I am trying to set up a VPN tunnel from an embedded Linux system (Linux
system-0004338 2.6.37 #7 Mon Jun 22 14:45:53 PDT 2015 armv7l GNU/Linux) to a
Cisco ASA. I have a working solution but not the preferred one.
One of my first problems was that when I let strongSwan add the routes it didn't
overwrite the default route, so no traffic would go through. I was able to
solve this by using an up/down script, but I would prefer that strongSwan
added/removed the routes.
The routes it added looked like this:
 ip route
10.255.254.180/30 dev usb1  src 10.255.254.180
0.0.0.0/1 via 10.255.254.181 dev usb1  src 10.3.10.18
128.0.0.0/1 via 10.255.254.181 dev usb1  src 10.3.10.18
default via 10.255.254.181 dev usb1

where the default route at the bottom was there already.
The route table before was:
 ip route
10.255.254.180/30 dev usb1  src 10.255.254.180
default via 10.255.254.181 dev usb1

The second issue is with the systime-fix plugin. After the device gets a
valid time from NTP over the tunnel it invalidates the client SA.
systime-fix config: <http://pastebin.com/B5WHHbLE>
Log file showing the SA being invalidated: <http://pastebin.com/0yu1YFKm>


The configuration I would like is one where, if usb1 goes up (after having been
up before), strongSwan reconnects the tunnel. Currently, if usb1 goes down (for
longer than DPD) and then comes up again and the DHCP client gets/assigns an
address to usb1, strongSwan does not reconnect the tunnel. If I use ipsec up
home it comes back up.
My current working ipsec.conf: <http://pastebin.com/B7vPqqDd>
charon.conf: <http://pastebin.com/zY6ZzZgC>
updown script: <http://pastebin.com/JGksUE8p>


_______________________________________________
Users mailing list
users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
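
What the up/down workaround in the post has to do, as an added example that is not the poster's pastebin script and not code shipped with strongSwan: on up-client it installs the two half-default routes 0.0.0.0/1 and 128.0.0.0/1 (each more specific than "default", so they win the lookup while the existing default route that reaches the ASA stays in place), on down-client it removes them, and afterwards it checks the live table. PLUTO_VERB, PLUTO_PEER, PLUTO_INTERFACE and PLUTO_MY_SOURCEIP are the variables charon exports to updown scripts; the gateway 10.255.254.181, interface usb1 and virtual IP 10.3.10.18 are taken from the route table in the post, and that table is embedded as constructed sample input so the check function runs without a tunnel.

```shell
#!/bin/sh
# Example strongSwan updown script for the split-default routing in the post.
# Added illustration only: not the poster's script, not shipped by strongSwan.
# PLUTO_VERB, PLUTO_PEER, PLUTO_INTERFACE and PLUTO_MY_SOURCEIP are the
# variables charon exports to updown scripts; addresses below come from the
# route table in the post.
#
# 0.0.0.0/1 and 128.0.0.0/1 together cover every destination and are more
# specific than "default", so they win the lookup while the existing default
# route (still needed to reach the ASA itself) is left untouched.

# Emit, without running, the ip route commands for one updown verb.
#   $1 verb   up-client | down-client (any other verb: nothing to emit)
#   $2 gw     next hop on the physical interface
#   $3 dev    physical interface (PLUTO_INTERFACE)
#   $4 src    virtual IP assigned by the gateway (PLUTO_MY_SOURCEIP)
route_cmds() {
    verb=$1 gw=$2 dev=$3 src=$4
    case "$verb" in
    up-client)
        # The src is what steers packets into the tunnel: only packets
        # sourced from the virtual IP match the IPsec policy. Installed with
        # the physical address as source, traffic would leave the interface
        # in plaintext, so refuse to route without a virtual IP.
        if [ -z "$src" ]; then
            echo "route_cmds: no virtual IP assigned, not installing routes" >&2
            return 1
        fi
        printf 'ip route add 0.0.0.0/1 via %s dev %s src %s\n' "$gw" "$dev" "$src"
        printf 'ip route add 128.0.0.0/1 via %s dev %s src %s\n' "$gw" "$dev" "$src"
        ;;
    down-client)
        printf 'ip route del 0.0.0.0/1 via %s dev %s\n' "$gw" "$dev"
        printf 'ip route del 128.0.0.0/1 via %s dev %s\n' "$gw" "$dev"
        ;;
    esac
    return 0
}

# Post-install check: read "ip route" output on stdin and confirm both halves
# exist via the expected gateway with the expected source address.
#   $1 gw   expected next hop
#   $2 src  expected source (virtual) IP
check_routes() {
    want_gw=$1 want_src=$2 rc=0
    table=$(cat)
    for net in 0.0.0.0/1 128.0.0.0/1; do
        if ! printf '%s\n' "$table" | grep -q "^$net via $want_gw .* src $want_src"; then
            echo "check_routes: missing $net via $want_gw src $want_src" >&2
            rc=1
        fi
    done
    return $rc
}

# Route table after the tunnel came up, copied from the post. Constructed
# sample input for check_routes; not read from a live system.
SAMPLE_TABLE='10.255.254.180/30 dev usb1  src 10.255.254.180
0.0.0.0/1 via 10.255.254.181 dev usb1  src 10.3.10.18
128.0.0.0/1 via 10.255.254.181 dev usb1  src 10.3.10.18
default via 10.255.254.181 dev usb1'

# When invoked by charon: find the next hop towards the peer, apply the
# routes (DRY_RUN=1 only prints them) and verify the result after up-client.
# Not reached when the file is sourced without PLUTO_VERB set.
if [ -n "${PLUTO_VERB:-}" ]; then
    gw=$(ip -o route get "$PLUTO_PEER" | sed -n 's/.* via \([^ ]*\) .*/\1/p')
    if [ -z "$gw" ]; then
        echo "no gateway towards $PLUTO_PEER, leaving routes alone" >&2
        exit 1
    fi
    cmds=$(route_cmds "$PLUTO_VERB" "$gw" "$PLUTO_INTERFACE" "${PLUTO_MY_SOURCEIP:-}") || exit 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmds"
    else
        printf '%s\n' "$cmds" | sh -e
        if [ "$PLUTO_VERB" = up-client ]; then
            ip route | check_routes "$gw" "$PLUTO_MY_SOURCEIP"
        fi
    fi
fi
```

Point leftupdown= in ipsec.conf at the script; it needs root and iproute2 when charon runs it. The refusal in the up-client branch is the caveat that matters: half-default routes carrying the physical address as source would send all traffic past the IPsec policy in the clear, so the script would rather leave the tunnel unrouted than install them.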
