1. Overview

Secure connection is mandatory nowadays, almost each device provide security service ass additional to prevent threats or to create secure communication between endpoint. IP Security was defined in RFC 4301 and be standard for each vendor to implement in their device. However, inter-operability test must be done for assure the device can inter-working properly.

1.1 Strongswan

StrongSwan is an Open Source IPsec implementation. It was originally based on the discontinued FreeS/WAN project and the X.509 patch that we developed. In order to have a stable IPsec platform to base the extensions of the X.509 capability on, we decided to launch the strongSwan project in 2005. 
StrongSwan originally was designed for Linux, but has since been ported to Android, FreeBSD, Mac OS X, Windows and other platforms. The focus of strongSwan is on:
  1. Simplicity of configuration
  2. Strong encryption and authentication methods
  3. Powerful IPsec policies supporting large and complex VPN networks
  4. Modular design with great expandability

1.2 Integrated Service Adapter of Nokia 7750 SR

Nokia Integrated Service Adapters (ISAs) extend the level of networking functionality and processing capability for integrated services and applications on the Nokia 7750 Service Router (SR) and Nokia 7450 Ethernet Service Switch (ESS). – Nokia IP
Figure 1 - 7750 SR ISA Modul
With ISA extended module, it’s possible to run many value added service in existing 7750 SR without external appliance, because a single ISA equivalent to multiple external appliances, example: Application Assurance, L2TP Network Service (LNS), Carrier Grade Network Address Translation (CG-NAT) Services,   WLAN services, Virtualized Residential Gateway, IPSec services, IP tunneling services, Video services – RET and FCC.
IPSec Service running on MS-ISA, MS-ISA functions as a resource module for the system, providing encapsulation and (for IPSec) encryption functions. The IPSec encryption functions provided by the MS-ISA are applicable for many applications including: encrypted SDPs, video wholesale, site-to-site encrypted tunnel, and remote access VPN concentration. Below the architecture of IPSec implementation in 7750 SR using ISA

Figure 2 - IPSec Implementation Architecture
From the picture above, there are 2 typical networks are bridged by ISA, they are Public Network or called unsecure/untrusted network, and Private Network or called secure/trusted network. This network met 2 type of service in 7750 SR Box, one is public service that meet public network, and kind of service that implemented is VPRN or IES. Another one is private service that meet private network, VPRN is using for this service. Traffic from the public network may need to be authenticated and encrypted inside an IPSec tunnel to reach the private network. In this way, the authenticity, confidentiality, integrity of accessing the private network can be enforced.
ISA provides a variety of encryption features required to establish bi-directional IPSec tunnels including:
  • Control Plane:
    • Manual Keying
    • Dynamic Keying: IKEv1/v2
    • IKEv1 Mode: Main and Aggressive
    • Authentication: Pre-Shared-Key /xauth with RADIUS support/X.509v3 Certificate/EAP
    • Perfect Forward Secrecy (PFS)
    • DPD
    • NAT-Traversal
    • Security Policy
  • Data Plane:
    • ESP (with authentication) Tunnel mode
    • Authentication Algorithm: MD5/SHA1/SHA256/SHA384/SHA512/AES-XCBC
    • Encryption Algorithm: DES/3DES/AES128/AES192/AES256
    • DH-Group: 1/2/5/14/15
    • Anti-Replay Protection
    • N:M IPSec ISA card redundancy
ISA module has 2 logical port called virtual port, this port provide for public and private network, when ISA module acting as IP-tunnel modules.  There are two types of tunnel interfaces and SAPs:
  • Public tunnel interface: configured in the public service; outgoing tunnel packets have a source IP address in this subnet
  • Public tunnel SAP: associated with the public tunnel interface; a logical access point to the MS-ISA card in the public service
  • Private tunnel interface: configured in the private service; can be used to define the subnet for remote access IPSec clients.
  • Private tunnel SAP: associated with the private tunnel interface, a logical access point to the MS-ISA card in the private service
  • Flow traffic in ISA module:
  • Outbound Traffic, from private service instance, clear traffic forward to ISA module, then it’s encapsulated. Adding tunnel header then forward it from ISA module to public network using public interface in Public VPRN
  • Inbound Traffic, come from public network with encrypted, then the traffic forward it to ISA module. This module has responsibility to decrypt then forward the traffic to private service using private interface 

