
I'm trying to connect to a Cisco ASA from strongSwan on a DigitalOcean droplet. Below are the configs I have:

ipsec.conf

conn %default
    ikelifetime=86400s
    keylife=60m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=psk
    type=tunnel

conn airtelmoney_cisco_asa
    left=x.x.x.x
    leftid=x.x.x.x
    leftsubnet=10.17.0.6
    leftsourceip=10.17.0.6

    right=y.y.y.y
    rightid=y.y.y.y
    rightikeport=1234
    rightsourceip=y.y.y.1,y.y.y.2,y.y.y.3,y.y.y.4
    auto=start
    rightsubnet=y.y.y.1,y.y.y.2,y.y.y.3,y.y.y.4
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1-modp1024

IP y.y.y.3 has a service running HTTP, while IP y.y.y.4 has a service running HTTPS. I can ping and telnet to both IPs successfully. I can also make an HTTP request to y.y.y.3 successfully and get a response. But the problem is with IP y.y.y.4: when I do a curl, it times out. How can I troubleshoot this? Is it a network problem, or is it at the application level?

  • If this is all of your IPsec config, the problem has nothing to do with it. Check firewalls/routing/application/... of your `y.y.y.4` – Lenniey Oct 06 '20 at 12:43
  • @Lenniey Thanks for reply, it's another team in charge of `y.y.y.4` and they're saying they can't see any traffic to that IP – Wafula Samuel Oct 06 '20 at 12:49
  • _left|rightsourceip_ are used to *negotiate* virtual IPs. To just use specific addresses inside the tunnel, simply configure them in _left|rightsubnet_ (as you already did, but use `/32` for single addresses). Also, for IKEv1, you can't use multiple addresses/subnets in _left|rightsubnet_, see [this FAQ entry](https://wiki.strongswan.org/projects/strongswan/wiki/FAQ#Multiple-subnets-per-SA). – ecdsa Oct 06 '20 at 14:30
  • @ecdsa everything was working except for https traffic – Wafula Samuel Oct 07 '20 at 08:10
  • To the same server? The config is wrong either way (see the FAQ entry and perhaps also [this page regarding virtual IPs](https://wiki.strongswan.org/projects/strongswan/wiki/VirtualIp)). – ecdsa Oct 07 '20 at 09:05
  • @ecdsa what section is wrong? – Wafula Samuel Oct 07 '20 at 09:47
  • @ecdsa They have four IPs, y.y.y.1, y.y.y.2, y.y.y.3, y.y.y.4, and each IP has its own service. How do I correct the above config, please? – Wafula Samuel Oct 07 '20 at 10:37
  • As outlined in the FAQ entry, you need to split this into multiple conn sections, one for each combination of local and remote IP address. – ecdsa Oct 07 '20 at 10:44
  • OK @ecdsa. Also, when does the following apply? The strongSwan documentation says: `rightsourceip = %config | <address> | <pool> | %poolname` – "Since 5.0.1 a comma-separated list of IP addresses / pools is accepted, for instance, to define pools of different address families." https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection – Wafula Samuel Oct 07 '20 at 11:52
  • That's used as server to assign virtual IPs to clients (see the link above for details). – ecdsa Oct 07 '20 at 13:49
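The configuration ecdsa describes in the comments above, written out as an added example (this is not the original poster's config and not code from the strongSwan project). It keeps the placeholder addresses from the question (x.x.x.x, y.y.y.y, 10.17.0.6) and the posted proposals, drops the `leftsourceip`/`rightsourceip` lines, uses `/32` for single hosts, and splits the four remote hosts into one `conn` per local/remote address pair, since IKEv1 negotiates exactly one subnet pair per SA. The `conn` names are assumed; the shared endpoint settings are moved into `%default` only to avoid repeating them in each host section.

```ini
# Added example ipsec.conf, not the original poster's config.
# Addresses x.x.x.x / y.y.y.y / 10.17.0.6 are the placeholders from the question.
conn %default
    ikelifetime=86400s
    keylife=60m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=psk
    type=tunnel
    auto=start
    # Endpoint settings shared by every host conn below.
    left=x.x.x.x
    leftid=x.x.x.x
    # Single local tunnel address: a /32, not a virtual IP.
    # No leftsourceip/rightsourceip: those negotiate virtual IPs, which is
    # not wanted when fixed addresses are used inside the tunnel.
    leftsubnet=10.17.0.6/32
    right=y.y.y.y
    rightid=y.y.y.y
    rightikeport=1234
    # Proposals kept from the question so the ASA side still matches.
    # sha1 and modp1024 are weak by current standards; prefer e.g.
    # aes256-sha256-modp2048 on both ends if the ASA allows it.
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1-modp1024

# IKEv1: one conn (one CHILD_SA / phase 2 SA) per remote host. Each of these
# only differs in rightsubnet; everything else comes from %default.
conn cisco_asa_host1
    rightsubnet=y.y.y.1/32

conn cisco_asa_host2
    rightsubnet=y.y.y.2/32

conn cisco_asa_host3
    rightsubnet=y.y.y.3/32

conn cisco_asa_host4
    rightsubnet=y.y.y.4/32
```

Two things to check after loading this. First, because there is no `leftsourceip`, strongSwan will not install 10.17.0.6 on the droplet; the address has to exist locally (for instance on `lo`) and outbound requests must use it as their source, otherwise packets leave with the droplet's public address and never match the `10.17.0.6/32 -> y.y.y.4/32` policy. `ip xfrm policy` should show one `out`/`in` policy pair per host conn, and `ipsec statusall` should list four established CHILD_SAs. Second, the ASA side's crypto ACL needs a matching host-to-host entry for each pair, since the IKEv1 traffic selectors must match exactly; a missing entry for y.y.y.4 shows up as a phase 2 failure for that conn only, which is exactly the "one host works, one does not" symptom in the question.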
