network – strongSwan has connected but cannot do anything

I've received this data from a company to establish an s2s connection:

Gateway VPN of the company: 195.x.37.168
IKE: Ikev1 AES256-SHA1 group 2 1440min
IPSEC: group 2 AES128-SHA1 3600 sec (60 min)
VPN gateway on the left: 185.x.192.227
Left network: 172.x.74.200/29
Company Network: 10.6.7.0/24,10.6.4.0/24,10.6.5.0/24,10.6.6.0/24,10.6.8.0/24
Test host (ping): 10.0.1.55

So I created this /etc/ipsec.conf:

conn comp
    left=185.x.192.227
    leftsubnet=172.x.74.200/29
    leftfirewall=yes
    right=195.x.37.168
    rightsubnet=10.6.7.0/24,10.6.4.0/24,10.6.5.0/24,10.6.6.0/24,10.6.8.0/24
    rightfirewall=yes
    rightsourceip=%config
    authby=secret
    keyexchange=ikev1
    keylife=60m
    auto=route
    esp=aes128-sha1
    ike=aes256-sha1-modp1024
    ikelifetime=1440m
    lefthostaccess=yes
    type=tunnel

The connection seems to be OK:

sudo ipsec up comp
generating QUICK_MODE request 2398914035 [ HASH SA No ID ID ]
sending packet: from 217.x.73.231[500] to 195.x.37.168[500] (204 bytes)
received packet: from 195.x.37.168[500] to 217.x.73.231[500] (172 bytes)
parsed QUICK_MODE response 2398914035 [ HASH SA No ID ID ]
CHILD_SA comp{123} established with SPIs c776f6f6_i a38bf565_o and TS 172.x.74.200/29 === 10.x.7.0/24
connection 'comp' established successfully

sudo ipsec status

Routed Connections:
         lpp{122}:  ROUTED, TUNNEL, reqid 4
         lpp{122}:   172.x.74.200/29 === 10.6.4.0/24 10.6.5.0/24 10.6.6.0/24 10.6.7.0/24 10.6.8.0/24

But I cannot reach anything on the company network.

linux – How to configure the strongSwan VPN server as a router

I have a strongSwan VPN server running Ubuntu 16.04.5 LTS. Its public IP is 51.x.x.x. The site-to-site configuration between my strongSwan VPN server and the other VPN server, which is a Cisco ASA firewall with public IP 41.10.10.2, is working properly.

Once the tunnel is up, I can ping and telnet to the private server 41.10.11.3 behind the Cisco ASA firewall. The 41.10.11.3 server is not reachable from the open Internet, only through the VPN tunnel. Note that its IP address is a public one.

I've configured this strongSwan VPN server to act as a bridge between my private 192.168.0.0/16 network and the Cisco ASA firewall (the strongSwan VPN server's private IP is 192.168.0.8). That is, I want to be able to ping or telnet to 41.10.11.3 from 192.168.0.13 via the strongSwan VPN server acting as a router.

My VPN server has two NICs: ens18, which carries the public IP address, and ens19, which carries the private IP address.

I've defined two zones on my VPN server: public and internal. I've assigned the public interface to the public zone and the private interface to the internal zone.

I ran this command for packet forwarding, but I do not see any effect from it:

sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -I POSTROUTING -o ens18 -j MASQUERADE -s 192.168.0.0/23 -d 41.220.79.242

When I try to ping 41.10.11.3, it fails with 100% packet loss.

Here is my configuration on the strongSwan VPN server:

sore@ubuntu-vpnserver:~$ sudo firewall-cmd --list-all --zone=public
[sudo] password for sore:
public (default, active)
  interfaces: ens18
  sources:
  services: dhcpv6-client ssh ipsec
  ports: 4500/udp 500/udp
  protocols:
  masquerade: yes
  forward-ports: port=4500:proto=udp:toport=443:toaddr=137.74.50.58
        port=500:proto=udp:toport=443:toaddr=137.74.50.58
        port=4500:proto=udp:toport=443:toaddr=192.168.0.13
        port=500:proto=udp:toport=443:toaddr=192.168.0.13
  icmp-blocks:
  rich rules:
        rule protocol value="ah" accept
        rule protocol value="esp" accept

Here is my /etc/network/interfaces file:

auto ens18
iface ens18 inet static
    address 51.xxx
    netmask 255.255.255.255
    broadcast 51.xxx
    post-up route add 54.36.12x.x dev ens18
    post-up route add default gw 54.36.12x.x
    pre-down route del 54.36.12x.x dev ens18
    pre-down route del default gw 56.36.12x.x
    dns-nameservers 213.186.xx

auto ens19
iface ens19 inet static
    address 192.168.0.8
    netmask 255.255.254.0
    gateway 192.168.0.1

Cisco + strongSwan: NO_PROPOSAL_CHOSEN

This is my first post here, and I'd like to thank you in advance for your help. I'm developing a custom DMVPN solution for Unix, using OpenNHRP and strongSwan. To test it I use a Cisco router and a Unix box. Currently I cannot establish the IPsec connection between the two machines: no proposal is chosen. The very simple strongSwan configuration is:

connections {
    conn12233 {
        local_addrs = 192.168.200.2
        remote_addrs = 192.168.200.1
        proposals = default
        local {
            auth = psk
        }
        remote {
            auth = psk
        }
        children {
            conn12233 {
                #esp_proposals = default
                esp_proposals = aes256-sha256-3des, default
                rekey_time = 10m
                mode = transport
            }
        }
        version = 2
        mobike = no
    }
}

secrets {
    ike-conn12233 {
        secret = secret
    }
}

And my Cisco configuration:

(...)

crypto ikev2 proposal ikev2-proposal
 encryption aes-cbc-256 aes-cbc-128 aes-cbc-192
 integrity sha256 sha512
 group 14 2
!
crypto ikev2 policy IKEPOLICYLOCAL
 match fvrf any
 match address local 192.168.200.1
 proposal ikev2-proposal
!
crypto ikev2 keyring keyring
 peer any
  address 0.0.0.0 0.0.0.0
  pre-shared-key
 !
 peer 192.168.200.2
  address 192.168.200.2
  pre-shared-key
 !
!
!
crypto ikev2 profile IKEPROFILE
 match identity remote address 0.0.0.0
 authentication remote pre-share
 authentication local pre-share
 keyring local keyring
!
!
!
crypto isakmp policy 1
 encr 3des
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key secret address 0.0.0.0
!
!
crypto ipsec transform-set transform-gre esp-3des esp-sha256-hmac
 mode transport
crypto ipsec transform-set transform-gre-transport esp-3des esp-sha256-hmac
 mode transport
crypto ipsec transform-set TS esp-3des esp-sha256-hmac
 mode transport
!
crypto ipsec profile IPSECPROFILE
 set transform-set TS
 set ikev2-profile IKEPROFILE
!
!
crypto ipsec profile dmvpn-protect3
 set transform-set transform-gre-transport
!
!
!
interface Tunnel0
 ip address 10.255.255.1 255.255.255.0
 no ip redirects
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip ospf network broadcast
 tunnel source GigabitEthernet0/1
 tunnel mode gre multipoint
 tunnel protection ipsec profile IPSECPROFILE
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address dhcp
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.200.1 255.255.255.0
 duplex auto
 speed auto
(...)

The output of swanctl --initiate --child conn12233 is:

[IKE] initiating IKE_SA 192_168_200_2-to-192_168_200_1_MAIN[423] to 192.168.200.1
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 192.168.200.2[500] to 192.168.200.1[500] (794 bytes)
[NET] received packet: from 192.168.200.1[500] to 192.168.200.2[500] (38 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
[IKE] initiating IKE_SA 192_168_200_2-to-192_168_200_1_MAIN[423] to 192.168.200.1
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 192.168.200.2[500] to 192.168.200.1[500] (986 bytes)
[NET] received packet: from 192.168.200.1[500] to 192.168.200.2[500] (464 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) ]
[IKE] received Cisco Delete Reason vendor ID
[ENC] received unknown vendor ID: 46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44
[CFG] no IDi configured, fall back on IP address
[IKE] authentication of '192.168.200.2' (myself) with pre-shared key
[IKE] establishing CHILD_SA 192_168_200_2-to-192_168_200_1{6196}
[ENC] generating IKE_AUTH request 1 [ IDi AUTH N(USE_TRANSP) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 192.168.200.2[4500] to 192.168.200.1[4500] (288 bytes)
[NET] received packet: from 192.168.200.1[4500] to 192.168.200.2[4500] (160 bytes)
[ENC] parsed IKE_AUTH response 1 [ V IDr AUTH N(NO_PROP) ]
[IKE] authentication of '192.168.200.1' with pre-shared key successful
[IKE] IKE_SA 192_168_200_2-to-192_168_200_1_MAIN[423] established between 192.168.200.2[192.168.200.2]...192.168.200.1[192.168.200.1]
[IKE] scheduling rekeying in 13195s
[IKE] maximum IKE_SA lifetime 14635s
[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
[IKE] failed to establish CHILD_SA, keeping IKE_SA
initiate failed: establishing CHILD_SA '192_168_200_2-to-192_168_200_1' failed

What puzzles me is the debug output from the Cisco:

https://pastebin.com/HF7BdDvf

What is the problem here? I searched for the answer, but everything I found was very confusing.
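Both the first and the last post come down to whether the IPsec proposals on the two sides overlap: the first post's esp=aes128-sha1 against the peer sheet's "AES128-SHA1 group 2", the last post's esp_proposals against the Cisco transform-set. The checker below is an added example, not code from any of the posts, from strongSwan or from Cisco; its algorithm tables are a constructed subset of names, the Cisco keyword spellings are assumed, and the PFS rule it applies (both sides must agree on whether a DH group is used, and on which one) is a conservative rule, not a statement about any vendor's behaviour.

```python
import re

ENCR = {"aes128", "aes192", "aes256", "3des", "null"}
INTEG = {"sha1", "sha256", "sha384", "sha512", "md5"}
DH = {"modp1024": "group2", "modp1536": "group5", "modp2048": "group14", "ecp256": "group19"}
# Cisco transform-set keywords mapped onto the same names (assumed subset)
CISCO = {"esp-aes": "aes128", "esp-aes 192": "aes192", "esp-aes 256": "aes256",
         "esp-3des": "3des", "esp-null": "null", "esp-md5-hmac": "md5",
         "esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256", "esp-sha512-hmac": "sha512"}

def parse_strongswan(proposals):
    """'aes256-sha256-3des, default' -> one dict per proposal (algorithms of one
    type inside a proposal are alternatives); keywords such as 'default' -> None."""
    out = []
    for prop in [p.strip() for p in proposals.split(",") if p.strip()]:
        d = None if prop == "default" else {"encr": set(), "integ": set(), "dh": set()}
        for tok in (prop.split("-") if d else []):
            kind = "encr" if tok in ENCR else "integ" if tok in INTEG else "dh" if tok in DH else None
            if kind is None and tok not in ("esn", "noesn"):
                raise ValueError("unknown token %r in %r" % (tok, prop))
            if kind:
                d[kind].add(DH.get(tok, tok))  # DH groups are stored under the Cisco-style name
        out.append(d)
    return out

def parse_cisco(transform_set, pfs_group=None):
    """'esp-3des esp-sha256-hmac' plus the optional 'set pfs' group -> same dict shape."""
    d = {"encr": set(), "integ": set(), "dh": {pfs_group} if pfs_group else set()}
    for tok in re.findall(r"esp-[a-z0-9-]+(?: \d+)?", transform_set):
        name = CISCO[tok]
        (d["encr"] if name in ENCR else d["integ"]).add(name)
    return d

def check(strongswan, transform_set, pfs_group=None):
    """(matches, reasons): (encr, integ, dh) triples both sides can agree on, and why others cannot."""
    peer = parse_cisco(transform_set, pfs_group)
    matches, reasons = [], []
    for i, p in enumerate(parse_strongswan(strongswan), 1):
        if p is None:
            reasons.append("proposal %d is a keyword, not expanded" % i)
            continue
        encr, integ, dh = (p[k] & peer[k] for k in ("encr", "integ", "dh"))
        # PFS: both sides must agree on whether a DH group is used, and on which one
        if bool(p["dh"]) != bool(peer["dh"]) or (p["dh"] and not dh):
            reasons.append("proposal %d: PFS group mismatch %s vs %s" % (i, sorted(p["dh"]), sorted(peer["dh"])))
        elif encr and integ:
            matches.append((sorted(encr), sorted(integ), sorted(dh)))
        else:
            reasons.append("proposal %d: no common %s" % (i, "cipher" if not encr else "integrity"))
    return matches, reasons
```

On the first post's values, check("aes128-sha1", "esp-aes esp-sha-hmac", "group2") reports a PFS mismatch, since the esp= line offers no DH group while the sheet lists group 2 for IPsec; on the last post's values, check("aes256-sha256-3des, default", "esp-3des esp-sha256-hmac") finds 3des/sha256 in common, so the algorithm lists alone do not account for that NO_PROPOSAL_CHOSEN (the checker says nothing about traffic selectors or transport mode, which also have to match).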