Linux Advanced Routing and Traffic Control list
From: Zach Bagnall <zach.bagnall@bulletinwireless.com>
To: lartc@vger.kernel.org
Subject: [LARTC] IPSec tunnel mode with IKE daemon
Date: Fri, 22 Oct 2004 02:51:55 +0000
Message-ID: <417875CB.9000603@bulletinwireless.com>


Hi all.

The IPSec part of the LARTC howto is great, but I've hit a problem in 
7.3. IPSEC tunnels. The example given is for manual keying:

add 10.0.0.216 10.0.0.11 esp 34501
	-m tunnel
	-E 3des-cbc "123456789012123456789012";

How does one set up "tunnel mode" using racoon?

Trying to set up an IPSec tunnel between two subnets: 10.10.42.0/24 and 
10.1.1.0/24 using a Cisco router "ned" and a Linux box "phaedrus".

ned has external IP 192.168.1.250
phaedrus has external IP 192.168.1.42

10.10.42.0/24[ned]192.168.1.250 <==> 192.168.1.42[phaedrus]10.1.1.0/24


setkey on phaedrus:

flush;
spdflush;

spdadd 10.10.42.0/24 10.1.1.0/24 any -P in ipsec
         esp/tunnel/192.168.1.250-192.168.1.42/require
         ah/tunnel/192.168.1.250-192.168.1.42/require;

spdadd 10.1.1.0/24 10.10.42.0/24 any -P out ipsec
         esp/tunnel/192.168.1.42-192.168.1.250/require
         ah/tunnel/192.168.1.42-192.168.1.250/require;

racoon.conf on phaedrus:

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote 192.168.1.250
{
         exchange_mode aggressive,main;
         doi ipsec_doi;
         situation identity_only;

         my_identifier address;

         lifetime time 2 min;   # sec,min,hour
         initial_contact on;
         proposal_check obey;    # obey, strict or claim

         proposal {
                 encryption_algorithm 3des;
                 hash_algorithm sha1;
                 authentication_method pre_shared_key;
                 dh_group 2;
         }
}

sainfo anonymous
{
         pfs_group 2;
         lifetime time 2 min;
         encryption_algorithm 3des;
         authentication_algorithm hmac_sha1;
         compression_algorithm deflate;
}


relevant ios config on ned:

hostname ned
!
crypto isakmp policy 10
  encryption 3des
  hash sha
  authentication pre-share
  group 2
!
crypto isakmp key 123456asdf address 192.168.1.42 no-xauth
!
crypto ipsec transform-set phaedrus_transform ah-sha-hmac esp-3des esp-sha-hmac
  mode tunnel
!
crypto map vpnmap 10 ipsec-isakmp
  set peer 192.168.1.42
  set transform-set phaedrus_transform
  match address 110
!
access-list 110 permit ip 10.10.42.0 0.0.0.255 10.1.1.0 0.0.0.255
!
interface ethernet 1
  ip address 192.168.1.250 255.255.255.0
  crypto map vpnmap
!

When I try to ping between the two subnets, from either direction, the 
packets go out via the routers' respective default routes instead of via 
the VPN.

Zach.

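As an added worked example (not part of the original message, and not code from the LARTC HOWTO, racoon or Cisco), the following Python script cross-checks the two configurations quoted above the way an interop review would: it parses the setkey spdadd statements, converts the IOS wildcard-mask crypto ACL to CIDR, verifies that the selectors are mirror images, that the AH+ESP transform-set is reflected in both SPD policies and that the tunnel endpoints are the two peers, and finally shows which source addresses a ping from phaedrus must carry before any SPD entry covers it at all. The input strings are constructed from the post; all function and variable names are the example's own.

```python
"""Cross-check a Linux setkey SPD against the Cisco IOS side of one tunnel.

Added example, not code from the original post, the LARTC HOWTO or racoon.
The SPD text, ACL line and transform-set line are constructed from the
configs quoted in the post; every name below is the example's own.
"""
import ipaddress
import re

ROUTER_IP, LINUX_IP = "192.168.1.250", "192.168.1.42"      # ned, phaedrus

SETKEY_SPD = """
spdadd 10.10.42.0/24 10.1.1.0/24 any -P in ipsec
        esp/tunnel/192.168.1.250-192.168.1.42/require
        ah/tunnel/192.168.1.250-192.168.1.42/require;
spdadd 10.1.1.0/24 10.10.42.0/24 any -P out ipsec
        esp/tunnel/192.168.1.42-192.168.1.250/require
        ah/tunnel/192.168.1.42-192.168.1.250/require;
"""
IOS_ACL = "access-list 110 permit ip 10.10.42.0 0.0.0.255 10.1.1.0 0.0.0.255"
IOS_TRANSFORM = ("crypto ipsec transform-set phaedrus_transform "
                 "ah-sha-hmac esp-3des esp-sha-hmac")

# spdadd <src> <dst> <upperspec> -P <dir> <action> [proto/mode/outer_src-outer_dst/level ...]
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out|fwd)\s+(discard|none|ipsec)(.*)", re.S)
RULE_RE = re.compile(
    r"(esp|ah|ipcomp)/(tunnel|transport)/(?:(\S+?)-(\S+?))?/(default|use|require|unique)")
ACL_RE = re.compile(r"access-list\s+\d+\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_spd(text):
    """Parse spdadd statements (the 'setkey -f' input syntax) into policy dicts."""
    policies = []
    for stmt in text.split(";"):
        m = SPD_RE.search(stmt.strip())
        if not m:
            continue
        src, dst, upper, direction, action, rest = m.groups()
        rules = [{"proto": p, "mode": mode, "outer_src": a, "outer_dst": b, "level": lvl}
                 for p, mode, a, b, lvl in RULE_RE.findall(rest)]
        policies.append({"src": ipaddress.ip_network(src, strict=False),
                         "dst": ipaddress.ip_network(dst, strict=False),
                         "upper": upper, "dir": direction, "action": action, "rules": rules})
    return policies


def wildcard_to_network(addr, wildcard):
    """IOS wildcard mask (0 bits must match) -> ip_network; rejects discontiguous masks."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"discontiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_ios_acl(line):
    """(src_net, dst_net) of an 'access-list N permit ip A WA B WB' line (only that form)."""
    m = ACL_RE.match(line.strip())
    if not m:
        raise ValueError("only 'permit ip <net> <wildcard> <net> <wildcard>' is handled")
    s, sw, d, dw = m.groups()
    return wildcard_to_network(s, sw), wildcard_to_network(d, dw)


def ios_transform_protocols(line):
    """Protocols an IOS transform-set negotiates: ah-* -> AH, esp-* -> ESP."""
    return {tok.split("-", 1)[0] for tok in line.split() if tok.startswith(("ah-", "esp-"))}


def check_interop(spd, acl_src, acl_dst, router_protos, router_ip=ROUTER_IP, linux_ip=LINUX_IP):
    """Findings on selectors, protocols and tunnel endpoints; an empty list means they agree."""
    findings = []
    # The crypto ACL is written from the router's view (its LAN -> ours), so it must
    # equal our 'in' policy and be the mirror image of our 'out' policy.
    expect = {"in": (acl_src, acl_dst, router_ip, linux_ip),
              "out": (acl_dst, acl_src, linux_ip, router_ip)}
    for direction, (src, dst, o_src, o_dst) in expect.items():
        hits = [p for p in spd if p["dir"] == direction and p["src"] == src and p["dst"] == dst]
        if not hits:
            findings.append(f"no '{direction}' policy for {src} -> {dst}")
            continue
        for p in hits:
            protos = {r["proto"] for r in p["rules"]}
            if protos != router_protos:
                findings.append(f"'{direction}' policy uses {sorted(protos)}, "
                                f"router transform-set uses {sorted(router_protos)}")
            for r in p["rules"]:
                if r["mode"] != "tunnel" or (r["outer_src"], r["outer_dst"]) != (o_src, o_dst):
                    findings.append(f"'{direction}' {r['proto']} rule is not tunnel {o_src}-{o_dst}")
    return findings


def select_policy(spd, src_ip, dst_ip, direction="out"):
    """First policy whose selectors cover the packet, or None (packet is sent in the clear)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in spd:
        if p["dir"] == direction and s in p["src"] and d in p["dst"]:
            return p
    return None


if __name__ == "__main__":
    spd = parse_spd(SETKEY_SPD)
    acl_src, acl_dst = parse_ios_acl(IOS_ACL)
    print(check_interop(spd, acl_src, acl_dst, ios_transform_protocols(IOS_TRANSFORM)) or "sides agree")
    for src in (LINUX_IP, "10.1.1.1"):   # plain 'ping 10.10.42.1' vs 'ping -I 10.1.1.1 10.10.42.1'
        hit = select_policy(spd, src, "10.10.42.1")
        print(src, "->", "covered by 'out' policy" if hit else "no policy: routed in the clear")
```

Run it with python3; on a real host, paste in the spdadd statements from the file you load with `setkey -f` (the parser reads that syntax, not the `setkey -DP` dump format). The last two lines of output are the check worth making first when traffic "ignores" the tunnel: the kernel only raises an ACQUIRE to racoon for a packet that hits an SPD entry, and a ping issued on phaedrus without `-I` is sourced from its external address 192.168.1.42, which neither policy above covers, so it is simply forwarded along the default route unprotected; only packets sourced from 10.1.1.0/24 (a host behind phaedrus, or `ping -I 10.1.1.x`) match the 'out' policy and trigger negotiation.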
