Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5520
Views
5
Helpful
3
Replies

StrongSwan route-based IPSec to Cisco

from88
Level 4
Level 4

‎02-20-2018 12:04 PM - edited ‎03-05-2019 09:57 AM

Hello,

Do anyone tried to connect StrongSwan tunnel (route-based) IPSEC mode to Cisco router (ISR) or maybe someone have an instruction how to do it ?

 

I need to connect an linux instance from cloud to Cisco ISR router.

2 people had this problem
Labels:
0 Helpful
3 Replies 3

Philip D'Ath
VIP Alumni
VIP Alumni

‎02-20-2018 12:50 PM

Here is a guide I wrote for building VPNs from Meraki to StrongSwan in AWS.

http://www.ifm.net.nz/cookbooks/meraki-vpn-to-amazon-aws.html

 

Here is a tool I wrote that can build site to site VPNs for Cisco 890 series routers, but you'll be able to lift the config and put it on other IOS routers.

http://www.ifm.net.nz/cookbooks/890-isr-wizard.html

 

 

from88
Level 4
Level 4
In response to Philip D'Ath

‎02-21-2018 12:03 AM

thank you, seems it's very valuable info. but still - the configurations is suited to policy based IPSEC. Maybe you know what should be modified if i want to change the type from policy based to route-based (vti).

 

One thing im sure about is creation of tunnel interface in strongswan. Maybe some more caveats are hiding ? Thank you

0 Helpful

from88
Level 4
Level 4
In response to Philip D'Ath

‎02-21-2018 09:15 AM

email

Hello,

I'm trying to connect route-based IPSec VPN to Cisco device (ISR) and i'm getting some errors. Configured everything as written in ROUTE-BASED-VPN page. But i'm especially not sure about ipsec.conf configuration as it's not included in that page.

From cisco side i see these errors:

Feb 21 16:15:09.292: %CRYPTO-6-IKMP_MODE_FAILURE: Processing of Informational mode failed with peer at 39.107.111.111

the strongSwan (centos) box says this:

Feb 22 00:59:17 localhost charon: 14[NET] received packet: from 37.157.222.222[500] to 10.67.0.24[500] (164 bytes)
Feb 22 00:59:17 localhost charon: 14[ENC] parsed ID_PROT request 0 [ SA V V V V ]
Feb 22 00:59:17 localhost charon: 14[IKE] received NAT-T (RFC 3947) vendor ID
Feb 22 00:59:17 localhost charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Feb 22 00:59:17 localhost charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Feb 22 00:59:17 localhost charon: 14[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 22 00:59:17 localhost charon: 14[IKE] 37.157.222.222 is initiating a Main Mode IKE_SA
Feb 22 00:59:17 localhost charon: 14[ENC] generating ID_PROT response 0 [ SA V V V ]
Feb 22 00:59:17 localhost charon: 14[NET] sending packet: from 10.67.0.24[500] to 37.157.222.222[500] (136 bytes)
Feb 22 00:59:17 localhost charon: 09[NET] received packet: from 37.157.222.222[500] to 10.67.0.24[500] (284 bytes)
Feb 22 00:59:17 localhost charon: 09[ENC] parsed ID_PROT request 0 [ KE No V V V NAT-D NAT-D ]
Feb 22 00:59:17 localhost charon: 09[IKE] received DPD vendor ID
Feb 22 00:59:17 localhost charon: 09[ENC] received unknown vendor ID: 2a:76:9d:f8:39:bf:5d:8a:06:25:60:0f:25:2c:99:36
Feb 22 00:59:17 localhost charon: 09[IKE] received XAuth vendor ID
Feb 22 00:59:17 localhost charon: 09[IKE] local host is behind NAT, sending keep alives
Feb 22 00:59:17 localhost charon: 09[IKE] no shared key found for '39.107.111.111'[10.67.0.24] - '37.157.222.222'[37.157.222.222]
Feb 22 00:59:17 localhost charon: 09[IKE] no shared key found for 10.67.0.24 - 37.157.222.222
Feb 22 00:59:17 localhost charon: 09[ENC] generating INFORMATIONAL_V1 request 3620154422 [ N(INVAL_KE) ]
Feb 22 00:59:17 localhost charon: 09[NET] sending packet: from 10.67.0.24[500] to 37.157.222.222[500] (56 bytes)

the configuration is as follows:

route based part:

1) ip tunnel add vti266 local 10.130.11.218 remote 10.130.11.217 mode vti key 66
2) ip link set vti266 up
3) sysctl -w net.ipv4.conf.vti266.disable_policy=1
4) ip route add 10.0.0.0/8 dev vti266
5) /etc/strongswan/strongswan.d/charon.conf <> install_routes = no
6) /etc/strongswan/swanctl/swanctl.conf <> local_ts = 0.0.0.0/0 remote_ts = 0.0.0.0/0
7) /etc/strongswan/swanctl/swanctl.conf <> mark_in = 66 mark_out = 66

ipsec part:

ipsec.conf:

conn %default
ikelifetime=1800m
rekeymargin=3m
keyingtries=%forever
keyexchange=ikev1
authby=psk
dpdaction=restart
dpddelay=30

conn remote-site
left=%defaultroute
leftsubnet=10.0.0.0/8
leftid=39.107.111.111
leftfirewall=yes
right=%any
rightsubnet=0.0.0.0/0
rightid=37.157.222.222
auto=start
ike=aes128-sha1-modp1536
esp=aes128-sha1


[root@iZ2zegipf37wcfbz6wafz0Z ~]# cat /etc/strongswan/ipsec.secrets

# ipsec.secrets - strongSwan IPsec secrets file
39.107.111.111 37.157.222.222 : PSK "key_to_alibaba66!@"

Cisco part is here:


crypto isakmp policy 10
encr aes
authentication pre-share
group 2
lifetime 1800
crypto isakmp key key_to_alibaba66!@ address 39.107.111.111
crypto isakmp keepalive 10 10

crypto ipsec security-association replay window-size 128


crypto ipsec transform-set ALIBABA_AES_SHA_TRANSFORM_SET esp-aes esp-sha-hmac
mode tunnel


$ crypto ipsec df-bit clear
!
crypto ipsec profile ALIBABA_AES_SHA_IPSEC_PROFILE
set transform-set ALIBABA_AES_SHA_TRANSFORM_SET
set pfs group2


interface Tunnel266
description ITXRTRO1-Alibaba_test
ip address 10.130.11.217 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source ip 37.157.222.222
tunnel destination 39.107.111.111
tunnel path-mtu-discovery
tunnel protection ipsec profile ALIBABA_AES_SHA_IPSEC_PROFILE


what could be wrong ? thank you for any input

 

0 Helpful
Customers Also Viewed These Support Documents