It is perfectly possible to configure a Linux server (or a workstation, if you wish) to talk IPsec; the Linux Advanced Routing & Traffic Control site has a page describing it. Since IPsec is a standard protocol, I wanted to get a tunnel up and running between a Linux host and a Cisco router: with success! Here are the config files that I used in this test:

racoon.conf:

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

# Phase 1 (ISAKMP) settings; these must match the router's "crypto isakmp policy"
remote anonymous {
	exchange_mode main;
	my_identifier address;
	verify_identifier on;
	proposal_check strict;
	proposal {
		encryption_algorithm aes;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group modp1536;
		lifetime time 24 hours;
	}
}

# Per-peer block inheriting the settings above (the peer address is not shown in this listing)
remote inherit anonymous {
	peers_identifier address;
}

# Phase 2 (IPsec SA) settings; these must match the router's transform-set and "set pfs"
sainfo anonymous {
	pfs_group modp1536;
	lifetime time 1 hour;
	encryption_algorithm aes 128;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

psk.txt:

presharedkey

setkey commands:

spdadd -P out ipsec esp/transport//require;
spdadd -P in ipsec esp/transport//require;

Cisco config (relevant parts):

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto isakmp key presharedkey address
crypto ipsec transform-set TS_ESP_AES_SHA esp-aes esp-sha-hmac
 mode transport
crypto map CM_TEST 1 ipsec-isakmp
 set peer
 set transform-set TS_ESP_AES_SHA
 set pfs group5
 match address ACL_IPSEC
interface FastEthernet0/0
 ip address
 duplex auto
 speed auto
 crypto map CM_TEST
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
ip access-list extended ACL_IPSEC
 permit ip host host
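
One check worth automating before bringing the tunnel up is that the racoon phase-1 proposal and sainfo actually line up with the Cisco isakmp policy, transform-set and crypto map, because a mismatch on any single parameter is the usual reason phase 1 or phase 2 never completes. The script below is an added example, not code from this post nor from racoon or Cisco. It embeds trimmed, constructed copies of the two configs above (peer addresses left out, as in the listing), and the keyword mappings are my own tables: modp1536 is IKE group 5, hmac_sha1 is esp-sha-hmac, aes 128 is IOS's plain esp-aes, and an isakmp policy with no hash line is taken to use IOS's default of SHA-1 (the post's listing omits it because `show run` hides defaults). The transport/tunnel mode on the Linux side is passed in explicitly, since it lives in the setkey SPD entries rather than in racoon.conf.

```python
import re

# Constructed copies of the post's two configs, trimmed to the directives that
# decide whether the proposals match (peer addresses omitted as in the post).
RACOON_CONF = """
remote anonymous {
    exchange_mode main;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1536;
    }
}
sainfo anonymous {
    pfs_group modp1536;
    encryption_algorithm aes 128;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
"""
CISCO_CONF = """
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 5
crypto ipsec transform-set TS_ESP_AES_SHA esp-aes esp-sha-hmac
 mode transport
crypto map CM_TEST 1 ipsec-isakmp
 set pfs group5
"""

# racoon keyword -> IOS keyword (my own tables); DH numbers are the IANA IKE group ids.
DH = {"modp768": "1", "modp1024": "2", "modp1536": "5", "modp2048": "14"}
HASH1 = {"sha1": "sha", "md5": "md5"}
AUTH1 = {"pre_shared_key": "pre-share", "rsasig": "rsa-sig"}
ESP_ENC = {("aes", "128"): "esp-aes", ("aes", "256"): "esp-aes 256", ("3des", None): "esp-3des"}
ESP_AUTH = {"hmac_sha1": "esp-sha-hmac", "hmac_md5": "esp-md5-hmac"}
# Assumed IOS defaults, applied when a policy line is absent from the running config.
IOS_POLICY_DEFAULTS = {"encr": "des", "hash": "sha", "authentication": "rsa-sig", "group": "1"}


def _directives(block):
    """Turn 'key value;' lines into a dict; values keep embedded spaces."""
    return {k: v.strip() for k, v in re.findall(r"(\w+)\s+([^;{}]+);", block)}


def parse_racoon(text):
    """Return the phase-1 'proposal' and phase-2 'sainfo' directives."""
    p1 = re.search(r"proposal\s*\{(.*?)\}", text, re.S).group(1)
    p2 = re.search(r"sainfo[^{]*\{(.*?)\}", text, re.S).group(1)
    return {"phase1": _directives(p1), "phase2": _directives(p2)}


def parse_cisco(text):
    """Collect the isakmp policy, transform-set, mode and crypto-map PFS group."""
    out = {"policy": {}, "transform": None, "mode": "tunnel", "pfs": None}
    section = ""
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):  # an unindented command opens a new section
            section = line.strip()
            m = re.match(r"crypto ipsec transform-set \S+ (.+)", section)
            out["transform"] = m.group(1) if m else out["transform"]
            continue
        words = line.split()
        if section.startswith("crypto isakmp policy"):
            out["policy"][words[0]] = " ".join(words[1:])
        elif section.startswith("crypto ipsec transform-set") and words[0] == "mode":
            out["mode"] = words[1]
        elif section.startswith("crypto map") and words[:2] == ["set", "pfs"]:
            out["pfs"] = words[2]
    return out


def compare(racoon, cisco, linux_mode="transport"):
    """List every parameter on which the two peers would fail to agree (linux_mode comes from setkey)."""
    p1, p2 = racoon["phase1"], racoon["phase2"]
    pol = {**IOS_POLICY_DEFAULTS, **cisco["policy"]}
    enc = p2.get("encryption_algorithm", "").split()
    esp_enc = ESP_ENC.get((enc[0], enc[1] if len(enc) > 1 else None)) if enc else None
    esp = f"{esp_enc} {ESP_AUTH.get(p2.get('authentication_algorithm'))}"
    pfs = (cisco["pfs"] or "").replace("group", "") or None
    checks = [
        ("phase1 encryption", p1.get("encryption_algorithm"), pol["encr"]),
        ("phase1 hash", HASH1.get(p1.get("hash_algorithm")), pol["hash"]),
        ("phase1 auth", AUTH1.get(p1.get("authentication_method")), pol["authentication"]),
        ("phase1 DH group", DH.get(p1.get("dh_group")), pol["group"]),
        ("phase2 PFS group", DH.get(p2.get("pfs_group")), pfs),
        ("ESP transform", esp, cisco["transform"]),
        ("IPsec mode", linux_mode, cisco["mode"]),
    ]
    return [f"{n}: linux={a!r} cisco={b!r}" for n, a, b in checks if a != b]


def check_page_configs():
    """Compare the embedded copies of the post's racoon and Cisco configs."""
    return compare(parse_racoon(RACOON_CONF), parse_cisco(CISCO_CONF))
```

`check_page_configs()` returns an empty list for the settings in this post. Changing either side (for example `group 2` in the router's isakmp policy, or tunnel-mode SPD entries on the Linux host) yields a one-line description of the mismatch, which is quicker than reading it out of `racoon -F -d` or `debug crypto isakmp` after the negotiation has already failed.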
