Site-to-site VPN with Strongswan (opensource)


Hi all,

I wonder whether anyone has successfully configured a site-to-site IPsec VPN tunnel with the CalAmp LTE Fusion device (a cellular mobile router). Somehow I cannot establish the VPN tunnel under different configurations, and I know it is running open-source strongSwan. Interestingly, CalAmp has an older model, the Vanguard 3000 for 3G, and the VPN tunnel works fine there. Any advice will be invaluable.

Thanks!!


L7 Applicator

Hello Sir,

Have you had a chance to take a pcap on this? From that pcap, we will come to know whether the point of failure is in phase-1 or in phase-2 negotiation.

You can verify the same from the PAN system logs as well.

Thanks

L0 Member

I got it to work for this topology - between 10.1.0.101 and 10.1.0.201.

v2 worked for me, v1 implementation in SS seems to be flaky.

ike and ipsec crypto

Step 1: Server side config:

Install and configure strongSwan:

sudo apt update && sudo apt upgrade -y
sudo apt-get install strongswan

Set the following kernel parameters:

cat >> /etc/sysctl.conf << EOF
# forward packets between the LAN and the tunnel
net.ipv4.ip_forward = 1
# a gateway should neither accept nor send ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
EOF

sysctl -p /etc/sysctl.conf

vi /etc/ipsec.conf

vi /etc/ipsec.secrets


vi /etc/ipsec.conf
root@rithvik-gpcs-client-1:/home/rithvik# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
#config setup
    # strictcrlpolicy=yes
    # uniqueids = no
# Add connections here.
# Sample VPN connections
#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start
#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start
#
#
#
config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no
conn %default
# connection to paris datacenter
conn ubuntu-client-to-firewall #
  leftid=10.1.0.101
  leftsubnet=10.1.0.0/16
  right=10.1.0.201
  rightsubnet=10.1.0.0/16
  ike=aes256-sha2_256-modp1024!
  esp=aes256-sha2_256!
  keyingtries=0
  ikelifetime=1h
  lifetime=8h
  dpddelay=30
  dpdtimeout=120
  dpdaction=restart
  authby=secret
  auto=start
  keyexchange=ikev2
  type=tunnel
root@rithvik-gpcs-client-1:/home/rithvik#

vi /etc/ipsec.secrets
root@rithvik-gpcs-client-1:/home/rithvik# cat /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
10.1.0.101 10.1.0.201 : PSK '123456'
#PSK "123456"
root@rithvik-gpcs-client-1:/home/rithvik#
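A small linter for the two files shown above, added here as an example (it is not the poster's code): it parses ipsec.conf sections and ipsec.secrets and flags the settings a reviewer would question in this exact config, namely modp1024 in the IKE proposal, a six-character PSK, and charondebug=all left on. The sample input is constructed from the posted files, and the PSK length threshold is this example's own policy.

```python
import re
# Constructed sample modelled on the posted ipsec.conf / ipsec.secrets (not the poster's files verbatim).
SAMPLE_CONF = """\
config setup
        charondebug="all"
conn %default
conn ubuntu-client-to-firewall #
  ike=aes256-sha2_256-modp1024!
  esp=aes256-sha2_256!
"""
SAMPLE_SECRETS = "10.1.0.101 10.1.0.201 : PSK '123456'\n#PSK \"123456\"\n"
# Algorithms a defender would not accept in an IKE/ESP proposal today (modp < 2048, SHA-1, MD5, (3)DES).
WEAK_ALGS = {"md5", "sha1", "des", "3des", "modp768", "modp1024", "modp1536"}

def parse_ipsec_conf(text):
    """Return {section: {key: value}} for 'config setup' and 'conn NAME' sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop trailing comments, keep indentation
        if not line.strip(): continue
        if not line[0].isspace():                    # an unindented line starts a new section
            current = line.strip()
            sections[current] = {}
        elif current and "=" in line:
            key, val = line.strip().split("=", 1)
            sections[current][key.strip()] = val.strip().strip('"')
    return sections

def audit_conf(text):
    findings, sections = [], parse_ipsec_conf(text)
    if sections.get("config setup", {}).get("charondebug") == "all":
        findings.append("config setup: charondebug=all is troubleshooting-level logging; turn it down once the tunnel is up")
    for name, opts in sections.items():
        if not name.startswith("conn ") or name == "conn %default": continue
        for key in ("ike", "esp"):
            for proposal in opts.get(key, "").rstrip("!").split(","):   # '!' only marks strict proposals
                weak = WEAK_ALGS & set(proposal.split("-"))
                if weak:
                    findings.append(f"{name}: {key} proposal '{proposal}' uses weak {sorted(weak)}")
    return findings

def audit_secrets(text):
    """Flag PSKs that are short or all digits (the 20-char threshold is this example's own policy)."""
    findings = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"): continue
        m = re.search(r":\s*PSK\s+(['\"])(.*?)\1", line)
        if m and (len(m.group(2)) < 20 or m.group(2).isdigit()):
            findings.append(f"ipsec.secrets: PSK of {len(m.group(2))} chars is weak; use a long random secret")
    return findings
```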