
Untitled

a guest
Jun 16th, 2019
  1. # ipsec.conf - strongSwan IPsec configuration file
  # Site-to-site IKEv1/PSK tunnel from a strongSwan host to a Cisco ASA, terminated on a
  # route-based VTI (the `ip link add tun1 type vti ... key 100` command further down).
  2. config setup
  3. # strictcrlpolicy=yes
  4. # uniqueids = no
  # Level 2 ("controlmore") on every subsystem is verbose for production; keep it below
  # 3 (raw) and 4 (private) so key material never reaches the log.
  5. charondebug="dmn 2, mgr 2, ike 2, chd 2, cfg 2, knl 2, net 2, esp 2"
  6.  
  7. conn tun1
  # Start at daemon launch and, with keyingtries=%forever below, never give up retrying.
  8. auto=start
  # Pre-shared-key authentication; the secret itself lives in ipsec.secrets (not shown).
  9. authby=secret
  10.  
  # left is taken from the default route; leftid is the public address because eth0 only
  # carries 172.31.0.39 (see the ifconfig output below) — presumably 1:1 NAT, confirm.
  11. left=%defaultroute
  12. leftid=<STRONGSWAN_HOST_PUBLIC_IP>
  13. right=<CISCO_ASA_PUBLIC_IP>
  14. type=tunnel
  15. leftauth=psk
  16. rightauth=psk
  # IKEv1 with AES-256 / SHA-1 / DH group 2 (1024-bit MODP). SHA-1 and modp1024 are below
  # current guidance and are presumably dictated by the ASA side; move to modp2048 (or
  # stronger) and sha256 if the peer supports them.
  17. keyexchange=ikev1
  18. ike=aes256-sha1-modp1024
  19. ikelifetime=86400s
  # NOTE(review): keylife and lifetime are synonyms for the same CHILD_SA lifetime, and this
  # conn sets both (240m here, 28800s below); only one can take effect — the later value is
  # expected to win — so remove whichever is not intended.
  20. keylife=240m
  21.  
  22. #rekeymargin=3m
  23.  
  # ESP also relies on SHA-1 integrity, and no DH group is listed, i.e. no PFS on CHILD_SA
  # rekeys — confirm this is what the ASA crypto map expects.
  24. esp=aes256-sha1
  25. lifetime=28800s
  26. keyingtries=%forever
  27.  
  # Only the single EIP host is exposed to the remote /29; widen deliberately, not by default.
  28. leftsubnet=<VPN_EIP_ADDRESS>/32
  29. rightsubnet=<SITE_B_NETWORK>/29
  # Dead-peer detection: probe every 10s, declare the peer dead after 30s, then restart the SA.
  30. dpddelay=10s
  31. dpdtimeout=30s
  32. dpdaction=restart
  # Must equal the VTI `key 100` and the mangle `--set-xmark 100` in the commands below;
  # the three values tie the IPsec policies, the marked ESP packets and tun1 together.
  33. mark=100
  34.  
  34.  
  35. Chain PREROUTING (policy ACCEPT)
  36. target prot opt source destination
  37. DNAT all -- anywhere <VPN_EIP_ADDRESS> to:172.31.1.202
  38.  
  39. Chain INPUT (policy ACCEPT)
  40. target prot opt source destination
  41.  
  42. Chain OUTPUT (policy ACCEPT)
  43. target prot opt source destination
  44.  
  45. Chain POSTROUTING (policy ACCEPT)
  46. target prot opt source destination
  47. SNAT all -- <SITE_A_MSG_SERVER> <SITE_B_MSG_SERVER> to:<VPN_EIP_ADDRESS>
  48. SNAT all -- 172.31.0.39 <SITE_B_MSG_SERVER> to:<VPN_EIP_ADDRESS>
  49.  
  50. eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9001
  51. inet 172.31.0.39 netmask 255.255.255.0 broadcast 172.31.0.255
  52. inet6 fe80::10f4:6ff:fe3a:97b2 prefixlen 64 scopeid 0x20<link>
  53. ether 12:f4:06:3a:97:b2 txqueuelen 1000 (Ethernet)
  54. RX packets 25214495 bytes 7356353946 (6.8 GiB)
  55. RX errors 0 dropped 0 overruns 0 frame 0
  56. TX packets 23561604 bytes 2610819486 (2.4 GiB)
  57. TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
  58.  
  59. lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
  60. inet 127.0.0.1 netmask 255.0.0.0
  61. inet6 ::1 prefixlen 128 scopeid 0x10<host>
  62. loop txqueuelen 1000 (Local Loopback)
  63. RX packets 90620 bytes 5506216 (5.2 MiB)
  64. RX errors 0 dropped 0 overruns 0 frame 0
  65. TX packets 90620 bytes 5506216 (5.2 MiB)
  66. TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
  67.  
