[strongSwan] Ubuntu and openswan migration to strongswan
Rudi Barnard
rudi at flickswitch.co.za
Sat Feb 16 08:09:48 CET 2019
Hi,
Have been using openswan on Ubuntu 14.04 on AWS EC2 for site-to-site connections (IKEv1 + PSK).
Recently upgraded an image of the Ubuntu EC2 instance from 14.04 to 18.04.
The result is that openswan gets replaced with strongSwan. I eventually did a scratch install of strongSwan and also installed the Cisco plugin for multiple subnet support.
Now testing one of the MANY VPNs we have previously set up on openswan.
Tunnels are up, but ip xfrm policy / state shows no entry, and therefore I assume that there is a config issue.
Very new to strongSwan, so not sure where to start troubleshooting.
Thanks.
Connections:
       Conn1:  %any...%any  IKEv1, dpddelay=300s
       Conn1:   local:  [52.x.x.x] uses pre-shared key authentication
       Conn1:   remote: [196.y.y.y] uses pre-shared key authentication
       Conn1:   child:  52.y.x.y/32 === a.a.a.a/32 b.b.b.b./32 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
       Conn1[3]: ESTABLISHED 2 seconds ago, 196.y.y.y[52.x.x.x]...196.y.y.y[196.y.y.y]
       Conn1:[3]: IKEv1 SPIs: 003afabcd1191ddf_i f84ca9def5333a82_r*, rekeying disabled
       Conn1:[3]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
ip xfrm policy:
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
ipsec.conf
config setup
        strictcrlpolicy=yes
        uniqueids = no
        charondebug="ike 1, knl 1, cfg 0"

# Add connections here.
conn Conn1
        auto=start
        compress=no
        type=tunnel
        keyexchange=ikev1
        fragmentation=yes
        forceencaps=yes
        dpdaction=clear
        dpddelay=300s
        rekey=no
        aggressive=no
        authby=psk
        ike=3des-md5-modp1024
        ikelifetime=86400s
        esp=3des-md5-modp1024
        lifetime=3600s
        leftauth=psk
        left=%defaultroute    # (also tried %any, but same result)
        leftid=52.x.x.x
        leftsubnet=52.y.x.y/32
        rightauth=psk
        rightid=196.y.y.y
        rightsubnet=a.a.a.a/b.b.b.b/32
Also currently still using iptables entries from the legacy openswan configuration for rightsubnet SNAT:
iptables -t nat -A POSTROUTING -s 172.x.x.x/32 -d a.a.a.a/32 -j SNAT --to 52.y.x.y
iptables -t nat -A POSTROUTING -s 172.x.x.x/32 -d b.b.b.b/32 -j SNAT --to 52.y.x.y
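Added note and example (not part of the message above, and not strongSwan's own tooling): in strongSwan's status output the IKE_SA appears as `Conn1[3]: ESTABLISHED ...`, while a negotiated CHILD_SA appears as a separate `Conn1{1}: INSTALLED, TUNNEL, ...` line, and only installed CHILD_SAs produce `ip xfrm policy`/`state` entries; the status quoted above has the former but none of the latter. The Python below parses a constructed status sample in that format (RFC 5737 documentation addresses), reports connections with an IKE_SA but no CHILD_SA plus weak proposal parts, and validates a leftsubnet/rightsubnet value as the comma-separated CIDR list strongSwan expects.

```python
import ipaddress, re

# Constructed sample after the `ipsec statusall` output in the post (RFC 5737 addresses):
# Conn1 mirrors the post (IKE_SA up, no CHILD_SA); Conn2 is a healthy tunnel for contrast.
STATUS = """\
Security Associations (2 up, 0 connecting):
   Conn1[3]: ESTABLISHED 2 seconds ago, 203.0.113.10[203.0.113.10]...198.51.100.1[198.51.100.1]
   Conn1[3]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
   Conn2[4]: ESTABLISHED 12 minutes ago, 203.0.113.10[203.0.113.10]...192.0.2.7[192.0.2.7]
   Conn2{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c1a2b3c4_i d5e6f7a8_o
"""
WEAK = ("3DES", "MD5", "MODP_1024", "MODP_768")        # proposal parts worth flagging
IKE_LINE = re.compile(r"\s*(\S+?)\[\d+\]:\s+(.*)")     # "Conn1[3]: ..."  -> IKE_SA
CHILD_LINE = re.compile(r"\s*(\S+?)\{\d+\}:\s+(.*)")   # "Conn1{1}: ..."  -> CHILD_SA

def audit_status(text):
    """Per connection: IKE_SA established?, installed CHILD_SA count, weak proposal parts."""
    result = {}
    for line in text.splitlines():
        for pat, kind in ((IKE_LINE, "ike"), (CHILD_LINE, "child")):
            if m := pat.match(line):
                name, rest = m.groups()
                e = result.setdefault(name, {"ike": False, "child": 0, "weak": []})
                if kind == "ike" and rest.startswith("ESTABLISHED"):
                    e["ike"] = True
                elif kind == "ike" and rest.startswith("IKE proposal:"):
                    e["weak"] += [w for w in WEAK if w in rest]
                elif kind == "child" and rest.startswith("INSTALLED"):
                    e["child"] += 1
    return result

def findings(result):
    """Human-readable problems; empty when every tunnel looks sane."""
    out = []
    for name, e in result.items():
        if e["ike"] and e["child"] == 0:
            out.append(f"{name}: IKE_SA up but no CHILD_SA installed, so ip xfrm policy/state stay empty until Quick Mode (Phase 2) succeeds")
        if e["weak"]:
            out.append(f"{name}: weak IKE proposal parts: {', '.join(e['weak'])}")
    return out

def check_subnets(value):
    """Tokens of a leftsubnet/rightsubnet value that are not valid CIDRs (expects 'a/24,b/24')."""
    bad = []
    for tok in (t.strip() for t in value.split(",")):
        try:
            ipaddress.ip_network(tok, strict=False)
        except ValueError:
            bad.append(tok)
    return bad
```

Run `findings(audit_status(open("status.txt").read()))` on a saved `ipsec statusall` capture to get the same report for a real host.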