[Users] VPN between Cisco IOS and FreeS/WAN

From: Andras Horvai (andras.horvai_at_nextra.hu)
Date: Mon Aug 05 2002 - 17:24:41 CEST


Hi Guys!

I'm completely lost!

I would like to create a VPN tunnel between a Cisco router (IOS image c1700-k2sy7-mz.121-5.YB5.bin,
Version 12.1(5)YB5, EARLY DEPLOYMENT RELEASE SOFTWARE (fc2)) and FreeS/WAN 1.98b, but it doesn't
work. I have already read tons of guides, FAQs, HOWTOs and case studies, but they didn't help. I think
I'm very close to solving the problem, and I have tried everything I can, but it still doesn't work.

The situation is the following:

192.168.1.0/24 internal network
---------------
      |
      |
      | 192.168.1.1/24
---------------
|cisco router |
---------------
      | 172.188.5.66/30
      |
      |
      |
      | 172.188.5.65/30
---------------
|internet |
---------------
      |172.188.5.21/30
      |
      |172.188.5.22/30
---------------
|FreeS/WAN box|
---------------
      |192.168.2.1/24
      |
      |
---------------
192.168.2.0/24

-----------------------------------------------------------------

The Cisco router config is the following:
(IP addresses are fake everywhere; the outside (internet)
 WAN addresses start with 172.188.)

c1720-vpn#sh run
Building configuration...

Current configuration : 1962 bytes
!
! Last configuration change at 16:42:00 UTC Wed Jul 31 2002
! NVRAM config last updated at 16:42:00 UTC Wed Jul 31 2002
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service compress-config
!
hostname c1720-vpn
!
logging buffered 12000 debugging
logging rate-limit console 10 except errors
no logging console
enable secret 5 $1$6quo$lf4nJBf7WSFDSD32432fdsFSD234dssf2fdgR7nGqxLhSAs1
!
memory-size iomem 25
ip subnet-zero
!
!
no ip finger
ip domain-name nextra.hu
ip name-server 172.188.0.9
ip name-server 172.188.0.10
!
no ip dhcp-client network-discovery
ip ssh time-out 120
ip ssh authentication-retries 3
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key VERY-SECRET-KEY address 172.188.5.22
!
!
crypto ipsec transform-set TEST3 esp-3des esp-md5-hmac
!
crypto map HEADOFFICE 120 ipsec-isakmp
 set peer 172.188.5.22
 set transform-set TEST3
 match address 120
!
!
!
!
interface Ethernet0
 ip address 172.188.5.66 255.255.255.252
 ip nat outside
 full-duplex
 crypto map HEADOFFICE
!
interface FastEthernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 speed auto
!
ip nat inside source list 1 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
ip route 192.168.2.0 255.255.255.0 Ethernet0
no ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 log
access-list 120 deny ip any any log
access-list 130 permit ip 172.188.1.0 0.0.0.255 any
access-list 130 deny ip any any log
!
!
!
line con 0
 exec-timeout 35791 0
 transport input none
line aux 0
line vty 0 4
 access-class 130 in
 exec-timeout 35791 0
 password 7 0DdfgSFSDBXCVB$#@#@13fdgWT234B4B584B56
 login
!
no scheduler allocate
ntp clock-period 17179944
ntp server 148.63.0.1 source Ethernet0
end

-----------------------------------------

And now the FreeS/WAN config

----------ipsec.conf---starts----------

config setup
        interfaces="ipsec0=eth0"
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        plutowait=no
        uniqueids=yes

conn %default
        keyingtries=0

conn ciscoios
        type=tunnel
        left=172.188.5.22
        leftsubnet=192.168.2.0/24
        leftnexthop=172.188.5.21
        right=172.188.5.66
        rightsubnet=192.168.1.0/24
        rightnexthop=172.188.5.55
        auto=start
        pfs=no
        authby=secret
        auth=esp
        esp=3des-md5-96

----------ipsec.conf---ends---------------

----------ipsec.secrets---starts----------

213.134.5.66 213.134.5.22: PSK "VERY-SECRET-KEY"

----------ipsec.secrets---ends----------

the results of ipsec look:

[root@mentha-vpn root]# ipsec look
mentha-vpn Fri Aug 2 17:33:17 CEST 2002
192.168.2.0/24 -> 192.168.1.0/24 => tun0x1002@172.188.5.66 esp0xa73fba63@172.188.5.66 (0)
ipsec0->eth0 mtu=16260(1500)->1500
esp0x73505925@172.188.5.22 ESP_3DES_HMAC_MD5: dir=in src=172.188.5.66 iv_bits=64bits iv=0x01ad43f7860fffac ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1832,0,0)
esp0xa73fba63@172.188.5.66 ESP_3DES_HMAC_MD5: dir=out src=172.188.5.22 iv_bits=64bits iv=0x6ffa99f6a8d6fdc6 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1832,0,0)
tun0x1001@172.188.5.22 IPIP: dir=in src=172.188.5.66 life(c,s,h)=addtime(1832,0,0)
tun0x1002@172.188.5.66 IPIP: dir=out src=172.188.5.22 life(c,s,h)=addtime(1832,0,0)
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 172.188.5.21 0.0.0.0 UG 40 0 0 eth0
192.168.1.0 172.188.5.21 255.255.255.0 UG 40 0 0 ipsec0
172.188.5.20 0.0.0.0 255.255.255.252 U 40 0 0 eth0
172.188.5.20 0.0.0.0 255.255.255.252 U 40 0 0 ipsec0

---------------------------------------------------------------------------------------------------------------

the results of the simple route command:

[root@mentha-vpn root]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.188.5.20 0.0.0.0 255.255.255.252 U 0 0 0 eth0
172.188.5.20 0.0.0.0 255.255.255.252 U 0 0 0 ipsec0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.1.0 172.188.5.21 255.255.255.0 UG 0 0 0 ipsec0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
default 172.188.5.21 0.0.0.0 UG 0 0 0 eth0

---------------------------------------------------------------------------------------------------------------

the entries in the /var/log/messages:

[root@mentha-vpn root]# tail -f /var/log/messages
Aug 2 17:34:58 mentha-vpn ipsec_setup: Starting FreeS/WAN IPsec 1.98b...
Aug 2 17:34:58 mentha-vpn ipsec_setup: Using /lib/modules/2.4.18/kernel/net/ipsec/ipsec.o
Aug 2 17:34:58 mentha-vpn kernel: klips_info:ipsec_init: KLIPS startup, FreeS/WAN IPSec version: 1.98b
Aug 2 17:34:58 mentha-vpn ipsec_setup: KLIPS debug `none'
Aug 2 17:34:58 mentha-vpn ipsec_setup: KLIPS ipsec0 on eth0 172.188.5.22/255.255.255.252 broadcast 172.188.5.23
Aug 2 17:34:59 mentha-vpn /etc/hotplug/net.agent: invoke ifup ipsec2
Aug 2 17:34:59 mentha-vpn /etc/hotplug/net.agent: invoke ifup ipsec1
Aug 2 17:34:59 mentha-vpn /etc/hotplug/net.agent: invoke ifup ipsec0
Aug 2 17:34:59 mentha-vpn /etc/hotplug/net.agent: invoke ifup ipsec3
Aug 2 17:34:59 mentha-vpn ipsec_setup: ...FreeS/WAN IPsec started
Aug 2 17:35:00 mentha-vpn ipsec__plutorun: 104 "ciscoios" #1: STATE_MAIN_I1: initiate
Aug 2 17:35:00 mentha-vpn ipsec__plutorun: ...could not start conn "ciscoios"

---------------------------------------------------------------------------------------------------------------

the results of the ipsec whack --status command:

[root@mentha-vpn root]# ipsec whack --status
000 interface ipsec0/eth0 172.188.5.22
000
000 "ciscoios": 192.168.2.0/24===172.188.5.22---172.188.5.21...172.188.5.55---172.188.5.66===192.168.1.0/24
000 "ciscoios": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "ciscoios": policy: PSK+ENCRYPT+TUNNEL+DISABLEARRIVALCHECK; interface: eth0; erouted
000 "ciscoios": newest ISAKMP SA: #109; newest IPsec SA: #110; eroute owner: #110
000
000 #110: "ciscoios" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 26180s; newest IPSEC; eroute owner
000 #110: "ciscoios" esp.a73fba63@172.188.5.66 esp.73505925@172.188.5.22 tun.1002@172.188.5.66 tun.1001@172.188.5.22
000 #109: "ciscoios" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 956s; newest ISAKMP
000

---------------------------------------------------------------------------------------------------------------

Linux side:

It is a Mandrake 8.2 with 2.4.18 kernel and FreeS/WAN 1.98b

Cisco side:

Cisco 1720 + IOS:
C1700 Software (C1700-K2SY7-M), Version 12.1(5)YB5, EARLY DEPLOYMENT RELEASE SOFTWARE (fc2)

---------------------------------------------------------------------------------------------------------------

It seems that the tunnel is established every time, but I can ping the computers in the
private LANs.

c1720-vpn#sh crypto isakmp sa
    dst src state conn-id slot
213.134.5.66 213.134.5.22 QM_IDLE 1 0

So I think I'm very close, but I'm messing something up somewhere.

Thanks in advance,

Andras

_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
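Editor's added example, not part of the post and not FreeS/WAN or Cisco code: a small checker that reads excerpts of the three files in the post and reports the cross-file problems a reviewer would look for in this kind of setup. Two facts drive the checks. First, pluto looks up the pre-shared key in ipsec.secrets by the peer addresses on the index line, so that line must name the same addresses as left and right in ipsec.conf; the posted secrets line shows 213.134.5.x while ipsec.conf uses 172.188.5.x, and the example assumes the 172.188 addresses (the ones the post says it uses) are the intended ones. Second, IOS translates inside-to-outside traffic before it evaluates the crypto map on the egress interface, so with "ip nat inside source list 1 interface Ethernet0 overload" and access-list 1 covering all of 192.168.1.0/24, packets from 192.168.1.0/24 to 192.168.2.0/24 are translated to 172.188.5.66 and never match access-list 120, even though the SAs negotiate when FreeS/WAN initiates. The CISCO_FIXED string shows the usual correction, a route-map that excludes the VPN flow from NAT; the names NONAT and access-list 110 are chosen for the example. The config strings are constructed excerpts of the posted files, trimmed to the lines the checks need.

```python
"""Cross-check a Cisco IOS crypto/NAT config against FreeS/WAN's ipsec.conf and
ipsec.secrets.  Added example for the post above, not Cisco or FreeS/WAN code; the
config strings are constructed excerpts of the posted files (same addresses, ACLs)."""
import ipaddress
import re

ANY = ipaddress.IPv4Network("0.0.0.0/0")
ACE = re.compile(r"^access-list (\d+) (permit|deny) (?:ip )?(.+?)(?: log)?$")
CISCO_POSTED = """\
crypto isakmp key VERY-SECRET-KEY address 172.188.5.22
crypto map HEADOFFICE 120 ipsec-isakmp
 set peer 172.188.5.22
 match address 120
ip nat inside source list 1 interface Ethernet0 overload
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 120 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 log
"""
# Assumed fix: NAT via a route-map whose ACL denies the VPN flow, so it is never translated.
CISCO_FIXED = CISCO_POSTED.replace(
    "ip nat inside source list 1 interface Ethernet0 overload",
    "ip nat inside source route-map NONAT interface Ethernet0 overload") + """\
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
route-map NONAT permit 10
 match ip address 110
"""
IPSEC_CONF = """\
conn ciscoios
        left=172.188.5.22
        leftsubnet=192.168.2.0/24
        right=172.188.5.66
        rightsubnet=192.168.1.0/24
"""
SECRETS_POSTED = '213.134.5.66 213.134.5.22: PSK "VERY-SECRET-KEY"\n'  # as posted
SECRETS_FIXED = '172.188.5.66 172.188.5.22: PSK "VERY-SECRET-KEY"\n'   # matches left/right

def ace_net(tok):
    """Consume one IOS address spec: 'any', 'A WILDCARD', or a bare 'A' (/32)."""
    if tok[0] == "any":
        return ANY, tok[1:]
    if len(tok) < 2:
        return ipaddress.IPv4Network(tok[0]), tok[1:]
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[1])))
    return ipaddress.IPv4Network((tok[0], str(mask)), strict=False), tok[2:]

def parse_acls(cfg):
    """{number: [(action, src, dst), ...]} in order; standard ACLs get dst=any."""
    acls = {}
    for line in cfg.splitlines():
        m = ACE.match(line.strip())
        if m:
            src, rest = ace_net(m.group(3).split())
            dst = ace_net(rest)[0] if rest else ANY
            acls.setdefault(int(m.group(1)), []).append((m.group(2), src, dst))
    return acls

def nat_entries(cfg, acls):
    """ACEs deciding what inside-source NAT translates; only route-map permit clauses modelled."""
    m = re.search(r"^ip nat inside source (list|route-map) (\S+) ", cfg, re.M)
    if m.group(1) == "list":
        return acls.get(int(m.group(2)), [])
    pat = r"^route-map %s permit \d+\n((?: .*\n)*)" % re.escape(m.group(2))
    return [e for clause in re.finditer(pat, cfg, re.M)
            for acl in re.findall(r"match ip address (\d+)", clause.group(1))
            for e in acls.get(int(acl), [])]

def first_match(entries, src, dst):
    """Action of the first ACE overlapping the src/dst pair, or None."""
    for action, s, d in entries:
        if s.overlaps(src) and d.overlaps(dst):
            return action

def audit(cisco_cfg, ipsec_conf, ipsec_secrets):
    """Return findings as strings; an empty list means the three files agree."""
    findings = []
    acls = parse_acls(cisco_cfg)
    conn = dict(re.findall(r"^\s*(\w+)=(\S+)", ipsec_conf, re.M))  # single-conn excerpt
    left, right = conn["left"], conn["right"]
    # 1. The PSK index must name the same peers as left/right, or pluto finds no secret.
    for line in ipsec_secrets.splitlines():
        if ": PSK" in line and not {left, right} <= set(line.split(":")[0].split()):
            findings.append("PSK index '%s' does not cover %s/%s" % (line.split(":")[0], left, right))
    # 2. The router must key on FreeS/WAN's outer (left) address.
    key_peer = re.search(r"crypto isakmp key \S+ address (\S+)", cisco_cfg).group(1)
    if key_peer != left:
        findings.append("Cisco keys peer %s but FreeS/WAN left is %s" % (key_peer, left))
    # 3. The crypto ACL must carry router-local -> FreeS/WAN-local, and because IOS
    #    applies inside->outside NAT before the crypto map, no NATed flow can match it.
    crypto_acl = int(re.search(r"match address (\d+)", cisco_cfg).group(1))
    want = ("permit", ipaddress.IPv4Network(conn["rightsubnet"]), ipaddress.IPv4Network(conn["leftsubnet"]))
    if want not in acls[crypto_acl]:
        findings.append("crypto ACL %d lacks %s -> %s" % ((crypto_acl,) + want[1:]))
    nat = nat_entries(cisco_cfg, acls)
    for action, src, dst in acls[crypto_acl]:
        if action == "permit" and first_match(nat, src, dst) == "permit":
            findings.append("NAT translates %s -> %s ahead of crypto ACL %d" % (src, dst, crypto_acl))
    return findings
```

Call audit(CISCO_POSTED, IPSEC_CONF, SECRETS_POSTED) to get the two findings for the posted files (PSK index mismatch, NAT ahead of crypto ACL 120) and audit(CISCO_FIXED, IPSEC_CONF, SECRETS_FIXED) for an empty list. The NAT check walks the NAT ACL (or the ACL behind a route-map permit clause) in configured order and takes the first overlapping entry, which is how IOS decides whether a flow is translated; the route-map deny entry in access-list 110 is what stops the VPN flow from being NATed. Multi-clause route-maps and deny clauses are not modelled.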



This archive was generated by hypermail 2.1.4 : Mon Aug 05 2002 - 21:01:36 CEST