Hi
Two days ago I configured a VPN between Cisco & Linux, it works
fine. I heard that incompatibility problems sometimes happen with
some Linux distros with respect to the Diffie-Hellman algorithm. I have
implemented it between a PC running CentOS 4.2 and a Cisco 831. Here is a
miniguide.
IPSEC VPN between Cisco and Linux
LINUX
[root@mail ~]# cat /etc/racoon/psk.txt
200.18.25.58          cizc0linux
[root@mail ~]# cat /etc/ipsec.conf
flush;
spdflush;
spdadd  10.0.0.0/24 192.168.111.0/27 any -P out ipsec
esp/tunnel/200.58.25.58-200.18.25.58/require;
spdadd  192.168.111.0/27 10.0.0.0/24 any -P in ipsec
esp/tunnel/200.18.25.58-200.58.25.58/require;
[root@mail racoon]# cat racoon.conf
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
listen
{
    isakmp 200.58.25.58 [500];
    strict_address;
}
remote 200.18.25.58 {
     exchange_mode main;
      proposal {
       encryption_algorithm  3des;
       hash_algorithm sha1;
       authentication_method pre_shared_key;
       dh_group 2;
      }
}
sainfo address 10.0.0.0/24 any address 192.168.111.0/27 any
{
        pfs_group 2;
        lifetime time 80000 sec;
        encryption_algorithm  3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
# SNAT LAN traffic going out to the Internet, but not traffic for the remote
# LAN, which must enter the tunnel unchanged (rule lives in the nat table)
iptables -t nat -A POSTROUTING -s 10.0.0.0/255.255.255.0 -o eth0 \
  ! -d 192.168.111.0/27 -j SNAT --to-source 200.58.25.58
setkey -f /etc/ipsec.conf
racoon -f /etc/racoon/racoon.conf -F -ddd
CISCO
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 80000
crypto isakmp key cizc0linux address 200.58.25.58
!
!
crypto ipsec transform-set policy01 esp-3des esp-sha-hmac
!
crypto map vpn-tunnel 10 ipsec-isakmp
 set peer 200.58.25.58
 set security-association lifetime seconds 80000
 set transform-set policy01
 set pfs group2
 match address 100
!
interface Ethernet1
 description INTERFACE WAN
 ip address 200.18.25.58 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 load-interval 30
 duplex full
 no cdp enable
 crypto map vpn-tunnel
end
!
interface Ethernet0
 description INTERFACE LAN
 ip address 192.168.111.1 255.255.255.224
 ip nat inside
 no cdp enable
end
!
access-list 100 permit ip 192.168.111.0 0.0.0.31 10.0.0.0 0.0.0.255
!
ip nat inside source list 101 interface Ethernet1 overload
!
access-list 101 deny   ip 192.168.111.0 0.0.0.31 10.0.0.0 0.0.0.255
access-list 101 permit ip 192.168.111.0 0.0.0.31 any
On 5/4/07, Fermín Galán Márquez <fermin.galan@cttc.es> wrote:
> Hi,
>
> When an IPSec tunnel is established between two peers, I understand that the
> "normal" situation is to have at a given moment two SAs, one for each
> direction of the tunnel.
>
> However, in one of my tunnels (peer P1 running GNU/Linux with setkey and
> racoon; peer P2 is a Cisco router) there is a large number (around 19) of
> SAs established (this has been observed in P1 with 'setkey -D').
>
> I've googled around and the "multiplicity of SAs" seems to be a pathological
> situation (as a matter of fact, connectivity through that tunnel tends to
> fail). Although I'm not an expert in the internals of the IKE protocol, I've
> read that using 'initial_contact on' in the tunnel could help. However,
> using that parameter in racoon.conf and restarting hasn't solved the problem
> :(
>
> I would like to remark that P1 is running 6 tunnels and this only happens in
> one of them (the other 5 seem to work fine with just a pair of SAs). Maybe
> some Cisco-Linux interoperability issue?
>
> Any idea or suggestion about what can be happening? Please tell me if
> you need to know any extra information (logs, etc.)
>
> Any help is very welcome. Thanks in advance!
>
> Best regards,
>
> --------------------
> Fermín Galán Márquez
> CTTC - Centre Tecnològic de Telecomunicacions de Catalunya
> Parc Mediterrani de la Tecnologia, Av. del Canal Olímpic s/n, 08860
> Castelldefels, Spain
> Room 1.02
> Tel : +34 93 645 29 12
> Fax : +34 93 645 29 01
> Email address: fermin dot galan at cttc dot es
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>
-- 
"The network is the computer"
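As an added example (not part of this thread, nor of either poster's setup): a small Python parser for `setkey -D` output that counts mature SAs per direction, so the "many SAs on one tunnel" symptom from the quoted message can be spotted without counting by hand. The dump below is constructed; the names `parse_sad`, `mature_per_direction` and `piled_up_directions` are chosen here, and the default limit of 2 mature SAs per direction (one live SA plus one rekey overlap) is an assumption.

```python
import re
from collections import Counter
# Constructed `setkey -D` excerpt (not captured from the thread's hosts): the
# outbound direction holds one SA, the inbound direction has piled up several.
SAMPLE_SETKEY_D = """\
200.58.25.58 200.18.25.58
        esp mode=tunnel spi=112260261(0x06b0f4a5) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
200.18.25.58 200.58.25.58
        esp mode=tunnel spi=998823905(0x3b88d7e1) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
200.18.25.58 200.58.25.58
        esp mode=tunnel spi=998823906(0x3b88d7e2) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
200.18.25.58 200.58.25.58
        esp mode=tunnel spi=998823907(0x3b88d7e3) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
200.18.25.58 200.58.25.58
        esp mode=tunnel spi=998823908(0x3b88d7e4) reqid=0(0x00000000)
        seq=0x00000000 replay=4 flags=0x00000000 state=dying
"""
HEADER_RE = re.compile(r'^(\S+)\s+(\S+)\s*$')  # unindented "src dst" opens an SA
SPI_RE = re.compile(r'\bspi=(\d+)')
STATE_RE = re.compile(r'\bstate=(\w+)')

def parse_sad(text):
    """Return [(src, dst, spi, state), ...] from `setkey -D` output."""
    sas, cur = [], None
    for line in text.splitlines():
        if line and not line[0].isspace():
            m = HEADER_RE.match(line)
            cur = [m.group(1), m.group(2), None, None] if m else None
            if cur:
                sas.append(cur)
        elif cur:                      # indented attribute line of the current SA
            m = SPI_RE.search(line)
            if m:
                cur[2] = int(m.group(1))
            m = STATE_RE.search(line)
            if m:
                cur[3] = m.group(1)
    return [tuple(s) for s in sas]

def mature_per_direction(sas):
    """Count state=mature SAs per (src, dst) direction; dying/larval ones are ignored."""
    return Counter((src, dst) for src, dst, _spi, state in sas if state == 'mature')

def piled_up_directions(sas, limit=2):
    """Directions holding more than `limit` mature SAs (two may overlap during rekey)."""
    return sorted(d for d, n in mature_per_direction(sas).items() if n > limit)
```

Feed it the real dump with `parse_sad(subprocess.check_output(['setkey', '-D'], text=True))`; a direction that keeps growing past the limit points at failed rekeys or a peer that never deletes old SAs.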