This information is provided as is with no warranty. If you burn your kitchen sink don't blame me. Copyright (c) 2002 vt100.at
This is a small howto for setting up a VPN between a Cisco 1600 (IOS 11.3 with the IPSEC 56 feature set) and Freeswan 1.99.
Static IP on both sides
IOS >= 11.3 with IPSEC 56
Freeswan 1.99 with Single DES patch
The patch also applies on top of the X.509 modifications; its hunks succeed with a small offset. Get it from the Freeswan homepage.
                   Cisco                                     Freeswan
192.168.14.0/24 === 192.168.14.1/126.96.36.199 ---- 188.8.131.52/10.1.1.1 === 10.0.0.0/8
(LAN === inside address/outside address ---- Internet ---- outside address/inside address === LAN)
Cisco configuration (boring things cut out...):
ip nat inside source list 104 interface Ethernet1 overload
!
crypto isakmp policy 1
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key our_shared_key address 184.108.40.206
!
!
crypto ipsec transform-set t1 esp-des esp-md5-hmac
crypto ipsec transform-set t2 esp-des
crypto ipsec transform-set t3 esp-des esp-sha-hmac
!
!
crypto map peer 1 ipsec-isakmp
 set peer 220.127.116.11
 set transform-set t1 t2 t3
 set pfs group2
 match address 102
!
interface Ethernet1
 ip nat outside
 crypto map peer
!
access-list 102 permit ip 192.168.14.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 104 deny ip 192.168.14.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 104 permit ip 192.168.14.0 0.0.0.255 any
Freeswan /etc/ipsec.conf. esp=des-sha1-96 corresponds to the Cisco transform-set t3 (esp-des esp-sha-hmac); the Cisco offers t1, t2 and t3, and the negotiation settles on the one the Freeswan side proposes. The pre-shared key our_shared_key itself does not live in ipsec.conf; it goes into /etc/ipsec.secrets as a PSK entry for the two peer addresses.

# basic configuration
config setup
        interfaces=%defaultroute
        plutodebug=all
        klipsdebug=none
        plutoload="rw"

conn rw
        right=18.104.22.168
        rightsubnet=192.168.14.0/24
        type=tunnel
        left=22.214.171.124
        leftsubnet=10.0.0.0/8
        auth=esp
        esp=des-sha1-96
        keyexchange=ike
        keylife=8h
        pfs=yes
        auto=add
These links were helpful:
Make sure you don't NAT packets destined for the other private network. On IOS, inside-to-outside NAT happens before the crypto map is consulted, so a packet whose source has been translated to the Ethernet1 address no longer matches access-list 102 and leaves the router unencrypted. See Cisco access-list 104: the deny line does the magic.
With iptables the same thing is done with the RETURN target in the POSTROUTING chain of the nat table; insert it at position 1 so it is evaluated before the SNAT/MASQUERADE rule. On the Freeswan side the local network is 10.0.0.0/8, so the rule has to match local source and remote destination (note the -t nat: POSTROUTING only exists in the nat table):

linux# iptables -t nat -I POSTROUTING 1 -s 10.0.0.0/8 -d 192.168.14.0/24 -j RETURN
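To show what the deny in access-list 104 actually buys you, here is an added example (not part of the original howto) that models the IOS inside-to-outside order of operations: NAT first, then the crypto map's match address ACL evaluated on the possibly translated packet. The networks and ACLs are the ones from the Cisco configuration above, the outside address is the Cisco's Ethernet1 address from the diagram; the "deny line forgotten" variant and the Internet destination 198.51.100.7 are constructed for the demonstration.

```python
"""Why the 'deny' in Cisco access-list 104 matters, as a small model.

Added example, not part of the original howto. It mimics the IOS
inside-to-outside order of operations: NAT runs first, and the crypto
map's 'match address' ACL is then evaluated against the (possibly
translated) packet. Networks and ACLs are the howto's; the Cisco
outside address is the Ethernet1 address shown in the diagram.
The 'no deny' variant and the Internet destination are constructed.
"""
import ipaddress

# Cisco Ethernet1 (ip nat outside) address, taken from the howto's diagram.
OUTSIDE_ADDR = ipaddress.IPv4Address("126.96.36.199")


def wildcard_to_network(addr, wildcard):
    """IOS address/wildcard pair to a network (wildcard 0-bits must match).
    Only contiguous wildcards (the ones used in the howto) are supported."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network((addr, str(netmask)))


def _take_net(tokens, i):
    """Consume one ACL address spec starting at tokens[i]: 'any', 'host A' or 'A W'."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acls(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines into
    {acl_number: [(action, src_net, dst_net), ...]}, preserving order."""
    acls = {}
    for line in lines:
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        src, i = _take_net(tokens, 4)
        dst, _ = _take_net(tokens, i)
        acls.setdefault(tokens[1], []).append((tokens[2], src, dst))
    return acls


def acl_permits(entries, src, dst):
    """IOS extended ACL semantics: first matching entry wins, implicit deny at the end."""
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False


def forward_inside_to_outside(acls, src, dst, nat_acl="104", crypto_acl="102"):
    """Return (source address seen on the wire, encrypted?) for a packet
    entering on the inside interface and leaving via Ethernet1."""
    src = ipaddress.IPv4Address(src)
    dst = ipaddress.IPv4Address(dst)
    # 1. 'ip nat inside source list 104 interface Ethernet1 overload':
    #    a permit in ACL 104 translates the source to the outside address.
    if acl_permits(acls.get(nat_acl, []), src, dst):
        src = OUTSIDE_ADDR
    # 2. 'crypto map peer ... match address 102' is checked *after* NAT, so a
    #    translated packet no longer matches 192.168.14.0/24 and leaves in the clear.
    encrypted = acl_permits(acls.get(crypto_acl, []), src, dst)
    return str(src), encrypted


# ACLs exactly as in the howto's Cisco configuration.
CISCO_ACLS = [
    "access-list 102 permit ip 192.168.14.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "access-list 104 deny ip 192.168.14.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "access-list 104 permit ip 192.168.14.0 0.0.0.255 any",
]
# Constructed 'before' case: the same configuration with the deny line forgotten.
ACLS_WITHOUT_DENY = [line for line in CISCO_ACLS if " deny " not in line]


def demo():
    """Trace one packet to the remote LAN with and without the deny, plus one to the Internet."""
    good = parse_acls(CISCO_ACLS)
    broken = parse_acls(ACLS_WITHOUT_DENY)
    return {
        "to_vpn_with_deny": forward_inside_to_outside(good, "192.168.14.10", "10.1.2.3"),
        "to_vpn_without_deny": forward_inside_to_outside(broken, "192.168.14.10", "10.1.2.3"),
        # 198.51.100.7 is a documentation address standing in for some Internet host.
        "to_internet": forward_inside_to_outside(good, "192.168.14.10", "198.51.100.7"),
    }


if __name__ == "__main__":
    for name, (wire_src, encrypted) in demo().items():
        print(f"{name:22s} src on wire={wire_src:15s} encrypted={encrypted}")
```

With the deny in place the packet to 10.1.2.3 keeps its 192.168.14.10 source and matches access-list 102, so it is encrypted; without it the source is translated to 126.96.36.199 first, access-list 102 no longer matches, and the packet goes out in the clear while the tunnel looks perfectly healthy.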
Single DES is not secure: a 56-bit key is within reach of a brute-force search. It should still keep away kiddies, it is better than null ESP, and the 1600 series is not capable of 3DES encryption, so it is the best this hardware will do.
Copyright © 2013 vt100.at. All rights reserved.