[strongSwan] strongSwan- Cisco RV042 site-to-site VPN issues
Leon K
leon.kuper at gmail.com
Sun Apr 28 17:24:40 CEST 2019
Hi,
I am experiencing the following issue when setting up an IPsec site-to-site
VPN connection:
Initially everything works fine, but after some period of inactivity
(I still need to figure out when it happens), when I check the status of the VPN
connection/tunnel on both sides, everything looks OK:
Cisco RV042 status "Connected", strongSwan SA (connection) up. But I
can't ping from the Cisco side to strongSwan; pinging is restored only after
the Cisco side is pinged from the strongSwan side.
strongSwan related logs:
    sending keep alive to <Cisco External IP>[500]
    sending DPD request
    generating INFORMATIONAL_V1 request 3168494568 [ HASH N(DPD) ]
    sending packet: from <strongSwan-Internal IP>[4500] to <Cisco External IP>[4500] (76 bytes)
    received packet: from <Cisco External IP>[4500] to <strongSwan-Internal IP>[4500] (76 bytes)
And there are no errors at all; it looks good, but in reality it is far from OK.
Is this a Cisco-side problem, a strongSwan problem, or both?
My ipsec.conf:
    config setup
        charondebug="ike 2, knl 3, cfg 0"

    conn %default
        keyingtries=%forever
        left=%defaultroute
        leftid=34.x.x.x
        leftsubnet=10.x.x.0/24

    conn MyConn
        keyexchange=ikev1
        authby=secret
        type=tunnel
        leftauth=psk
        rightauth=psk
        right=<FQDN-DynDNS>
        rightsubnet=192.x.x.0/24
        rightid=@<FQDN-DynDNS>
        reauth=no
        ike=aes256-sha1-modp1024
        esp=aes256-sha1-modp1024
        ikelifetime=8h
        lifetime=1h
        modeconfig=push
        dpddelay=30
        dpdtimeout=180
        dpdaction=clear
        auto=route
Cisco RV042 (GUI configuration):
    Local Group: IP+Domain Name Authentication
    Remote Group: IP only
    Perfect Forward Secrecy: enabled
    Keep Alive
    DPD interval: 30 sec
I have set up a site-to-site VPN tunnel between an EdgeRouter and this
strongSwan, and everything works as expected, but they are both strongSwan.
Cisco-EdgeRouter is experiencing the same issues as described above.
But Cisco-Cisco and Cisco-other (non-strongSwan) are quite stable.
I need to make a final decision on whether to use strongSwan as a VPN
gateway on an AWS VPC or switch to the AWS VPN gateway. I need your help to figure
out whether to use a Cisco RV042 (or Linksys LRT 224) with strongSwan or not.
Thanks in advance.
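The condition described in this thread (IKE and CHILD_SA shown as up on the strongSwan side while the peer is silent until strongSwan sends traffic) can be caught by a small watchdog. The following is an added example, not code from the original post or from strongSwan; it assumes `ipsec statusall` output in the strongSwan 5.x style, the connection name MyConn, a ping target inside the remote subnet, and a constructed status sample with placeholder addresses and SPIs.

```python
"""Watchdog for the 'SA up but peer unreachable' tunnel state (added example)."""
import re
import subprocess

# Constructed sample in the style of `ipsec statusall`; addresses/SPIs are placeholders.
# Note bytes_o growing while bytes_i stays at 0: the one-sided state described above.
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
     MyConn[3]: ESTABLISHED 47 minutes ago, 34.0.0.1[34.0.0.1]...203.0.113.5[vpn.example.net]
     MyConn{5}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1a2b3c4_i d5e6f7a8_o
     MyConn{5}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 1832 bytes_o (24 pkts, 3s ago), rekeying in 12 minutes
     MyConn{5}:   10.0.0.0/24 === 192.168.1.0/24
"""

IKE_RE = re.compile(r"^\s*(?P<conn>[\w-]+)\[\d+\]:\s+(?P<state>[A-Z]+)", re.M)
CHILD_RE = re.compile(
    r"^\s*(?P<conn>[\w-]+)\{\d+\}:.*?(?P<bi>\d+) bytes_i(?: \((?P<pi>\d+) pkts[^)]*\))?, "
    r"(?P<bo>\d+) bytes_o(?: \((?P<po>\d+) pkts[^)]*\))?", re.M)

def ike_established(status, conn):
    """True if an IKE_SA for conn is in state ESTABLISHED."""
    return any(m["state"] == "ESTABLISHED" for m in IKE_RE.finditer(status) if m["conn"] == conn)

def child_counters(status, conn):
    """Traffic counters of conn's CHILD_SA, or None if no CHILD_SA is installed."""
    for m in CHILD_RE.finditer(status):
        if m["conn"] == conn:
            return {"bytes_i": int(m["bi"]), "pkts_i": int(m["pi"] or 0),
                    "bytes_o": int(m["bo"]), "pkts_o": int(m["po"] or 0)}
    return None

def diagnose(status, conn, peer_answers):
    """'down' (no SAs), 'healthy' (SAs up, peer answers) or 'up-but-dead'."""
    if not ike_established(status, conn) or child_counters(status, conn) is None:
        return "down"
    return "healthy" if peer_answers else "up-but-dead"

def ping_ok(host, count=3):
    """ICMP probe through the tunnel; flags are those of Linux iputils ping."""
    return subprocess.run(["ping", "-c", str(count), "-W", "2", host],
                          stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode == 0

def check_once(conn, probe_host):
    """One watchdog pass: on 'up-but-dead', tear down and re-initiate so both peers renegotiate."""
    status = subprocess.run(["ipsec", "statusall"], capture_output=True, text=True).stdout
    verdict = diagnose(status, conn, ping_ok(probe_host))
    if verdict == "up-but-dead":
        subprocess.run(["ipsec", "down", conn])
        subprocess.run(["ipsec", "up", conn])
    return verdict

if __name__ == "__main__":
    import sys
    print(check_once(sys.argv[1], sys.argv[2]))  # e.g. MyConn 192.168.1.1 (assumed host)
```

Run it from cron or a systemd timer on the strongSwan gateway; the verdict string is also a handy thing to ship to your monitoring so the dead-but-connected state shows up before users report it.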