Hi,

Two days ago I configured a VPN between Cisco and Linux; it works fine. I have heard that sometimes incompatibility problems occur with some Linux distros with respect to the Diffie-Hellman algorithm. I implemented it between a PC running CentOS 4.2 and a Cisco 831. Here is a mini-guide.

IPSEC VPN between Cisco and Linux

LINUX

[root@mail ~]# cat /etc/racoon/psk.txt
200.18.25.58 cizc0linux

[root@mail ~]# cat /etc/ipsec.conf
flush;
spdflush;
spdadd 10.0.0.0/24 192.168.111.0/27 any -P out ipsec esp/tunnel/200.58.25.58-200.18.25.58/require;
spdadd 192.168.111.0/27 10.0.0.0/24 any -P in ipsec esp/tunnel/200.18.25.58-200.58.25.58/require;

[root@mail racoon]# cat racoon.conf
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";

listen {
        isakmp 200.58.25.58 [500];
        strict_address;
}

remote 200.18.25.58 {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo address 10.0.0.0/24 any address 192.168.111.0/27 any {
        pfs_group 2;
        lifetime time 80000 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# SNAT everything leaving eth0 except traffic to the remote LAN, which the SPD above sends through the tunnel
iptables -t nat -A POSTROUTING -s 10.0.0.0/255.255.255.0 ! -d 192.168.111.0/27 -o eth0 -j SNAT --to-source 200.58.25.58

setkey -f /etc/ipsec.conf
racoon -f /etc/racoon/racoon.conf -F -ddd

CISCO

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 80000
crypto isakmp key cizc0linux address 200.58.25.58
!
!
crypto ipsec transform-set policy01 esp-3des esp-sha-hmac
!
crypto map vpn-tunnel 10 ipsec-isakmp
 set peer 200.58.25.58
 set security-association lifetime seconds 80000
 set transform-set policy01
 set pfs group2
 match address 100
!
interface Ethernet1
 description INTERFACE WAN
 ip address 200.18.25.58 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 load-interval 30
 duplex full
 no cdp enable
 crypto map vpn-tunnel
end
!
interface Ethernet0
 description INTERFACE LAN
 ip address 192.168.111.1 255.255.255.224
 ip nat inside
 no cdp enable
end
!
access-list 100 permit ip 192.168.111.0 0.0.0.31 10.0.0.0 0.0.0.255
!
ip nat inside source list 101 interface Ethernet1 overload
!
access-list 101 deny ip 192.168.111.0 0.0.0.31 10.0.0.0 0.0.0.255
access-list 101 permit ip 192.168.111.0 0.0.0.31 any

On 5/4/07, Fermín Galán Márquez <fermin.galan@xxxxxxx> wrote:
Hi,

When an IPSec tunnel is established between two peers, I understand that the "normal" situation is to have, at a given moment, two SAs, one for each direction of the tunnel. However, in one of my tunnels (peer P1 running GNU/Linux with setkey and racoon; peer P2 is a Cisco router) there is a large number (around 19) of SAs established (this has been observed on P1 with 'setkey -D').

I've googled around and the "multiplicity of SAs" seems to be a pathological situation (as a matter of fact, connectivity through that tunnel tends to fail). Although I'm not an expert in the internals of the IKE protocol, I've read that using 'initial_contact on' in the tunnel could help. However, using that parameter in racoon.conf and restarting hasn't solved the problem :(

I would like to remark that P1 is running 6 tunnels and this only happens in one of them (the other 5 seem to work fine with just a pair of SAs). Maybe some Cisco-Linux interoperability issue?

Any idea or suggestion about what can be happening? Please tell me if you need any extra information (logs, etc.). Any help is very welcome.

Thanks in advance!

Best regards,

--------------------
Fermín Galán Márquez
CTTC - Centre Tecnològic de Telecomunicacions de Catalunya
Parc Mediterrani de la Tecnologia, Av. del Canal Olímpic s/n, 08860 Castelldefels, Spain
Room 1.02
Tel : +34 93 645 29 12
Fax : +34 93 645 29 01
Email address: fermin dot galan at cttc dot es

_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
--
"The network is the computer"
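Added example, not from either message in the thread: a small Python script that parses 'setkey -D' output on the Linux peer and counts SAs per direction, so the SA build-up described in the quoted question (many SAs for one peer pair instead of one per direction) can be spotted before connectivity fails. The sample output below is constructed; the 10.x peer addresses are placeholders and the SPI values are made up.

```python
import re
from collections import defaultdict

# Constructed sample of `setkey -D` output (not captured from the thread):
# the 200.x pair has one SA per direction, while the 10.x pair (placeholder
# peer addresses) has piled up three SAs in the same direction.
SAMPLE_SETKEY_D = """\
200.18.25.58 200.58.25.58
    esp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
200.58.25.58 200.18.25.58
    esp mode=tunnel spi=305419897(0x12345679) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
10.1.1.1 10.2.2.2
    esp mode=tunnel spi=1000(0x000003e8) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
10.1.1.1 10.2.2.2
    esp mode=tunnel spi=1001(0x000003e9) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=mature
10.1.1.1 10.2.2.2
    esp mode=tunnel spi=1002(0x000003ea) reqid=0(0x00000000)
    seq=0x00000000 replay=4 flags=0x00000000 state=dying
"""

HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")       # "src dst" line, no indent
SPI_RE = re.compile(r"\bspi=\d+\((0x[0-9a-f]+)\)")  # keep the hex SPI
STATE_RE = re.compile(r"\bstate=(\w+)")


def parse_sad(text):
    """Map (src, dst) -> list of {'spi', 'state'} dicts, one per SAD entry."""
    sad = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line) if line and not line[0].isspace() else None
        if m:                                   # unindented line starts a new SA
            current = {"spi": None, "state": None}
            sad[(m.group(1), m.group(2))].append(current)
        elif current is not None:               # indented detail line of that SA
            for key, rx in (("spi", SPI_RE), ("state", STATE_RE)):
                hit = rx.search(line)
                if hit:
                    current[key] = hit.group(1)
    return dict(sad)


def find_sa_buildup(sad, max_per_direction=1):
    """Directions holding more live (state=mature) SAs than expected -> count."""
    live = {pair: sum(sa["state"] == "mature" for sa in sas) for pair, sas in sad.items()}
    return {pair: n for pair, n in live.items() if n > max_per_direction}
```

Feed it the real output with `parse_sad(subprocess.check_output(["setkey", "-D"], text=True))`; a direction reported by `find_sa_buildup` is one where rekeying is leaving old SAs behind, which is the symptom to chase in the racoon debug log (`-ddd`) on the Linux side.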