the ASA.
>
> I have three tunnels left to raise.
>
> One against a Fortigate, a Zyxel and a Netgear.
>
> Fortigate:
>
>  ipsec statusall
>
> Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64):
>   uptime: 60 seconds, since Mar 21 16:30:24 2017
>   malloc: sbrk 1462272, mmap 0, used 312736, free 1149536
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 1
>   loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
> sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr
> kernel-netlink resolve socket-default stroke updown
> Listening IP addresses:
>   81.25.126.250
>   10.200.1.1
> Connections:
>  evamsterdam:  81.25.126.250...46.16.59.216  IKEv1/2
>  evamsterdam:   local:  [81.25.126.250] uses pre-shared key authentication
>  evamsterdam:   remote: [46.16.59.216] uses pre-shared key authentication
>  evamsterdam:   child:  10.200.1.0/24 === 172.20.1.0/24 TUNNEL
> Routed Connections:
>  evamsterdam{1}:  ROUTED, TUNNEL
>  evamsterdam{1}:   10.200.1.0/24 === 172.20.1.0/24
> Security Associations (1 up, 0 connecting):
>  evamsterdam[3]: CONNECTING, 81.25.126.250[%any]...46.16.59.216[%any]
>  evamsterdam[3]: IKEv2 SPIs: 03306b155e476faf_i* 0000000000000000_r
>  evamsterdam[3]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD
> IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE
> IKE_AUTH_LIFETIME IKE_MOBIKE
>
>
> iptables-save
> is empty (but vpn to sonicwall and cisco is working perfectly).
>
> Configure vpn:
>
>
> config setup
>
> conn evamsterdam
>
>         left=81.25.126.250
>         leftsubnet=10.200.1.0/24
>         leftid=81.25.126.250
>         right=46.16.59.216
>         rightid=46.16.59.216
>         rightsubnet=172.20.1.0/24
>         #Encryption
>         keyingtries=0
>         esp=3des-sha1-modp1024
>         ike=3des-sha1-modp1024
>         keyexchange=ikev1
>         authby=secret
>         rekey=yes
>         #lifetime
>         ikelifetime=60s
>         lifetime=8h
>         auto=route
>         #compress=no
>         #forceencaps=yes
>
> ipsec.secrets is fine.
>
> Error in log:  no IKE config found for 81.25.126.250...95.97.32.250,
> sending NO_PROPOSAL_CHOSEN
>
> Thank you!
>
> 2017-03-21 13:58 GMT+01:00 Noel Kuntze <noel at familie-kuntze.de>:
>> On 21.03.2017 13:18, Jordi Casanellas wrote:
>>> My VPN is working only for ping from Cisco to strongSwan; ping from strongSwan to Cisco is not working.
>>
>>> conn evindustria
>>>         leftsourceip=10.200.1.1
>> That's invalid.
>> Remove leftsourceip.
>>
>>>         esp=3des-sha1-modp1024
>>>         ike=3des-sha1-modp1024
>> Bad cipher suite. Upgrade that.
>>
>>>         # This allows the VPN to come up automatically when openswan starts
>>>         auto=add
>>
>> That's just wrong. "auto=add" only adds the configuration to charon, but doesn't do anything else with it.
>> It's neither initiated, nor used to install trap policies.
>> Configure "auto=route".
>>
>>> The VPN only works by pinging from the Cisco ASA to strongSwan
>>
>> That's because you configured auto=add.
>>
>> Please stop sending HTML formatted emails. Send plaintext instead. It's unnecessarily difficult to handle it.
>>
>> --
>>
>> Mit freundlichen Grüßen/Kind Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>>
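The points Noel makes in the quoted reply (auto=add installs no trap policy, leftsourceip does not belong on this conn, 3des-sha1-modp1024 is a bad suite) and the "no IKE config found for A...B" error all come down to checks one can run against ipsec.conf before starting charon. The script below is an added example, not code from this thread or from the strongSwan project. It parses conn sections flat (an assumed simplification: also= and conn %default inheritance are not applied), treats 3des and modp1024 as weak because the thread says so and the other entries of WEAK_ALGS by the editor's assumption, and matches the log line's address pair against left=/right= with an assumed rule (left equal to A or a wildcard, right equal to B or %any). The sample ipsec.conf is constructed from the two conn fragments quoted above; the second conn's peer 203.0.113.10 is a documentation-range placeholder, and the "charon:" prefix on the sample log line is constructed too.

```python
import re
from typing import Dict, List, Optional, Tuple

Conns = Dict[str, Dict[str, str]]

# Proposal tokens treated as weak: 3des and modp1024 from the thread's "bad
# cipher suite"; the remaining entries are the editor's assumption.
WEAK_ALGS = {"des", "3des", "md5", "modp768", "modp1024", "null"}

# Constructed ipsec.conf: the evamsterdam conn quoted in the thread plus a
# second conn carrying the two settings Noel objected to. Its peer address
# 203.0.113.10 is a documentation-range placeholder, not from the thread.
SAMPLE_CONF = """\
config setup
conn evamsterdam
        left=81.25.126.250
        leftsubnet=10.200.1.0/24
        right=46.16.59.216
        rightsubnet=172.20.1.0/24
        #Encryption
        esp=3des-sha1-modp1024
        ike=3des-sha1-modp1024
        auto=route

conn evindustria
        left=81.25.126.250
        leftsourceip=10.200.1.1
        right=203.0.113.10
        esp=aes256-sha256-modp2048
        ike=aes256-sha256-modp2048
        auto=add
"""

# The charon message quoted in the thread; the "charon:" prefix is constructed.
SAMPLE_LOG = ("charon: no IKE config found for 81.25.126.250...95.97.32.250, "
              "sending NO_PROPOSAL_CHOSEN")

NO_CONFIG_RE = re.compile(r"no IKE config found for (\S+?)\.\.\.(\S+?)(?:,|\s|$)")


def parse_ipsec_conf(text: str) -> Conns:
    """{conn name: {key: value}}; '#' comments and non-conn sections are skipped.
    Simplification: 'also=' and 'conn %default' inheritance are not applied."""
    conns: Conns = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented line: a section header
            parts = line.split()
            current = parts[1] if parts[0] == "conn" and len(parts) == 2 else None
            if current is not None:
                conns[current] = {}
            continue
        if current is None:  # option inside 'config setup' or similar
            continue
        key, sep, val = line.strip().partition("=")
        if sep:
            conns[current][key.strip()] = val.strip()
    return conns


def weak_algorithms(proposal: str) -> List[str]:
    """Weak tokens in a proposal like '3des-sha1-modp1024' (a trailing '!' is ignored)."""
    tokens = re.split(r"[-,]", proposal.strip().rstrip("!"))
    return [t for t in tokens if t.lower() in WEAK_ALGS]


def lint_conns(conns: Conns) -> List[Tuple[str, str]]:
    """Findings as (conn name, message) pairs."""
    findings: List[Tuple[str, str]] = []
    for name, opts in conns.items():
        if opts.get("auto") == "add":
            findings.append((name, "auto=add only loads the conn into charon: no trap policy "
                                   "is installed and nothing is initiated, so traffic from this "
                                   "side never brings the tunnel up (use auto=route or auto=start)"))
        if "leftsourceip" in opts:
            findings.append((name, "leftsourceip requests a virtual IP from the peer and does "
                                   "not belong in a site-to-site conn; remove it"))
        for key in ("ike", "esp"):
            weak = weak_algorithms(opts.get(key, ""))
            if weak:
                findings.append((name, f"{key}={opts[key]} uses weak algorithms: {', '.join(weak)}"))
    return findings


def diagnose_no_ike_config(conns: Conns, log_line: str) -> Tuple[str, str, Optional[str]]:
    """For a 'no IKE config found for A...B' line return (A, B, matching conn or None).
    Matching rule (assumption): left equals A or a wildcard, right equals B or %any."""
    m = NO_CONFIG_RE.search(log_line)
    if not m:
        raise ValueError("not a 'no IKE config found' line")
    local, remote = m.groups()
    for name, opts in conns.items():
        if opts.get("left") in (local, "%any", "%defaultroute") and opts.get("right") in (remote, "%any"):
            return local, remote, name
    return local, remote, None


if __name__ == "__main__":
    conns = parse_ipsec_conf(SAMPLE_CONF)
    print(*lint_conns(conns), diagnose_no_ike_config(conns, SAMPLE_LOG), sep="\n")
```

Run against the sample, the lint reports both of Noel's objections on evindustria and the weak ike=/esp= proposals on evamsterdam, and the diagnosis shows that no conn has right=95.97.32.250, which is exactly why charon answers NO_PROPOSAL_CHOSEN to that peer: the address the Fortigate actually connects from has to appear as right= (or the conn must use right=%any) before the tunnel can be negotiated.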