Cisco IOS and StrongSWAN IPSEC VPN

In this blog post we cover setting up an IPsec tunnel between a Linux host running strongSwan and a Cisco IOS router.

The strongSwan config file can be copied exactly as-is to another server that has the Cisco router's IP address, and the tunnel will then come up between two Linux routers. That is, you do not need to swap right and left in the config files: strongSwan works out which side is local from the interface IP addresses (provided one of them is actually configured on the host, of course).

The Cisco IOS configuration is very similar to the one in the previous post.

Here are the configuration files:

IOS Configuration

    crypto isakmp policy 1
     encr aes
     hash sha256
     authentication pre-share
     group 14
     lifetime 14400
    crypto isakmp key cisco address 20.0.0.2
    !
    crypto ipsec transform-set ts1 esp-aes esp-sha256-hmac
     mode tunnel
    !
    crypto map cm1 10 ipsec-isakmp
     set peer 20.0.0.2
     set transform-set ts1
     match address 105
    !
    interface FastEthernet0/0
     ip address 20.0.0.1 255.0.0.0
     duplex full
     crypto map cm1
    !
    interface FastEthernet2/0
     ip address 192.168.5.1 255.255.255.0
     duplex full
    !
    ip route 192.168.6.0 255.255.255.0 20.0.0.2
    ! (on an ASA the same static route is written with ASA syntax instead:)
    route outside 192.168.6.0 255.255.255.0 20.0.0.2
    !
    access-list 105 permit ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255

StrongSWAN configuration

/etc/ipsec.conf

    conn site2site
        authby=secret
        esp=aes128-sha256
        ike=aes128-sha256-modp2048
        ikelifetime=4h
        leftid=20.0.0.2
        rightid=20.0.0.1
        left=20.0.0.2
        leftsubnet=192.168.6.0/24
        right=20.0.0.1
        rightsubnet=192.168.5.0/24
        keyexchange=ikev1
        pfs=no
        auto=start
        remote_peer_type=cisco

/etc/ipsec.secrets

    20.0.0.2 20.0.0.1 : PSK "cisco"

/etc/sysctl.conf

Uncomment (or add) the IP forwarding line so the Linux host routes between its LAN and the tunnel:

    net.ipv4.ip_forward=1

Then reload the settings:

    # sysctl -p
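Added example, not code from the post, from strongSwan or from Cisco: a small Python checker that parses the IOS crypto statements and the strongSwan conn above, translates the IOS keywords into strongSwan's proposal syntax (encr aes / hash sha256 / group 14 to aes128-sha256-modp2048, esp-aes esp-sha256-hmac to aes128-sha256, lifetime 14400 to 4h, the crypto ACL wildcard masks to leftsubnet/rightsubnet) and reports every mismatch. It also mimics the left/right auto-detection described at the top of the post. The embedded configs are constructed copies of the ones above, and the IOS keyword tables cover only the values used here plus a few common ones; anything else is an assumption to extend.

```python
# Added example (not from the original post): cross-check the Cisco IOS IKEv1 crypto config
# against the strongSwan conn. Both configs below are constructed copies of the post's.
import ipaddress

IOS_CONFIG = """\
crypto isakmp policy 1
 encr aes
 hash sha256
 authentication pre-share
 group 14
 lifetime 14400
crypto isakmp key cisco address 20.0.0.2
crypto ipsec transform-set ts1 esp-aes esp-sha256-hmac
crypto map cm1 10 ipsec-isakmp
 set peer 20.0.0.2
 set transform-set ts1
 match address 105
access-list 105 permit ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255
"""
SWAN_CONF = """\
conn site2site
    esp=aes128-sha256
    ike = aes128-sha256-modp2048
    ikelifetime = 4h
    left=20.0.0.2
    leftsubnet=192.168.6.0/24
    right=20.0.0.1
    rightsubnet=192.168.5.0/24
    pfs=no
"""
# IOS keywords -> strongSwan algorithm names (the post's values plus a few common ones)
IOS_ENCR = {"aes": "aes128", "aes 256": "aes256", "3des": "3des"}
IOS_HASH = {"sha256": "sha256", "sha": "sha1", "md5": "md5"}
IOS_GROUP = {"2": "modp1024", "5": "modp1536", "14": "modp2048", "19": "ecp256"}
IOS_ESP = {"esp-aes": "aes128", "esp-3des": "3des", "esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256"}

def wildcard_to_net(addr, wildcard):
    """IOS address + wildcard mask (e.g. 0.0.0.255) -> CIDR network."""
    return ipaddress.ip_network(f"{addr}/{32 - int(ipaddress.IPv4Address(wildcard)).bit_length()}")

def parse_ios(text):
    """Collect the ISAKMP policy, transform set, crypto-map PFS/ACL and crypto ACLs."""
    cfg, section = {"pfs": None, "acl": {}}, None
    for raw in filter(str.strip, text.splitlines()):
        words = raw.split()
        if not raw[0].isspace():  # global statement: starts (or ends) an indented section
            section = None
            if raw.startswith("crypto isakmp policy"):
                section = "ike"
            elif raw.startswith("crypto ipsec transform-set"):
                cfg["esp"] = " ".join(words[4:])  # e.g. "esp-aes esp-sha256-hmac"
            elif raw.startswith("crypto map") and words[-1] == "ipsec-isakmp":
                section = "map"
            elif words[0] == "access-list" and words[2:4] == ["permit", "ip"]:
                cfg["acl"][words[1]] = (wildcard_to_net(*words[4:6]), wildcard_to_net(*words[6:8]))
        elif section == "ike":  # encr / hash / group / lifetime / authentication
            cfg["ike_" + words[0]] = " ".join(words[1:])
        elif section == "map" and words[:2] in (["set", "pfs"], ["match", "address"]):
            cfg["pfs" if words[0] == "set" else "map_acl"] = words[-1]
    return cfg

def parse_swan(text, conn):
    """Parameters of one conn section; whitespace around '=' is tolerated."""
    params, inside = {}, False
    for raw in filter(str.strip, text.splitlines()):
        if not raw[0].isspace():  # section header such as 'conn site2site'
            inside = raw.strip() == f"conn {conn}"
        elif inside and not raw.lstrip().startswith("#"):
            key, _, value = raw.partition("=")
            params[key.strip()] = value.strip()
    return params

def local_side(swan, interface_ips):
    """The end strongSwan treats as itself: whichever of left/right is a local address
    (that is why one ipsec.conf works on both Linux peers). None means neither is."""
    return next((s for s in ("left", "right") if swan[s] in interface_ips), None)

def compare(ios_text, swan_text, conn, interface_ips):
    """Return mismatches between the two ends; an empty list means they agree."""
    ios, swan = parse_ios(ios_text), parse_swan(swan_text, conn)
    me = local_side(swan, interface_ips)
    if me is None:
        return ["neither left nor right is a local address: strongSwan cannot start this conn"]
    peer = "right" if me == "left" else "left"
    src, dst = ios["acl"][ios["map_acl"]]  # crypto ACL direction: IOS LAN -> Linux LAN
    life = swan.get("ikelifetime", "3h")  # strongSwan default 3h; IOS default 86400 s
    seconds = int(life[:-1]) * {"s": 1, "m": 60, "h": 3600, "d": 86400}[life[-1]] if life[-1].isalpha() else int(life)
    checks = [  # (parameter, what the IOS config implies the conn must say, what it says)
        ("ike", f"{IOS_ENCR[ios['ike_encr']]}-{IOS_HASH[ios['ike_hash']]}-{IOS_GROUP[ios['ike_group']]}",
         swan["ike"].rstrip("!")),
        ("esp", "-".join(IOS_ESP[t] for t in ios["esp"].split()), swan["esp"].rstrip("!")),
        ("ikelifetime", int(ios.get("ike_lifetime", "86400")), seconds),
        ("pfs", "yes" if ios["pfs"] else "no", swan.get("pfs", "yes")),  # strongSwan defaults to yes
        (peer + "subnet", src, ipaddress.ip_network(swan[peer + "subnet"])),
        (me + "subnet", dst, ipaddress.ip_network(swan[me + "subnet"])),
    ]
    return [f"{k}: IOS implies {want}, strongSwan has {have}" for k, want, have in checks if want != have]
```

Run `compare(IOS_CONFIG, SWAN_CONF, "site2site", {"20.0.0.2"})` after editing either side: an empty list means the IKE and ESP proposals, the PFS setting, the SA lifetime and the traffic selectors agree. The PFS line is the one most often missed: strongSwan defaults to pfs=yes while an IOS crypto map without set pfs offers none, which is exactly why the conn above sets pfs=no.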
This post is licensed under CC BY 4.0 by the author.
