[fw-wiz] Advice sought: IPSEC 3DES VPN config on Fedora Core 3

From: Mike Tubby (mike_at_tubby.org)
Date: 04/21/05

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 20 Apr 2005 23:08:53 +0100
    
    

    Gents,
     
    I've been building IPSEC 3DES VPNs for some time with Cisco gear at
    both ends - typically 5-50 remote branch locations on broadband back
    in to the central site on a leased line.
     
    Hardware has been Cisco 837-K9 routers at the remote sites and depending
    on the number of sites a PIX506E or PIX515E at the center - this works
    well.
     
    For some of the stuff that I'm implementing I now want to keep the 837-K9s
    at remote locations running both local internet access and 3DES tunnels
    but want to land the VPN/tunnel on a Linux box running Fedora Core 3.
     
    Assuming that the FC3 box is up-to-date, what is the best way to configure
    the Linux box to act as a peer with my remote sites? Where "best" means
    straightforward to configure/understand/maintain with a minimum of effort...
     
    Googling for "IPSEC Linux HOWTO" results in conflicting and confusing
    advice regarding Openswan, FreeS/WAN, racoon, isakmpd, kernel-based
    support versus userland, etc. etc... there look to be so many choices...
    and it's not clear what has become de facto/best practice... in particular
    where Fedora FC3 is involved...
     
    Consider an 837-K9 on a broadband connection with a single, fixed IP address
    on the outside (82.1.2.3) and internal LAN subnet 192.168.100.0/24 with the
    router being 192.168.100.254.
     
    The corresponding peer (FC3 box) might have the public IP address 193.82.1.2
    and have an internal network 192.168.1.0/24 but also have other routed/reachable
    subnets such as 192.168.0.0/24 and 10.144.0.0/16, so the FC3 box has:
     
        eth0: 193.82.1.2/255.255.255.0 outside (public internet)
        eth1: 192.168.1.1/255.255.255.0 inside (private network)
     
    We need to use 3DES, MD5, Group1, pre-shared keys, with an SA lifetime
    of 64800 seconds (18 hours) -- why? because that bit's been mandated by
    the thought police for the project ;o)
     
     
    Here are some snippets of config from a typical 837 at a remote site:
     
    !
    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     lifetime 64800
    crypto isakmp key 0 let_me_in address 193.82.1.2 no-xauth
    !
    !
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    !
    crypto map mymap 10 ipsec-isakmp
     set peer 193.82.1.2
     set transform-set myset
     match address 150
    !
     
    and the ACLs on the 837-K9 would include:
     
    access-list 101 remark *** Allow IPSEC traffic from center ***
    access-list 101 permit ahp host 193.82.1.2 host 82.1.2.3
    access-list 101 permit esp host 193.82.1.2 host 82.1.2.3
    access-list 101 permit udp host 193.82.1.2 host 82.1.2.3 eq isakmp

    as part of the input ACL on the Dialler-1 interface (PPP connected broadband).
     
     
    The ACL below should catch the three subnets causing them to be
    tunnelled:

    access-list 150 remark *** Match address for IPSEC VPN to center ***
    access-list 150 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
    access-list 150 remark (entry for 192.168.0.0/24 added here to cover the third subnet listed above)
    access-list 150 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 150 permit ip 192.168.100.0 0.0.0.255 10.144.0.0 0.0.255.255
     
      
    ... so, the question is what's the best way to configure the FC3 box
    to act as a peer for this?
     
    Does the FC3 box end up with a logical interface as the end-point of
    the tunnel, like "ipsec0" or something? If so, does it get an IP address?
     
    Crucially -- if I am at a remote site can I access services on the FC3
    box where the tunnel terminates, i.e. on 192.168.1.1 which is the address
    of eth1 where a webserver or smb share may be found...
     
    Anyone care to put together a worked example of the setup for the FC3
    box? ... I'll send you beer via the IPSEC tunnel :o)
     

    Regards
     
     
    Mike

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
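The worked FC3-side configuration the post asks for, as an added example that is not part of the original message or of any reply to it. It assumes Openswan 2.x on the stock FC3 2.6 kernel (the NETKEY stack, not KLIPS), reuses the addresses and pre-shared key from the post, and treats two things as assumptions: the output directory (OUT_DIR, a scratch directory by default so the script runs anywhere) and the IPsec SA lifetime (keylife), which the post does not show and is taken as the IOS default of 3600 s. Rather than hand-writing one conn stanza per subnet, the script derives them from a constructed copy of access-list 150 and rejects any wildcard mask that is not contiguous, which is the check that catches a typo such as 0.0.0.254 before IOS silently accepts it.

```shell
#!/bin/sh
# Added example (not from the post or any reply): generate the FC3 side of the
# tunnel (Openswan on NETKEY) from the 837's crypto-map ACL.  Addresses and PSK
# come from the post; OUT_DIR and keylife are assumptions (see comments).
set -e

CENTRAL_PUBLIC=193.82.1.2      # FC3 eth0
BRANCH_PUBLIC=82.1.2.3         # 837-K9 outside address
BRANCH_LAN=192.168.100.0/24
PSK=let_me_in                  # from "crypto isakmp key 0 let_me_in ..."

# Constructed copy of access-list 150 on the 837, covering all three central subnets.
BRANCH_ACL='access-list 150 remark *** Match address for IPSEC VPN to center ***
access-list 150 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 150 permit ip 192.168.100.0 0.0.0.255 10.144.0.0 0.0.255.255'

# Cisco wildcard mask -> prefix length.  A wildcard must be 2^n - 1; anything
# else (e.g. 0.0.0.254, which IOS accepts without complaint) is rejected.
wildcard_to_prefix() {
    case $1 in *[!0-9.]*) return 1 ;; esac
    IFS=. read -r o1 o2 o3 o4 extra <<EOF
$1
EOF
    [ -n "$o4" ] && [ -z "$extra" ] || return 1
    w=$(( (o1 << 24) | (o2 << 16) | (o3 << 8) | o4 ))
    n=$(( w + 1 ))
    [ $(( n & (n - 1) )) -eq 0 ] || return 1
    bits=0
    while [ "$w" -ne 0 ]; do w=$(( w >> 1 )); bits=$(( bits + 1 )); done
    echo $(( 32 - bits ))
}

# One "permit ip" entry -> one Openswan conn (Openswan 2.x takes one subnet per
# side).  The ACL is written from the branch router, so its source is the branch
# LAN (right side here) and its destination a central subnet (left side).
acl_to_conns() {
    i=0
    while read -r kw num action proto src swc dst dwc rest; do
        [ "$kw" = access-list ] && [ "$action" = permit ] && [ "$proto" = ip ] || continue
        sp=$(wildcard_to_prefix "$swc") || { echo "bad wildcard $swc" >&2; return 1; }
        dp=$(wildcard_to_prefix "$dwc") || { echo "bad wildcard $dwc" >&2; return 1; }
        i=$(( i + 1 ))
        printf 'conn branch1-net%s\n    leftsubnet=%s/%s\n    rightsubnet=%s/%s\n    auto=start\n\n' \
            "$i" "$dst" "$dp" "$src" "$sp"
    done
}

write_config() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ipsec.conf" <<EOF
version 2.0
config setup
    # NETKEY (stock FC3 2.6 kernel): no ipsec0 interface appears and the tunnel
    # has no address of its own; what gets tunnelled is decided by subnet policy.
    interfaces=%defaultroute

conn %default
    keyexchange=ike
    type=tunnel
    authby=secret
    # Mirrors "crypto isakmp policy 10": 3DES, MD5, DH group 1 (modp768), 64800 s.
    ike=3des-md5-modp768
    ikelifetime=18h
    # Mirrors "transform-set myset esp-3des esp-md5-hmac".
    esp=3des-md5
    # The crypto map has no "set pfs"; Openswan's default is pfs=yes, so say no.
    pfs=no
    # Assumed: IOS default IPsec SA lifetime of 3600 s (the post does not show it).
    keylife=1h
    left=$CENTRAL_PUBLIC
    right=$BRANCH_PUBLIC

EOF
    echo "$BRANCH_ACL" | acl_to_conns >> "$dir/ipsec.conf"
    cat > "$dir/ipsec.secrets" <<EOF
$CENTRAL_PUBLIC $BRANCH_PUBLIC : PSK "$PSK"
EOF
    chmod 600 "$dir/ipsec.secrets"
    cat > "$dir/iptables-vpn.sh" <<EOF
# Counterpart of access-list 101 on the 837: only the branch may speak IKE/ESP/AH to eth0.
iptables -A INPUT -i eth0 -p udp -s $BRANCH_PUBLIC -d $CENTRAL_PUBLIC --dport 500 -j ACCEPT
iptables -A INPUT -i eth0 -p esp -s $BRANCH_PUBLIC -d $CENTRAL_PUBLIC -j ACCEPT
iptables -A INPUT -i eth0 -p ah  -s $BRANCH_PUBLIC -d $CENTRAL_PUBLIC -j ACCEPT
# NETKEY re-injects decrypted packets as if they arrived on eth0, so FORWARD must
# admit the branch LAN explicitly (kernels of this era lack "-m policy", so this
# also admits cleartext packets spoofing $BRANCH_LAN; drop those at the border).
iptables -A FORWARD -i eth0 -s $BRANCH_LAN -j ACCEPT
iptables -A FORWARD -o eth0 -d $BRANCH_LAN -j ACCEPT
# If eth0 masquerades the inside LANs, exempt tunnel traffic first: NAT happens
# before encapsulation and a rewritten source never matches the policy.
iptables -t nat -I POSTROUTING 1 -d $BRANCH_LAN -j ACCEPT
EOF
}

OUT=${OUT_DIR:-$(mktemp -d)}
write_config "$OUT"
echo "wrote $OUT/ipsec.conf, ipsec.secrets and iptables-vpn.sh"
```

Run it with OUT_DIR=/tmp/vpn first, inspect the three files, then copy ipsec.conf and ipsec.secrets into /etc, apply the iptables lines ahead of any MASQUERADE rule, and restart the ipsec service; `ipsec verify` and `ipsec auto --status` show whether pluto brought the three conns up. On the post's two specific questions: with NETKEY there is no ipsec0 and no tunnel address (KLIPS would give an ipsec0, but it is not what the stock FC3 kernel uses), and services on 192.168.1.1 are reachable from the branch simply because that address lies inside leftsubnet 192.168.1.0/24. The one catch is sessions the FC3 box itself opens towards the branch LAN: the kernel sources those from the eth0 address, which falls outside the policy, so either add leftsourceip=192.168.1.1 to the conns if the installed Openswan accepts that option, or add a route for 192.168.100.0/24 with src 192.168.1.1.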
