ASL-Corp members, Bureaucrats, Check users, Structured Discussions bots, oversight, Suppressors, Administrators, Upload Wizard campaign editors
1,714
edits
Changes
Jump to navigation
Jump to search
Line 63:
Line 63: + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Added strongSwan to Cisco IPSEC config for IKEv1 and IKEv2
/ip ipsec profile
/ip ipsec profile
add name="ike2" hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128,3des,des dh-group=modp2048,modp1024 lifetime=8h proposal-check=obey nat-traversal=no dpd-interval=2m dpd-maximum-failures=5
add name="ike2" hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128,3des,des dh-group=modp2048,modp1024 lifetime=8h proposal-check=obey nat-traversal=no dpd-interval=2m dpd-maximum-failures=5
=== strongSwan to Cisco - IKEv1 ===
==== Cisco IOS Config ====
crypto isakmp policy 10
encr aes
authentication pre-share
group 5
crypto isakmp key cisco address 172.16.10.2
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
crypto map cmap 10 ipsec-isakmp
set peer 172.16.10.2
set transform-set TS
match address cryptoacl
interface Ethernet0/1
ip address 192.168.1.1 255.255.255.0
interface Ethernet0/0
ip address 172.16.10.1 255.255.255.0
crypto map cmap
ip access-list extended cryptoacl
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
==== strongSwan Config ====
=====ipsec.conf=====
/etc/ipsec.conf:
config setup
# strictcrlpolicy=yes
# uniqueids = no
conn %default
ikelifetime=1440m
keylife=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
authby=secret
conn ciscoios
left=172.16.10.2 #strongswan outside address
leftsubnet=192.168.2.0/24 #network behind strongswan
leftid=172.16.10.2 #IKEID sent by strongswan
leftfirewall=yes
right=172.16.10.1 #IOS outside address
rightsubnet=192.168.1.0/24 #network behind IOS
rightid=172.16.10.1 #IKEID sent by IOS
auto=add
ike=aes128-md5-modp1536 #P1: modp1536 = DH group 5
esp=aes128-sha1 #P2
=====ipsec.secrets=====
/etc/ipsec.secrets:
172.16.10.2 172.16.10.1 : PSK cisco
=== strongSwan to Cisco - IKEv2 ===
Source: [[https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html#anc10]]
==== Cisco IOS Config ====
crypto ikev2 proposal ikev2proposal
encryption aes-cbc-128
integrity sha1
group 5
crypto ikev2 policy ikev2policy
match fvrf any
proposal ikev2proposal
crypto ikev2 keyring keys
peer strongswan
address 172.16.10.2
pre-shared-key local cisco
pre-shared-key remote cisco
crypto ikev2 profile ikev2profile
match identity remote address 172.16.10.2 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local keys
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode tunnel
crypto map cmap 10 ipsec-isakmp
set peer 172.16.10.2
set transform-set TS
set ikev2-profile ikev2profile
match address cryptoacl
interface Ethernet0/1
ip address 192.168.1.1 255.255.255.0
interface Ethernet0/0
ip address 172.16.10.1 255.255.255.0
crypto map cmap
ip access-list extended cryptoacl
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
==== strongSwan Config ====
=====ipsec.conf=====
/etc/ipsec.conf:
config setup
# strictcrlpolicy=yes
# uniqueids = no
conn %default
ikelifetime=1440m
keylife=60m
rekeymargin=3m
keyingtries=1
keyexchange=ikev1
authby=secret
conn ciscoios
left=172.16.10.2
leftsubnet=192.168.2.0/24
leftid=172.16.10.2
leftfirewall=yes
right=172.16.10.1
rightsubnet=192.168.1.0/24
rightid=172.16.10.1
auto=add
ike=aes128-sha1-modp1536
esp=aes128-sha1
keyexchange=ikev2
=====ipsec.secrets=====
/etc/ipsec.secrets:
172.16.10.2 : PSK "cisco"
172.16.10.1 : PSK "cisco"
== OpenVPN ==
== OpenVPN ==