I am attempting to use strongSwan 4.5.3-5.4.1 on openSUSE 12.1 (x86_64) to provide an endpoint to a Microsoft Azure Virtual Network using the 90-day free trial preview (https://www.windowsazure.com).
Has anyone else created a successful connection? If so, please can you give me guidance on how to configure strongSwan? My initial configuration will be on openSUSE (where NetworkManager is available) but I hope to move to an OpenWrt router (Backfire 10.03.1) later.

Microsoft provide sample configurations for various devices. The example below is for a Cisco router.

Many thanks in anticipation
--
John Connett

======================================================================
! Microsoft Corporation
! Windows Azure Virtual Network
! This configuration template applies to Cisco ISR 2900 Series Integrated Services Routers running IOS 15.0.
! It configures an IPSec VPN tunnel connecting your on-premise VPN device with the Azure gateway.
! ---------------------------------------------------------------------------------------------------------------------
! ACL rules
!
! Proper ACL rules are needed for permitting cross-premise network traffic.
access-list <RP_AccessList> permit ip <SP_OnPremiseNetworkIpRange> <SP_OnPremiseNetworkWildcardBits> <SP_AzureNetworkIpRange> <SP_AzureNetworkWildcardBits>
! ---------------------------------------------------------------------------------------------------------------------
! Internet Key Exchange (IKE) configuration
!
! This section specifies the authentication, encryption, hashing, Diffie-Hellman, and lifetime parameters for the Phase
! 1 negotiation and the main mode security association. We have picked an arbitrary policy # "10" as an example. If
! that happens to conflict with an existing policy, you may choose to use a different policy #.
crypto isakmp policy 10
  authentication pre-share
  encryption aes
  hash sha
  group 2
  lifetime 28800
  exit
crypto isakmp key <SP_PresharedKey> address <SP_AzureGatewayIpAddress>
! ---------------------------------------------------------------------------------------------------------------------
! IPSec configuration
!
! This section specifies encryption, authentication, tunnel mode properties for the Phase 2 negotiation
crypto ipsec transform-set <RP_IPSecTransformSet> esp-aes esp-sha-hmac
  mode tunnel
  exit
! ---------------------------------------------------------------------------------------------------------------------
! Crypto map configuration
!
! This section defines a crypto map that binds the cross-premise network traffic to the
! IPSec transform set and remote peer. We have picked an arbitrary ID # "10" as an example. If
! that happens to conflict with an existing crypto map, you may choose to use a different ID #.
crypto map <RP_IPSecCryptoMap> 10 ipsec-isakmp
  set peer <SP_AzureGatewayIpAddress>
  set security-association lifetime seconds 3600
  set security-association lifetime kilobytes 102400000
  set transform-set <RP_IPSecTransformSet>
  match address <RP_AccessList>
  exit
! ---------------------------------------------------------------------------------------------------------------------
! External interface configuration
!
! This section binds to the external interface of the router so that the cross-premise network traffic matching the
! traffic selector defined in the crypto map will be properly encrypted and transmitted via the IPSec VPN tunnel. It
! also adjusts the TCPMSS value properly to avoid fragmentation
interface <NameOfYourOutsideInterface>
  no crypto map
  crypto map <RP_IPSecCryptoMap>
  ip tcp adjust-mss 1350
  exit
======================================================================
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
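An added example, not part of the original post or of Microsoft's template: the Cisco parameters above (IKEv1 main mode with a pre-shared key, AES-128/SHA-1/DH group 2 for Phase 1 with a 28800 s lifetime, ESP AES-128/SHA-1 in tunnel mode for Phase 2 with a 3600 s lifetime) translated into a strongSwan 4.x ipsec.conf conn plus the matching ipsec.secrets entry. The `<...>` placeholders are the template's own; the conn name, `%defaultroute` for the local address and the /24 prefix lengths are assumptions to be replaced with the real values.

```ini
# /etc/ipsec.conf  (strongSwan 4.x: IKEv1 is handled by the pluto daemon)
config setup
        plutostart=yes
        charonstart=yes

conn azure
        keyexchange=ikev1
        authby=secret                      # "authentication pre-share"
        # Phase 1 (isakmp policy 10): "encryption aes" is AES-128 by default,
        # "hash sha" is SHA-1, "group 2" is 1024-bit MODP, lifetime 28800 s.
        # The trailing "!" restricts the proposal to exactly this algorithm set.
        ike=aes128-sha1-modp1024!
        ikelifetime=28800s
        # Phase 2 (transform set esp-aes esp-sha-hmac, mode tunnel), lifetime 3600 s.
        # The kilobyte-based lifetime (102400000 KB) has no ipsec.conf equivalent
        # in this release and is left out; the time-based limit still applies.
        esp=aes128-sha1!
        keylife=3600s
        type=tunnel
        # Traffic selector corresponding to the access-list entry, in CIDR form.
        # /24 is an assumed prefix length; use the actual on-premise and Azure ranges.
        left=%defaultroute
        leftsubnet=<SP_OnPremiseNetworkIpRange>/24
        right=<SP_AzureGatewayIpAddress>
        rightsubnet=<SP_AzureNetworkIpRange>/24
        auto=start

# /etc/ipsec.secrets  ("crypto isakmp key <SP_PresharedKey> address <SP_AzureGatewayIpAddress>")
%any <SP_AzureGatewayIpAddress> : PSK "<SP_PresharedKey>"
```

There is no ipsec.conf counterpart to `ip tcp adjust-mss 1350`; on Linux the same clamp is applied with a netfilter TCPMSS rule on the outside interface.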