2. Test LAB

2.1 Topology, Interface, and Parameter Information

Below the topology that tested in LAB. There are 1 router 7750 SR with ISA module installed, and Strongswan server. 
Figure 3 - LAB Test Topology
The parameter information:
Figure 4 - Parameter Information

2.2 Configuration

Below configuration in Strongswan IPSec and 7750 SR

2.2.1. Configuration in 7750-SR

ISA module configuration
A:LAB-7750-SR7# configure card 5 mda 2 mda-type "isa-tunnel" 

ISA tunnel configuration
A:LAB-7750-SR7# configure isa tunnel-group 1 
A:LAB-7750-SR7>config>isa>tunnel-grp# info 
----------------------------------------------
            primary 5/2
            no shutdown
----------------------------------------------
A:LAB-7750-SR7>config>isa>tunnel-grp# 

IKE policy configuration
A:LAB-7750-SR7# configure ipsec ike-policy 1 
A:LAB-7750-SR7>config>ipsec>ike-policy# info 
----------------------------------------------
            ipsec-lifetime 10800
            isakmp-lifetime 21600
            dpd
----------------------------------------------
A:LAB-7750-SR7>config>ipsec>ike-policy#

ESP authentication and encryption algorithm
A:LAB-7750-SR7# configure ipsec ipsec-transform 1 
A:LAB-7750-SR7>config>ipsec>transform# info detail 
----------------------------------------------
            esp-auth-algorithm sha1
            esp-encryption-algorithm aes128
----------------------------------------------
A:LAB-7750-SR7>config>ipsec>transform#  

Public service configuration
A:LAB-7750-SR7# configure service vprn 3 
A:LAB-7750-SR7>config>service>vprn# info 
----------------------------------------------
            route-distinguisher 192.168.200.2:3
            interface "to-Internet" create
                address 10.1.0.1/30
                sap 5/1/3:100 create
                exit
            exit
            interface "Public-SecGW-7750-SR7" create
                address 10.2.0.2/30
                tos-marking-state untrusted
                sap tunnel-1.public:3 create
                exit
            exit
            static-route 10.3.0.0/30 next-hop 10.1.0.2
            service-name "Public-Net-SECGW"
            no shutdown
----------------------------------------------
A:LAB-7750-SR7>config>service>vprn# 

Private Service configuration
A:LAB-7750-SR7# configure service vprn 4 
A:LAB-7750-SR7>config>service>vprn# info 
----------------------------------------------
            ipsec
                security-policy 1 create
                    entry 1 create
                        local-ip 192.168.222.0/24
                        remote-ip 192.168.223.0/24
                    exit
                exit
            exit
            route-distinguisher 192.168.200.2:4
            interface "Strongswan-Interconnect" tunnel create
                sap tunnel-1.private:3 create
                    ipsec-tunnel "Strongswan-Interconnect" create
                        security-policy 1
                        local-gateway-address 10.2.0.1 peer 10.3.0.1 delivery-service 3
                        dynamic-keying
                            ike-policy 1
                            pre-shared-key "3k1Eb0el4d"
                            transform 1
                        exit
                        no shutdown
                    exit
                exit
            exit
            interface "Private-Client-1" create
                address 192.168.222.1/32
                loopback
            exit
            static-route 192.168.223.0/24 ipsec-tunnel "Strongswan-Interconnect"
            service-name "Private-Domain-SecGW"

2.2.2. Configuration in Strongswan

IP route to Security Gateway
[root@strongswan-achyarnurandidotnet-s1 ~]# cat /etc/sysconfig/network-scripts/route-Tunnel_to_SR7
ADDRESS0=10.1.0.0
NETMASK0=255.255.255.252
GATEWAY0=10.3.0.2
METRIC0=100
ADDRESS1=10.2.0.0
NETMASK1=255.255.255.252
GATEWAY1=10.3.0.2
METRIC1=10
[root@strongswan-achyarnurandidotnet-s1 ~]#

