* [LARTC] IPSec tunnel mode with IKE daemon
@ 2004-10-22  2:51 Zach Bagnall
  0 siblings, 0 replies; only message in thread
From: Zach Bagnall @ 2004-10-22  2:51 UTC (permalink / raw)
  To: lartc


Hi all.

The IPSec part of the LARTC howto is great, but I've hit a problem in 
7.3. IPSEC tunnels. The example given is for manual keying:

add 10.0.0.216 10.0.0.11 esp 34501
	-m tunnel
	-E 3des-cbc "123456789012123456789012";

How does one set up "tunnel mode" using racoon?



Trying to set up an ipsec tunnel between two subnets: 10.10.42.0/24 and 
10.1.1.0/24 using a cisco router "ned" and a linux box "phaedrus".

ned has external IP 192.168.1.250
phaedrus has external IP 192.168.1.42

10.10.42.0/24[ned]192.168.1.250 <==> 192.168.1.42[phaedrus]10.1.1.0/24


setkey on phaedrus:

flush;
spdflush;

# inbound: ned's LAN -> phaedrus's LAN; ESP and AH both required, tunnelled
# between the two outside addresses (ned 192.168.1.250, phaedrus 192.168.1.42)
spdadd 10.10.42.0/24 10.1.1.0/24 any -P in ipsec
         esp/tunnel/192.168.1.250-192.168.1.42/require
         ah/tunnel/192.168.1.250-192.168.1.42/require;

# outbound: phaedrus's LAN -> ned's LAN, same bundle with the endpoints reversed
spdadd 10.1.1.0/24 10.10.42.0/24 any -P out ipsec
         esp/tunnel/192.168.1.42-192.168.1.250/require
         ah/tunnel/192.168.1.42-192.168.1.250/require;

racoon.conf on phaedrus:

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote 192.168.1.250
{
         exchange_mode aggressive,main;
         doi ipsec_doi;
         situation identity_only;

         my_identifier address;

         lifetime time 2 min;   # sec,min,hour
         initial_contact on;
         proposal_check obey;    # obey, strict or claim

         proposal {
                 encryption_algorithm 3des;
                 hash_algorithm sha1;
                 authentication_method pre_shared_key;
                 dh_group 2;
         }
}

sainfo anonymous
{
         pfs_group 2;
         lifetime time 2 min;
         encryption_algorithm 3des;
         authentication_algorithm hmac_sha1;
         compression_algorithm deflate;
}


relevant ios config on ned:

hostname ned
!
crypto isakmp policy 10
  encryption 3des
  hash sha
  authentication pre-share
  group 2
!
crypto isakmp key 123456asdf address 192.168.1.42 no-xauth
!
crypto ipsec transform-set phaedrus_transform ah-sha-hmac esp-3des esp-sha-hmac
  mode tunnel
!
crypto map vpnmap 10 ipsec-isakmp
  set peer 192.168.1.42
  set transform-set phaedrus_transform
  match address 110
!
access-list 110 permit ip 10.10.42.0 0.0.0.255 10.1.1.0 0.0.0.255
!
interface ethernet 1
  ip address 192.168.1.250 255.255.255.0
  crypto map vpnmap
!

When I try to ping between the two subnets, from either direction, the 
packets go out via the routers' respective default routes instead of via 
the VPN.

Zach.

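Added example, not part of Zach's post: a small Python checker that parses the setkey SPD and the IOS crypto map above and confirms that the two sides are mirror images of each other (selectors reversed, tunnel endpoints swapped, the same AH+ESP bundle in the same mode). A peer whose phase 2 proposal disagrees on any of these will refuse the SA, so this is worth verifying before reading racoon's debug output. The parsers only understand the statement shapes that appear in the post, and the check assumes a single crypto-ACL line; both are my assumptions, not a setkey or IOS grammar.

```python
"""Added example (not from the original post): cross-check a Linux setkey SPD
against the Cisco IOS crypto map it must mirror. The parsers understand only
the statement shapes used in the post (an assumption, not a full grammar)."""
import ipaddress
import re

# Constructed sample input: the phaedrus SPD and ned's IOS config from the post.
SETKEY_SPD = """
spdadd 10.10.42.0/24 10.1.1.0/24 any -P in ipsec
         esp/tunnel/192.168.1.250-192.168.1.42/require
         ah/tunnel/192.168.1.250-192.168.1.42/require;
spdadd 10.1.1.0/24 10.10.42.0/24 any -P out ipsec
         esp/tunnel/192.168.1.42-192.168.1.250/require
         ah/tunnel/192.168.1.42-192.168.1.250/require;
"""
IOS_CONFIG = """
crypto ipsec transform-set phaedrus_transform ah-sha-hmac esp-3des esp-sha-hmac
  mode tunnel
crypto map vpnmap 10 ipsec-isakmp
  set peer 192.168.1.42
  set transform-set phaedrus_transform
  match address 110
access-list 110 permit ip 10.10.42.0 0.0.0.255 10.1.1.0 0.0.0.255
interface ethernet 1
  ip address 192.168.1.250 255.255.255.0
  crypto map vpnmap
"""
# proto/mode/[src-dst]/level, e.g. esp/tunnel/192.168.1.42-192.168.1.250/require
REQ = re.compile(r"^(esp|ah|ipcomp)/(tunnel|transport)/(?:([\d.]+)-([\d.]+))?/(\w+)$")


def parse_spd(text):
    """One dict per spdadd statement; other statements (flush, add, ...) are skipped."""
    policies = []
    for stmt in text.split(";"):
        t = stmt.split()  # spdadd <src> <dst> <upperspec> -P <dir> ipsec <request>...
        if not t or t[0] != "spdadd":
            continue
        reqs = []
        for r in t[7:]:
            m = REQ.match(r)
            if not m:
                raise ValueError("unsupported ipsec request: " + r)
            proto, mode, tsrc, tdst, level = m.groups()
            reqs.append({"proto": proto, "mode": mode, "level": level,
                         "src": ipaddress.ip_address(tsrc) if tsrc else None,
                         "dst": ipaddress.ip_address(tdst) if tdst else None})
        policies.append({"src": ipaddress.ip_network(t[1]), "dst": ipaddress.ip_network(t[2]),
                         "dir": t[5], "reqs": reqs})
    return policies


def parse_ios(text):
    """Transform-set, crypto map peer and ACL, and the address of the interface the map is on."""
    cfg = {"transforms": set(), "mode": None, "peer": None, "acl_id": None, "acl": {}, "outer": None}
    cur_ip = None
    for t in filter(None, map(str.split, text.splitlines())):
        if t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transforms"] = set(t[4:])
        elif t[0] == "mode":
            cfg["mode"] = t[1]
        elif t[:2] == ["set", "peer"]:
            cfg["peer"] = ipaddress.ip_address(t[2])
        elif t[:2] == ["match", "address"]:
            cfg["acl_id"] = t[2]
        elif t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            # IOS ACLs carry wildcard (host) masks; ipaddress accepts "net/hostmask".
            cfg["acl"].setdefault(t[1], []).append(
                (ipaddress.ip_network(f"{t[4]}/{t[5]}"), ipaddress.ip_network(f"{t[6]}/{t[7]}")))
        elif t[:2] == ["ip", "address"]:
            cur_ip = ipaddress.ip_address(t[2])
        elif t[:2] == ["crypto", "map"] and len(t) == 3 and cur_ip is not None:
            cfg["outer"] = cur_ip  # "crypto map <name>" under an interface applies it there
    return cfg


def cross_check(spd_text, ios_text):
    """Return the mismatches found; an empty list means the two sides mirror each other."""
    ios = parse_ios(ios_text)
    entries = ios["acl"].get(ios["acl_id"], [])
    if not entries:
        return ["crypto map does not reference a 'permit ip' ACL entry"]
    ios_local, ios_remote = entries[0]  # assumption: a single crypto ACL line
    ios_protos = {name.split("-")[0] for name in ios["transforms"]}  # ah-sha-hmac -> ah
    problems = []
    for p in parse_spd(spd_text):
        # Linux 'out' traffic is Linux LAN -> Cisco LAN, i.e. the Cisco ACL read backwards.
        want = (ios_remote, ios_local) if p["dir"] == "out" else (ios_local, ios_remote)
        if (p["src"], p["dst"]) != want:
            problems.append(f"{p['dir']} selector {p['src']}->{p['dst']} does not mirror ACL {ios_local}->{ios_remote}")
        protos = {r["proto"] for r in p["reqs"]}
        if protos != ios_protos:
            problems.append(f"{p['dir']} policy requests {sorted(protos)}, transform-set offers {sorted(ios_protos)}")
        for r in p["reqs"]:
            if r["mode"] != ios["mode"]:
                problems.append(f"{p['dir']} {r['proto']} is {r['mode']} mode, IOS is {ios['mode']}")
            local, remote = (r["src"], r["dst"]) if p["dir"] == "out" else (r["dst"], r["src"])
            if (local, remote) != (ios["peer"], ios["outer"]):
                problems.append(f"{p['dir']} {r['proto']} endpoints {local}-{remote} != IOS peer {ios['peer']}/outside {ios['outer']}")
    return problems


if __name__ == "__main__":
    print(cross_check(SETKEY_SPD, IOS_CONFIG) or "consistent")
```

Run as-is it reports the two configs in the post as consistent; editing one side (dropping ah-sha-hmac from the transform-set, or changing a subnet in access-list 110) makes cross_check return one message per affected policy, which is the same information a "no proposal chosen" or "INVALID_ID_INFORMATION" from the peer would give you, only before IKE is involved.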
