From: Zach Bagnall <zach.bagnall@bulletinwireless.com>
To: lartc@vger.kernel.org
Subject: [LARTC] IPSec tunnel mode with IKE daemon
Date: Fri, 22 Oct 2004 02:51:55 +0000 [thread overview]
Message-ID: <417875CB.9000603@bulletinwireless.com> (raw)
Hi all.
The IPSec part of the LARTC howto is great, but I've hit a problem in
7.3. IPSEC tunnels. The example given is for manual keying:
add 10.0.0.216 10.0.0.11 esp 34501
-m tunnel
-E 3des-cbc "123456789012123456789012";
How does one set up "tunnel mode" using racoon?
Trying to set up an ipsec tunnel between two subnets: 10.10.42.0/24 and
10.1.1.0/24 using a cisco router "ned" and a linux box "phaedrus".
ned has external IP 192.168.1.250
phaedrus has external IP 192.168.1.42
10.10.42.0/24[ned]192.168.1.250 <==> 192.168.1.42[phaedrus]10.1.1.0/24
setkey on phaedrus:
flush;
spdflush;
spdadd 10.10.42.0/24 10.1.1.0/24 any -P in ipsec
esp/tunnel/192.168.1.250-192.168.1.42/require
ah/tunnel/192.168.1.250-192.168.1.42/require;
spdadd 10.1.1.0/24 10.10.42.0/24 any -P out ipsec
esp/tunnel/192.168.1.42-192.168.1.250/require
ah/tunnel/192.168.1.42-192.168.1.250/require;
racoon.conf on phaedrus:
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 192.168.1.250
{
exchange_mode aggressive,main;
doi ipsec_doi;
situation identity_only;
my_identifier address;
lifetime time 2 min; # sec,min,hour
initial_contact on;
proposal_check obey; # obey, strict or claim
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
sainfo anonymous
{
pfs_group 2;
lifetime time 2 min;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
relevant ios config on ned:
hostname ned
!
crypto isakmp policy 10
encryption 3des
hash sha
authentication pre-share
group 2
!
crypto isakmp key 123456asdf address 192.168.1.42 no-xauth
!
crypto ipsec transform-set phaedrus_transform ah-sha-hmac esp-3des esp-sha-hmac
mode tunnel
!
crypto map vpnmap 10 ipsec-isakmp
set peer 192.168.1.42
set transform-set phaedrus_transform
match address 110
!
access-list 110 permit ip 10.10.42.0 0.0.0.255 10.1.1.0 0.0.0.255
!
interface ethernet 1
ip address 192.168.1.250 255.255.255.0
crypto map vpnmap
!
When I try to ping between the two subnets, from either direction, the
packets go out via the routers' respective default routes instead of via
the VPN.
Zach.
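A small consistency check for the setkey SPD shown above, added here as example code (not from the original post or the LARTC howto): it parses the spdadd entries and verifies that every inbound tunnel policy has a mirror-image outbound policy (subnets swapped, tunnel gateways swapped). It also runs a constructed counter-example in which the outbound gateways were copied from the inbound entry, a mistake that leaves the kernel with no matching policy so packets go out unprotected.

```python
"""Added example (not the author's code): check that setkey SPD tunnel
policies come in mirrored in/out pairs.  Unmatched traffic hits no SPD
entry and is simply routed in the clear, which looks like 'bypasses the VPN'."""
import re
from ipaddress import ip_address, ip_network

SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+(.*?);", re.S)
PROTO_RE = re.compile(r"(esp|ah)/tunnel/([0-9a-fA-F.:]+)-([0-9a-fA-F.:]+)/(\w+)")

def parse_spd(text):
    """Parse spdadd lines into dicts; tunnels are (proto, src_gw, dst_gw, level)."""
    policies = []
    for src, dst, upper, direction, rest in SPD_RE.findall(text):
        tunnels = [(p, ip_address(a), ip_address(b), lvl)
                   for p, a, b, lvl in PROTO_RE.findall(rest)]
        policies.append({"src": ip_network(src), "dst": ip_network(dst),
                         "upper": upper, "dir": direction, "tunnels": tunnels})
    return policies

def check_mirror(policies):
    """Return problems found; an empty list means every 'in' has a mirrored 'out'."""
    problems = []
    outs = [p for p in policies if p["dir"] == "out"]
    for p in (q for q in policies if q["dir"] == "in"):
        mirror = [o for o in outs if o["src"] == p["dst"] and o["dst"] == p["src"]
                  and o["upper"] == p["upper"]]
        if not mirror:
            problems.append(f"no outbound policy mirrors {p['src']} -> {p['dst']}")
            continue
        want = [(t[0], t[2], t[1], t[3]) for t in p["tunnels"]]  # swap gateways
        if mirror[0]["tunnels"] != want:
            problems.append(f"tunnel endpoints not mirrored for {p['src']} -> {p['dst']}")
    return problems

# The SPD from the post (phaedrus side), as text.
PHAEDRUS_SPD = """
spdadd 10.10.42.0/24 10.1.1.0/24 any -P in ipsec
esp/tunnel/192.168.1.250-192.168.1.42/require
ah/tunnel/192.168.1.250-192.168.1.42/require;
spdadd 10.1.1.0/24 10.10.42.0/24 any -P out ipsec
esp/tunnel/192.168.1.42-192.168.1.250/require
ah/tunnel/192.168.1.42-192.168.1.250/require;
"""
# Constructed counter-example: outbound gateways copied from the inbound entry.
BROKEN_SPD = PHAEDRUS_SPD.replace("192.168.1.42-192.168.1.250",
                                  "192.168.1.250-192.168.1.42")

if __name__ == "__main__":
    print(check_mirror(parse_spd(PHAEDRUS_SPD)) or "SPD is consistent")
    print(check_mirror(parse_spd(BROKEN_SPD)))
```

The same mirroring rule applies to the peer side: the Cisco access-list 110 above must describe the reverse of phaedrus' outbound policy, which it does.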