Enable Ipfowarding rules
sysctl -w net.ipv4.ip_forward=0

Ipsec.conf
[root@strongswan-achyarnurandidotnet-s1 ~]# cat /etc/strongswan/ipsec.conf
config setup

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret


conn strongswan-7750SR
        left=10.3.0.1
        leftsubnet=192.168.223.0/24
        leftid=10.3.0.1
        leftfirewall=yes
        esp=aes128-sha1
        ike=aes128-sha1-modp1024!
        right=10.2.0.1
        rightid=10.2.0.1
        rightsubnet=192.168.222.0/24
        auto=start
[root@strongswan-achyarnurandidotnet-s1 ~]#

Ipsec.secrets
[root@strongswan-achyarnurandidotnet-s1 ~]# cat /etc/strongswan/ipsec.secrets
# ipsec.secrets - strongSwan IPsec secrets file

10.3.0.1 10.2.0.1 : PSK 3k1Eb0el4d

[root@strongswan-achyarnurandidotnet-s1 ~]#

2.3 Validation

2.3.1. Validation in 7750-SR

ISA card and tunnel validation
A:LAB-7750-SR7# show mda 5/2

===============================================================================
MDA 5/2
===============================================================================
Slot  Mda   Provisioned Type                            Admin     Operational
                Equipped Type (if different)            State     State
-------------------------------------------------------------------------------
      2     isa-tunnel                                  up        up
                isa-ms                                                
===============================================================================
A:LAB-7750-SR7#

A:LAB-7750-SR7# show isa tunnel-group 1 

===============================================================================
ISA Tunnel Groups
===============================================================================
Tunnel    PrimaryIsa             BackupIsa    ActiveIsa    Admin     Oper
GroupId                                                    State     State
-------------------------------------------------------------------------------
1         5/2                    0/0          5/2          Up        Up
-------------------------------------------------------------------------------
No. of ISA Tunnel Groups: 1
===============================================================================
A:LAB-7750-SR7#

IKE policy 
A:LAB-7750-SR7# show ipsec ike-policy 1 

===============================================================================
IPsec IKE policy Configuration Detail
===============================================================================
Policy Id        : 1                    IKE Mode         : main
DH Group         : Group2               Auth Method      : psk
PFS              : False                PFS DH Group     : Group2
Auth Algorithm   : Sha1                 Encr Algorithm   : Aes128
ISAKMP Lifetime  : 21600                IPsec Lifetime   : 10800
NAT Traversal    : Disabled             
NAT-T Keep Alive : 0                    Behind NAT Only  : True
DPD              : Enabled              
DPD Interval     : 30                   DPD Max Retries  : 3
Description      : (Not Specified)
IKE Version      : 1                    Own Auth Method  : symmetric
Peer to Cert     : No-Match             
Relay Unsol Attr : (Not Specified)
Auto EAP Method  : cert                 Auto EAP Own     : cert
===============================================================================

ESP policy
A:LAB-7750-SR7# show ipsec transform 1  

=================================================================
IPsec Transforms
=================================================================
TransformId    EspAuthAlgorithm    EspEncryptionAlgorithm
-----------------------------------------------------------------
1              Sha1                Aes128
-----------------------------------------------------------------

VPRN Public
A:LAB-7750-SR7# show router 3 interface 

===============================================================================
Interface Table (Service: 3)
===============================================================================
Interface-Name                   Adm         Opr(v4/v6)  Mode    Port/SapId
   IP-Address                                                    PfxState
-------------------------------------------------------------------------------
Public-SecGW-7750-SR7            Up          Up/Down     VPRN    tunnel-1.publ*
   10.2.0.2/30                                                   n/a
to-Internet                      Up          Up/Down     VPRN    5/1/3:100
   10.1.0.1/30                                                   n/a
-------------------------------------------------------------------------------
Interfaces : 2
===============================================================================
* indicates that the corresponding row element may have been truncated.
A:LAB-7750-SR7# show router 3 route-table 

