Hi,
I tried to migrate our Openswan VPN (2.6.21) to Strongswan VPN (4.5.1) on our
CentOS 5 server. The Openswan package is from the official CentOS repository
(openswan-2.6.21-5.el5_6.4); the Strongswan package has been built from this spec
file:
http://developer.intra2net.com/git/?p=strongswan-rpm;a=blob_plain;f=strongswan.spec;hb=e2bb0076fce6d44ee80cff4b20d90a0eee1fa689
I slightly modified configuration for IKEv1 keying, ipsec.conf looks like:

config setup
        charonstart=no
        plutodebug="control"

conn %default
        keyexchange=ikev1
        authby=secret

conn CONN
        type=tunnel
        left=A.A.A.A
        leftsubnet=192.168.52.0/24
        right=B.B.B.B
        rightsubnet=10.10.0.0/16
        auto=start
        auth=esp
        ikelifetime=28800s
        keylife=3600s
        compress=no
        ike=3des-sha1-modp1024
        esp=3des-sha1
        pfs=yes
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart

Both ISAKMP and IPsec SA were successfully established, ip xfrm policy output
was the same as output from Openswan. But...
In tcpdump, I saw incoming ESP traffic from B.B.B.B, but no ESP traffic from
our address A.A.A.A. Ping to 10.10.255.1 returned no response, so I think that
policies were in place (with the VPN turned off, ping returned "host unreachable"
from the far away gateway). I added an "iptables -I FORWARD -j ACCEPT" rule to
iptables to rule out a problem with the firewall.
Do you have any idea what can be wrong?
Thanks,
Regards,
Pavel Arnost