[clug] IPSEC VPN - Linux Host to Cisco 7206 with Pre-shared Key

Neil Symons neil.symons at gmail.com
Sat Nov 26 21:59:07 MST 2011


Would anyone like to take up the challenge of helping me solve this issue?

I have gone round the bend trying to solve what I thought would be simple: a
simple VPN from a Debian system to a couple of hosts on another network via a
Cisco VPN router (the other end of which I have no control over).

The equipment I am connecting through is the following:

 Cisco 7206 VXR (IP AA.AA.AA.AA)

Phase 1
 Encryption Scheme: IKE
 Diffie-Hellman Group: Group2
 Encryption Algorithm: 3DES/DES
 Main or Aggressive Mode: Main Mode
 Lifetime: 1hr

Phase 2
 Encapsulation: ESP
 Encryption Algorithm: 3DES
 Authentication Algorithm: SHA-1
 PFS: No


The Linux server end I have set up using racoon with ipsec-tools.
I can successfully get Phase 1 to work between this Linux server and
AA.AA.AA.AA.
Let's call the Linux server IP address BB.BB.BB.BB.

There are two IPs, XX.XX.XX.XX and XX.XX.XX.YY, on the Cisco side with an IP
access rule in place:

ip access-list extended [NAME]

permit ip host XX.XX.XX.XX host BB.BB.BB.BB

permit ip host XX.XX.XX.YY host BB.BB.BB.BB

I have a pre-shared key, and in that file is something like:
AA.AA.AA.AA <KEY>

The Linux racoon.conf file has:
-- BEGIN --
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log debug2;
listen { isakmp BB.BB.BB.BB; }

# Phase 1 (ISAKMP SA) with the Cisco peer
remote AA.AA.AA.AA {
    exchange_mode main;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

# Phase 2 (IPsec SA) proposal for host XX.XX.XX.XX
# May not work - trying out options here
sainfo address XX.XX.XX.XX any address BB.BB.BB.BB any {
    pfs_group 2;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

# Phase 2 (IPsec SA) proposal for host XX.XX.XX.YY
# May not work - trying out options here
sainfo address XX.XX.XX.YY any address BB.BB.BB.BB any {
    pfs_group 2;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
-- END --

The ipsec-tools.conf file has:

#!/usr/sbin/setkey -f
# Clear the SAD and SPD before loading the policies below
flush;
spdflush;

# Transport-mode policy for traffic from XX.XX.XX.XX
# May not work - trying out options here
spdadd XX.XX.XX.XX/32 0.0.0.0/0 any -P out ipsec
    esp/transport//require;

# Transport-mode policy for traffic from XX.XX.XX.YY
# May not work - trying out options here
spdadd XX.XX.XX.YY/32 0.0.0.0/0 any -P out ipsec
    esp/transport//require;

# Tunnel-mode policies between the Linux server and the Cisco peer
# documented on various wikis
spdadd BB.BB.BB.BB AA.AA.AA.AA any -P out ipsec
    esp/tunnel/BB.BB.BB.BB-AA.AA.AA.AA/require;

spdadd BB.BB.BB.BB AA.AA.AA.AA any -P fwd ipsec
    esp/tunnel/BB.BB.BB.BB-AA.AA.AA.AA/require;

spdadd AA.AA.AA.AA BB.BB.BB.BB any -P in ipsec
    esp/tunnel/AA.AA.AA.AA-BB.BB.BB.BB/require;


As I mentioned earlier, Phase 1 appears to work.
I do not get any device created, such as tun0 or anything like that, with
which to create routing table entries.
I cannot seem to create a route to the XX.XX.XX.XX and XX.XX.XX.YY hosts.

What could I be doing wrong?

I am open to trying out OpenVPN, but I am stuck with a supplied pre-shared
key of about 15 characters.

The challenge is declared open.

Regards,

Neil Symons
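
The following is an added example, not part of Neil's post and not code from
the ipsec-tools project. It renders the two files for a policy-based
host-to-host tunnel matching the Phase 1 and Phase 2 parameters the Cisco side
lists (main mode, 3DES, SHA-1, DH group 2, 1 hour lifetime, ESP, no PFS), and
checks the pre-shared key file the way racoon does. Three things differ from
the posted configuration: the setkey selectors name the Linux host as source
for the out policy and the protected host as destination (the posted entries
have the remote host as source), the sainfo stanzas put the local address first
and the remote second, and pfs_group and compression are omitted because the
peer states "PFS: No" and does not list compression. No tun0 device or route
is involved in this setup: the kernel matches outbound packets against the SPD
selectors and racoon negotiates Phase 2 for the matching pair. The addresses
are the post's placeholders, and the psk file check assumes GNU stat (Linux).

```shell
#!/bin/sh
# Added example, not from the original post or from ipsec-tools.
# Arguments are assumed placeholders: BB = this host, AA = the Cisco peer,
# XX = the hosts behind it that the access-list permits.

# spd_policy LOCAL PEER REMOTE...
# setkey SPD entries: the selector is LOCAL<->REMOTE (the traffic to protect),
# the tunnel endpoints are LOCAL-PEER outbound and PEER-LOCAL inbound.
spd_policy() {
    local_ip=$1; peer_ip=$2; shift 2
    printf '#!/usr/sbin/setkey -f\nflush;\nspdflush;\n'
    for remote in "$@"; do
        printf 'spdadd %s/32 %s/32 any -P out ipsec esp/tunnel/%s-%s/require;\n' \
            "$local_ip" "$remote" "$local_ip" "$peer_ip"
        printf 'spdadd %s/32 %s/32 any -P in ipsec esp/tunnel/%s-%s/require;\n' \
            "$remote" "$local_ip" "$peer_ip" "$local_ip"
    done
}

# racoon_conf LOCAL PEER REMOTE...
# Phase 1 exactly as the peer lists it; Phase 2 sainfo with LOCAL first and
# REMOTE second, no pfs_group (peer says PFS: No) and no compression.
racoon_conf() {
    local_ip=$1; peer_ip=$2; shift 2
    cat <<EOF
path pre_shared_key "/etc/racoon/psk.txt";
log notify;
listen { isakmp $local_ip; }

remote $peer_ip {
  exchange_mode main;
  my_identifier address;
  lifetime time 1 hour;
  proposal {
    encryption_algorithm 3des;
    hash_algorithm sha1;
    authentication_method pre_shared_key;
    dh_group 2;
  }
}
EOF
    for remote in "$@"; do
        cat <<EOF

sainfo address $local_ip any address $remote any {
  encryption_algorithm 3des;
  authentication_algorithm hmac_sha1;
}
EOF
    done
}

# check_psk FILE PEER
# racoon refuses a psk file with any group or other permission bits set, so
# the octal mode must end in 00 (0600 or 0400); the key line is "PEER KEY".
check_psk() {
    file=$1; peer=$2
    [ -f "$file" ] || { echo "psk: $file missing" >&2; return 1; }
    mode=$(stat -c '%a' "$file")        # GNU stat, Linux assumed
    [ "$mode" -eq "$((mode / 100 * 100))" ] ||
        { echo "psk: $file is mode $mode, need 0600" >&2; return 1; }
    awk -v p="$peer" '$1 == p && NF >= 2 { f = 1 } END { exit !f }' "$file" ||
        { echo "psk: no key line for $peer in $file" >&2; return 1; }
}

# Usage, as root and after reviewing the output:
#   check_psk /etc/racoon/psk.txt AA.AA.AA.AA
#   spd_policy BB.BB.BB.BB AA.AA.AA.AA XX.XX.XX.XX XX.XX.XX.YY > /etc/ipsec-tools.conf
#   racoon_conf BB.BB.BB.BB AA.AA.AA.AA XX.XX.XX.XX XX.XX.XX.YY > /etc/racoon/racoon.conf
#   setkey -f /etc/ipsec-tools.conf && racoon -F
```

After loading the policy, `setkey -DP` lists the SPD entries and `setkey -D`
shows the ESP SAs once a ping to XX.XX.XX.XX has triggered Phase 2; if the
SAs appear but replies do not, the access-list on the Cisco side is the next
thing to compare against the selectors. The 3DES, SHA-1 and DH group 2
parameters are dictated by the peer and are weak by current standards, so
this tunnel should be treated as protecting against casual observation
rather than a capable adversary.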

