Line 63: |
Line 63: |
| /ip ipsec profile | | /ip ipsec profile |
| add name="ike2" hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128,3des,des dh-group=modp2048,modp1024 lifetime=8h proposal-check=obey nat-traversal=no dpd-interval=2m dpd-maximum-failures=5 | | add name="ike2" hash-algorithm=sha1 enc-algorithm=aes-256,aes-192,aes-128,3des,des dh-group=modp2048,modp1024 lifetime=8h proposal-check=obey nat-traversal=no dpd-interval=2m dpd-maximum-failures=5 |
| + | |
| + | === strongSwan to Cisco - IKEv1 === |
| + | ==== Cisco IOS Config ==== |
| + | |
| + | crypto isakmp policy 10 |
| + | encr aes |
| + | authentication pre-share |
| + | group 5 |
| + | crypto isakmp key cisco address 172.16.10.2 |
| + | |
| + | crypto ipsec transform-set TS esp-aes esp-sha-hmac |
| + | mode tunnel |
| + | |
| + | crypto map cmap 10 ipsec-isakmp |
| + | set peer 172.16.10.2 |
| + | set transform-set TS |
| + | match address cryptoacl |
| + | |
| + | interface Ethernet0/1 |
| + | ip address 192.168.1.1 255.255.255.0 |
| + | |
| + | interface Ethernet0/0 |
| + | ip address 172.16.10.1 255.255.255.0 |
| + | crypto map cmap |
| + | |
| + | ip access-list extended cryptoacl |
| + | permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 |
| + | |
| + | ==== strongSwan Config ==== |
| + | =====ipsec.conf===== |
| + | /etc/ipsec.conf: |
| + | |
| + | config setup |
| + | # strictcrlpolicy=yes |
| + | # uniqueids = no |
| + | |
| + | conn %default |
| + | ikelifetime=1440m |
| + | keylife=60m |
| + | rekeymargin=3m |
| + | keyingtries=1 |
| + | keyexchange=ikev1 |
| + | authby=secret |
| + | |
| + | conn ciscoios |
| + | left=172.16.10.2 #strongswan outside address |
| + | leftsubnet=192.168.2.0/24 #network behind strongswan |
| + | leftid=172.16.10.2 #IKEID sent by strongswan |
| + | leftfirewall=yes |
| + | right=172.16.10.1 #IOS outside address |
| + | rightsubnet=192.168.1.0/24 #network behind IOS |
| + | rightid=172.16.10.1 #IKEID sent by IOS |
| + | auto=add |
| + | ike=aes128-md5-modp1536 #P1: modp1536 = DH group 5 |
| + | esp=aes128-sha1 #P2 |
| + | |
| + | =====ipsec.secrets===== |
| + | /etc/ipsec.secrets: |
| + | |
| + | 172.16.10.2 172.16.10.1 : PSK cisco |
| + | |
| + | === strongSwan to Cisco - IKEv2 === |
| + | Source: [[https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html#anc10]] |
| + | |
| + | ==== Cisco IOS Config ==== |
| + | |
| + | crypto ikev2 proposal ikev2proposal |
| + | encryption aes-cbc-128 |
| + | integrity sha1 |
| + | group 5 |
| + | |
| + | crypto ikev2 policy ikev2policy |
| + | match fvrf any |
| + | proposal ikev2proposal |
| + | |
| + | crypto ikev2 keyring keys |
| + | peer strongswan |
| + | address 172.16.10.2 |
| + | pre-shared-key local cisco |
| + | pre-shared-key remote cisco |
| + | |
| + | crypto ikev2 profile ikev2profile |
| + | match identity remote address 172.16.10.2 255.255.255.255 |
| + | authentication remote pre-share |
| + | authentication local pre-share |
| + | keyring local keys |
| + | |
| + | crypto ipsec transform-set TS esp-aes esp-sha-hmac |
| + | mode tunnel |
| + | |
| + | crypto map cmap 10 ipsec-isakmp |
| + | set peer 172.16.10.2 |
| + | set transform-set TS |
| + | set ikev2-profile ikev2profile |
| + | match address cryptoacl |
| + | |
| + | interface Ethernet0/1 |
| + | ip address 192.168.1.1 255.255.255.0 |
| + | |
| + | interface Ethernet0/0 |
| + | ip address 172.16.10.1 255.255.255.0 |
| + | crypto map cmap |
| + | |
| + | ip access-list extended cryptoacl |
| + | permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 |
| + | |
| + | ==== strongSwan Config ==== |
| + | =====ipsec.conf===== |
| + | /etc/ipsec.conf: |
| + | |
| + | config setup |
| + | # strictcrlpolicy=yes |
| + | # uniqueids = no |
| + | |
| + | conn %default |
| + | ikelifetime=1440m |
| + | keylife=60m |
| + | rekeymargin=3m |
| + | keyingtries=1 |
| + | keyexchange=ikev1 |
| + | authby=secret |
| + | |
| + | conn ciscoios |
| + | left=172.16.10.2 |
| + | leftsubnet=192.168.2.0/24 |
| + | leftid=172.16.10.2 |
| + | leftfirewall=yes |
| + | right=172.16.10.1 |
| + | rightsubnet=192.168.1.0/24 |
| + | rightid=172.16.10.1 |
| + | auto=add |
| + | ike=aes128-sha1-modp1536 |
| + | esp=aes128-sha1 |
| + | keyexchange=ikev2 |
| + | |
| + | =====ipsec.secrets===== |
| + | /etc/ipsec.secrets: |
| + | |
| + | 172.16.10.2 : PSK "cisco" |
| + | 172.16.10.1 : PSK "cisco" |
| | | |
| == OpenVPN == | | == OpenVPN == |
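Review bot: The IKEv1 strongSwan proposal `ike=aes128-md5-modp1536` does not line up with the IOS `crypto isakmp policy 10` above it, which sets `encr aes` and `group 5` but no `hash` — if the IOS default hash is SHA-1, as I believe it is, phase 1 will never agree, and in any case MD5 should not be picked as the IKE PRF/integrity algorithm; `ike=aes128-sha1-modp1536`, which the IKEv2 section already uses, would match and is the safer choice. Neither side of either tunnel enables PFS on the child SA (no `set pfs` under `crypto map cmap 10`, no DH group in `esp=aes128-sha1`), which is at least consistent but deserves a comment such as `# no PFS on phase 2: add "set pfs group14" on IOS and esp=aes128-sha1-modp2048 here to enable it`. SHA-1 integrity and DH group 5 (modp1536) are at the low end of what is still accepted, with group 14 (modp2048) or stronger the usual minimum today, so a one-line caveat next to each `group 5` / `modp1536` would help readers who copy this. The PSK `cisco` is a lab placeholder stored in clear text in both `ipsec.secrets` and the IOS keyring; a note that it must be replaced by a long random value before use would stop it reaching production. Finally, the IKEv2 `conn %default` still says `keyexchange=ikev1` and relies on `conn ciscoios` overriding it with `keyexchange=ikev2`; setting it once in `%default` avoids the confusion.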