Site-to-site VPN with Strongswan (opensource)

peterpan13888 · ‎01-23-2014

Hi all,

I wonder whether anyone has successfully configured site-to-site IPSec VPN tunnel with CalAmp LTE Fusion device (a cellular mobile router). Somehow I cannot establish the vpn tunnel under different configurations and I know it is running opensource strongswan. Interestingly, CalAmp has an older model Vanguard 3000 for 3G and the vpn tunnel works fine. Any advice will be invaluable.

Thanks!!

HULK · ‎01-23-2014

Hello Sir,

Have you got a chance to take a pcap on this, from that pcap, we will come to know whether the point of failure in phase-1 or in Phase-2 negotiation.

You can verify the same from the PAN system logs as well.

Thanks

rjavgal · ‎08-17-2019

i got it to work for this topology - between 10.1.0.101 and 10.1.0.201v2 worked for me , v1 implementation in SS seems to be flakyike and ipsec cryptoike and ipsec crypto

Step1 : Server side Config :

install and configure strongswan

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
sudo apt update && sudo apt upgrade -y
sudo apt-get install strongswan
 
 
  
 
Set the following kernel parameters:
cat >> /etc/sysctl.conf << EOF
net.ipv4.ipforward = 1
net.ipv4.conf.all.acceptredirects = 0
net.ipv4.conf.all.send_redirects = 0 EOF
 
sysctl -p /etc/sysctl.conf
 
vi /etc/ipsec.conf
 
vi /etc/ipsec.secrets

vi /etc/ipsec.conf

ipsec.conf

root@rithvik-gpcs-client-1:/home/rithvik# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
#config setup
    # strictcrlpolicy=yes
    # uniqueids = no
# Add connections here.
# Sample VPN connections
#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start
#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start
#
#
#
config setup
        charondebug="all"
        uniqueids=yes
        strictcrlpolicy=no
conn %default
# connection to paris datacenter
conn ubuntu-client-to-firewall #
  leftid=10.1.0.101
  leftsubnet=10.1.0.0/16
  right=10.1.0.201
  rightsubnet=10.1.0.0/16
  ike=aes256-sha2_256-modp1024!
  esp=aes256-sha2_256!
  keyingtries=0
  ikelifetime=1h
  lifetime=8h
  dpddelay=30
  dpdtimeout=120
  dpdaction=restart
  authby=secret
  auto=start
  keyexchange=ikev2
  type=tunnel
root@rithvik-gpcs-client-1:/home/rithvik#

vi /etc/ipsec.secrets

/etc/ipsec.secrets

root@rithvik-gpcs-client-1:/home/rithvik# cat /etc/ipsec.secrets
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
10.1.0.101 10.1.0.201 : PSK '123456'
#PSK "123456"
root@rithvik-gpcs-client-1:/home/rithvik#

Unlock your full community experience!

Site-to-site VPN with Strongswan (opensource)

Site-to-site VPN with Strongswan (opensource)

Show your appreciation!