In this blog post we will cover an IPsec tunnel between Linux strongSwan and Cisco IOS.
The strongSwan config file can be copied exactly as is to another server that has the Cisco router's IP address, and the tunnel will then come up between two Linux routers. That is, you do not need to swap right and left in the config file: strongSwan works out which side it is from the local interface IP address (if one matches, of course).
The Cisco IOS configuration is very similar to the one in the previous post.
Here are the configuration files:
IOS Configuration
crypto isakmp policy 1
 encr aes
 hash sha256
 authentication pre-share
 group 14
 lifetime 14400
! same key and peer as the PSK line in /etc/ipsec.secrets on the strongSwan side
crypto isakmp key cisco address 20.0.0.2
!
crypto ipsec transform-set ts1 esp-aes esp-sha256-hmac
 mode tunnel
!
! no "set pfs" here, so the strongSwan conn uses pfs=no
crypto map cm1 10 ipsec-isakmp
 set peer 20.0.0.2
 set transform-set ts1
 match address 105
!
interface FastEthernet0/0
 ip address 20.0.0.1 255.0.0.0
 duplex full
 crypto map cm1
!
interface FastEthernet2/0
 ip address 192.168.5.1 255.255.255.0
 duplex full
!
ip route 192.168.6.0 255.255.255.0 20.0.0.2
! "route outside ..." is ASA syntax; on IOS the "ip route" line above is the one that applies
route outside 192.168.6.0 255.255.255.0 20.0.0.2
!
! crypto ACL: source is the local LAN (rightsubnet in ipsec.conf), destination the remote LAN (leftsubnet)
access-list 105 permit ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
strongSwan configuration
/etc/ipsec.conf
conn site2site
    authby=secret
    # matches the IOS transform-set "esp-aes esp-sha256-hmac"
    esp=aes128-sha256
    # matches "encr aes / hash sha256 / group 14" in the IOS isakmp policy
    ike=aes128-sha256-modp2048
    # 4h = 14400 s, the IOS "lifetime 14400"
    ikelifetime=4h
    leftid=20.0.0.2
    rightid=20.0.0.1
    left=20.0.0.2
    leftsubnet=192.168.6.0/24
    right=20.0.0.1
    rightsubnet=192.168.5.0/24
    keyexchange=ikev1
    # the crypto map on IOS has no "set pfs", so keep PFS off here as well
    pfs=no
    auto=start
    remote_peer_type=cisco
/etc/ipsec.secrets
# same key as "crypto isakmp key cisco address 20.0.0.2" on the IOS side
20.0.0.2 20.0.0.1 : PSK cisco
/etc/sysctl.conf
net.ipv4.ip_forward=1 (uncomment this line so the host forwards between the two subnets)
Then run sysctl -p to apply it.
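As an added example (not part of the original post), here is a small Python check that parses the relevant lines of both configurations above and reports where the Cisco ISAKMP policy, transform-set and crypto ACL disagree with the strongSwan conn, which is where most phase 1 and phase 2 failures between the two come from. The TOKEN table maps only the algorithms this post uses, and the regular expressions assume the config layout shown above; both are assumptions of this example, not part of either product.

```python
import ipaddress
import re
# Constructed sample: the relevant lines of the two configs from this post.
IOS_CFG = """crypto isakmp policy 1
 encr aes
 hash sha256
 group 14
crypto isakmp key cisco address 20.0.0.2
crypto ipsec transform-set ts1 esp-aes esp-sha256-hmac
access-list 105 permit ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
"""
SWAN_CFG = """conn site2site
    esp=aes128-sha256
    ike = aes128-sha256-modp2048
    left=20.0.0.2
    leftsubnet=192.168.6.0/24
    rightsubnet=192.168.5.0/24
    pfs=no
"""
# IOS keywords -> strongSwan proposal tokens (only the ones this post uses)
TOKEN = {"aes": "aes128", "esp-aes": "aes128", "sha256": "sha256",
         "esp-sha256-hmac": "sha256", "14": "modp2048"}

def parse_ios(text):
    """IKE policy, peer address, ESP transform and crypto ACL from IOS config."""
    c = dict(re.findall(r"^\s*(encr|hash|group) (\S+)", text, re.M))
    c["peer"] = re.search(r"isakmp key \S+ address (\S+)", text).group(1)
    enc, integ = re.search(r"transform-set \S+ (\S+) (\S+)", text).groups()
    c["esp"] = f"{TOKEN[enc]}-{TOKEN[integ]}"
    src, wc1, dst, wc2 = re.search(r"permit ip (\S+) (\S+) (\S+) (\S+)", text).groups()
    c["local"] = str(ipaddress.ip_network(f"{src}/{wc1}"))  # wildcard == hostmask
    c["remote"] = str(ipaddress.ip_network(f"{dst}/{wc2}"))
    c["pfs"] = "set pfs" in text  # IOS only does PFS if the crypto map sets it
    return c

def parse_swan(text):
    """key=value lines of the conn; spaces around '=' are tolerated."""
    return dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", text, re.M))

def mismatches(ios, swan):
    """Differences between the two sides; an empty list means they agree."""
    ike = f"{TOKEN[ios['encr']]}-{TOKEN[ios['hash']]}-{TOKEN[ios['group']]}"
    checks = [("ike proposal", ike, swan["ike"]),
              ("esp proposal", ios["esp"], swan["esp"]),
              ("peer (Cisco peer must equal strongSwan left)", ios["peer"], swan["left"]),
              ("ACL source must equal rightsubnet", ios["local"], swan["rightsubnet"]),
              ("ACL destination must equal leftsubnet", ios["remote"], swan["leftsubnet"]),
              ("pfs", ios["pfs"], swan.get("pfs", "yes") == "yes")]
    return [f"{n}: IOS={a} strongSwan={b}" for n, a, b in checks if a != b]
```

Running `mismatches(parse_ios(IOS_CFG), parse_swan(SWAN_CFG))` on the post's configs returns an empty list; flipping pfs or the DH group on one side shows up as a one-line report.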