[strongSwan] AWS VPN to Cisco Unity
Narendra Joshi
narendraj9 at gmail.com
Fri May 1 01:00:48 CEST 2020
Jeff Puro <jeffpuro at gmail.com> writes:
> I have an issue with a pretty standard setup using Strongswan, wherein the
> tunnel comes up properly but the traffic to the actual server is never
> marked for ESP and thus never seems to get onto the tunnel. I've confirmed
> that I do not see any traffic for esp using tcpdump, and when I do
> a traceroute to the server on the right's VPN, it always just goes to the
> internet gateway. The setup is pretty standard, but the key difference is
> the server I am attempting to connect to is using a public IP address
> (which is maybe why it attempts to go to it using the Amazon internet
> gateway). I do not see any routes in table 220 etc. I have tried numerous
> permutations to even the ipsec-tools.conf thinking that this would mark
> traffic as secured, but that doesn't work, I've also tried numerous
> iptables settings to no avail. My primary configuration is as follows:
Can you also share the output of these commands:
1) `ip xfrm policy`
2) `ip xfrm state`
> Software versions:
>
> Ubuntu 16.04
> Strongswan: 5.3.5
>
> Configurations:
>
> ipsec.conf:
>
> config setup
>   charondebug="all"
>
> conn %default
>   ikelifetime=28800s
>   keylife=86400s
>   keyingtries=999
>   keyexchange=ikev1
>   ike=aes256-sha1-modp1536
>   type=tunnel
>
> conn vpn-conn
>   auto=start
>   type=tunnel
>   leftauth=psk
>   rightauth=psk
>   ike=aes256-sha1-modp1536!
>   esp=aes256-sha1!
>   ikelifetime=28800s
>   keylife=86400s
>   left=%defaultroute
>   leftsubnet=18.x.x.x/32
>   right=68.x.x.x
>   rightsubnet=68.x.x.x/32
>   keyingtries=999
>   keyexchange=ikev1
>   reauth=no
>   closeaction=restart
>   dpdaction=restart
>   dpddelay=60s
>   dpdtimeout=150s
--
Narendra Joshi
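The `ip xfrm policy` check asked for above, as an added example that is not part of the thread: the kernel only hands a packet to ESP when its source and destination fall inside an installed `dir out` policy selector, so the first thing to verify is that a policy exists for exactly the leftsubnet/rightsubnet pair in the conn. The sample output and the 18.0.0.5/68.0.0.10 addresses are constructed placeholders, not the poster's hosts; the function names are mine.

```shell
#!/bin/sh
# Constructed sample of `ip xfrm policy` output (placeholder addresses).
# strongSwan installs one policy per direction for a /32-to-/32 tunnel conn.
SAMPLE_XFRM_POLICY='src 18.0.0.5/32 dst 68.0.0.10/32
    dir out priority 2883 ptype main
    tmpl src 18.0.0.5 dst 68.0.0.10
        proto esp reqid 1 mode tunnel
src 68.0.0.10/32 dst 18.0.0.5/32
    dir in priority 2883 ptype main
    tmpl src 68.0.0.10 dst 18.0.0.5
        proto esp reqid 1 mode tunnel'

# has_xfrm_policy SRC_CIDR DST_CIDR DIR [POLICY_TEXT]
# Returns 0 if a policy with exactly that selector and direction exists and
# carries an ESP tunnel-mode template, 1 otherwise. Without a fourth argument
# it runs `ip xfrm policy` on the local host (needs root on the VPN gateway).
has_xfrm_policy() {
    src=$1; dst=$2; dir=$3
    if [ $# -ge 4 ]; then text=$4; else text=$(ip xfrm policy); fi
    printf '%s\n' "$text" | awk -v src="$src" -v dst="$dst" -v dir="$dir" '
        # A policy record starts with "src <cidr> dst <cidr>": remember the selector.
        $1 == "src" && $3 == "dst" { cur_src = $2; cur_dst = $4; cur_dir = ""; next }
        $1 == "dir" { cur_dir = $2; next }
        # "proto esp reqid N mode tunnel" is the template that sends matches to ESP.
        $1 == "proto" && $2 == "esp" && $6 == "tunnel" &&
            cur_src == src && cur_dst == dst && cur_dir == dir { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_tunnel_selectors LEFTSUBNET RIGHTSUBNET [POLICY_TEXT]
# Both directions must be present; with no "out" policy for the pair, packets
# to the peer follow the normal routing table (e.g. the internet gateway).
check_tunnel_selectors() {
    left=$1; right=$2; shift 2
    has_xfrm_policy "$left" "$right" out "$@" \
        || { echo "no out policy $left -> $right: traffic will not be ESP-protected"; return 1; }
    has_xfrm_policy "$right" "$left" in "$@" \
        || { echo "no in policy $right -> $left"; return 2; }
    echo "xfrm policies present for $left <-> $right"
}

check_tunnel_selectors 18.0.0.5/32 68.0.0.10/32 "$SAMPLE_XFRM_POLICY"
```

If the policy exists but the source address the host actually uses for the peer (check with `ip route get <peer>`) is not the one in the selector, the policy will never match even though the tunnel is up.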