So I need to set up a VPN from a Cisco IOS device to my Asus Router. Now, I think this could be done, so I used some the example here: http://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html
...and I'm trying to apply to my scenario. Ok, so it seems to be ok from a configuration standpoint. I added the following to a custom firewall script:
Code:
# DESCRIPTION: Allow IPSEC StrongSWAN Connections
iptables -I VPN_TUNNEL_IN -i eth0 -p udp --dport 500 -j ACCEPT
iptables -I VPN_TUNNEL_IN -i eth0 -p 50 -j ACCEPT
iptables -I VPN_TUNNEL_IN -i eth0 -p udp --dport 4500 -j ACCEPT
iptables -I VPN_TUNNEL_OUT -i eth0 -d 0.0.0.0/0 -p udp --dport 500 -j ACCEPT
iptables -I VPN_TUNNEL_OUT -i eth0 -d 0.0.0.0/0 -p 50 -j ACCEPT
iptables -I VPN_TUNNEL_OUT -i eth0 -d 0.0.0.0/0 -p udp --dport 4500 -j ACCEPT
...and here is my [basic] ipsec.conf file located in /opt/etc/:
Code:
conn cisco
    left=%defaultroute
    leftsubnet=[local_nets]       # network behind strongswan
    leftid=%defaultroute          # IKEID sent by strongswan
    leftfirewall=yes
    right=[remote_ip]             # IOS outside address
    rightsubnet=[remote_nets]     # network behind IOS
    rightid=[remote_ip]           # IKEID sent by IOS
    auto=add
    ike=aes128-md5-modp1536       # P1: modp1536 = DH group 5
    esp=aes128-sha1               # P2
...and here is the strange part...
No matter what I do, it doesn't seem to show that ipsec is opening the UDP ports for IPsec:
Code:
udp 0 0 0.0.0.0:137 0.0.0.0:*
udp 0 0 0.0.0.0:138 0.0.0.0:*
udp 0 0 0.0.0.0:9999 0.0.0.0:*
udp 0 0 0.0.0.0:42000 0.0.0.0:*
udp 0 0 0.0.0.0:56510 0.0.0.0:*
udp 0 0 0.0.0.0:5474 0.0.0.0:*
udp 0 0 0.0.0.0:18018 0.0.0.0:*
udp 0 0 0.0.0.0:1900 0.0.0.0:*
udp 0 0 0.0.0.0:1900 0.0.0.0:*
udp 0 0 0.0.0.0:38000 0.0.0.0:*
udp 0 0 0.0.0.0:43000 0.0.0.0:*
raw 0 0 0.0.0.0:255 0.0.0.0:* 255
...what am I missing here? Also, one other side note: someone said that they had a newer version of strongSwan than 4.5.3-2. Am I missing something, or do I have optware/entware installed incorrectly? It doesn't seem to get any newer than this.
Code:
admin@RT-AC66R:/tmp/mnt/OPTWARE/asusware/etc# ipkg list | grep swan
strongswan - 4.5.3-2 - A IPsec implementation.
admin@RT-AC66R:/tmp/mnt/OPTWARE/asusware/etc#
In advance...thanks for your help, guys! I appreciate the look and time.
- v1k
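A small check for the symptom in the post, added here as an example and not code from the post or from the strongSwan project: it reads `netstat -lun`-style output and reports which IKE ports (UDP 500 for IKE, 4500 for NAT-T) have no listener, and the live wrapper assumes the `VPN_TUNNEL_IN` chain name from the post and the `ipsec` CLI of strongSwan.

```shell
#!/bin/sh
# Diagnose "no UDP 500/4500 listener" on a strongSwan host.
# Pure function: takes netstat-style text on stdin, prints every IKE port
# that nothing is bound to, exit status 1 if any is missing, 0 otherwise.
missing_ike_ports() {
    # keep udp/udp6 rows, strip everything up to the last ':' of the local
    # address column so only the port number remains
    listeners=$(awk '$1 ~ /^udp/ { sub(/.*:/, "", $4); print $4 }')
    rc=0
    for port in 500 4500; do
        if ! printf '%s\n' "$listeners" | grep -qx "$port"; then
            echo "$port"
            rc=1
        fi
    done
    return $rc
}

# Live check: socket state plus the two other usual causes (daemon not
# running, firewall rules absent). Chain name is the one from the post.
check_ike_listeners() {
    if netstat -lun 2>/dev/null | missing_ike_ports >/dev/null; then
        echo "IKE listeners present on UDP 500 and 4500"
    else
        echo "no IKE listener: is the daemon running? (ipsec statusall)"
        ipsec statusall 2>/dev/null | head -n 5
        iptables -S VPN_TUNNEL_IN 2>/dev/null | grep -E 'dport (500|4500)|-p (50|esp)'
    fi
}

# Constructed samples in the same layout as the post's netstat output.
SAMPLE_NO_IKE='udp 0 0 0.0.0.0:137 0.0.0.0:*
udp 0 0 0.0.0.0:1900 0.0.0.0:*'
SAMPLE_IKE='udp 0 0 0.0.0.0:500 0.0.0.0:*
udp 0 0 0.0.0.0:4500 0.0.0.0:*
udp 0 0 0.0.0.0:137 0.0.0.0:*'
```

Run `check_ike_listeners` on the router to see whether the problem is the daemon, the sockets, or the firewall rules in one pass.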