[c-nsp] IPSEC - CISCO (GRE and NAT too!)
Tuc at T-B-O-H.NET
ml at t-b-o-h.net
Tue Oct 31 17:30:16 EST 2006
>
> * Christian Zeng <christian at zengl.net> wrote:
> >
> >* Tuc at T-B-O-H.NET <ml at t-b-o-h.net> wrote:
> >>crypto isakmp key TBOHIPSECGRE address 192.136.64.116
> >>crypto isakmp key TBOHIPSECGRE address 192.168.4.1
> >
> >The first line seems not correct, you have to put the IP address of the
> >remote end in there (192.136.64.116). The second line is not needed then.
>
> Simply ignore my first recommendation :)
>
Thanks....
I've decided to take a bit of a step back first. I also tried
to get closer to this example that supposedly worked:
http://archives.neohapsis.com/archives/freebsd/2002-09/0006.html
ERDA/192.136.64.116/IPSEC-TOOLS:
erda# cd /usr/local/etc/racoon/
erda# cat psk.txt
69.28.185.2 donttell
erda# cat spdadd
# flush the SAD and the SPD, then load the two tunnel-mode policies
setkey -F
setkey -FP
setkey -c <<EOF
# FreeBSD (192.136.64.116) -> Cisco (69.28.185.2): anything bound for the router's 172.16.0.0/24
spdadd 0.0.0.0/0 172.16.0.0/24 any -P out ipsec
       esp/tunnel/192.136.64.116-69.28.185.2/unique ;
# reverse direction, tunnel endpoints swapped
spdadd 172.16.0.0/24 0.0.0.0/0 any -P in ipsec
       esp/tunnel/69.28.185.2-192.136.64.116/unique ;
EOF
erda# cat racoon.conf
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
log debug;

remote anonymous
{
    # IOS with an address-bound pre-shared key negotiates in main mode
    exchange_mode main,base,aggressive;
    doi ipsec_doi;
    #situation identity_only;
    my_identifier address 192.136.64.116;
    nonce_size 16;
    lifetime time 6000 sec; # sec,min,hour; mirrors "lifetime 6000" in the isakmp policy
    initial_contact on;     # tells the peer to drop any stale SAs for us
    support_mip6 on;
    proposal_check obey;    # obey, strict or claim; as responder, accept the initiator's proposal
    proposal {
        # single DES and MD5 are weak; they are used here because the Cisco
        # isakmp policy (default encryption des, hash md5) and transform-set use them
        encryption_algorithm des;
        hash_algorithm md5;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
}

sainfo anonymous
{
    pfs_group 2;                    # mirrors "set pfs group2" in the crypto map
    lifetime time 6000 sec;         # mirrors the ipsec security-association lifetime
    encryption_algorithm des,3des ; # transform-set MB offers esp-des
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
Cisco/2509/c2500-ik8os-l.122-32
crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
 lifetime 6000
! no "encryption" line, so the policy uses the IOS default, des
! IOS looks a pre-shared key up by the remote peer's address, so only the
! 192.136.64.116 entry is consulted; the entry for 69.28.185.2 (the router's
! own Ethernet0 address) is never used
crypto isakmp key donttell address 69.28.185.2
crypto isakmp key donttell address 192.136.64.116
!
crypto ipsec security-association lifetime seconds 6000
!
! esp-des / esp-md5-hmac correspond to racoon's des / hmac_md5 (both weak)
crypto ipsec transform-set MB esp-des esp-md5-hmac
!
crypto map FreeBSDIPSEC-MAP 1 ipsec-isakmp
 set peer 192.136.64.116
 set transform-set MB
 set pfs group2
 match address 109
!
interface Loopback0
 ip address 172.16.0.1 255.255.255.0
 no ip route-cache
 no ip mroute-cache
!
interface Ethernet0
 ip address 69.28.185.2 255.255.255.240
 crypto map FreeBSDIPSEC-MAP
!
! crypto ACL (interesting traffic): anything to or from the Loopback0 /24 goes
! through the tunnel; IOS evaluates the same ACL mirrored for inbound packets
access-list 109 permit ip any 172.16.0.0 0.0.0.255
access-list 109 permit ip 172.16.0.0 0.0.0.255 any
Logs are big, so I've posted them to:
http://www.tucs-beachin-obx-house.com/racoon.txt
http://www.tucs-beachin-obx-house.com/Cisco.txt
Thanks, Tuc
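As an added example that is not part of the post (my code, not Tuc's and not from ipsec-tools or Cisco): a small Python checker that parses a racoon.conf, its psk.txt and an IOS crypto config and reports the places where the two sides of a FreeBSD/Cisco tunnel have to agree: the phase-1 cipher, hash, authentication method and DH group, the phase-2 ESP transform and PFS group, and the pre-shared-key bindings (each side must bind the secret to the other side's address; a key bound to the router's own interface address is dead config). The three inputs are constructed copies of the configs in the post, trimmed to the keywords the parsers understand; the IOS policy defaults assumed when a line is absent (des, sha, rsa-sig, group 1) are the documented ones, and the IOS parser expects show-run style indentation under `crypto isakmp policy`, `crypto map` and `interface`.

```python
# Added example (mine, not from the post or from ipsec-tools/Cisco): cross-check
# racoon.conf and psk.txt against an IOS crypto config so the IKE phase-1 policy,
# the phase-2 transform/PFS and the pre-shared-key bindings agree on both sides.
# The inputs are constructed copies of the configs in the post, trimmed to what the parsers read.
import re

RACOON_CONF = """remote anonymous
{
    my_identifier address 192.136.64.116;
    proposal {
        encryption_algorithm des;
        hash_algorithm md5;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
}
sainfo anonymous {
    pfs_group 2;
    encryption_algorithm des,3des ;
    authentication_algorithm hmac_md5;
}
"""
PSK_TXT = "69.28.185.2 donttell\n"   # racoon psk.txt: "<peer address> <secret>"
CISCO_CONF = """crypto isakmp policy 1
 hash md5
 authentication pre-share
 group 2
crypto isakmp key donttell address 69.28.185.2
crypto isakmp key donttell address 192.136.64.116
crypto ipsec transform-set MB esp-des esp-md5-hmac
crypto map FreeBSDIPSEC-MAP 1 ipsec-isakmp
 set peer 192.136.64.116
 set pfs group2
interface Ethernet0
 ip address 69.28.185.2 255.255.255.240
"""
HASH = {"md5": "md5", "sha1": "sha"}                                  # racoon -> IOS
AUTH = {"pre_shared_key": "pre-share", "rsasig": "rsa-sig"}
ESP_AUTH = {"esp-md5-hmac": "hmac_md5", "esp-sha-hmac": "hmac_sha1"}  # IOS -> racoon

def parse_racoon(text):
    """Flatten racoon.conf into {'remote/proposal/dh_group': '2', ...}."""
    conf, stack, pending = {}, [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):                 # "proposal {" or a bare "{"
            stack.append((line[:-1].strip() or pending).split()[0])
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            key, _, val = line[:-1].strip().partition(" ")
            conf["/".join(stack + [key])] = val.strip()
        elif line:
            pending = line                     # block name written on the line before "{"
    return conf

def parse_cisco(text):
    """IOS values that must agree with racoon, IOS defaults filled in (show-run indentation)."""
    c = {"hash": "sha", "encryption": "des", "authentication": "rsa-sig", "group": "1"}
    policy = re.search(r"^crypto isakmp policy \d+\n((?:[ \t]+.*\n)*)", text, re.M)
    for w in (line.split() for line in (policy.group(1).splitlines() if policy else [])):
        if w and w[0] in c:
            c[w[0]] = w[1]
    c["keys"] = {ip: k for k, ip in re.findall(r"crypto isakmp key (\S+) address (\S+)", text)}
    ts = re.search(r"crypto ipsec transform-set \S+ (.*)", text)
    c["transform"] = ts.group(1).split() if ts else []
    peer, pfs = re.search(r"set peer (\S+)", text), re.search(r"set pfs group(\d+)", text)
    c["peer"], c["pfs"] = peer and peer.group(1), pfs and pfs.group(1)
    c["own_ips"] = set(re.findall(r"^\s*ip address (\S+)", text, re.M))
    return c

def check(racoon_text, psk_text, cisco_text):
    """Return findings; MISMATCH/MISSING stop the tunnel, WARN marks dead config."""
    r, c, f = parse_racoon(racoon_text), parse_cisco(cisco_text), []
    def expect(what, racoon_val, cisco_val):
        if racoon_val != cisco_val:
            f.append(f"MISMATCH {what}: racoon={racoon_val} cisco={cisco_val}")
    p = "remote/proposal/"
    expect("phase1 encryption", r[p + "encryption_algorithm"], c["encryption"])
    expect("phase1 hash", HASH.get(r[p + "hash_algorithm"]), c["hash"])
    expect("phase1 auth", AUTH.get(r[p + "authentication_method"]), c["authentication"])
    expect("phase1 dh group", r[p + "dh_group"], c["group"])
    esp_enc = [t[4:] for t in c["transform"] if t.startswith("esp-") and not t.endswith("hmac")]
    esp_auth = [ESP_AUTH.get(t) for t in c["transform"] if t.endswith("hmac")]
    if not set(r["sainfo/encryption_algorithm"].split(",")) & set(esp_enc):
        f.append(f"MISMATCH phase2 cipher: racoon={r['sainfo/encryption_algorithm']} cisco={esp_enc}")
    expect("phase2 auth", r["sainfo/authentication_algorithm"], esp_auth[0] if esp_auth else None)
    expect("phase2 pfs group", r["sainfo/pfs_group"], c["pfs"])
    # Pre-shared keys: each side binds the secret to the *other* side's address.
    my_ip = r["remote/my_identifier"].split()[-1]
    psk = dict(line.split() for line in psk_text.splitlines() if line.strip())
    cisco_ip = next((ip for ip in c["own_ips"] if ip in psk), None)
    expect("peer address", my_ip, c["peer"])
    if cisco_ip is None or my_ip not in c["keys"]:
        f.append(f"MISSING key binding: psk.txt needs the Cisco's address, IOS needs a key for {my_ip}")
    elif psk[cisco_ip] != c["keys"][my_ip]:
        f.append("MISMATCH pre-shared secret differs between psk.txt and the isakmp key")
    for ip in sorted(set(c["keys"]) & c["own_ips"]):
        f.append(f"WARN isakmp key bound to the router's own address {ip} is never consulted")
    return f
```

Calling `check(RACOON_CONF, PSK_TXT, CISCO_CONF)` on the configs above returns only the WARN about the key bound to 69.28.185.2; changing the IOS policy to `group 5`, the racoon sainfo cipher to `aes`, or the secret in psk.txt each produces a MISMATCH, which is the kind of thing the debug logs would otherwise have to be read for.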