[strongSwan] net2net with nat example

2015-07-08 Thread Colin Burrows
Hi,

I've been looking at https://www.strongswan.org/testresults.html in order
to try to find an example of a net2net setup where one device is behind a
NAT. I intend to use such a setup and was hoping for something I could copy,
but I did not find any examples.

Could you kindly send me a link to such an example if one is available?

Thanks,

Colin
___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users

Re: [strongSwan] net2net with nat example

2015-07-08 Thread Eric Germann
This worked for me. This end is in Amazon in a VPC with NAT-T. The other end is a
Cisco ASA. IPs are examples and sanitized, but you'll get the idea.

ipsec.conf
conn vpc-customerXXX

    left            = 172.16.1.1
    leftsubnet      = 172.16.1.0/24
    leftfirewall    = yes
    leftauth        = psk
    leftid          = 100.1.1.1

    right           = 100.2.2.2
    rightsubnet     = 192.168.1.0/24
    rightauth       = psk
    rightfirewall   = yes

    closeaction     = restart
    auto            = route
    fragmentation   = yes
    keyexchange     = ikev1
    reauth          = yes
    forceencaps     = yes
    rekey           = yes
    installpolicy   = yes
    type            = tunnel
    dpdaction       = restart
    dpddelay        = 10s
    dpdtimeout      = 60s
    ikelifetime     = 3600s
    lifetime        = 3600s
    ike             = aes256-sha1-modp1536!
    esp             = aes256-sha1-modp1024!
    aggressive      = no

ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file

: RSA myKey.der

172.16.1.1 : PSK "abcd"
100.2.2.2  : PSK "abcd"

Left is you, right is them.

They connect with your "leftid". When I connect to another strongSwan
instance, I put in the 'rightid' the same as 'right'. On the other end, just
invert the stanzas if it's strongSwan and that is behind NAT (i.e. Amazon
region to region using strongSwan).

Secrets need to reference your left (internal IP) and their right (external IP).

May be redundant, or have some overkill, but it works and is rock solid.

EKG



 On Jul 8, 2015, at 5:28 PM, Colin Burrows colinburrow...@gmail.com wrote:
 
 hi
 
 i've been looking at https://www.strongswan.org/testresults.html in order to try to find an 
 example of a net2net setup where one device is behind a nat. i intend to use 
 such a setup and was hoping for something i could copy but i did not find any 
 examples.
 
 could you kindly send me a link to such an example if one is available.
 
 thanks
 
 colin

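As an added example (not code from this thread or from the strongSwan project), the following Python script checks a conn stanza and its ipsec.secrets against the conventions the reply above describes for a peer behind NAT: forceencaps enabled, a leftid set to the address the remote peer actually sees, PSK authentication on both sides, a PSK line for the local internal address and the remote external address, and no duplicated keys (strongSwan takes the last value, so a duplicate silently overrides an earlier one). The sample files embedded below are constructed from the sanitized addresses in the reply; the function names and the exact wording of the findings are my own.

```python
"""Sanity-check a strongSwan ipsec.conf conn stanza plus ipsec.secrets for a
net2net tunnel where this peer sits behind NAT. Added example for this
thread, not strongSwan tooling; the rules encode the recipe in the reply."""
import re
from collections import Counter

# Constructed sample: the reply's conn stanza, trimmed, with the duplicate
# 'auto' line left in deliberately so the duplicate check has something to find.
IPSEC_CONF = """\
conn vpc-customerXXX
    left        = 172.16.1.1
    leftsubnet  = 172.16.1.0/24
    leftid      = 100.1.1.1
    leftauth    = psk
    right       = 100.2.2.2
    rightsubnet = 192.168.1.0/24
    rightauth   = psk
    auto        = route
    forceencaps = yes
    keyexchange = ikev1
    auto        = route
"""

# Constructed sample secrets file mirroring the reply (placeholder PSK).
IPSEC_SECRETS = """\
# /etc/ipsec.secrets - constructed sample
: RSA myKey.der
172.16.1.1 : PSK "abcd"
100.2.2.2  : PSK "abcd"
"""


def parse_conn(text, name):
    """Return (settings, duplicate_keys) for the named conn stanza.

    Sections start at column 0 ('conn X', 'config setup'); indented
    'key = value' lines belong to the current section. Last value wins."""
    settings, seen, in_conn = {}, Counter(), False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            in_conn = line.split() == ["conn", name]
            continue
        if in_conn and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            seen[key] += 1
            settings[key] = value
    return settings, [k for k, n in seen.items() if n > 1]


def parse_psks(text):
    """Return [(selector_set, secret)] for PSK lines in ipsec.secrets.

    A PSK line with no selectors before ':' applies to any peer ('%any')."""
    psks = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        match = re.match(r'^(.*?):\s*PSK\s+"([^"]*)"\s*$', line)
        if match:
            selectors = frozenset(match.group(1).split()) or frozenset({"%any"})
            psks.append((selectors, match.group(2)))
    return psks


def check_nat_net2net(conf_text, secrets_text, name):
    """Return a list of findings; an empty list means the stanza matches the recipe."""
    settings, dups = parse_conn(conf_text, name)
    findings = [f"duplicate key '{k}' (last value wins)" for k in dups]
    if settings.get("forceencaps") != "yes":
        findings.append("forceencaps should be yes when this peer is behind NAT")
    if "leftid" not in settings:
        findings.append("leftid missing: set it to the address the remote peer sees")
    for side in ("left", "right"):
        if settings.get(f"{side}auth") != "psk":
            findings.append(f"{side}auth is not psk")
    psks = parse_psks(secrets_text)
    local, remote = settings.get("left"), settings.get("right")
    for addr in (local, remote):
        if addr and not any(addr in sel or "%any" in sel for sel, _ in psks):
            findings.append(f"no PSK entry for {addr}")
    # Both peers must hold the same key, so the two entries should agree.
    secrets = {sec for sel, sec in psks if sel & {local, remote}}
    if len(secrets) > 1:
        findings.append("PSK entries for left and right hold different secrets")
    return findings


if __name__ == "__main__":
    for finding in check_nat_net2net(IPSEC_CONF, IPSEC_SECRETS, "vpc-customerXXX"):
        print("finding:", finding)
```

Run against the embedded sample it reports only the duplicated `auto` key; dropping `forceencaps` or the PSK line for the remote address produces the corresponding finding, which is the kind of drift a pre-deployment check like this is meant to catch.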