I did that once for Transport mode with pre-shared keys.
Attached there is a short how-to with some explanations.
Please let me know if you find errors.
Yuval.
> I have the task to make an IPsec tunnel between a Cisco router and a Linux
> router. The people that have set up the Cisco router have sent me this (Cisco)
> config file, but that doesn't help me a lot since I don't understand
> either ipsec or Cisco syntax that well.
>
> So, can anyone help me to make the ipsec configuration?
> Second, what's better to use ipsec-tools or isakmpd on Linux-2.6.10.
>
> Is the configuration under "Tunnel mode" on
> http://www.ipsec-howto.org/x282.html the only thing needed to make it work?
>
> Any help is appreciated.
>
>
> --
> damjan | дамјан
> This is my jabber ID --> [EMAIL PROTECTED] <-- not my mail address!!!
Fedora Core 2 and Cisco 7200 Series Router IPSec Configuration HOWTO
====================================================================
[EMAIL PROTECTED]
Notes
=====
* There is a Linux machine with kernel 2.6 or later and IP address 10.10.0.61.
* There is a Cisco 7200 series router with IP address 10.10.0.15.
* The two are connected via LAN; the router's interface is Fast Ethernet 0/0.
* Only IP addresses and <names> are free text; all other words are reserved.
* The selection of protocols and algorithms (authentication, encryption and hash
functions) is quite arbitrary. It can be changed, but note that it must be changed
the same way on both ends.
* In all configuration files # starts a comment.
* Use the "show" commands on the router and "setkey -D" on Linux to see what happened
with your configuration.
* Since the security is at the IP level, pinging seems like a sufficient test of the
configuration.
* This is in a nutshell; please look at the links.
Fedora Core 2 Side
==================
Create the ipsec.conf file. No security associations should be defined in that
file; they are created automatically by racoon.
#!/usr/sbin/setkey -f
# Configuration for 10.10.0.61
# Flush the SAD and SPD
flush;
spdflush;
# Security policies
spdadd 10.10.0.15 10.10.0.61 any -P in ipsec
esp/transport//require
ah/transport//require;
spdadd 10.10.0.61 10.10.0.15 any -P out ipsec
esp/transport//require
ah/transport//require;
Add the policies to the machine:
# setkey -f ipsec.conf
Create psk.txt (pre-shared key) file:
# file for pre-shared keys used for IKE authentication
# format is: 'identifier' 'key'
10.10.0.15 <shared_secret>
Create the racoon configuration file for IKE with the specific remote host,
10.10.0.15.conf:
remote 10.10.0.15
{
exchange_mode main;
my_identifier address;
proposal {
encryption_algorithm des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 2;
}
}
Create the racoon.conf file. This file includes the remote-host file.
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
sainfo address 10.10.0.61 any address 10.10.0.15 any
{
pfs_group 2;
lifetime time 10000 seconds;
encryption_algorithm des;
authentication_algorithm hmac_md5;
compression_algorithm deflate;
}
include "10.10.0.15.conf";
Start racoon in foreground mode (-F) for debugging, from the directory where the
racoon.conf file is located.
# racoon -F
Cisco 7200 Series Router Side
=============================
Enter configuration mode:
router>enable
Password:
router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Configure a security access list. Note that "permit" here means that encryption
is permitted and "deny" means that encryption is not permitted.
router(config)#ip access-list extended <list_name>
router(config-ext-nacl)#permit ip host 10.10.0.15 host 10.10.0.61
router(config-ext-nacl)#exit
A transform set is a combination of security protocols and algorithms. This is
what the sides negotiate during key exchange.
router(config)#crypto ipsec transform-set <set_name> ah-md5-hmac esp-des esp-md5-hmac
router(cfg-crypto-trans)#mode transport
router(cfg-crypto-trans)#exit
A crypto map is the association between the security algorithms (the transform set)
and the access list. The number '1' is just a sequential index.
router(config)#crypto map <map_name> 1 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
router(config-crypto-map)#set transform-set <set_name>
router(config-crypto-map)#set pfs group2
router(config-crypto-map)#set peer 10.10.0.61
router(config-crypto-map)#match address <list_name>
router(config-crypto-map)#exit
Assign the crypto map to the interface.
router(config)#interface FastEthernet 0/0
router(config-if)#crypto map <map_name>
router(config-if)#exit
Define the pre-shared key.
router(config)#crypto isakmp key <shared_secret> address 10.10.0.61
Define the peer computer.
router(config)#crypto isakmp peer address 10.10.0.61
router(config-isakmp-peer)#exit
Define the ISAKMP policy; the number (20) is its priority.
router(config)#crypto isakmp policy 20
router(config-isakmp)#authentication pre-share
router(config-isakmp)#encryption des
router(config-isakmp)#hash md5
router(config-isakmp)#group 2
router(config-isakmp)#exit
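The notes above insist that both ends are changed the same way. The following script, added here as an example rather than taken from the HOWTO, reads the racoon "remote"/"sainfo" statements and the IOS isakmp policy, transform set and crypto map, translates the IOS keywords into racoon's vocabulary (an assumed mapping that covers only the algorithms used in this HOWTO) and lists every setting the two ends disagree on; the configuration excerpts are constructed sample input.

```python
import re

# Constructed excerpts of this HOWTO's racoon and IOS configurations, used as sample input.
RACOON_CONF = """
sainfo address 10.10.0.61 any address 10.10.0.15 any { pfs_group 2;
    encryption_algorithm des; authentication_algorithm hmac_md5; }
remote 10.10.0.15 { exchange_mode main; proposal { encryption_algorithm des;
    hash_algorithm md5; authentication_method pre_shared_key; dh_group 2; } }
"""
CISCO_CONF = """
crypto isakmp policy 20
 authentication pre-share
 encryption des
 hash md5
 group 2
crypto ipsec transform-set TS ah-md5-hmac esp-des esp-md5-hmac
crypto map CM 1 ipsec-isakmp
 set pfs group2
"""
# IOS keywords -> racoon keywords/values for the algorithms used here (assumed equivalences).
PHASE1 = {"encryption": "encryption_algorithm", "hash": "hash_algorithm",
          "authentication": "authentication_method", "group": "dh_group"}
VALUES = {"pre-share": "pre_shared_key", "group2": "2"}
TRANSFORM = {"esp-des": ("encryption_algorithm", "des"), "esp-md5-hmac": ("authentication_algorithm", "hmac_md5"),
             "ah-md5-hmac": ("authentication_algorithm", "hmac_md5")}  # racoon: one auth algorithm for ESP and AH

def racoon_settings(text):
    """{'remote': {kw: val}, 'sainfo': {kw: val}} from every 'keyword value;' statement in each block."""
    out, parts = {"remote": {}, "sainfo": {}}, re.split(r"^(remote|sainfo)\b", text, flags=re.M)
    for name, body in zip(parts[1::2], parts[2::2]):  # parts = [pre, name, body, name, body, ...]
        out[name].update(re.findall(r"(\w+)\s+([^;{}]+);", body))
    return out
def cisco_settings(text):
    """Same shape as racoon_settings(), from the isakmp policy, transform-set and crypto map lines."""
    out, section = {"remote": {}, "sainfo": {}}, None
    for words in (line.split() for line in text.splitlines() if line.strip()):
        if words[0] == "crypto":  # a new top-level crypto block begins
            section = words[1] if words[1] == "map" else words[2]
            if section == "transform-set":  # unknown transforms keep their IOS name and are ignored below
                out["sainfo"].update(TRANSFORM.get(t, (t, t)) for t in words[4:])
        elif section == "policy" and words[0] in PHASE1:
            out["remote"][PHASE1[words[0]]] = VALUES.get(words[1], words[1])
        elif section == "map" and words[:2] == ["set", "pfs"]:
            out["sainfo"]["pfs_group"] = VALUES.get(words[2], words[2])
    return out
def mismatches(racoon_conf, cisco_conf):
    """Settings present on both ends that disagree: [(block, racoon_keyword, racoon_value, cisco_value)]."""
    r, c = racoon_settings(racoon_conf), cisco_settings(cisco_conf)
    return [(b, k, r[b][k], c[b][k]) for b in r
            for k in sorted(r[b].keys() & c[b].keys()) if r[b][k] != c[b][k]]
```

Settings that exist on only one side (exchange_mode, the access list, lifetimes) are not compared; an empty result means every algorithm, DH group and authentication method that appears on both ends agrees.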
Links
=====
http://www.ipsec-howto.org/
http://lartc.org/howto/index.html - look at chapter 7.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_configuration_guide_book09186a00800ca5ad.html - Cisco configuration guide.
_______________________________________________
LARTC mailing list
[email protected]
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc