[Openswan Users] Connexion from OpenSwan to a Cisco gateway

Olivier Thomas othomas at webtyss.com
Sun Sep 20 03:55:00 EDT 2015


Hi,

I want to connect to a Cisco VPN gateway located at my customer's site by using
Openswan.
My customer gave me credentials with a PCF file, which is for a client-to-site
VPN configuration. It was not possible to get a site-to-site config.
From a Windows host with the Cisco client, it works. Then I successfully
installed Openswan on my Linux box, which acts as a router/NAT gateway for
my other machines behind it. I converted the PCF file to an Openswan
configuration file and I successfully established an IPsec connection from
Openswan.
The command "ipsec look" shows me the dynamically assigned IP address
received from the Cisco gateway and the routes pushed by the Cisco gateway.

However, I have two problems:
- If I try to connect from my Openswan machine to one of the authorized
servers behind the Cisco gateway (e.g. telnet or wget, whatever
protocol...), it doesn't work. The command "ip xfrm monitor" doesn't display
any packet going through the tunnel. I suspect I may need to add some
iptables rules, but it seems strange to me because if I draw the parallel with
the Windows Cisco VPN client, it works immediately and I can reach machines
behind the Cisco gateway.
- I would also like to connect from my hosts behind my Linux Openswan box to
the other machines behind the Cisco gateway by doing some kind of NAT or
masquerading of their source IP addresses. At first it doesn't work, but if I
add on the Openswan box an iptables rule like "iptables -t nat -A
POSTROUTING -d W.X.Y.Z -j SNAT --to A.B.C.D", where W.X.Y.Z stands for
the server I try to reach and A.B.C.D stands for the dynamic address
assigned by the Cisco gateway, then it works! But the problem is that
A.B.C.D is dynamic, so it may change, and I don't want to have to change this
rule manually all the time...

Maybe something is wrong with my ipsec.conf or I am missing an option... here it
is:

conn myconf
     ike=3des-md5-modp1024
     aggrmode=yes
     authby=secret
     left=%defaultroute
     leftid=@myself
     leftxauthclient=yes
     leftxauthusername=mylogin
     leftmodecfgclient=yes
     right=H.I.J.K
     rightxauthserver=yes
     rightmodecfgserver=yes
     pfs=no
     auto=start
     remote_peer_type=cisco

ipsec.secrets
     @myself H.I.J.K : PSK "aaaaaaaaaaa"
     @mylogin : XAUTH "bbbbbbbbb"


Thanks for your support !
O.
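The manual SNAT rule in the post works because the IPsec policy for each remote subnet only matches packets whose source address is the address assigned by the Cisco gateway; rewriting the source to that address is what makes the forwarded packets match the policy, and because locally generated packets also traverse the nat POSTROUTING chain, the same rule applies to traffic from the Openswan box itself. The script below is an added example, not code from the original post or from the Openswan project: it is a wrapper meant to be installed as the conn's updown script (leftupdown=) so the rule is installed and removed automatically with the tunnel, using whatever address Mode Config handed out this time. It assumes that Pluto exports PLUTO_VERB, PLUTO_PEER_CLIENT (the remote subnet of the SA being brought up or down) and PLUTO_MY_SOURCEIP (the Mode Config address) to the updown script, and that the stock script is at /usr/lib/ipsec/_updown; both are assumptions to verify against the installed Openswan version, for instance by adding `env > /tmp/pluto-env` to the wrapper once.

```shell
#!/bin/sh
# _updown.snat: wrapper around Openswan's stock updown script that adds a
# POSTROUTING SNAT rule for each remote subnet when its tunnel comes up and
# removes it when the tunnel goes down.  Added example, not from the post.
#
# Assumptions (hypothetical, not confirmed by the post or the Openswan docs
# quoted here):
#   - Pluto exports PLUTO_VERB, PLUTO_PEER_CLIENT and PLUTO_MY_SOURCEIP, and
#     PLUTO_MY_SOURCEIP carries the Mode Config (XAUTH/modecfg) address.
#   - The stock script lives at /usr/lib/ipsec/_updown.
# Install as /etc/ipsec.d/_updown.snat (chmod 755) and reference it with
#     leftupdown=/etc/ipsec.d/_updown.snat
# inside the conn.

STOCK_UPDOWN=${STOCK_UPDOWN:-/usr/lib/ipsec/_updown}
IPTABLES=${IPTABLES:-iptables}

# Print the iptables arguments for the SNAT rule; $1 is -A, -D or -C.
snat_rule_args() {
    verb=$1; dst=$2; src=$3
    printf '%s\n' "-t nat $verb POSTROUTING -d $dst -j SNAT --to-source $src"
}

# add: install the rule unless it already exists.  del: remove it if present.
sync_snat_rule() {
    action=$1; dst=$2; src=$3
    # Never SNAT all traffic, and do nothing when no address was assigned.
    case "$dst" in ''|0.0.0.0/0) return 0 ;; esac
    [ -n "$src" ] || return 0
    if [ "$action" = add ]; then
        # iptables -C exits non-zero when the rule is absent; add it only then,
        # so a tunnel that is renegotiated does not pile up duplicate rules.
        $IPTABLES $(snat_rule_args -C "$dst" "$src") 2>/dev/null ||
            $IPTABLES $(snat_rule_args -A "$dst" "$src")
    else
        $IPTABLES $(snat_rule_args -D "$dst" "$src") 2>/dev/null || true
    fi
}

# Dispatch on the Pluto verb, then hand off to the stock script so routes
# and policies are still handled exactly as before.
updown_main() {
    case "$PLUTO_VERB" in
        up-client)   sync_snat_rule add "$PLUTO_PEER_CLIENT" "$PLUTO_MY_SOURCEIP" ;;
        down-client) sync_snat_rule del "$PLUTO_PEER_CLIENT" "$PLUTO_MY_SOURCEIP" ;;
    esac
    if [ -x "$STOCK_UPDOWN" ]; then
        exec "$STOCK_UPDOWN" "$@"
    fi
}

# Only act when invoked by Pluto (PLUTO_VERB set); sourcing the file for
# testing leaves the functions defined without touching the firewall.
if [ -n "$PLUTO_VERB" ]; then
    updown_main "$@"
fi
```

With split tunnelling, the Cisco gateway pushes one remote subnet per SA and Pluto runs the updown script once per SA, so each pushed subnet gets its own rule with the current Mode Config address as source; on `ipsec auto --down` or a rekey that changes the address, the down-client/up-client pair replaces the rule. Run `iptables -t nat -L POSTROUTING -n` after the tunnel is up to confirm the rule is present with the address shown by `ipsec look`.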