[c-nsp] IPSEC - CISCO (GRE and NAT too!)

Tuc at T-B-O-H.NET ml at t-b-o-h.net
Fri Oct 27 14:10:03 EDT 2006


Hi,

        I'm trying to set up Racoon to talk over a GRE to a
Cisco. I'm trying to follow these 2 documents:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094bff.shtml

        I've tried to look in the archives, but it seems people have
asked and I don't see a thread response.

        I first set up the GRE to get that working. It seems according
to the man page I should be able to not have to use a private network,
but I couldn't get it working properly until I did. So it looks like:

FBSD:

ifconfig gre0 create
ifconfig gre0 192.168.4.1 192.168.4.2 netmask 0xffffffff link1 up
ifconfig gre0 tunnel 192.136.64.116 69.28.185.2

CISCO:

interface Tunnel0
 ip address 192.168.4.2 255.255.255.0
 tunnel source Ethernet0
 tunnel destination 192.136.64.116
!
interface Ethernet0
 ip address 69.28.185.2 255.255.255.240

        (Yeah, I know I shouldn't put a /24 on a tunnel, but it
originally wanted the IP endpoints for the tunnel and it didn't
seem to work at all. Once I get it all working I can keep tweaking.)

        I tried to follow part of each document to get the 
"security association" going, but I can't get that far.

        I'm using the "sample" config with the right paths and
debug on, on the FreeBSD side. I've put into psk.txt:

69.28.185.2     TBOHIPSECGRE
192.168.4.2     TBOHIPSECGRE


        and on the Cisco:

crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key TBOHIPSECGRE address 192.136.64.116
crypto isakmp key TBOHIPSECGRE address 192.168.4.1
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto map mymap local-address Ethernet0
crypto map mymap 10 ipsec-isakmp
 set peer 192.136.64.116
 set transform-set myset
 match address 101

interface Tunnel0
 ip address 192.168.4.2 255.255.255.0
 tunnel source Ethernet0
 tunnel destination 192.136.64.116
 crypto map mymap
!
interface Ethernet0
 ip address 69.28.185.2 255.255.255.240

access-list 101 permit gre any host 192.168.4.2

        But it never seems to associate. 

        Has anyone done this before?

                        Thanks, Tuc
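An added example, not from the poster or the list: a small Python checker that parses the Cisco snippet quoted above and cross-checks the ISAKMP key address, the crypto-map peer and the crypto ACL against the GRE tunnel's outer endpoints. IKE negotiates between the tunnel source and destination addresses and the crypto ACL is evaluated against the encapsulated GRE packet, so the checker reports any of those three that names something other than the outer endpoints; the embedded config is a constructed copy of the post's lines with blank and `!` lines dropped.

```python
import re

# Constructed from the Cisco snippet quoted in the post (blank/! lines dropped).
CISCO_CONFIG = """\
crypto isakmp key TBOHIPSECGRE address 192.136.64.116
crypto isakmp key TBOHIPSECGRE address 192.168.4.1
crypto map mymap 10 ipsec-isakmp
 set peer 192.136.64.116
 match address 101
interface Tunnel0
 ip address 192.168.4.2 255.255.255.0
 tunnel source Ethernet0
 tunnel destination 192.136.64.116
interface Ethernet0
 ip address 69.28.185.2 255.255.255.240
access-list 101 permit gre any host 192.168.4.2
"""

def parse(config):
    # Collect only the addresses that IKE and the crypto ACL actually operate on.
    cfg, iface = {"keys": set(), "addr": {}, "acl": []}, None
    for line in config.splitlines():
        if m := re.match(r"crypto isakmp key \S+ address (\S+)", line):
            cfg["keys"].add(m[1])
        elif m := re.match(r" set peer (\S+)", line):
            cfg["peer"] = m[1]
        elif m := re.match(r" match address (\S+)", line):
            cfg["acl_id"] = m[1]
        elif m := re.match(r"interface (\S+)", line):
            iface = m[1]
        elif m := re.match(r" ip address (\S+) ", line):
            cfg["addr"][iface] = m[1]
        elif m := re.match(r" tunnel source (\S+)", line):
            cfg["tun_src_iface"] = m[1]
        elif m := re.match(r" tunnel destination (\S+)", line):
            cfg["tun_dst"] = m[1]
        elif m := re.match(r"access-list (\S+) permit gre (?:host (\S+)|any) (?:host (\S+)|any)", line):
            cfg["acl"].append((m[1], m[2] or "any", m[3] or "any"))
    return cfg

def check(cfg):
    """Return findings; empty means key, peer and ACL all name the GRE endpoints."""
    src, dst = cfg["addr"][cfg["tun_src_iface"]], cfg["tun_dst"]
    findings = []
    if cfg.get("peer") != dst:
        findings.append(f"crypto map peer {cfg.get('peer')} is not tunnel destination {dst}")
    if dst not in cfg["keys"]:
        findings.append(f"no isakmp key for peer {dst}")
    # The crypto ACL sees the encapsulated packet: GRE from tunnel source to destination.
    if not any(a == cfg["acl_id"] and s in (src, "any") and d in (dst, "any")
               for a, s, d in cfg["acl"]):
        findings.append(f"acl {cfg['acl_id']} never matches GRE {src} -> {dst}")
    return findings
```

Run `check(parse(CISCO_CONFIG))`; an empty list means the crypto pieces line up with the tunnel endpoints, otherwise each entry names the piece that does not.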
