On Thu, 26 Jul 2012 10:15:19 +0100, John Connett <[email protected]> wrote:
> I am attempting to use strongSwan 4.5.3-5.4.1 on openSUSE 12.1
> (x86_64) to provide an endpoint to a Microsoft Azure Virtual Network
> using the 90-day free trial preview (https://www.windowsazure.com).

Despite a private e-mail pointing me to
http://wiki.strongswan.org/projects/strongswan/wiki/AwsVpc I have had no
success in creating a tunnel between my HomeNetwork and my CloudSubnet via a
Microsoft Azure Virtual Network. I have almost no experience configuring VPNs
and would appreciate it if anyone with greater familiarity could point me to
my, possibly obvious, errors.

From left to right the network path is roughly as follows:

  HomeNetwork            192.168.199.0/24
  master.home            192.168.199.10 (strongSwan 5.0.0)
  router.home            192.168.199.1 (OpenWrt 10.03.1)
  VPNGatewayAddress      86.30.202.35 (skylon.dyndns.org)
  GatewaySubnet          10.4.1.0/24
  AzureGatewayIpAddress  168.63.60.212
  CloudSubnet            10.4.2.0/24
  TestNetwork            10.4.0.0/16

My router is forwarding ESP; ISAKMP (UDP 500); and IPSEC-NAT-T (UDP 4500) to
the strongSwan host. I have also added a static route from 10.4.2.0/24 to
that host.

Copies of my unsuccessful ipsec.conf and ipsec.secrets files are at the end
of this message. I can capture network traffic at both my router and the
strongSwan host if that will aid diagnosis.

In the following I have attempted to convert the parts of the Microsoft
generated Cisco configuration into strongSwan equivalents. Again, if there
are obvious errors please let me know.

Many thanks
--
John Connett

==== Cisco ISR 2900 - IOS 15.0 =======================================
access-list <RP_AccessList> permit ip <SP_OnPremiseNetworkIpRange> \
    <SP_OnPremiseNetworkWildcardBits> <SP_AzureNetworkIpRange> \
    <SP_AzureNetworkWildcardBits>
crypto isakmp policy 10
    authentication pre-share
    encryption aes
    hash sha
    group 2
    lifetime 28800
exit
crypto isakmp key <SP_PresharedKey> address <SP_AzureGatewayIpAddress>
==== strongSwan 5.0.0 ================================================
conn Azure
    leftsubnet=<SP_OnPremiseNetworkIpRange>/<Bits>
    rightsubnet=<SP_AzureNetworkIpRange>/<Bits>
    keyexchange=ikev2
    authby=psk
    ike=aes128-sha1-modp1024!
    ikelifetime=8h
======================================================================

==== Cisco ISR 2900 - IOS 15.0 =======================================
crypto ipsec transform-set <RP_IPSecTransformSet> esp-aes esp-sha-hmac
    mode tunnel
exit
==== strongSwan 5.0.0 ================================================
conn Azure
    esp=aes128-sha1!
======================================================================

==== Cisco ISR 2900 - IOS 15.0 =======================================
crypto map <RP_IPSecCryptoMap> 10 ipsec-isakmp
    set peer <SP_AzureGatewayIpAddress>
    set security-association lifetime seconds 3600
    set security-association lifetime kilobytes 102400000
    set transform-set <RP_IPSecTransformSet>
    match address <RP_AccessList>
exit
interface <NameOfYourOutsideInterface>
    no crypto map
    crypto map <RP_IPSecCryptoMap>
    ip tcp adjust-mss 1350
exit
==== strongSwan 5.0.0 ================================================
conn Azure
    lifetime=1h
    lifebytes=104857600000
==== Notes ===========================================================
What is the strongSwan equivalent of "set peer"?
======================================================================

==== /usr/local/etc/ipsec.conf =======================================
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    charonstart=yes
    plutostart=no

# VPN connection

conn Azure
    left=192.168.199.10
    leftid=86.30.202.35
    leftsourceip=%config
    leftsubnet=192.168.199.0/24
    leftfirewall=yes
    lefthostaccess=yes
    right=168.63.60.212
    rightsubnet=10.4.2.0/24
    forceencaps=yes
    keyexchange=ikev2
    ike=aes128-sha1-modp1024!
    ikelifetime=8h
    esp=aes128-sha1!
    lifetime=1h
    lifebytes=104857600000
    authby=psk
    auto=start
======================================================================

==== /usr/local/etc/ipsec.secrets ====================================
86.30.202.35 168.63.60.212 : PSK "<secret>"
======================================================================

_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
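The conversions the message performs by hand (isakmp policy to `ike=`, transform-set to `esp=`, crypto-map lifetimes to `lifetime=` and `lifebytes=`) can be checked mechanically, which is useful because a mismatched proposal or lifetime unit is a common reason a site-to-site tunnel never comes up. The following Python is an added example for this page, not strongSwan's own code and not the poster's; the IOS input is constructed from the templates in the message with the Azure gateway address filled in, the algorithm-name tables are assumptions about the IOS keywords shown, and the trailing `!` (strict proposal) follows the convention the post uses. `set peer` corresponds to strongSwan's `right=`. `keyexchange` is not derived from the IOS text (the `crypto isakmp policy` syntax describes IKEv1), so the renderer leaves it to the reader.

```python
"""Map Cisco IOS IKEv1/IPsec parameters to strongSwan ipsec.conf keywords.

Added example; not part of strongSwan or the mailing-list post.
"""

# IOS keyword -> strongSwan algorithm name (assumed tables; IOS "aes" with no
# size means AES-128, "group 2" is the 1024-bit MODP Diffie-Hellman group).
IKE_ENC = {"aes": "aes128", "aes 192": "aes192", "aes 256": "aes256", "3des": "3des"}
IKE_HASH = {"sha": "sha1", "sha256": "sha256", "sha384": "sha384", "md5": "md5"}
DH_GROUP = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}
ESP_ENC = {"esp-aes": "aes128", "esp-aes 192": "aes192", "esp-aes 256": "aes256",
           "esp-3des": "3des"}
ESP_AUTH = {"esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256", "esp-md5-hmac": "md5"}

# Constructed sample: the IOS template from the post with placeholders filled.
CISCO_SAMPLE = """
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
exit
crypto isakmp key <SP_PresharedKey> address 168.63.60.212
crypto ipsec transform-set AZURE-TS esp-aes esp-sha-hmac
 mode tunnel
exit
crypto map AZURE-MAP 10 ipsec-isakmp
 set peer 168.63.60.212
 set security-association lifetime seconds 3600
 set security-association lifetime kilobytes 102400000
 set transform-set AZURE-TS
 match address 101
exit
"""


def ios_seconds(seconds: int) -> str:
    """Express an IOS lifetime (seconds) with the largest exact strongSwan unit."""
    for unit, size in (("d", 86400), ("h", 3600), ("m", 60)):
        if seconds % size == 0:
            return f"{seconds // size}{unit}"
    return f"{seconds}s"


def translate(cisco: str) -> dict:
    """Return the strongSwan conn keywords implied by an IOS crypto config."""
    ike, out = {}, {}
    for raw in cisco.splitlines():
        words = raw.split()
        if not words or words[0] == "exit":
            continue
        head = words[0]
        if head == "encryption":
            ike["enc"] = IKE_ENC[" ".join(words[1:])]
        elif head == "hash":
            ike["hash"] = IKE_HASH[words[1]]
        elif head == "group":
            ike["dh"] = DH_GROUP[words[1]]
        elif head == "lifetime":  # isakmp policy lifetime -> ikelifetime
            out["ikelifetime"] = ios_seconds(int(words[1]))
        elif head == "authentication" and words[1] == "pre-share":
            out["authby"] = "psk"
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            spec = " ".join(words[4:])  # tokens after the set name
            for key in sorted(ESP_ENC, key=len, reverse=True):  # longest match first
                if spec.startswith(key):
                    auth = ESP_AUTH[spec[len(key):].strip()]
                    out["esp"] = f"{ESP_ENC[key]}-{auth}!"
                    break
        elif words[:2] == ["set", "peer"]:  # "set peer" is strongSwan's right=
            out["right"] = words[2]
        elif words[:4] == ["set", "security-association", "lifetime", "seconds"]:
            out["lifetime"] = ios_seconds(int(words[4]))
        elif words[:4] == ["set", "security-association", "lifetime", "kilobytes"]:
            out["lifebytes"] = int(words[4]) * 1024  # strongSwan counts bytes
    if {"enc", "hash", "dh"} <= ike.keys():
        out["ike"] = f"{ike['enc']}-{ike['hash']}-{ike['dh']}!"
    return out


def render_conn(name: str, kw: dict) -> str:
    """Render the translated keywords as an ipsec.conf conn section."""
    order = ["right", "authby", "ike", "ikelifetime", "esp", "lifetime", "lifebytes"]
    body = [f"    {k}={kw[k]}" for k in order if k in kw]
    return "\n".join([f"conn {name}", *body])


if __name__ == "__main__":
    print(render_conn("Azure", translate(CISCO_SAMPLE)))
```

Running it reproduces the values in the post (`ike=aes128-sha1-modp1024!`, `ikelifetime=8h`, `esp=aes128-sha1!`, `lifetime=1h`, `lifebytes=104857600000`) and fills in `right=168.63.60.212` from `set peer`; the `leftsubnet`/`rightsubnet` pair still has to be read from the access-list by hand, since IOS wildcard masks are not carried over here.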