===============================================================================
Route Table (Service: 3)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric   
-------------------------------------------------------------------------------
10.1.0.0/30                                   Local   Local     03h24m39s  0
       to-Internet                                                  0
10.2.0.0/30                                   Local   Local     03h24m39s  0
       Public-SecGW-7750-SR7                                        0
10.3.0.0/30                                   Remote  Static    03h24m39s  5
       10.1.0.2                                                     1
-------------------------------------------------------------------------------
No. of Routes: 3
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
===============================================================================
A:LAB-7750-SR7# ping router 3 10.3.0.1 count 5        
PING 10.3.0.1 56 data bytes
64 bytes from 10.3.0.1: icmp_seq=1 ttl=63 time=0.689ms.
64 bytes from 10.3.0.1: icmp_seq=2 ttl=63 time=0.729ms.
64 bytes from 10.3.0.1: icmp_seq=3 ttl=63 time=0.633ms.
64 bytes from 10.3.0.1: icmp_seq=4 ttl=63 time=0.619ms.
64 bytes from 10.3.0.1: icmp_seq=5 ttl=63 time=7.99ms.

---- 10.3.0.1 PING Statistics ----
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min = 0.619ms, avg = 2.13ms, max = 7.99ms, stddev = 2.93ms
A:LAB-7750-SR7# 

VPRN Private
A:LAB-7750-SR7# show router 4 interface 

===============================================================================
Interface Table (Service: 4)
===============================================================================
Interface-Name                   Adm         Opr(v4/v6)  Mode    Port/SapId
   IP-Address                                                    PfxState
-------------------------------------------------------------------------------
Private-Client-1                 Up          Up/Down     VPRN    loopback
   192.168.222.1/32                                              n/a
Strongswan-Interconnect          Up          Up/Down     VPRN I* tunnel-1.priv*
   -                                                             -
-------------------------------------------------------------------------------
Interfaces : 2
===============================================================================
* indicates that the corresponding row element may have been truncated.
A:LAB-7750-SR7# show router 4 route-table 

===============================================================================
Route Table (Service: 4)
===============================================================================
Dest Prefix[Flags]                            Type    Proto     Age        Pref
      Next Hop[Interface Name]                                    Metric   
-------------------------------------------------------------------------------
192.168.222.1/32                              Local   Local     03h46m49s  0
       Private-Client-1                                             0
192.168.223.0/24                              Remote  Static    03h20m31s  5
       Strongswan-Interconnect (IPsec Tunnel)(Stron*"               1
-------------------------------------------------------------------------------
No. of Routes: 2
Flags: n = Number of times nexthop is repeated
       B = BGP backup route available
       L = LFA nexthop available
       S = Sticky ECMP requested
===============================================================================
* indicates that the corresponding row element may have been truncated.

Tunnel information 
A:LAB-7750-SR7# show ipsec tunnel 

===============================================================================
IPsec Tunnels
===============================================================================
TunnelName                       LocalAddress      SvcId        Admn   Keying
  SapId                            RemoteAddress     DlvrySvcId   Oper   Sec
                                                                         Plcy
-------------------------------------------------------------------------------
Strongswan-Interconnect          10.2.0.1          4            Up     Dynamic
  tunnel-1.private:3               10.3.0.1          3            Up     1
-------------------------------------------------------------------------------
IPsec Tunnels: 5
===============================================================================
A:LAB-7750-SR7# show ipsec tunnel
tunnel           tunnel-template
A:LAB-7750-SR7# show ipsec tunnel "Strongswan-Interconnect" 

===============================================================================
IPsec Tunnel Configuration Detail
===============================================================================
Service Id       : 4                    Sap Id           : tunnel-1.private:3
Tunnel Name      : Strongswan-Interconnect
Description      : None
Local Address    : 10.2.0.1
Remote Address   : 10.3.0.1
Delivery Service : 3                    Security Policy  : 1
Admin State      : Up                   Oper State       : Up
Last Oper Change : 05/30/2016 19:43:25  
Keying Type      : Dynamic              Replay Window    : None
Match TrustAnchor: N/A
TrustAnchor      : N/A                  
Cert File        : (Not Specified)
Key File         : (Not Specified)
Local Id Type    : none                 
Clear DF Bit     : false                IP MTU           : max
Pkt Too Big      : true                 Encap IP MTU     : max
Pkt Too Big Num  : 100                  Pkt Too Big Intvl: 10 secs
Oper Flags       : None
Host MDA         : 5/2                  

