IPsec between Strongswan on AWS and Cisco IOS behind a NAT

My Strongswan:

Local IP:
Elastic IP:
OS: Ubuntu
– Customer grade broadband Internet
– Public IP: – connects to my fiber optics
– Local gateway IP:
– we need to set up port forwarding for UDP ports 500 and 4500 to our router's interface
My Cisco:
– Cisco 1841
– fa0/1: – connects to my WAN router's local interface
– fa0/0: – connects to my local switch / PC

My Strongswan config:

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn %default

conn myremoteoffice
        keyexchange=ikev1      #added: the IOS side speaks ISAKMP (IKEv1), not IKEv2
        authby=secret          #added: authenticate with the PSK from ipsec.secrets
        left=                  #strongswan outside address
        leftsubnet=,           #network behind strongswan
        leftid=                #IKE ID sent by strongswan
        right=                 #IOS outside address
        rightsubnet=           #network behind IOS
        rightid=               #IKE ID sent by IOS
        ike=aes128-sha1-modp1536           #P1: modp1536 = DH group 5
        esp=aes128-sha1                    #P2
        auto=start             #added: without this the conn defaults to auto=ignore and is never loaded


# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.
 : PSK "cisco"
 : PSK "cisco"    #this is the magic we need to add here


This is my Cisco configuration:

! our router will serve as DHCP server
ip dhcp pool dhcp_pool

ip domain name thao.com

! this configuration is for our IPsec

! ISAKMP policy - how IKE phase 1 authenticates and encrypts
crypto isakmp policy 10
 ! we use AES
 encr aes
 ! use a pre-shared key - the key is defined below
 authentication pre-share
 ! DH group 5 (modp1536), matching the strongswan ike= line
 group 5

! define the pre-shared key (cisco): when ISAKMP sets up a tunnel it looks up the
! remote IP and, if it matches, uses the corresponding key
! in this case, when we connect to the strongswan peer it will use the key cisco
crypto isakmp key cisco address

! IPsec transform set - "TS" is our name for it
crypto ipsec transform-set TS esp-aes esp-sha-hmac

! define our remote peer
crypto map cmap 10 ipsec-isakmp
 set peer
 ! transform set defined above
 set transform-set TS
 ! traffic goes into IPsec when it matches this ACL (cryptoacl) - defined below
 match address cryptoacl

! our local interface
interface FastEthernet0/0
 description LAN
 ip address
 ! we want to use NAT
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface FastEthernet0/1
 description WAN
 ip address dhcp
 ! NAT outside - this is our internet
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 ! attach the IPsec information defined above in "cmap"
 crypto map cmap

! our NAT info: "natacl" is our access list for NAT - it defines what traffic to NAT
ip nat inside source list natacl interface FastEthernet0/1 overload

! cryptoacl determines what traffic goes through IPsec
ip access-list extended cryptoacl
 ! all traffic from our local subnet to our remote subnet (strongswan) will be in IPsec
 permit ip
 ! note100: this is optional; it means everything goes into IPsec, i.e. all internet
 ! traffic from our local clients goes to our strongswan for internet access, not out locally
 permit ip any

! define what to NAT
ip access-list extended natacl
 ! we don't want the traffic to our remote subnet to be NATed
 deny   ip
 ! traffic to our remote strongswan public IP
 deny   ip host
 ! note101: this means all internet goes out locally; it is optional - remove this
 ! line if we want all traffic to go through IPsec
 permit ip any


In this setup, we can decide where the internet breakout for our clients is:
– via our remote site (strongswan) -> you must have the line marked #note100 and remove the line marked #note101
– via our local internet provider -> keep the line marked #note101
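An added check for the interaction between cryptoacl and natacl described above; this is my example code, not part of the original post or its router config, and the addresses in the constructed sample are placeholders because the post does not show its real ones. It parses the two extended ACLs and flags any flow cryptoacl permits that natacl would still translate, which is exactly what happens when the #note100 line is added while the #note101 line is kept.

```python
import ipaddress
import re

# Constructed sample of the two ACLs from the post with placeholder addresses
# (not the post's): 192.168.10.0/24 is the LAN behind the 1841, 10.0.0.0/24
# the subnet behind strongswan and 203.0.113.5 the strongswan Elastic IP.
SAMPLE_ACLS = """
ip access-list extended cryptoacl
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
ip access-list extended natacl
 deny   ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny   ip 192.168.10.0 0.0.0.255 host 203.0.113.5
 permit ip 192.168.10.0 0.0.0.255 any
"""

def _take_net(toks):
    """One IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (inverse mask)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1] + "/32"), toks[2:]
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(toks[1])))
    return ipaddress.ip_network(f"{toks[0]}/{netmask}", strict=False), toks[2:]

def parse_acls(config):
    """Return {name: [(action, src_net, dst_net), ...]} for extended IP ACLs."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"ip access-list extended (\S+)", line.strip())
        if m:
            current = acls.setdefault(m.group(1), [])
            continue
        m = re.match(r"\s+(permit|deny)\s+ip\s+(.+)", line)
        if current is not None and m:
            src, rest = _take_net(m.group(2).split())
            dst, _ = _take_net(rest)
            current.append((m.group(1), src, dst))
    return acls

def nat_leaks(config, crypto="cryptoacl", nat="natacl"):
    """cryptoacl flows that natacl still translates: IOS NATs before the crypto
    map, so they never enter the tunnel. First match wins, whole entries only."""
    acls, leaks = parse_acls(config), []
    for _, src, dst in (e for e in acls.get(crypto, []) if e[0] == "permit"):
        for nat_action, nsrc, ndst in acls.get(nat, []):
            if src.subnet_of(nsrc) and dst.subnet_of(ndst):
                if nat_action == "permit":
                    leaks.append(f"{src} -> {dst}")
                break
    return leaks
```

Run it against the router's own `show run | section access-list` output after any change to either ACL; an empty result means every tunnel flow is excluded from NAT.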

