[fw-wiz] Advice sought: IPSEC 3DES VPN config on Fedora Core 3
From: Mike Tubby (mike_at_tubby.org)
To: <email@example.com> Date: Wed, 20 Apr 2005 23:08:53 +0100
I've been building IPSEC 3DES VPNs for some time with Cisco gear at
both ends - typically 5-50 remote branch locatations on broadband back
in to the central site on a leased line.
Hardware has been Cisco 837-K9 routers at the remote sites and depending
on the number of sites a PIX506E or PIX515E at the center - this works
For some of the stuff that I'm implementing I now want to keep the 837-K9s
at remote locations running both local internet access and 3DES tunnels
but want to land the VPN/tunnel on a Linux box running Fedora Core 3.
Assuming that the FC3 box is up-to-date what is the best way to configure
the Linux box to act as a peer with my remote sites? Where "best" means
straight forward to configure/understand/maintain with minimum of effort...
Googling for "IPSEC Linux HOWTO" results in conflicting and confusing
advice regarding OpenSWAN, FreeSWAN, Racoon, ikakmpd, kernel based
support versus userland, etc. etc... there look to be so many choices...
and its not clear what has become defaco/best practice... in particular
where Fedora FC3 is involved...
Consider an 837-K9 on a broadband conenction with single, fixed, IP address
on the outside (184.108.40.206) and internal LAN subnet 192.168.100.0/24 with the
router being 192.168.100.254.
The corresponding peer (FC3 box) might have the public IP address 220.127.116.11
and have an internal network 192.168.1.0/24 but also have other routed/reachable
subnets such as 192.168.0.0/24 and 10.144.0.0/16, so the FC3 box has:
eth0: 18.104.22.168/255.255.255.0 outside (public internet)
eth1: 192.168.1.1/255.255.255.0 inside (private network)
We need to use 3DES, MD5, Group1, pre-shared keys, with an SA lifetime
of 68400 seconds (18 hours) -- why? because that bit's been mandated by
the thought police for the project ;o)
Here's some snippets of config from a typical 837 at a remote site:
crypto isakmp policy 10
crypto isakmp key 0 let_me_in address 22.214.171.124 no-xauth
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
set peer 126.96.36.199
set transform-set myset
match address 150
and the ACLs mon the 837-K9 would include:
access-list 101 remark *** Allow IPSEC traffic from center ***
access-list 101 permit ahp host 188.8.131.52 host 184.108.40.206
access-list 101 permit esp host 220.127.116.11 host 18.104.22.168
access-list 101 permit udp host 22.214.171.124 host 126.96.36.199 eq isakmp
as part of the input ACL on the Dialler-1 interface (PPP connected broadband).
The ACL below should catch the three subnets causing them to be
access-list 150 remark *** Match address for IPSEC VPN to center ***
access-list 150 permit ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.254
access-list 150 permit ip 192.168.100.0 0.0.0.255 10.144.0.0 0.0.255.255
... so, the question is what's the best way to configure the FC3 box
to act as a peer for this?
Does the FC3 box end up with a logical interface as the end-point of
the tunnel, like "ipsec0" or something? If so, does it get an IP address?
Crucially -- if I am at a remote site can I access services on the FC3
box where the tunnel terminates, ie. on 192.168.1.1 which is the address
of eth1 where a webserver or smb share may be found...
Anyone care to put together a worked example of the setup for the FC3
box? ... I'll send you beer via the IPSEC tunnel :o)
firewall-wizards mailing list