Firewall Wizards mailing list archives
Advice sought: IPSEC 3DES VPN config on Fedora Core 3
From: "Mike Tubby" <mike () tubby org>
Date: Wed, 20 Apr 2005 23:08:53 +0100
Gents, I've been building IPSEC 3DES VPNs for some time with Cisco gear at both ends - typically 5-50 remote branch locatations on broadband back in to the central site on a leased line. Hardware has been Cisco 837-K9 routers at the remote sites and depending on the number of sites a PIX506E or PIX515E at the center - this works well. For some of the stuff that I'm implementing I now want to keep the 837-K9s at remote locations running both local internet access and 3DES tunnels but want to land the VPN/tunnel on a Linux box running Fedora Core 3. Assuming that the FC3 box is up-to-date what is the best way to configure the Linux box to act as a peer with my remote sites? Where "best" means straight forward to configure/understand/maintain with minimum of effort... Googling for "IPSEC Linux HOWTO" results in conflicting and confusing advice regarding OpenSWAN, FreeSWAN, Racoon, ikakmpd, kernel based support versus userland, etc. etc... there look to be so many choices... and its not clear what has become defaco/best practice... in particular where Fedora FC3 is involved... Consider an 837-K9 on a broadband conenction with single, fixed, IP address on the outside (82.1.2.3) and internal LAN subnet 192.168.100.0/24 with the router being 192.168.100.254. The corresponding peer (FC3 box) might have the public IP address 193.82.1.2 and have an internal network 192.168.1.0/24 but also have other routed/reachable subnets such as 192.168.0.0/24 and 10.144.0.0/16, so the FC3 box has: eth0: 193.82.1.2/255.255.255.0 outside (public internet) eth1: 192.168.1.1/255.255.255.0 inside (private network) We need to use 3DES, MD5, Group1, pre-shared keys, with an SA lifetime of 68400 seconds (18 hours) -- why? because that bit's been mandated by the thought police for the project ;o) Here's some snippets of config from a typical 837 at a remote site: ! crypto isakmp policy 10 encr 3des hash md5 authentication pre-share lifetime 64800 crypto isakmp key 0 let_me_in address 193.82.1.2 no-xauth ! ! crypto ipsec transform-set myset esp-3des esp-md5-hmac ! crypto map mymap 10 ipsec-isakmp set peer 193.82.1.2 set transform-set myset match address 150 ! and the ACLs mon the 837-K9 would include: access-list 101 remark *** Allow IPSEC traffic from center *** access-list 101 permit ahp host 193.82.1.2 host 82.1.2.3 access-list 101 permit esp host 193.82.1.2 host 82.1.2.3 access-list 101 permit udp host 193.82.1.2 host 82.1.2.3 eq isakmp as part of the input ACL on the Dialler-1 interface (PPP connected broadband). The ACL below should catch the three subnets causing them to be tunnelled: access-list 150 remark *** Match address for IPSEC VPN to center *** access-list 150 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.254 access-list 150 permit ip 192.168.100.0 0.0.0.255 10.144.0.0 0.0.255.255... so, the question is what's the best way to configure the FC3 box
to act as a peer for this? Does the FC3 box end up with a logical interface as the end-point of the tunnel, like "ipsec0" or something? If so, does it get an IP address? Crucially -- if I am at a remote site can I access services on the FC3 box where the tunnel terminates, ie. on 192.168.1.1 which is the address of eth1 where a webserver or smb share may be found... Anyone care to put together a worked example of the setup for the FC3 box? ... I'll send you beer via the IPSEC tunnel :o) Regards Mike _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Advice sought: IPSEC 3DES VPN config on Fedora Core 3 Mike Tubby (Apr 21)
- Re: Advice sought: IPSEC 3DES VPN config on Fedora Core 3 Bruce B. Platt (Apr 21)