From: <ee...@fr...> - 2006-10-11 06:17:35
LoSpippolo wrote:
> Sorry for my english.
>
> Can anyone explain me if it's possible and how to connect a devil linux machine to a cisco router with ipsec connection ?

Hi,

I had a little experience with it, as I had to establish a VPN between a Devil Box and a Cisco hosted somewhere by a network manager for a big medical imaging company, to allow them to do some remote operations on their systems. So I clearly had to adapt the ipsec config to their settings ... and can't help at all for the IOS part of the config.

Here are some tips:

Encryption level ESP: 3DES
Hash Algorithm: AH, MD5
Security association lifetime (seconds): 3600
Encryption Mode: Tunnel
Default Parameter setting: Compression Off, Vendor ID Off
Authentication Method: Shared key
Shared Key name: YouRShaRedSeCReTWithCompl1CaTEDStrin6!

and so the FreeS/WAN config looks like:

--
# /etc/ipsec.conf - Openswan IPsec configuration file

# basic configuration
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=all
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Don't wait for pluto to complete every plutostart before continuing
        plutowait=no
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

# Defaults for all connection descriptions
conn %default
        keyingtries=0

# Tunnel definition
conn MySite2RemoteAdmin
        # My fixed public IP on the Devil Box (from pppoe to my ISP)
        left=123.456.123.456
        leftnexthop=%defaultroute
        # My internal LAN address space
        leftsubnet=192.168.0.0/16
        # The fixed public IP of the first routing device to the remote network
        right=456.789.456.789
        rightnexthop=%defaultroute
        # Remote network address space
        rightsubnet=10.1.1.0/24
        # To initiate this connection automatically at startup,
        # we had to use shared secret authentication, see /etc/ipsec.secrets
        authby=secret
        type=tunnel
        keyexchange=ike
        keyingtries=0
        # We use ESP, not AH, so let IKE (UDP port 500) pass the FW rules,
        # as well as IP protocol 50 (ESP)
        auth=esp
        # Seem to be the good ciphers to let freeswan talk with Cisco IOS
        esp=3des-md5-96
        ike=3des-md5-96
        pfs=no
        keylife=8h
        ikelifetime=86400
        auto=add
--

# /etc/ipsec.secrets - Openswan IPsec secrets configuration file
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".
#: RSA {
#       # -- not filled in because ipsec.secrets existed at build time --
#       }
# do not change the indenting of that "}"

123.456.123.456 456.789.456.789 : PSK "YouRShaRedSeCReTWithCompl1CaTEDStrin6!"
--

You also had to define rules in the FW script to allow or not traffic between the two remote internal LAN spaces (192.168.0.0/16 and 10.1.1.0/24 in my example).

As I use Shorewall, I had to create an interface vpn0, a zone, policy and rules associated with that network as if it was physically plugged into an ethernet device on my DL Box.

The only specific thing is (with Shorewall) to add a line like this in the /etc/shorewall/tunnels:

--
# TYPE          ZONE    GATEWAY         GATEWAY
#                                       ZONE
ipsec           net0    456.789.456.789
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--

net0 is the zone I defined for the external DL Box interface ppp0: the internet.

In the policy and rules files, I use ipsec0 as interface and 10.1.1.0/24 as interface / LAN addresses to qualify traffic allowed or not.

For the IOS part of the config, google is your friend ;-)

Hope you'll manage to do something with all this ...

MaNU
--
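For readers who need the other end of this tunnel, here is an IOS-side counterpart to the parameters MaNU lists (3DES, MD5, pre-shared key, tunnel mode, 3600 s SA lifetime, 86400 s IKE lifetime, no PFS). It is an added example, not part of the message above and not tested against the poster's router; the interface name, the access-list number, the crypto-map and transform-set names, and the DH group 2 are assumptions, since the page does not state them. Addresses and the key are the placeholders used in the message.

```cisco
! ISAKMP (IKE phase 1) policy: the IOS side of ike=3des-md5, authby=secret
! and ikelifetime=86400 in the Openswan config above.
! "group 2" (1024-bit MODP) is an assumption; the message does not give a DH group.
crypto isakmp policy 10
 encryption 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 86400
!
! Pre-shared key, bound to the Devil Box public address (the left= value).
crypto isakmp key YouRShaRedSeCReTWithCompl1CaTEDStrin6! address 123.456.123.456
!
! IPsec (phase 2) transform set: ESP with 3DES and HMAC-MD5-96 in tunnel mode,
! matching esp=3des-md5-96 and type=tunnel. No "set pfs" in the map because pfs=no.
crypto ipsec transform-set DL-TS esp-3des esp-md5-hmac
 mode tunnel
!
! Crypto map: peer is the Devil Box; ACL 101 selects the traffic to protect.
! 3600 s is the "Security association lifetime" listed in the message.
crypto map DL-MAP 10 ipsec-isakmp
 set peer 123.456.123.456
 set transform-set DL-TS
 set security-association lifetime seconds 3600
 match address 101
!
! Mirror image of leftsubnet/rightsubnet: local 10.1.1.0/24 to remote 192.168.0.0/16
! (IOS ACLs use wildcard masks, so /24 is 0.0.0.255 and /16 is 0.0.255.255).
access-list 101 permit ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.255.255
!
! Apply the map on the router's outside interface (interface name is an assumption).
interface FastEthernet0/0
 crypto map DL-MAP
```

To check that both phases came up, `show crypto isakmp sa` and `show crypto ipsec sa` on the router, and `ipsec auto --status` on the Openswan box, should show an established SA for the 123.456.123.456 / 456.789.456.789 pair. The proposal (encryption, hash, DH group, lifetimes, PFS on or off) must agree on both sides; a mismatch typically shows up in Pluto's log as "no acceptable Oakley Transform" or "no acceptable Proposal". 3DES, MD5 and pfs=no are the 2006-era settings the message describes; current Openswan/Libreswan and IOS releases default to AES and SHA-2 and to PFS enabled, and those are the values to pick on a new deployment.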