4.8 C
New York
Tuesday, December 3, 2024

Issues establishing IPsec Cisco IOS Debian 12


I believe I am lacking some config line
Cisco IOS is on GNS3, Debian is a distant VM in an organization

Cisco config:

CISCO

crypto ikev2 proposal TEST
 encryption aes-cbc-256
 integrity sha256
 group 14

crypto ikev2 coverage TEST
 proposal TEST

crypto ikev2 keyring TEST
 peer TEST
  deal with #white deal with debian#
  pre-shared-key #key#

crypto ikev2 profile TEST
 match id distant deal with #white deal with debian# 255.255.255.255
 authentication native pre-share
 authentication distant pre-share
 keyring native TEST

crypto ipsec transform-set TEST esp-aes esp-sha-hmac
 mode tunnel

crypto ipsec profile TEST
 set transform-set TEST
 set ikev2-profile TEST

ip access-list prolonged TEST
allow ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255

interface Tunnel0
 ip deal with 192.168.1.1 255.255.255.0
 tunnel supply #my house white deal with cisco#
 tunnel vacation spot #white deal with debian#
 tunnel safety ipsec profile TEST

router bgp 65000
 bgp router-id 192.168.1.1
 neighbor #white deal with debian# remote-as WHITE_ASN
 community 192.168.1.0 masks 255.255.255.0


int e0/1
no shut
ip deal with dhcp
ip domain-lookup

LINUX VM

sudo apt replace -y
sudo apt set up strongswan -y
sudo apt set up strongswan strongswan-pki libcharon-extra-plugins libcharon-extauth-plugins libstrongswan-extra-plugins libtss2-tcti-tabrmd0 -y
sudo apt set up strongswan frr frr-pythontools

sudo systemctl allow strongswan-starter
sudo systemctl is-enabled strongswan-starter

systemctl standing strongswan-starter

sudo apt set up frr
sudo systemctl allow frr
sudo systemctl is-enabled frr

systemctl standing frr


sudo nano /and so on/sysctl.conf 

internet.ipv4.ip_forward = 1 
internet.ipv6.conf.all.forwarding = 1 
internet.ipv4.conf.all.accept_redirects = 0 
internet.ipv4.conf.all.send_redirects = 0 

sudo sysctl -p


sudo nano /and so on/ipsec.conf

config setup
    charondebug="all"
    uniqueids=sure
conn TESTpc
    kind=tunnel
    auto=begin
    keyexchange=ikev2
    authby=secret
    left=%any
    leftsubnet=10.0.0.0/24 
    proper=#my house white deal with cisco#
    rightsubnet=192.168.1.0/24
    ike=aes256-sha256-modp1024
    esp=aes256-sha256
    aggressive=no
    keyingtries=%without end
    ikelifetime=28800s
    lifetime=3600s
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
    nat-keepalive=30
    remote_peer_type=cisco


sudo nano /and so on/ipsec.secrets and techniques
#white deal with debian# #my house white deal with cisco# :  PSK "#key#"


sudo nano /and so on/frr/frr.conf
router bgp WHITE ASN
 bgp router-id 10.0.0.9
 neighbor #my house white deal with cisco# remote-as 65000
 community 10.0.0.0/24


sudo nano /and so on/strongswan.conf
charon {
        nat_traversal = sure
 

sudo ipsec restart
sudo systemctl restart frr

After this I get subsequent logs on Debian:

Aug 23 16:20:21 ip-10-0-0-9 charon[4430]: 07[IKE] initiating IKE_SA crocpc[1] to MY_WHITE_ADDRESS_CISCO
Aug 23 16:20:21 ip-10-0-0-9 charon[4430]: 07[IKE] initiating IKE_SA crocpc[1] to MY_WHITE_ADDRESS_CISCO
Aug 23 16:20:21 ip-10-0-0-9 charon[4430]: 07[ENC] producing IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Aug 23 16:20:21 ip-10-0-0-9 charon[4430]: 07[NET] sending packet: from 10.0.0.9[500] to MY_WHITE_ADDRESS_CISCO[500] (336 bytes)
Aug 23 16:20:25 ip-10-0-0-9 charon[4430]: 09[IKE] retransmit 1 of request with message ID 0
Aug 23 16:20:25 ip-10-0-0-9 charon[4430]: 09[NET] sending packet: from 10.0.0.9[500] to MY_WHITE_ADDRESS_CISCO[500] (336 bytes)

Related Articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Latest Articles