Friday, October 21, 2016

configure IPsec between a Cisco router and strongSwan (IKEv1, pre-shared key)

*** setup information

- strongSwan : wan ip: 192.168.202.242
               lan ip: 172.16.0.0/24

- Cisco      : wan ip: 10.0.0.2 (FastEthernet0/0, default gateway 10.0.0.1)
               lan ip: 10.0.1.0/24 (FastEthernet0/1)

Note that 10.0.0.0/24 is only the transit network between the router and its gateway; the protected LAN behind the router is 10.0.1.0/24, which is what access-list 101 on the Cisco side and rightsubnet on the strongSwan side refer to.



*** Cisco side

1- IPsec-relevant part of the running-configuration of the Cisco router. Two values are implicit: "encr aes" means AES-128, and the missing "hash" line means the default SHA-1 (both are visible with "show crypto isakmp policy"), so policy 20 is AES-128 / SHA-1 / DH group 2. Also note that the pre-shared key is stored in clear text in the running-config, and that group 2 (1024-bit MODP) and SHA-1 are weak by current standards; if you raise them (e.g. group 14 on the router, modp2048 in strongSwan), change both sides together or the negotiation fails.

!
crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2
crypto isakmp key topsecret address 192.168.202.242
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto map mymap 21 ipsec-isakmp
 set peer 192.168.202.242
 set transform-set myset
 match address 101
!
interface FastEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 duplex auto
 speed auto
 crypto map mymap
!
interface FastEthernet0/1
 ip address 10.0.1.1 255.255.255.0
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.0.0.1
!
access-list 101 permit ip 10.0.1.0 0.0.0.255 172.16.0.0 0.0.0.255




*** strongSwan side
1- strongSwan configuration. Every value in the tunnel proposals has a counterpart in the Cisco config above: ike=aes128-sha1-modp1024! is policy 20, esp=aes128-sha1! is transform-set myset, rightsubnet is the destination half of access-list 101, and the lifetimes (1440m / 60m) equal the Cisco defaults of 86400s / 3600s, so neither side rekeys earlier than the other expects.
- /etc/ipsec.conf
config setup
    charondebug="all"          # very verbose; useful for the first negotiation, lower it afterwards
    uniqueids=yes
    strictcrlpolicy=no
conn %default
    keyexchange=ikev1          # the Cisco side uses "crypto isakmp", i.e. IKEv1
conn tunnel
    rightsendcert=never        # irrelevant with PSK authentication, harmless
    ikelifetime=1440m          # 86400s, the Cisco default ISAKMP policy lifetime
    keylife=60m                # 3600s, the Cisco default IPsec SA lifetime
    rekeymargin=3m
    keyingtries=1              # gives up after one attempt; permanent site-to-site tunnels usually use %forever
    left=192.168.202.242
    leftsubnet=172.16.0.0/24
    right=10.0.0.2
    rightsubnet=10.0.1.0/24    # must mirror access-list 101 on the router
    ike=aes128-sha1-modp1024!  # = Cisco policy 20: encr aes (128-bit), default hash sha, group 2
    esp=aes128-sha1!           # = transform-set myset: esp-aes esp-sha-hmac
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear            # deletes the SAs on a dead peer and does not re-initiate; use restart for a permanent tunnel
    authby=secret
    auto=start
    type=tunnel



- /etc/ipsec.secrets (keep it root-owned with mode 0600: it holds the same PSK that sits in clear text in the router's "crypto isakmp key" line)
192.168.202.242 10.0.0.2 : PSK 'topsecret'
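The two proposals have to agree exactly, and the hard part of the Cisco side is what it does not print: "encr aes" is AES-128 and the omitted "hash" line is SHA-1. The shell script below is an added example (not part of the original post, of IOS or of strongSwan) that derives the strongSwan ike= and esp= strings from the Cisco "crypto isakmp policy" and "crypto ipsec transform-set" lines and flags proposals that still negotiate but are weak by current standards. The name-mapping table and the IOS defaults it assumes for omitted lines (encr des, hash sha, group 1) are my own assumptions, and the function names are hypothetical; the input is the running-config shown above.

```shell
#!/bin/sh
# Added example, not from the original post: map Cisco IKEv1/IPsec names to
# strongSwan proposal strings so both sides can be compared before "ipsec up".
# Assumption: classic IOS defaults (encr des, hash sha, group 1) for omitted lines.

# Usage: cisco_isakmp_to_ike < policy_lines   -> e.g. aes128-sha1-modp1024!
cisco_isakmp_to_ike() {
  awk '
    BEGIN {
      enc = "des"; hash = "sha1"; grp = "modp768"      # IOS defaults when a line is omitted
      g["1"]="modp768"; g["2"]="modp1024"; g["5"]="modp1536"; g["14"]="modp2048"
      g["15"]="modp3072"; g["16"]="modp4096"; g["19"]="ecp256"; g["20"]="ecp384"
    }
    $1 == "encr" || $1 == "encryption" {
      if ($2 == "aes") enc = ($3 == "") ? "aes128" : ("aes" $3)   # "encr aes" is AES-128
      else             enc = $2                                    # des, 3des
    }
    $1 == "hash"  { hash = ($2 == "sha") ? "sha1" : $2 }          # "hash sha" is SHA-1
    $1 == "group" { if ($2 in g) grp = g[$2] }
    END { printf "%s-%s-%s!\n", enc, hash, grp }
  '
}

# Usage: cisco_transform_to_esp < "crypto ipsec transform-set ..." line -> e.g. aes128-sha1!
cisco_transform_to_esp() {
  awk '
    $1 == "crypto" && $2 == "ipsec" && $3 == "transform-set" {
      enc = ""; integ = ""
      for (i = 5; i <= NF; i++) {
        if      ($i == "esp-aes")         enc = ($(i+1) ~ /^[0-9]+$/) ? ("aes" $(i+1)) : "aes128"
        else if ($i == "esp-3des")        enc = "3des"
        else if ($i == "esp-des")         enc = "des"
        else if ($i == "esp-sha-hmac")    integ = "sha1"
        else if ($i == "esp-sha256-hmac") integ = "sha256"
        else if ($i == "esp-md5-hmac")    integ = "md5"
      }
      printf "%s-%s!\n", enc, integ
    }
  '
}

# Usage: weak_proposal "aes128-sha1-modp1024!"  -> prints reasons, returns 1 if weak, 0 otherwise
weak_proposal() {
  weak=0
  case "$1" in *modp768*|*modp1024*) echo "  DH group below 2048 bits in $1"; weak=1 ;; esac
  case "$1" in *-sha1-*|*-sha1!|*-md5*) echo "  SHA-1/MD5 integrity in $1"; weak=1 ;; esac
  case "$1" in des-*|3des-*) echo "  DES/3DES encryption in $1"; weak=1 ;; esac
  return $weak
}

# Constructed input: the IPsec-relevant lines of the running-config shown above.
CISCO_POLICY='crypto isakmp policy 20
 encr aes
 authentication pre-share
 group 2'
CISCO_TRANSFORM='crypto ipsec transform-set myset esp-aes esp-sha-hmac'

ike=$(printf '%s\n' "$CISCO_POLICY" | cisco_isakmp_to_ike)
esp=$(printf '%s\n' "$CISCO_TRANSFORM" | cisco_transform_to_esp)
echo "ike=$ike"   # aes128-sha1-modp1024!  (the value used in ipsec.conf above)
echo "esp=$esp"   # aes128-sha1!
weak_proposal "$ike" || echo "consider 'group 14' on the router and modp2048 in ike= on both sides"
```

Paste the output of "show running-config | section crypto" into the two functions and compare the result with the ike=/esp= lines in ipsec.conf; a mismatch is the usual cause of a NO_PROPOSAL_CHOSEN during Main Mode or Quick Mode.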

2- restart ipsec and bring up the tunnel. Because auto=start already negotiates the IKE SA (Main Mode) during the restart, "ipsec up tunnel" only shows the Quick Mode exchange that creates the CHILD_SA; the N((24576)) in the Cisco reply is the IKEv1 RESPONDER-LIFETIME notification carrying the router's SA lifetime.
$ sudo ipsec restart
$ sudo ipsec up tunnel
generating QUICK_MODE request 2433750819 [ HASH SA No ID ID ]
sending packet: from 192.168.202.242[500] to 10.0.0.2[500] (188 bytes)
received packet: from 10.0.0.2[500] to 192.168.202.242[500] (204 bytes)
parsed QUICK_MODE response 2433750819 [ HASH SA No ID ID N((24576)) ]
CHILD_SA tunnel{3} established with SPIs caccd9ac_i 0c90381e_o and TS 172.16.0.0/24 === 10.0.1.0/24
generating QUICK_MODE request 2433750819 [ HASH ]
sending packet: from 192.168.202.242[500] to 10.0.0.2[500] (60 bytes)
connection 'tunnel' established successfully




*** use the show commands to verify the IPsec status
- strongSwan ("ipsec statusall tunnel" additionally prints the negotiated algorithms and the byte counters)
$ sudo ipsec status tunnel
Security Associations (1 up, 0 connecting):
      tunnel[1]: ESTABLISHED 9 minutes ago, 192.168.202.242[192.168.202.242]...10.0.0.2[10.0.0.2]
      tunnel{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: caccd9ac_i 0c90381e_o
      tunnel{3}:   172.16.0.0/24 === 10.0.1.0/24





- Cisco router ("Active SAs: 2" below is the inbound/outbound ESP pair, the same SAs strongSwan shows as caccd9ac_i / 0c90381e_o; "show crypto ipsec sa" lists their SPIs and packet counters)
Router#show crypto session
Crypto session current status

Interface: FastEthernet0/0
Session status: UP-ACTIVE    
Peer: 192.168.202.242 port 500
  IKE SA: local 10.0.0.2/500 remote 192.168.202.242/500 Active
  IPSEC FLOW: permit ip 10.0.1.0/255.255.255.0 172.16.0.0/255.255.255.0
        Active SAs: 2, origin: crypto map
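The "ipsec status" output above has three lines worth checking automatically: the IKE SA state (ESTABLISHED), the CHILD_SA state (INSTALLED, TUNNEL) and the traffic selectors, which is also where a wrong subnet would show up. The script below is an added example, not from the original post or from strongSwan, that turns those checks into a function suitable for cron or a monitoring agent on the strongSwan host. The ESTABLISHED sample is the output shown above, the CONNECTING sample is constructed, check_tunnel is a hypothetical name, and the line formats are those of strongSwan 5.x "ipsec status" (other versions may print slightly different text).

```shell
#!/bin/sh
# Added example, not from the original post: health check over the text that
# "ipsec status <conn>" prints. Exit status 0 = healthy, 1 = no IKE SA,
# 2 = no installed CHILD_SA, 3 = unexpected traffic selectors.

# Usage: ipsec status <conn> | check_tunnel <conn> <local_subnet> <remote_subnet>
check_tunnel() {
  conn="$1"; local_ts="$2"; remote_ts="$3"
  status=$(cat)
  # IKE SA line:    tunnel[1]: ESTABLISHED 9 minutes ago, 192.168.202.242[...]...10.0.0.2[...]
  if ! printf '%s\n' "$status" | grep -q "^[[:space:]]*${conn}\[[0-9]*]: ESTABLISHED"; then
    echo "FAIL: IKE SA for '$conn' is not ESTABLISHED"; return 1
  fi
  # CHILD_SA line:  tunnel{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: caccd9ac_i 0c90381e_o
  if ! printf '%s\n' "$status" | grep -q "^[[:space:]]*${conn}{[0-9]*}:[[:space:]]*INSTALLED, TUNNEL"; then
    echo "FAIL: CHILD_SA for '$conn' is not INSTALLED as a tunnel"; return 2
  fi
  # Selector line:  tunnel{3}:   172.16.0.0/24 === 10.0.1.0/24   (fixed-string match)
  if ! printf '%s\n' "$status" | grep -qF "${local_ts} === ${remote_ts}"; then
    echo "FAIL: traffic selectors are not ${local_ts} === ${remote_ts}"; return 3
  fi
  echo "OK: $conn up, ${local_ts} === ${remote_ts}"
  return 0
}

# Sample 1: the "ipsec status tunnel" output shown above.
SAMPLE_UP='Security Associations (1 up, 0 connecting):
      tunnel[1]: ESTABLISHED 9 minutes ago, 192.168.202.242[192.168.202.242]...10.0.0.2[10.0.0.2]
      tunnel{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: caccd9ac_i 0c90381e_o
      tunnel{3}:   172.16.0.0/24 === 10.0.1.0/24'

# Sample 2 (constructed): Main Mode still running, no CHILD_SA yet.
SAMPLE_CONNECTING='Security Associations (0 up, 1 connecting):
      tunnel[2]: CONNECTING, 192.168.202.242[%any]...10.0.0.2[%any]'

printf '%s\n' "$SAMPLE_UP"         | check_tunnel tunnel 172.16.0.0/24 10.0.1.0/24
printf '%s\n' "$SAMPLE_CONNECTING" | check_tunnel tunnel 172.16.0.0/24 10.0.1.0/24 \
  || echo "exit status $? as expected while the peer is still connecting"

# Live use on the strongSwan host, e.g. from cron:
#   ipsec status tunnel | check_tunnel tunnel 172.16.0.0/24 10.0.1.0/24 \
#     || logger -p daemon.err "ipsec: tunnel to 10.0.0.2 is down"
```

Checking the selector line as well as the states catches the case where the tunnel is up but protects the wrong prefix (for example 10.0.0.0/24 instead of 10.0.1.0/24), which neither "ESTABLISHED" nor "UP-ACTIVE" on the router would reveal.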



