left = local and right = remote is just our recommendation in order to help
your orientation. strongSwan works equally well with left and right swapped.
I was just wondering that the remote end used private network addresses which
are not routable.

Best regards

Andreas

On 05/11/2010 05:20 PM, François Van Ingelgom wrote:
> In fact, no, the strongswan side is: left=81.246.56.89
>
> The Cisco IOS: right=192.168.1.218.
>
> I'll try to recreate the configuration tomorrow with the two ends in
> our 81.246.56.64/27 subnet.
>
> From what I understood in ipsec.conf documentation left is the actual
> local machine and right is the remote one, is that correct?
>
> Thanks for your help, I'll post what you asked tomorrow.
>
> François Van Ingelgom -- PCSOL
>
> On 11 May 2010 at 17:08, Andreas Steffen wrote:
>
>> Hello François,
>>
>> I don't see anything special in your configuration file except that
>> it looks like an Openswan configuration.
>>
>> I assume that the strongSwan side is
>>
>>     right=192.168.1.218
>>
>> which makes use of a port forwarding setup (NAT traversal seems not
>> to be enabled) on the router
>>
>>     rightnexthop=192.168.1.1
>>
>> in order to be reachable from the Internet and that
>>
>>     left=81.246.56.89
>>
>> is the Cisco IOS box. In order to give you some help I would need
>> the output of
>>
>>     ipsec statusall
>>
>> and
>>
>>     ip -s xfrm state
>>     ip -s xfrm policy
>>
>> after the successful connection setup and after a failed ping.
>>
>> Best regards
>>
>> Andreas
>>
>> On 05/11/2010 03:47 PM, François Van Ingelgom wrote:
>>> Hi everyone!
>>>
>>> I'm trying to setup Strongswan (debian package) with a Cisco
>>> router (IOS 12.4).
>>>
>>> Both servers are on the same subnet (our public subnet) for
>>> testing purposes.
>>>
>>> Here is my ipsec.conf for strongswan:
>>>
>>>     version 2.0 # conforms to second version of ipsec.conf specification
>>>
>>>     config setup
>>>         interfaces="ipsec0=eth0"
>>>
>>>     conn %default
>>>         ikelifetime=86400
>>>         keylife=3600
>>>         keyingtries=%forever
>>>         authby=secret
>>>         auth=esp
>>>         ike=aes128-sha1-modp1024!
>>>         esp=aes128-sha1!
>>>         pfs=no
>>>         dpdaction=hold
>>>         dpddelay=60
>>>         dpdtimeout=500
>>>
>>>     conn tunnelipsec
>>>         type=tunnel
>>>         auto=start
>>>         left=81.246.56.89
>>>         leftnexthop=81.246.56.65
>>>         leftsubnet=192.168.16.0/24
>>>         right=192.168.1.218
>>>         rightnexthop=192.168.1.1
>>>         rightsubnet=192.168.18.0/24
>>>
>>>     include /etc/ipsec.d/examples/no_oe.conf
>>>
>>> And here is my ipsec.secrets
>>>
>>>     81.246.56.89: PSK "SecretTunnelPass"
>>>
>>> I'm sorry, I don't have the cisco config right here but it's a
>>> classical non tunnel configuration (esp-aes esp-sha-hmac aes128
>>> and sha).
>>>
>>> In fact, the connection can be established but when I try to ping
>>> the other end, the cisco fails claiming that he has no route for
>>> the network connected to the strongswan....
>>>
>>> I really have no idea how to set it up, and I've been searching
>>> for a very long time now :/
>>>
>>> If anybody would have any idea, hints or anything, I'll greatly
>>> appreciate :)
>>>
>>> Thanks a lot
>>>
>>> François Van Ingelgom -- PCSOL

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users