-------------------------------------------------------------------------------
Target Address Table
-------------------------------------------------------------------------------
Destination IP                          IP Resolved Status
-------------------------------------------------------------------------------
No Entries Found
-------------------------------------------------------------------------------
 
-------------------------------------------------------------------------------
BFD Interface
-------------------------------------------------------------------------------
BFD Designate    : no                   

-------------------------------------------------------------------------------
Dynamic Keying Parameters
-------------------------------------------------------------------------------
Transform Id1    : 1                    Transform Id2    : None
Transform Id3    : None                 Transform Id4    : None
Ike Policy Id    : 1                    Auto Establish   : disabled
Pre Shared Key   : 3k1Eb0el4d         

Certificate Status Verify
-------------------------------------------------------------------------------
Primary          : crl                  Secondary        : none
Default Result   : revoked              


-------------------------------------------------------------------------------
ISAKMP-SA
-------------------------------------------------------------------------------
State            : Up                   
Established      : 05/30/2016 19:43:26  Lifetime         : 3600
Expires          : 05/30/2016 20:43:26  

ISAKMP Statistics
--------------------
Tx Packets       : 45                   Rx Packets       : 49
Tx Errors        : 0                    Rx Errors        : 0
Tx DPD           : 40                   Rx DPD           : 0
Tx DPD ACK       : 0                    Rx DPD ACK       : 40
DPD Timeouts     : 0                    Rx DPD Errors    : 0

-------------------------------------------------------------------------------
IPsec-SA : 1, Inbound (index 2)
-------------------------------------------------------------------------------
Type             : Dynamic              
SPI              : 322566               
Auth Algorithm   : Sha1                 Encr Algorithm   : Aes128
Installed        : 05/30/2016 19:58:47  Lifetime         : 1200

Aggregate Statistics
--------------------
Bytes Processed  : 1344                 Packets Processed: 16
Crypto Errors    : 0                    Replay Errors    : 0
SA Errors        : 0                    Policy Errors    : 0

-------------------------------------------------------------------------------
IPsec-SA : 1, Outbound (index 1)
-------------------------------------------------------------------------------
Type             : Dynamic              
SPI              : 3283292661           
Auth Algorithm   : Sha1                 Encr Algorithm   : Aes128
Installed        : 05/30/2016 19:58:47  Lifetime         : 1200
                                      
Aggregate Statistics
--------------------
Bytes Processed  : 2184                 Packets Processed: 26
Crypto Errors    : 0                    Replay Errors    : 0
SA Errors        : 0                    Policy Errors    : 0

===============================================================================
Fragmentation Statistics
===============================================================================
Encapsulation Overhead                 : 73
Pre-Encapsulation
    Fragmentation Count                : 0
    Last Fragmented Packet Size        : 0
Post-Encapsulation
    Fragmentation Count                : 0
    Last Fragmented Packet Size        : 0
===============================================================================
===============================================================================
A:LAB-7750-SR7#  

2.2.2. Validation in Strongswan

IP Route
[root@strongswan-achyarnurandidotnet-s1 ~]# ip route
default via 10.3.0.2 dev enp0s9  proto static  metric 100
10.0.2.0/30 dev enp0s8  proto kernel  scope link  src 10.0.2.1  metric 100
10.2.0.0/30 via 10.3.0.2 dev enp0s9  proto static  metric 10
10.3.0.0/30 dev enp0s9  proto kernel  scope link  src 10.3.0.1  metric 100
192.168.223.0/24 dev enp0s3  proto kernel  scope link  src 192.168.223.101  metric 100

