1

I have website, which displays data, received from gsm modems. So i am trying to connect my website to GSM network provider using vpn.

Provider side there is a Cisco 3900, configured as site to site vpn server and my side i have strongswan installed on debian linux and configured as client.

I am using this guide for client configuration http://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html

On the GSM network provider side configuration is like this:

  • VPN Equipments version: Cisco 3900
  • VPN Modules: DES+3DES+AES
  • VPN Gateway IP: "VpnGatewayIP"
  • Hosts Using VPN: 10.248.64.0/20

Tunnel Information

Phase 1 (IKE)

  • Authentication Method: Pre-Shared Key
  • Encryption Schema: IKE
  • Perfect Forward Secrecy- IKE: DH Group-5
  • Encryption Algorithm: AES256
  • Hashing Algorithm: SHA1
  • Renegotiate IKE SA every: 86400 seconds

Phase 2 (IPSEC)

  • IPSec: ESP
  • Perfect Forward Secrecy-IPSEC: DH Group-5
  • Encryption Algorithm IPSec: AES256
  • Hashing Algorithm IPSec: SHA1
  • Renegotiate IPSec SA every: 3600 seconds
  • Aggressive Mode: NOT IN USE

This is content of my configuration file /etc/ipsec.conf

config setup
        strictcrlpolicy=no
        charondebug="ike 1, knl 2, cfg 0"

conn %default
     ikelifetime=1440m
     keylife=60m
     rekeymargin=3m
     keyingtries=1
     keyexchange=ikev1
     authby=secret

conn "providerVPN"
     left=MyServerIP
     leftsubnet=MyServerIP/32
     leftid=MyServerIP
     leftfirewall=yes
     right=VpnGatewayIP
     rightsubnet=10.248.64.0/20
     rightid=VpnGatewayIP
     auto=add
     ike=aes256-sha1-modp1536
     esp=aes256-sha1

and PSK file /etc/ipsec.secrets

MyServerIP VpnGatewayIP : PSK someSecretKey

starting client like this

/etc/init.d/ipsec start

after this ifconfig did not displays any new connection and "ipsec status" gives me the output

Security Associations (0 up, 0 connecting):
  none

There is a log from /var/log/daemon.log

Sep  6 17:54:12 gmapfish ipsec[1221]: ipsec starter stopped
Sep  6 17:54:15 gmapfish ipsec[1320]: Starting strongSwan 5.2.1 IPsec [starter]...
Sep  6 17:54:15 gmapfish charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-686-pae, i686)
Sep  6 17:54:15 gmapfish charon: 00[KNL] known interfaces and IP addresses:
Sep  6 17:54:15 gmapfish charon: 00[KNL]   lo
Sep  6 17:54:15 gmapfish charon: 00[KNL]     127.0.0.1
Sep  6 17:54:15 gmapfish charon: 00[KNL]     ::1
Sep  6 17:54:15 gmapfish charon: 00[KNL]   eth0
Sep  6 17:54:15 gmapfish charon: 00[KNL]     "MyServerIP"
Sep  6 17:54:15 gmapfish charon: 00[KNL]     10.19.0.5
Sep  6 17:54:15 gmapfish charon: 00[KNL]     df80::501:a8ef:ef9f:a321
Sep  6 17:54:15 gmapfish charon: 00[LIB] loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default stroke updown
Sep  6 17:54:15 gmapfish charon: 00[LIB] unable to load 3 plugin features (3 due to unmet dependencies)
Sep  6 17:54:15 gmapfish charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Sep  6 17:54:15 gmapfish charon: 00[JOB] spawning 16 worker threads
Sep  6 17:54:15 gmapfish charon: 07[KNL] "VpnGatewayIP" is not a local address or the interface is down
Sep  6 17:54:15 gmapfish ipsec[1320]: charon (1348) started after 60 ms

Any suggestion what is wrong with my settings?

3

1 Answer 1

1

Finally i found solution for my problem, it was only configuration issue.

instead of auto=add there must be auto=start and esp=aes256-sha1 must be esp=aes256-sha1-modp1536

I also added db parameters, but for work it's optional. If you change just this two parameters, it will work.

Final working configuration is like this.

# ipsec.conf - strongSwan IPsec configuration file                                                                                                                             

# basic configuration                                                                                                                                                           

config setup
    charondebug="ike 4, knl 4, cfg 4, net 4, esp 4, dmn 4,  mgr 4"
        #uniqueids = no                                                                                                                                                         

conn %default
    ikelifetime=1440m
    keylife=60m
    rekeymargin=3m
    keyingtries=1
    mobike=no
    keyexchange=ikev1
    dpdaction=clear
    dpddelay=200s

conn "providerVPN"
    type=tunnel
    auto=start
    aggressive=no
    esp=aes256-sha1-modp1536
    ike=aes256-sha1-modp1536

    right=VpnGatewayIP
    rightsubnet=10.248.64.0/20
    rightid=VpnGatewayIP
    rightauth=psk

    left=MyServerIP
    leftsubnet=MyServerIP/32
    leftid=MyServerIP
    leftauth=psk

    dpddelay=30s
    dpdaction=hold
    dpdtimeout=120s
    ikelifetime=86400s
    lifetime=86400s

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .