IPSec tunnel mode with IKE daemon

Linux Advanced Routing and Traffic Control

Hi all.

The IPSec part of the LARTC howto is great, but I've hit a problem in 7.3. IPSEC tunnels. The example given is for manual keying:

add 10.0.0.216 10.0.0.11 esp 34501
	-m tunnel
	-E 3des-cbc "123456789012123456789012";

How does one set up "tunnel mode" using racoon?



Trying to set up an ipsec tunnel between two subnets: 10.10.42.0/24 and 10.1.1.0/24 using a cisco router "ned" and a linux box "phaedrus".

ned has external IP 192.168.1.250
phaedrus has external IP 192.168.1.42

10.10.42.0/24[ned]192.168.1.250 <==> 192.168.1.42[phaedrus]10.1.1.0/24


setkey on phaedrus:

flush;
spdflush;

spdadd 10.10.42.0/24 10.1.1.0/24 any -P in ipsec
        esp/tunnel/192.168.1.250-192.168.1.42/require
        ah/tunnel/192.168.1.250-192.168.1.42/require;

spdadd 10.1.1.0/24 10.10.42.0/24 any -P out ipsec
        esp/tunnel/192.168.1.42-192.168.1.250/require
        ah/tunnel/192.168.1.42-192.168.1.250/require;

racoon.conf on phaedrus:

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote 192.168.1.250
{
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;

        my_identifier address;

        lifetime time 2 min;   # sec,min,hour
        initial_contact on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous
{
        pfs_group 2;
        lifetime time 2 min;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}


relevant ios config on ned:

hostname ned
!
crypto isakmp policy 10
encryption 3des
hash sha
authentication pre-share
group 2
!
crypto isakmp key 123456asdf address 192.168.1.42 no-xauth
!
crypto ipsec transform-set phaedrus_transform ah-sha-hmac esp-3des esp-sha-hmac
mode tunnel
!
crypto map vpnmap 10 ipsec-isakmp
set peer 192.168.1.42
set transform-set phaedrus_transform
match address 110
!
access-list 110 permit ip 10.10.42.0 0.0.0.255 10.1.1.0 0.0.0.255
!
interface ethernet 1
ip address 192.168.1.250 255.255.255.0
crypto map vpnmap
!


When I try to ping between the two subnets, from either direction, the packets go out via the routers' respective default routes instead of via the VPN.

Zach.
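An added check, not part of Zach's post or the LARTC howto: a small Python parser for the `spdadd` statements above that answers whether a given flow is covered by any SPD entry at all. A flow no selector covers gets no IPsec processing and is simply forwarded along the ordinary routing table, which is exactly what a ping sourced from the gateway's own external address (rather than from an inner-subnet address) would do. Assumptions: the SPD text is constructed from the post, and the first-match rule is a simplification of the kernel's policy lookup.

```python
import ipaddress
import re

# Constructed input: the two spdadd statements from the post above.
SPD_TEXT = """
spdadd 10.10.42.0/24 10.1.1.0/24 any -P in ipsec
        esp/tunnel/192.168.1.250-192.168.1.42/require
        ah/tunnel/192.168.1.250-192.168.1.42/require;
spdadd 10.1.1.0/24 10.10.42.0/24 any -P out ipsec
        esp/tunnel/192.168.1.42-192.168.1.250/require
        ah/tunnel/192.168.1.42-192.168.1.250/require;
"""

# spdadd SRC_RANGE DST_RANGE UPPERSPEC -P DIRECTION POLICY [protocol/mode/...]
SPDADD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+(\S+)")
LEG_RE = re.compile(r"(esp|ah)/tunnel/([\d.]+)-([\d.]+)/(\w+)")

def parse_spd(text):
    """One dict per spdadd statement; statements are ';'-terminated."""
    policies = []
    for stmt in text.split(";"):
        m = SPDADD_RE.search(stmt)
        if not m:  # flush, spdflush, trailing blank
            continue
        src, dst, proto, direction, action = m.groups()
        policies.append({
            "src": ipaddress.ip_network(src, strict=False),
            "dst": ipaddress.ip_network(dst, strict=False),
            "proto": proto, "dir": direction, "action": action,
            # (protocol, tunnel local endpoint, remote endpoint, level) per leg
            "legs": LEG_RE.findall(stmt),
        })
    return policies

def match_policy(policies, src_ip, dst_ip, direction):
    """First policy whose selectors cover the flow, else None: no policy
    means the packet goes in the clear along the normal routing table.
    (Simplification: the kernel ranks overlapping policies; these do not overlap.)"""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policies:
        if p["dir"] == direction and s in p["src"] and d in p["dst"]:
            return p
    return None

if __name__ == "__main__":
    pol = parse_spd(SPD_TEXT)
    for src in ("10.1.1.5", "192.168.1.42"):  # inner host vs. gateway's own address
        hit = match_policy(pol, src, "10.10.42.7", "out")
        print(src, "->", "ipsec" if hit else "plaintext via routing table")
```

Run it against your own `setkey -DP` output to see which flows the SPD actually captures before suspecting racoon or the IOS side.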


