We are in the process of replacing a Microsoft TMG server with a CentOS server. For VPN we decided to use strongswan due to instabilities with libreswan. But strongswan has some weird issues with several subnets on either side. The current (libreswan) working config has leftsubnets={10.x.x.0/24,172.y.y.0/24} and rightsubnets={10.y.y.0/24,172.z.z.0/24}. How do I port this libreswan configuration to strongswan? I have tried making several conns with a single leftsubnet and rightsubnet in each; the configuration file seems to be parsed properly, but no SAs get established (connecting 0, up 0). Am I missing something?
Current config is like this:
conn hmmm
    left=86.x.x.x
    right=y.y.y.84
    keyexchange=ikev1
    authby=secret
    type=tunnel
    auto=start
    ike=aes256-sha1-modp1024
    rekey=yes
    leftsubnet=10.x.x.0/24
    rightsubnet=10.y.y.0/24
conn hmmm-2
    also=hmmm
    leftsubnet=172.y.y.0/24
    rightsubnet=172.z.z.0/24
Logs say "no proposal", however this IKEv1 setting is what worked with libreswan. The other end is a Cisco ASA under our control, but since we need an in-place swap of firewalls, we cannot upgrade the connection to IKEv2.
This configuration is missing the esp parameter, which specifies the IKEv1 quick mode parameters to be used with the IPsec connection in question. Just that. Extra parameters were leftauth=psk and rightauth=psk to conform with non-deprecated syntax (authby is deprecated), mobike=no just in case, and ikelifetime=8h and lifebytes=4608000000 to match the other side's SA lifetime settings. This is the missing line:

I was expecting ESP to use the IKE parameters to set up quick mode SAs, but probably misread the manual.