[fw-wiz] Advice sought: IPSEC 3DES VPN config on Fedora Core 3

From: Mike Tubby (mike_at_tubby.org)
Date: 04/21/05

  • Next message: Mark Sargent: "[fw-wiz] IP130 Password Recovery"
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 20 Apr 2005 23:08:53 +0100

    I've been building IPSEC 3DES VPNs for some time with Cisco gear at
    both ends - typically 5-50 remote branch locatations on broadband back
    in to the central site on a leased line.
    Hardware has been Cisco 837-K9 routers at the remote sites and depending
    on the number of sites a PIX506E or PIX515E at the center - this works
    For some of the stuff that I'm implementing I now want to keep the 837-K9s
    at remote locations running both local internet access and 3DES tunnels
    but want to land the VPN/tunnel on a Linux box running Fedora Core 3.
    Assuming that the FC3 box is up-to-date what is the best way to configure
    the Linux box to act as a peer with my remote sites? Where "best" means
    straight forward to configure/understand/maintain with minimum of effort...
    Googling for "IPSEC Linux HOWTO" results in conflicting and confusing
    advice regarding OpenSWAN, FreeSWAN, Racoon, ikakmpd, kernel based
    support versus userland, etc. etc... there look to be so many choices...
    and its not clear what has become defaco/best practice... in particular
    where Fedora FC3 is involved...
    Consider an 837-K9 on a broadband conenction with single, fixed, IP address
    on the outside ( and internal LAN subnet with the
    router being
    The corresponding peer (FC3 box) might have the public IP address
    and have an internal network but also have other routed/reachable
    subnets such as and, so the FC3 box has:
        eth0: outside (public internet)
        eth1: inside (private network)
    We need to use 3DES, MD5, Group1, pre-shared keys, with an SA lifetime
    of 68400 seconds (18 hours) -- why? because that bit's been mandated by
    the thought police for the project ;o)
    Here's some snippets of config from a typical 837 at a remote site:
    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     lifetime 64800
    crypto isakmp key 0 let_me_in address no-xauth
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto map mymap 10 ipsec-isakmp
     set peer
     set transform-set myset
     match address 150
    and the ACLs mon the 837-K9 would include:
    access-list 101 remark *** Allow IPSEC traffic from center ***
    access-list 101 permit ahp host host
    access-list 101 permit esp host host
    access-list 101 permit udp host host eq isakmp

    as part of the input ACL on the Dialler-1 interface (PPP connected broadband).
    The ACL below should catch the three subnets causing them to be

    access-list 150 remark *** Match address for IPSEC VPN to center ***
    access-list 150 permit ip
    access-list 150 permit ip
    ... so, the question is what's the best way to configure the FC3 box
    to act as a peer for this?
    Does the FC3 box end up with a logical interface as the end-point of
    the tunnel, like "ipsec0" or something? If so, does it get an IP address?
    Crucially -- if I am at a remote site can I access services on the FC3
    box where the tunnel terminates, ie. on which is the address
    of eth1 where a webserver or smb share may be found...
    Anyone care to put together a worked example of the setup for the FC3
    box? ... I'll send you beer via the IPSEC tunnel :o)


    firewall-wizards mailing list

  • Next message: Mark Sargent: "[fw-wiz] IP130 Password Recovery"