It is perfectly possible to configure a Linux server (or workstation, if you wish) to talk IPsec. The Linux Advanced Routing & Traffic Control site has a page describing it. Since IPsec is a standard protocol, I wanted to get a tunnel up and running between a Linux host and a Cisco router: with success! Here are the config files that I used in this test:

racoon.conf:

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

remote anonymous {
	exchange_mode main;
	my_identifier address 172.31.8.102;
	verify_identifier on;
	proposal_check strict;
	proposal {
		encryption_algorithm aes;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group modp1536;
		lifetime time 24 hours;
	}
}
remote 172.31.8.10 inherit anonymous {
	peers_identifier address 172.31.8.10;
}
sainfo anonymous {
	pfs_group modp1536;
	lifetime time 1 hour;
	encryption_algorithm aes 128;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

psk.txt:

172.31.8.10   presharedkey

setkey commands:

spdflush;
flush;

spdadd 172.31.8.102 172.31.8.10 any -P out ipsec esp/transport//require;
spdadd 172.31.8.10 172.31.8.102 any -P in ipsec esp/transport//require;

Cisco config (relevant parts):

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto isakmp key presharedkey address 172.31.8.102
!
crypto ipsec transform-set TS_ESP_AES_SHA esp-aes esp-sha-hmac
 mode transport
!
crypto map CM_TEST 1 ipsec-isakmp
 set peer 172.31.8.102
 set transform-set TS_ESP_AES_SHA
 set pfs group5
 match address ACL_IPSEC
!
interface FastEthernet0/0
 ip address 172.31.8.10 255.255.255.0
 duplex auto
 speed auto
 crypto map CM_TEST
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip access-list extended ACL_IPSEC
 permit ip host 172.31.8.10 host 172.31.8.102
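The usual reason such a tunnel refuses to come up is that the two peers do not propose the same phase 1 or phase 2 parameters, and the spellings differ on each side (IOS "group 5" is racoon's modp1536, "esp-sha-hmac" is hmac_sha1). The following checker is an added example, not code from the post: it pulls the proposal values out of excerpts of both configs above (embedded as constructed sample input) and reports every disagreement. Transport mode is set in the setkey policy rather than in racoon.conf, so it is not compared here.

```python
# Excerpts of the two configs from this post, embedded as constructed sample input.
RACOON = """proposal {
    encryption_algorithm aes;
    hash_algorithm sha1;
    authentication_method pre_shared_key;
    dh_group modp1536;
}
sainfo anonymous {
    pfs_group modp1536;
    encryption_algorithm aes 128;
    authentication_algorithm hmac_sha1;
}"""
CISCO = """crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto ipsec transform-set TS_ESP_AES_SHA esp-aes esp-sha-hmac
 set pfs group5"""
DH = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}  # IOS group -> racoon
IKE = {"encr": ("encryption_algorithm", {}), "hash": ("hash_algorithm", {"sha": "sha1"}),
       "authentication": ("authentication_method", {"pre-share": "pre_shared_key"}),
       "group": ("dh_group", DH)}
ESP_AUTH = {"esp-sha-hmac": "hmac_sha1", "esp-md5-hmac": "hmac_md5"}

def racoon_params(text):
    """(phase, keyword) -> first value; lines before 'sainfo' are IKE, after it ESP."""
    phase, p = "ike", {}
    for w in (line.strip().rstrip(";").split() for line in text.splitlines()):
        if w and w[0] == "sainfo":
            phase = "esp"
        elif len(w) >= 2:
            p[(phase, w[0])] = w[1]  # key length ("aes 128") is dropped, IOS esp-aes is 128 too
    return p
def cisco_params(text):
    """Same keys from IOS, translated; an isakmp policy with no 'hash' line uses SHA-1."""
    p = {("ike", "hash_algorithm"): "sha1"}
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[0] in IKE:
            key, table = IKE[w[0]]
            p[("ike", key)] = table.get(w[1], w[1])
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            p[("esp", "encryption_algorithm")] = w[4].replace("esp-", "")
            p[("esp", "authentication_algorithm")] = ESP_AUTH.get(w[5], w[5])
        elif w[:2] == ["set", "pfs"]:
            p[("esp", "pfs_group")] = DH.get(w[2].replace("group", ""), w[2])
    return p
def mismatches(racoon_text, cisco_text):
    """Return [(phase, keyword, racoon value, cisco value)] for every disagreement."""
    r, c = racoon_params(racoon_text), cisco_params(cisco_text)
    return [(k[0], k[1], r.get(k), c[k]) for k in c if r.get(k) != c[k]]
```

With the post's two configs the list is empty; change the router to `group 2` and the checker flags the IKE DH group as modp1536 versus modp1024.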
