IPSEC VPN Tunnel Between Racoon+Linux and Cisco IOS
Racoon on Linux CentOS 5.5 ipsec-tools-0.6.5-14.el5_5.5
Cisco Router is 3745 running 12.3 IOS
Racoon peer is w.x.y.z; 10.0.0.0/16 network is behind this ipsec gateway.
Cisco Router is a.b.c.d; 192.168.0.0/24 network is behind this ipsec gateway.
Racoon cfg:
remote a.b.c.d
{
    exchange_mode main;
    my_identifier address "w.x.y.z";
    peers_identifier address "a.b.c.d";
    initial_contact on;
    proposal_check obey;
    proposal {
        encryption_algorithm 3des;
        authentication_method pre_shared_key;
        hash_algorithm md5;
        dh_group 2;
    }
}
sainfo address 10.0.0.0/16 any address 192.168.0.0/24 any {
    lifetime time 8 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
    pfs_group 2;
}
! support both sha and md5 hashes for phase 1 negotiation:
crypto isakmp policy 11
encr 3des
hash sha
authentication pre-share
group 2
lifetime 28800
!
crypto isakmp policy 12
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key xxx address w.x.y.z
! support md5 and sha hash for phase 2:
crypto ipsec transform-set racoon_phase2 esp-3des esp-sha-hmac
crypto ipsec transform-set racoon_phase2_md5 esp-3des esp-md5-hmac
! remote racoon peer:
crypto map vpn_map 11 ipsec-isakmp
set peer w.x.y.z
set transform-set racoon_phase2 racoon_phase2_md5
set pfs group2
match address racoon_hq
! bind the crypto map to the outbound intf:
interface FastEthernet0/0
description uplink to ISP
ip address a.b.c.d 255.255.255.252
ip access-group inet_in in
ip nat outside
load-interval 30
speed 10
full-duplex
crypto map vpn_map
! acl to match networks to send across specific tunnel to austin hq:
ip access-list extended racoon_hq
permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255
Note: we do not nat these src+dst pairs; a dmz interface (which exists but is not shown below) was also present, and we added that to the no-nat acl as well.
ip access-list extended nonatacl
deny ip host a.b.c.d any
deny ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.255.255
! nat everything else that egresses:
permit ip any any
! bind the nat acl to the nat routemap
route-map natmap permit 10
match ip address nonatacl
! nat outbound flows that don't have a static 1:1 nat to the
! egress interface, provided the conditions in the natmap routemap
! are met. This routemap will in turn implement the nonat conditions.
! ipsec tunnel traffic should not be natted in our case:
ip nat inside source route-map natmap interface FastEthernet0/0 overload
It should be noted that this version of IOS had a bug in that the acl was applied to the external (ISP) facing interface; the same interface that the crypto map was applied to. We had to allow the internal (10.x to 192.168.0.x) traffic on this ACL for tcp sessions across the ipsec tunnel to work. Normally this would not be the case, since the internal ipsec lan to lan traffic would flow through the external cisco interface (Fast Eth0/0) and be permitted as esp traffic (there was an acl line for esp of course). The observed behavior was that the default deny any at the end of the cisco ACL was blocking the lan to lan traffic until we added permits at the top.
The esp and udp permits specific to the racoon host src and cisco router dest are NOT needed, since the default permits for esp and udp isakmp will match too. We added them so we could capture the exact number of hits that the specific racoon gateway was creating separate from any other ipsec traffic. This is a generally useful acl technique you can use with ciscos:
(ACL Excerpt):
ip access-list extended inet_in
permit tcp any any established
permit esp host w.x.y.z host a.b.c.d
permit udp host w.x.y.z host a.b.c.d eq isakmp
permit udp host w.x.y.z host a.b.c.d eq non500-isakmp
! below line was needed due to IOS bug mentioned above:
permit ip 10.0.0.0 0.0.255.255 192.168.0.0 0.0.0.255
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit esp any any
--- other management and dmz nats left out ---
deny ip any any log
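The two things that most often go wrong with a setup like the one above are a phase 2 selector mismatch (the racoon sainfo must be the exact mirror image of the Cisco crypto ACL entry) and an ACL ordering mistake on the uplink interface. The following script is an added example, not part of the original post; it parses Cisco extended ACL entries with wildcard masks, checks the sainfo against the crypto ACL, and runs a first-match evaluation of the inet_in excerpt over a few constructed packets to show both the "specific entry before the general one" hit-counting trick and why the lan to lan permit line was needed when the tunnel traffic hit the external ACL. The peer addresses 198.51.100.10 (for w.x.y.z) and 203.0.113.1 (for a.b.c.d), and all packets, are constructed stand-ins.

```python
import ipaddress
from collections import Counter

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}

# Constructed stand-ins for the anonymised addresses in the post.
RACOON = "198.51.100.10"   # w.x.y.z, racoon gateway
CISCO = "203.0.113.1"      # a.b.c.d, Cisco uplink address


def wildcard_to_network(addr, wildcard):
    """Cisco wildcard mask (0 bits must match) -> ip_network; contiguous masks only."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:
        raise ValueError("non-contiguous wildcard %s" % wildcard)
    return ipaddress.ip_network("%s/%d" % (addr, 32 - w.bit_length()), strict=False)


def parse_addr(tokens, i):
    """Parse one address term (any | host A | A WILDCARD) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_ace(line):
    """Parse 'permit|deny PROTO SRC [eq P] DST [eq P] [established] [log]'."""
    t = line.split()
    action, proto = t[0], t[1]
    src, i = parse_addr(t, 2)
    dst, i = parse_addr(t, i)
    dport, flags = None, set()
    while i < len(t):
        if t[i] == "eq":
            dport = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
            i += 2
        else:
            flags.add(t[i])
            i += 1
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "flags": flags, "line": line}


def parse_acl(lines):
    return [parse_ace(l) for l in lines if not l.startswith("!")]


def ace_matches(ace, pkt):
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt["dst"]) not in ace["dst"]:
        return False
    if ace["dport"] is not None and ace["dport"] != pkt.get("dport"):
        return False
    if "established" in ace["flags"] and not pkt.get("established"):
        return False
    return True


def evaluate(acl, packets):
    """First-match evaluation like IOS: returns per-packet verdicts and per-entry hit counts."""
    hits, verdicts = Counter(), []
    for pkt in packets:
        for ace in acl:
            if ace_matches(ace, pkt):
                hits[ace["line"]] += 1
                verdicts.append(ace["action"])
                break
        else:
            verdicts.append("deny")  # implicit deny at the end of every IOS ACL
    return verdicts, hits


def sainfo_mirrors_crypto_acl(sainfo_line, crypto_ace_line):
    """racoon 'sainfo address LOCAL any address REMOTE any' vs Cisco 'permit ip REMOTE DST LOCAL'."""
    t = sainfo_line.split()
    local, remote = ipaddress.ip_network(t[2]), ipaddress.ip_network(t[5])
    ace = parse_ace(crypto_ace_line)
    return ace["src"] == remote and ace["dst"] == local


INET_IN = [
    "permit tcp any any established",
    "permit esp host %s host %s" % (RACOON, CISCO),
    "permit udp host %s host %s eq isakmp" % (RACOON, CISCO),
    "permit udp host %s host %s eq non500-isakmp" % (RACOON, CISCO),
    "permit ip 10.0.0.0 0.0.255.255 192.168.0.0 0.0.0.255",  # IOS-bug workaround line
    "permit udp any any eq isakmp",
    "permit udp any any eq non500-isakmp",
    "permit esp any any",
    "deny ip any any log",
]

# Constructed sample packets as seen by the inbound ACL on FastEthernet0/0.
PACKETS = [
    {"proto": "esp", "src": RACOON, "dst": CISCO},                       # racoon tunnel data
    {"proto": "udp", "src": RACOON, "dst": CISCO, "dport": 500},         # racoon IKE
    {"proto": "esp", "src": "192.0.2.5", "dst": CISCO},                  # some other IPsec peer
    {"proto": "tcp", "src": "10.0.5.5", "dst": "192.168.0.20", "dport": 22},  # decrypted lan-to-lan SYN
    {"proto": "tcp", "src": "192.0.2.9", "dst": CISCO, "dport": 23},     # unsolicited Internet SYN
]
```

Running `evaluate(parse_acl(INET_IN), PACKETS)` shows the racoon ESP and IKE packets landing on the host-specific entries (so their hit counters stay separate from the generic `permit esp any any`, which the third packet hits), the lan-to-lan SYN being permitted only because of the workaround line, and the unsolicited SYN hitting the final deny. Dropping the workaround entry from the list flips the lan-to-lan verdict to deny, which is exactly the behaviour the post describes.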
