Cisco Router to OpenSwan VPN Config
- How to configure openswan to cisco vpn
- Below is a config example.

Cisco Router to OpenSwan VPN Config

How to configure openswan to cisco vpn

I used a base install of archlinux with iptables, iproute, and openswan installed from the package repos. The cisco device was a 2621 running 12.3.22 , with ipfw crypto. You can verify crypto on the cisco side by doing a „show crypto isakmp sa“ and „show crypto ipsec sa“. On openswan do a „ipsec barf | more“.

Below is a config example.

#/etc/ipsec.conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # plutodebug / klipsdebug = "all", "none" or a combation from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg:
        #plutodebug="control parsing"
        #plutodebug="all"
        plutodebug="none"
        #klipsdebug="all"
        klipsdebug="none"
        #
        # Only enable klipsdebug=all if you are a developer
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        #
        # enable this if you see "failed to find any available worker"
        nhelpers=0
        #
        #interfaces=%defaultroute

# Add connections here

conn tunnelipsec
       type=tunnel                      #tunnel mode ipsec
       left=83.137.98.48                #the IP address of your OpenSWAN endpoint
       #leftnexthop=127.0.0.1           #default gateway
       leftsourceip=192.168.14.1        #local tunnel ip
       leftsubnet=192.168.14.1/24       #network behind your endpoint
       right=%any                       #Your IP, or %any for a road-warrior setup
       rightnexthop=%defaultroute       #defaultroute for road warrior unknown
       rightsubnet=192.168.15.0/24      #network behind the PIX
       esp=3des-sha1                    #esp: 3des, hmac: sha1
       keyexchange=ike                  #use regular ike
       authby=secret                    #pre-shared secret,  you can also use rsa nounces
       pfs=yes                          #use perfect forward secrecy
       #pfs=no                          #don't use perfect forward secrecy
       auto=add                         #don't initiate tunnel, but allow incoming
       spi=0x0                          #use base spi of 0x0 for PIX

#/etc/ipsec.secrets
"OPENSWAN PUBLIC IP ADDRESS" "CISCO PUBLIC IP" : PSK ""PRESHARED KEY"" <- key musy be in double quotes

#the cisco router config
crypto isakmp key "PRESHARED KEY" address "OPENSWAN PUBLIC IP ADDRESS" no-xauth
ip access-list extended OPENSWAN
permit ip 172.16.1.0 0.0.0.255 172.16.2.0 0.0.0.255
crypto ipsec transform-set AES esp-aes 256 esp-sha-hmac
crypto isakmp policy 10
encr aes 256
hash md5
authentication pre-share
group 2
crypto map net 10 ipsec-isakmp
set peer "OPENSWAN PUBLIC IP ADDRESS"
set transform-set AES
match address OPENSWAN
interface FastEthernet0/1
ip address "CISCO PUBLIC IP" "CISCO PUBLIC IP MASK"
crypto map net

cisco/config/vpn/ipsec/generic-cisco-to-openswan.txt · Zuletzt geändert: 12.09.2009 12:46 (Externe Bearbeitung)