[clug] IPSEC VPN - Linux Host to Cisco 7206 with Pre-shared Key
Neil Symons
neil.symons at gmail.com
Sat Nov 26 21:59:07 MST 2011
Would anyone like to take up the challenge in helping me solve this issue.
I have gone round the bend trying to solve what I thought would be simple a
simple VPN from a Debian System to couple of hosts on another network via a
Cisco VPN Router (of which the other end I have no control over)
The equipment I am connecting though is the following
Cisco 7206 VXR (IP AA.AA.AA.AA)
Phase 1
Encryption Scheme: IKE
Diffie-Hellman Group: Group2
Encryption Algorithm: 3DES/DES
Main or Agressive Mode: Main Mode
Lifetime: 1hr
Phase 2
Encapsulation: ESP
Encryption Algorithm: 3DES
Authentication Algorithm: SHA-1
PFS: No
The Linux Server end I have set up using racoon with ipsec-tools
I can successfully get Phase 1 to work between this Linux server and
AA.AA.AA.AA
Lets call the linux Server IP Address (BB.BB.BB.BB)
There is 2 IPs
XX.XX.XX.XX and XX.XX.XX.YY on the Cisco side with a Ip access rule in place
*ip access-list extended [NAME]*
*permit ip host XX.XX.XX.XX host BB.BB.BB.BB*
*permit ip host XX.XX.XX.YY host BB.BB.BB.BB*
*
*
I have a pre shared key and in that file is something like
AA.AA.AA.AA <KEY>
The Linux Racoon.conf file has
-- BEGIN --
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log debug2;
listen { isakmp BB.BB.BB.BB; }
remote AA.AA.AA.AA {
exchange_mode main;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
# May not work - trying out options here
sainfo address XX.XX.XX.XX any address BB.BB.BB.BB any {
pfs_group 2;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
# May not work - trying out options here
sainfo address XX.XX.XX.YY any address BB.BB.BB.BB any {
pfs_group 2;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
-- END --
The ipsec-tools.conf file has
#!/usr/sbin/setkey -f
flush;
spdflush;
# May not work - trying out options here
spdadd XX.XX.XX.XX/32 0.0.0.0/0 any -P out ipsec
esp/transport//require;
# May not work - trying out options here
spdadd XX.XX.XX.YY/32 0.0.0.0/0 any -P out ipsec
esp/transport//require;
# documented on various wiki's
spdadd BB.BB.BB.BB AA.AA.AA.AA any -P out ipsec
esp/tunnel/BB.BB.BB.BB-AA.AA.AA.AA/require;
spdadd BB.BB.BB.BB AA.AA.AA.AA any -P fwd ipsec
esp/tunnel/BB.BB.BB.BB-AA.AA.AA.AA/require;
spdadd AA.AA.AA.AA BB.BB.BB.BB any -P in ipsec
esp/tunnel/AA.AA.AA.AA-BB.BB.BB.BB/require;
As I mentioned earlier, Phase 1 appears to work.
I do not get any device created such as tun0 or anything like that to
create routing table entries
I cannot seem to create a route to the XX.XX.XX.XX and XX.XX.XX.YY hosts.
What could I be doing wrong?
I am open to try out open VPN, but I am stuck with a supplied Pre-Shared
key of about 15 characters
The challenge is declared open.
Regards,
Neil Symons
More information about the linux
mailing list