[root@strongswan-achyarnurandidotnet-s1 ~]# ping 10.2.0.1 -c 5
PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data.
64 bytes from 10.2.0.1: icmp_seq=1 ttl=62 time=10.9 ms
64 bytes from 10.2.0.1: icmp_seq=2 ttl=62 time=19.3 ms
64 bytes from 10.2.0.1: icmp_seq=3 ttl=62 time=17.1 ms
64 bytes from 10.2.0.1: icmp_seq=4 ttl=62 time=15.5 ms
64 bytes from 10.2.0.1: icmp_seq=5 ttl=62 time=13.4 ms

--- 10.2.0.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4007ms
rtt min/avg/max/mdev = 10.905/15.295/19.358/2.922 ms
[root@strongswan-achyarnurandidotnet-s1 ~]#

Strongswan status
[root@strongswan-achyarnurandidotnet-s1 ~]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.3.2, Linux 3.10.0-327.18.2.el7.x86_64, x86_64):
  uptime: 3 minutes, since May 30 08:47:49 2016
  malloc: sbrk 1593344, mmap 0, used 458784, free 1134560
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac ctr ccm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp
Listening IP addresses:
  192.168.223.101
  10.0.2.1
  10.3.0.1
Connections:
strongswan-7750SR:  10.3.0.1...10.2.0.1  IKEv1
strongswan-7750SR:   local:  [10.3.0.1] uses pre-shared key authentication
strongswan-7750SR:   remote: [10.2.0.1] uses pre-shared key authentication
strongswan-7750SR:   child:  192.168.223.0/24 === 192.168.222.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
strongswan-7750SR[1]: ESTABLISHED 3 minutes ago, 10.3.0.1[10.3.0.1]...10.2.0.1[10.2.0.1]
strongswan-7750SR[1]: IKEv1 SPIs: 2eb3603cf4ec87d9_i* c2bbb779a3cc5cdb_r, pre-shared key reauthentication in 50 minutes
strongswan-7750SR[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
strongswan-7750SR{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cf585cad_i 00070b3e_o
strongswan-7750SR{1}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 11 minutes
strongswan-7750SR{1}:   192.168.223.0/24 === 192.168.222.0/24
[root@strongswan-achyarnurandidotnet-s1 ~]#

Ip xfrm state
[root@strongswan-achyarnurandidotnet-s1 ~]#  ip -s xfrm state
src 10.3.0.1 dst 10.2.0.1
        proto esp spi 0x00070b3e(461630) reqid 1(0x00000001) mode tunnel
        replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
        auth-trunc hmac(sha1) 0xbea2db15e8a524f5383a3178eddc9d4283b85869 (160 bits) 96
        enc cbc(aes) 0x346b0bc307800505395676db7d125628 (128 bits)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 994(sec), hard 1200(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2016-05-30 08:47:50 use -
        stats:
          replay-window 0 replay 0 failed 0
src 10.2.0.1 dst 10.3.0.1
        proto esp spi 0xcf585cad(3478674605) reqid 1(0x00000001) mode tunnel
        replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
        auth-trunc hmac(sha1) 0x7cdae981dad7bb11d948764fb49cb79bc30279bb (160 bits) 96
        enc cbc(aes) 0x8fbc00264591c8555b20af85191d778e (128 bits)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 922(sec), hard 1200(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2016-05-30 08:47:50 use -
        stats:
          replay-window 0 replay 0 failed 0
[root@strongswan-achyarnurandidotnet-s1 ~]#

Ip route table list 220
[root@strongswan-achyarnurandidotnet-s1 ~]# ip route list table 220
192.168.222.0/24 via 10.3.0.2 dev enp0s9  proto static  src 192.168.223.101
[root@strongswan-achyarnurandidotnet-s1 ~]#

Snip packet Information
Figure 5 - ISAKMP Packet Capture

Figure 6 - ESP Packet Capture
Below, the documentation video about this lab.

3. Reference

  1. Nokia. 2016. 7450 ESS and 7750 SR Multiservice Integrated Service Adapter Guide
  2. Linux foundation. iproute2. http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2  (Accessed: 21 March 2016)
  3. Strongswan. About Strongswan. https://www.strongswan.org/about.html (Accessed: 2 January 2016)S
  4. Strongswan. Strongswan IKEv1 Cipher Suites. https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites . (Accessed: 2 January 2016)