[strongSwan] strongSwan- Cisco RV042 site-to-site VPN issues

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Sun Apr 28 17:34:10 CEST 2019


Hello Leon,

Please provide all information listed on the HelpRequests page.

Kind regards

Noel

Am 28.04.19 um 17:24 schrieb Leon K:
> Hi,
> 
> I am experiencing the following issue when setting up ipsec site-to-site vpn connection:
> Initially everything works fine, but after some period of inactivity (I still need to figure out when it happens), when I check the status of the VPN connection/tunnel on both sides, everything looks OK:
> Cisco RV042 status "Connected", strongSwan SA (connection) up. But I can't ping from the Cisco side to strongSwan; pinging is restored only after the Cisco side is pinged from the strongSwan side.
> 
> strongSwan related logs:
> 
> sending keep alive to <Cisco External IP>[500]
> sending DPD request
> generating INFORMATIONAL_V1 request 3168494568 [ HASH N(DPD) ]
> sending packet: from  <strongSwan-Internal IP> [4500] to  <Cisco External IP> (76 bytes)
> received packet: from <Cisco External IP>[4500] to <strongSwan-Internal IP>[4500] (76 bytes)
> 
> And there are no errors; it looks good, but in reality it is far from OK.
> 
> Is this a Cisco-side problem, a strongSwan problem, or both?
> 
> My ipsec.conf:
> 
> config setup
>     charondebug="ike 2, knl 3, cfg 0"
> 
> conn %default
>     keyingtries=%forever
>     left=%defaultroute
>     leftid=34.x.x.x
>     leftsubnet=10.x.x.0/24
> 
> conn MyConn
>     keyexchange=ikev1
>     authby=secret
>     type=tunnel
>     leftauth=psk
>     rightauth=psk
>     right=<FQDN-DynDNS>
>     rightsubnet=192.x.x.0/24
>     rightid=@<FQDN-DynDNS>
>     reauth=no
>     ike=aes256-sha1-modp1024
>     esp=aes256-sha1-modp1024
>     ikelifetime=8h
>     lifetime=1h
>     modeconfig=push
>     dpddelay=30
>     dpdtimeout=180
>     dpdaction=clear
>     auto=route
> 
> Cisco RV042 (GUI configuration):
> Local Group:  IP+Domain Name Authentication
> Remote Group: IP only
> 
> Perfect Forward Secrecy - enabled
> Keep Alive
> DPD interval: 30 sec
> 
> I have set up a site-to-site VPN tunnel between an EdgeRouter and this strongSwan, and everything works as expected, but they are both strongSwan.
> 
> Cisco-EdgeRouter is experiencing the same issues as described above.
> 
> But Cisco-Cisco and Cisco-other (non-StrongSwan) are quite stable.
> 
> I need to make a final decision on whether to use strongSwan as a VPN gateway on AWS VPC or switch to the AWS VPN gateway. I need your help to figure out whether to use a Cisco RV042 (or Linksys LRT 224) with strongSwan or not.
> 
> Thanks in advance.
> 

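One check worth running before collecting the HelpRequests data: the symptom described above (both peers report the SA as up, DPD is answered, but packets from the Cisco side never arrive until strongSwan sends first) is visible in the CHILD_SA traffic counters that `ipsec statusall` prints. Comparing two snapshots taken a few minutes apart while the Cisco side is pinging tells you whether ESP is actually arriving or only leaving. The script below is an added example, not code from either poster or from the strongSwan project; the two snapshots are constructed sample output whose connection names, SPIs and addresses are hypothetical, and the parser assumes the CHILD_SA line layout of strongSwan 5.x `ipsec statusall`.

```python
"""Spot a half-open IPsec tunnel from two `ipsec statusall` snapshots.

Both peers can report the SA as up while ESP only flows one way. Comparing the
CHILD_SA byte/packet counters across an interval shows whether inbound traffic
actually arrives. Added example; line layout is assumed to match strongSwan 5.x.
"""
import re

# Matches the CHILD_SA counter line, e.g.
#   MyConn{5}:   AES_CBC_256/HMAC_SHA1_96/MODP_1024, 120400 bytes_i (1023 pkts, 4s ago), 98120 bytes_o (901 pkts, 1s ago), rekeying in 42 minutes
# An SA with no traffic prints "0 bytes_i, 0 bytes_o" without the "(N pkts, ...)" part,
# so that group is optional.
CHILD_RE = re.compile(
    r"^\s*(?P<name>[\w.-]+)\{(?P<id>\d+)\}:\s+\S+,\s+"
    r"(?P<bi>\d+) bytes_i(?: \((?P<pi>\d+) pkts, [^)]*\))?,\s+"
    r"(?P<bo>\d+) bytes_o(?: \((?P<po>\d+) pkts, [^)]*\))?"
)

# Constructed sample snapshots (hypothetical names/addresses), ~5 minutes apart.
# MyConn: outbound counter grows, inbound counter is frozen.
# EdgeConn: no ESP at all in either direction.
SNAPSHOT_T0 = """\
Security Associations (2 up, 0 connecting):
     MyConn[3]: ESTABLISHED 2 hours ago, 10.0.1.5[34.1.2.3]...203.0.113.7[vpn.example.test]
     MyConn{5}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c9a1b2c3_i 0f1e2d3c_o
     MyConn{5}:   AES_CBC_256/HMAC_SHA1_96/MODP_1024, 120400 bytes_i (1023 pkts, 4s ago), 98120 bytes_o (901 pkts, 1s ago), rekeying in 42 minutes
     MyConn{5}:   10.0.1.0/24 === 192.168.1.0/24
   EdgeConn[4]: ESTABLISHED 3 hours ago, 10.0.1.5[34.1.2.3]...198.51.100.9[198.51.100.9]
   EdgeConn{6}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: 11223344_i 55667788_o
   EdgeConn{6}:   AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 10 minutes
   EdgeConn{6}:   10.0.1.0/24 === 172.16.0.0/24
"""
SNAPSHOT_T1 = """\
Security Associations (2 up, 0 connecting):
     MyConn[3]: ESTABLISHED 2 hours ago, 10.0.1.5[34.1.2.3]...203.0.113.7[vpn.example.test]
     MyConn{5}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c9a1b2c3_i 0f1e2d3c_o
     MyConn{5}:   AES_CBC_256/HMAC_SHA1_96/MODP_1024, 120400 bytes_i (1023 pkts, 304s ago), 104300 bytes_o (960 pkts, 2s ago), rekeying in 37 minutes
     MyConn{5}:   10.0.1.0/24 === 192.168.1.0/24
   EdgeConn[4]: ESTABLISHED 3 hours ago, 10.0.1.5[34.1.2.3]...198.51.100.9[198.51.100.9]
   EdgeConn{6}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: 11223344_i 55667788_o
   EdgeConn{6}:   AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 5 minutes
   EdgeConn{6}:   10.0.1.0/24 === 172.16.0.0/24
"""


def parse_child_sas(status_text):
    """Return {(conn_name, child_id): counters} for every CHILD_SA in the output."""
    sas = {}
    for line in status_text.splitlines():
        m = CHILD_RE.match(line)
        if not m:
            continue
        sas[(m["name"], int(m["id"]))] = {
            "bytes_i": int(m["bi"]),
            "bytes_o": int(m["bo"]),
            "pkts_i": int(m["pi"] or 0),
            "pkts_o": int(m["po"] or 0),
        }
    return sas


def diagnose(before, after):
    """Classify each CHILD_SA by how its packet counters moved between snapshots.

    Counters are per CHILD_SA instance, so an SA that was rekeyed in between shows
    up with a new {id} and is reported rather than compared.
    """
    verdicts = {}
    for key, now in after.items():
        prev = before.get(key)
        if prev is None:
            verdicts[key] = "new SA: rekeyed or re-established between snapshots"
            continue
        d_in = now["pkts_i"] - prev["pkts_i"]
        d_out = now["pkts_o"] - prev["pkts_o"]
        if d_in > 0 and d_out > 0:
            verdicts[key] = "bidirectional"
        elif d_out > 0:
            verdicts[key] = "one-way: sending ESP, nothing received"
        elif d_in > 0:
            verdicts[key] = "one-way: receiving ESP, sending nothing"
        else:
            verdicts[key] = "idle: no ESP either way (only IKE keepalive/DPD)"
    return verdicts


def diagnose_text(t0_text, t1_text):
    """Convenience wrapper: raw statusall text in, verdict per CHILD_SA out."""
    return diagnose(parse_child_sas(t0_text), parse_child_sas(t1_text))


if __name__ == "__main__":
    for (name, cid), verdict in sorted(diagnose_text(SNAPSHOT_T0, SNAPSHOT_T1).items()):
        print(f"{name}{{{cid}}}: {verdict}")
```

Run it with real output by replacing the two constants with `ipsec statusall` captures taken before and after the Cisco side pings for a minute. A "one-way: sending ESP, nothing received" verdict on the strongSwan side while the RV042 claims to be sending means the Cisco's packets are not reaching this CHILD_SA (dropped on the path, or sent on an SA that strongSwan no longer holds); "idle" while the Cisco is pinging points the same way. Pair the snapshots with `charondebug` output for `ike 2, knl 3` so the HelpRequests data shows what the SPIs were at the time.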