  68. tun1: flags=209<UP,POINTOPOINT,RUNNING,NOARP> mtu 1419
  69. inet 172.31.0.0 netmask 255.255.255.0 destination <SITE_B_NETWORK>
  70. inet6 fe::5e:ac:27 prefixlen 64 scopeid 0x20<link>
  71. tunnel txqueuelen 1000 (IPIP Tunnel)
  72. RX packets 26213 bytes 5770610 (5.5 MiB)
  73. RX errors 0 dropped 0 overruns 0 frame 0
  74. TX packets 17158 bytes 1304176 (1.2 MiB)
  75. TX errors 1012692 dropped 0 overruns 0 carrier 1012692 collisions 0
  76.  
  77. # IP Links
  # VTI whose key (= fwmark) must match mark=100 in ipsec.conf and the mangle rule below.
  # Placeholder names differ from ipsec.conf (<CISCO_ASA_PUBLIC_IP>, <STRONGSWAN_HOST_PUBLIC_IP>);
  # they must resolve to the same peer and local addresses.
  78. sudo ip link add tun1 type vti local 172.31.0.39 remote <CISCO_PUB_IP> key 100
  # NOTE(review): /16 here, but the ifconfig output above shows tun1 with a /24 mask — confirm
  # which one is intended.
  79. sudo ip addr add 172.31.0.0/16 remote <SITE_B_NETWORK>/29 dev tun1
  # MTU lowered to leave room for ESP/IP overhead; the MSS clamp below keeps TCP within it.
  80. sudo ip link set tun1 up mtu 1419
  81.  
  82. # Forwarding
  # Every rule below uses -A, so re-running this script appends duplicates; check with -C
  # (or flush the chain) first.
  83. sudo iptables -t mangle -A FORWARD -o tun1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  # Marks inbound ESP from the peer so it matches the mark=100 policies of tun1.
  # NOTE(review): eth0 only carries 172.31.0.39 (ifconfig above); if the public address is
  # 1:1 NATed, ESP arrives with that private destination and `-d <STRONGSWAN_PUBLIC_IP>` would
  # never match — confirm against a packet capture.
  84. sudo iptables -t mangle -A INPUT -p esp -s <CISCO_IP> -d <STRONGSWAN_PUBLIC_IP> -j MARK --set-xmark 100
  85.  
  86. # NAT
  # Anything addressed to the EIP (any protocol, any port) is forwarded to the message
  # server; add -i tun1 and -p/--dport to narrow the exposure if only one service is meant
  # to be reachable from the remote /29.
  87. sudo iptables -t nat -A PREROUTING -d <VPN_EIP_ADDRESS>/32 -j DNAT --to-destination <SITE_A_MSG_SERVER>
  88.  
  # Traffic to the remote device is sourced from the EIP, matching the /32 leftsubnet in
  # ipsec.conf; only these two sources are allowed out through the tunnel with that address.
  89. sudo iptables -t nat -A POSTROUTING -s <SITE_A_MSG_SERVER>/32 -d <SITE_B_DEVICE>/32 -j SNAT --to-source <VPN_EIP_ADDRESS>
  90. sudo iptables -t nat -A POSTROUTING -s 172.31.0.39/32 -d <SITE_B_DEVICE>/32 -j SNAT --to-source <VPN_EIP_ADDRESS>
  91.  
  92. # Add Routes
  # Static route into the VTI; the tun1 `destination <SITE_B_NETWORK>` shown by ifconfig comes
  # from the `ip addr add ... remote` line above.
  93. sudo ip route add <SITE_B_NETWORK>/29 dev tun1 metric 100
  94.  
  94.  
  # Route between eth0 and the VTI.
  95. net.ipv4.ip_forward = 1
  # Route-based VTI recipe: keep IPsec policy/transform lookups off eth0 and tun1 so the
  # routing table, not the XFRM policy, decides what enters the tunnel — presumably; confirm
  # against the strongSwan VTI documentation.
  96. net.ipv4.conf.eth0.disable_xfrm = 1
  97. net.ipv4.conf.eth0.disable_policy = 1
  # Loose (mode 2) reverse-path filtering on the tunnel; strict mode would likely drop the
  # remote /29 traffic because the return path is via eth0 — assumption, confirm.
  98. net.ipv4.conf.tun1.rp_filter = 2
  99. net.ipv4.conf.tun1.disable_policy = 1