[strongSwan] Newbie Question... IP ROUTES
Hello,

I am a relative newbie with strongSwan, but I have successfully gotten it installed and working on my CentOS Linux box. I am having a weird issue, but I am sure it will be a quick fix when someone points me in the right direction. First, a brief layout...

    Server 1 (10.0.2.3)
    10.0.2.0/24 network
    10.0.2.1 SonicWall NSA 240 router (static public IP)
    --- internet cloud ---
    (also static public IP) Linux box 10.0.3.1
    10.0.3.0/24 network
    --- Server B (10.0.3.2)

The VPN tunnel is up and running. From Server 1 I can ping 10.0.3.2 and 10.0.3.1 without any issues. However, I cannot ping 10.0.2.3 or 10.0.2.1 from 10.0.3.2. When I run a tracert from 10.0.3.1 to 10.0.2.1, it appears the traffic is going out my router interface instead of over the VPN interface. So my guess as to my problem is I need to add a route so that all traffic from 10.0.3.0 goes to 10.0.2.0. This is the weird part: I have a firewall entry already in there for that.

    # iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  10.0.2.0/24          10.0.3.0/24          policy match dir in pol ipsec reqid 16385 proto esp
    ACCEPT     all  --  10.0.3.0/24          10.0.2.0/24          policy match dir out pol ipsec reqid 16385 proto esp

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

So I am looking for any advice as to what I could be doing wrong here. I feel I am 99% there to perfection...

___
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
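The helper below is an added example, not part of the thread: strongSwan on Linux steers traffic with kernel XFRM policies rather than a route to a VPN interface, so the check for "does this flow go through the tunnel" is the `ip xfrm policy` listing, not the routing table or traceroute. The listing and the public addresses in it are constructed sample data modelled on the subnets above, and the function names `xfrm_policy_covers` and `xfrm_tunnel_complete` are chosen here.

```shell
#!/bin/sh
# Added example, not from the original post. strongSwan installs kernel XFRM
# policies instead of a VPN interface, so `ip xfrm policy` (not the routing
# table) shows whether a subnet pair is covered by the tunnel. The listing
# below is CONSTRUCTED sample output modelled on the thread's subnets; the
# public addresses 203.0.113.1 / 198.51.100.1 are placeholders.

XFRM_POLICY_SAMPLE='src 10.0.3.0/24 dst 10.0.2.0/24
        dir out priority 375423 ptype main
        tmpl src 203.0.113.1 dst 198.51.100.1
                proto esp reqid 16385 mode tunnel
src 10.0.2.0/24 dst 10.0.3.0/24
        dir fwd priority 375423 ptype main
        tmpl src 198.51.100.1 dst 203.0.113.1
                proto esp reqid 16385 mode tunnel
src 10.0.2.0/24 dst 10.0.3.0/24
        dir in priority 375423 ptype main
        tmpl src 198.51.100.1 dst 203.0.113.1
                proto esp reqid 16385 mode tunnel'

# xfrm_policy_covers LISTING SRC DST DIR
# Prints the reqid of the tunnel-mode policy matching exactly this
# src/dst/dir triple and returns 0; returns 1 when no such policy exists.
xfrm_policy_covers() {
    printf '%s\n' "$1" | awk -v src="$2" -v dst="$3" -v dir="$4" '
        /^src /            { cur_src = $2; cur_dst = $4; cur_dir = ""; next }
        /^[ \t]*dir /      { cur_dir = $2; next }
        /^[ \t]*proto esp/ {
            if (cur_src == src && cur_dst == dst && cur_dir == dir && $6 == "tunnel") {
                print $4; found = 1; exit
            }
        }
        END { exit found ? 0 : 1 }'
}

# xfrm_tunnel_complete LISTING LOCAL_SUBNET REMOTE_SUBNET
# LOCAL -> REMOTE needs an "out" policy on this gateway; the reverse pair
# needs "in" (delivered to the gateway itself) and "fwd" (forwarded to the
# LAN) policies. Any one missing breaks traffic in that direction only.
xfrm_tunnel_complete() {
    xfrm_policy_covers "$1" "$2" "$3" out >/dev/null &&
    xfrm_policy_covers "$1" "$3" "$2" in  >/dev/null &&
    xfrm_policy_covers "$1" "$3" "$2" fwd >/dev/null
}

if xfrm_tunnel_complete "$XFRM_POLICY_SAMPLE" 10.0.3.0/24 10.0.2.0/24; then
    echo "10.0.3.0/24 <-> 10.0.2.0/24: all three XFRM policies present"
else
    echo "10.0.3.0/24 <-> 10.0.2.0/24: policy missing, check leftsubnet/rightsubnet"
fi
```

On the live gateway, replace the constructed listing with the real one: `xfrm_tunnel_complete "$(ip xfrm policy show)" 10.0.3.0/24 10.0.2.0/24`.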
[strongSwan] Notification message 40501 connecting to Cisco router
Hi,

This is my first post to this forum. I would like to thank everyone that has worked on this project. I have been using strongSwan in a road warrior configuration to connect to Cisco routers. I have been able to do this with several customers, but recently when I tried to connect to a new customer I received a 40501 Notification message. After doing some research on the Internet I found the following email indicating that this notification relates to Cisco load balancing:

http://sourceforge.net/mailarchive/forum.php?thread_name=alpine.lfd.2.00.0901271415230.2...@oynqr.eqh.erqung.pbzforum_name=ipsec-tools-devel

Has strongSwan been tested with Cisco load balancing? Has anyone else run into this problem? I found a workaround to the problem by connecting to the last server in the load balancing cluster, which does not return the 40501 notification, and the connection works fine. This will do for my initial testing, but without support for load balancing I will not be able to use strongSwan.

The output from the failed connection follows:

    # ipsec up test
    002 test #1: initiating Main Mode
    104 test #1: STATE_MAIN_I1: initiate
    003 test #1: ignoring Vendor ID payload [FRAGMENTATION c000]
    106 test #1: STATE_MAIN_I2: sent MI2, expecting MR2
    003 test #1: ignoring Vendor ID payload [Cisco-Unity]
    003 test #1: received Vendor ID payload [XAUTH]
    003 test #1: ignoring Vendor ID payload [79d4400d1135dfa224392efd403473aa]
    003 test #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
    108 test #1: STATE_MAIN_I3: sent MI3, expecting MR3
    003 test #1: received Vendor ID payload [Dead Peer Detection]
    002 test #1: Peer ID is ID_FQDN: '@test.localdomain'
    002 test #1: ISAKMP SA established
    004 test #1: STATE_MAIN_I4: ISAKMP SA established
    003 test #1: Notify Message Type of ISAKMP Notification Payload has an unknown value: 40501
    003 test #1: malformed payload in packet

Thanks,
Rod
Re: [strongSwan] Notification message 40501 connecting to Cisco router
Hi Rod,

no, strongSwan hasn't been tested with Cisco load balancing and does not recognize the 40501 notification. Probably Cisco wants to redirect the IPsec SA to an alternative VPN gateway.

Best regards

Andreas

rriver...@verizon.net wrote:
> Has strongSwan been tested with Cisco load balancing? Has anyone else run
> into this problem?

==
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===[ITA-HSR]==