Howto set up an IPsec VPN between a Cisco router and a Linux 2.6.xx box with ipsec-tools

Author : Andrea Pierini ([email protected])
Version: 0.1 May, 4th 2005


This document describes how to set up an IPsec VPN tunnel with pre-shared key authentication between a Linux box with a 2.6.xx kernel and ipsec-tools, and a Cisco router running a crypto-enabled IOS image.
I will describe the configuration of both systems, using a real working example.

You will need a Linux 2.6.xx kernel (I tested it on a 2.6.10 kernel), with all the kernel ipsec stuff.
Basically you should enable the following options before compiling the new kernel:

Networking support (NET) [Y/n/?] y
* Networking options
PF_KEY sockets (NET_KEY) [Y/n/m/?] y
IP: AH transformation (INET_AH) [Y/n/m/?] y
IP: ESP transformation (INET_ESP) [Y/n/m/?] y
IP: IPsec user configuration interface (XFRM_USER) [Y/n/m/?] y
Cryptographic API (CRYPTO) [Y/n/?] y
HMAC support (CRYPTO_HMAC) [Y/n/?] y
Null algorithms (CRYPTO_NULL) [Y/n/m/?] y
MD5 digest algorithm (CRYPTO_MD5) [Y/n/m/?] y
SHA1 digest algorithm (CRYPTO_SHA1) [Y/n/m/?] y
DES and Triple DES EDE cipher algorithms (CRYPTO_DES) [Y/n/m/?] y
AES cipher algorithms (CRYPTO_AES) [Y/n/m/?] y
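
As an added check (not part of the original howto), this shell function verifies that a kernel .config satisfies the option list above: options the list marks [Y/n/m/?] may be built-in or module, the others must be built-in. The sample .config it runs against is constructed here and deliberately misses two options.

```shell
# Added example (not from the howto): check a kernel .config against the IPsec options above.

# Option:allowed-values. "y" = must be built-in, "ym" = built-in or module is fine.
REQUIRED="CONFIG_NET:y CONFIG_CRYPTO:y CONFIG_CRYPTO_HMAC:y
CONFIG_NET_KEY:ym CONFIG_INET_AH:ym CONFIG_INET_ESP:ym CONFIG_XFRM_USER:ym
CONFIG_CRYPTO_NULL:ym CONFIG_CRYPTO_MD5:ym CONFIG_CRYPTO_SHA1:ym
CONFIG_CRYPTO_DES:ym CONFIG_CRYPTO_AES:ym"

# kconfig_value FILE OPTION: prints y or m; prints nothing when the option is
# absent or appears as "# CONFIG_X is not set".
kconfig_value() {
    sed -n "s/^$2=\([ym]\)\$/\1/p" "$1" | tail -n 1
}

# check_ipsec_kconfig FILE: lists every unsatisfied option, returns 1 if there is any.
check_ipsec_kconfig() {
    missing=0
    for spec in $REQUIRED; do
        opt=${spec%:*}; allowed=${spec#*:}
        v=$(kconfig_value "$1" "$opt")
        case "${v:-unset}" in
            [$allowed]) ;;   # e.g. [ym]: either y or m is accepted
            *) echo "$opt must be one of {$allowed}, found: ${v:-unset}"; missing=1 ;;
        esac
    done
    return "$missing"
}

# Constructed sample .config: ESP is not compiled in and HMAC is only a module.
SAMPLE_CFG=$(mktemp); trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
CONFIG_NET=y
CONFIG_NET_KEY=m
CONFIG_INET_AH=y
# CONFIG_INET_ESP is not set
CONFIG_XFRM_USER=m
CONFIG_CRYPTO=y
CONFIG_CRYPTO_HMAC=m
CONFIG_CRYPTO_NULL=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_DES=y
CONFIG_CRYPTO_AES=m
EOF

if check_ipsec_kconfig "$SAMPLE_CFG"; then
    echo "kernel config has every IPsec option the howto needs"
fi
```

On a running kernel built with IKCONFIG the same check works on `zcat /proc/config.gz`.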

For more information about the kernel setup, take a look at the various guides and how-tos. You will also need ipsec-tools (which includes the racoon ISAKMP daemon). The latest tools can be downloaded from the ipsec-tools project site; I used version ipsec-tools-0.5.2.

You will also need a Cisco router with an IPsec/3DES IOS software release.
I used a Cisco 837 ADSL router.
I want to connect a remote office LAN to the main office LAN over an Internet ADSL line through a VPN tunnel. Internet access from the remote office should be redirected to the main office for security and internal policy reasons.

In order to keep things simple, all references to network devices and configuration in this document will be with respect to the following network configuration:

        Remote Office LAN
               |
           Ethernet0
 +----------------------------+
 | Remote Office cisco router |
 |            ROR             |
 +----------------------------+
           Loopback0
               |
           Internet
               |
 +----------------------------+
 |  Main Office cisco router  |
 +----------------------------+
               |
 +----------------------------+
 |     Linux Router & VPN     |
 |            LRV             |
 +----------------------------+
               |
         Main Office LAN

The Main Office has a public Class C network, variably subnetted. The Remote Office has a private Class C network. In more depth, this is the IP addressing scheme:

Remote Office LAN:
Remote Office Router (ROR) Ethernet0 =
Remote Office Router (ROR) Loopback0 = 82.Y.Y.1 mask 248
Remote Office Router (ROR) ATM0.1 = 83.Z.Z.2 mask 252

Main Office LAN: 196.X.X.128/25
Linux Router & VPN (LRV) eth0 = 196.X.X.2 mask 248
Linux Router & VPN (LRV) eth1 = 196.X.X.129 mask 128

As mentioned earlier, all traffic generated from the remote office, Internet traffic included, should go through the VPN, whose two endpoints are ROR and LRV.


The eth0 interface of LRV represents the endpoint of the tunnel.
All traffic coming from the remote subnet exits the tunnel at this level and should be processed. There are 2 possibilities:

1.    The packets are destined for the Main Office Lan
2.    The packets are destined for the internet

The first case does not need any special treatment; the second needs further processing in terms of NAT.
These are the steps for the implementation:

a)    configure VPN
b)    configure iptables

I will not discuss the IPsec protocol suite itself (AH, ESP, ISAKMP and so on) but assume that you are already familiar with it. If not, look at the related links. We will use the triple-DES (3DES) encryption algorithm, the SHA1 hash algorithm, Diffie-Hellman group 2 (1024-bit) and pre-shared key authentication.
We need to edit 3 files: /etc/ipsec.conf, /etc/racoon.conf and /etc/psk.txt.

The ipsec.conf file will look like this:

#!/usr/sbin/setkey -f
# Flush SAD and SPD
flush;
spdflush;
# Remote Office - Main Office VPN
spdadd any -P out ipsec
spdadd any -P in ipsec

This file contains the security policies (SPD) that setkey loads into the kernel, i.e. under which conditions racoon should negotiate the tunnel. Please note that we are using tunnel mode and the ESP protocol.

The racoon.conf contains the following entries:

path include "/etc";
path pre_shared_key "/etc/psk.txt";

padding
{
    maximum_length 20;    # maximum padding length.
    randomize off;        # enable randomize length.
    strict_check off;     # enable strict check.
    exclusive_tail off;   # extract last one octet.
}

listen
{
    #isakmp ::1 [7000];
    isakmp 196.X.X.2 [500];
    #admin [7002];        # administrative's port by kmpstat.
    #strict_address;      # required all addresses must be bound.
}

# Specification of default various timer.
timer
{
    # These value can be changed per remote node.
    counter 5;            # maximum trying count to send.
    interval 20 sec;      # maximum interval to resend.
    persend 1;            # the number of packets per a send.

    # timer for waiting to complete each phase.
    phase1 90 sec;
    phase2 90 sec;
}

# here begins the configuration of the Remote Office - Main Office VPN
remote 82.Y.Y.1 {
        my_identifier address 196.X.X.2;
        exchange_mode aggressive,main;
        initial_contact off;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
        lifetime time 3600 sec;
}


Basically, we define the remote peer 82.Y.Y.1 and the parameters to use for the phase 1 IKE negotiation. Next we specify the parameters that may be used for the setup of the security associations (phase 2). These definitions are not specific to an IP address (anonymous).
The psk.txt contains the shared secret key:

    82.Y.Y.1    VerYsEcretKey

We are certainly already using iptables, given that our Linux box is exposed to the internet ;-)
Our firewall script must contain additional entries in order to allow the ipsec traffic and the NAT settings.
IPsec uses the following port and protocols:

- UDP port 500 for ISAKMP
- IP protocol 50 for ESP (51 for AH)

Here are our rules:

#this is for isakmp
/sbin/iptables -A INPUT -i eth0 -p udp -s 82.Y.Y.1 --sport 500 -d 196.X.X.2 --dport 500 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p udp -s 196.X.X.2 --sport 500 -d 82.Y.Y.1 --dport 500 -j ACCEPT
#and this is for esp (IP protocol 50, no ports)
/sbin/iptables -A INPUT -i eth0 -p 50 -s 82.Y.Y.1 -d 196.X.X.2 -j ACCEPT
/sbin/iptables -A OUTPUT -o eth0 -p 50 -s 196.X.X.2 -d 82.Y.Y.1 -j ACCEPT

Last but not least the NAT rules: we only want web and telnet access for the clients of the Remote Office:

/sbin/iptables -t nat -A POSTROUTING -o eth0 -p tcp -s -d ! 196.X.X.0/24 --dport 23  -j SNAT --to 196.X.X.129
/sbin/iptables -t nat -A POSTROUTING -o eth0 -p tcp -s -d ! 196.X.X.0/24 --dport 80  -j SNAT --to 196.X.X.129

OK, we are all familiar with Linux, but Cisco is a little bit different. In order to proceed, you should know the basic configuration commands of IOS.

These are the configuration steps:

1.    Configure interfaces
2.    Configure the crypto policies
3.    Configure access lists
4.    Apply crypto maps and access lists to the interfaces

This is the easiest step. We will configure 3 interfaces: Ethernet0, ATM0.1 and Loopback0.
Our Telco provider has supplied us with an ADSL line with 8 public IPs (82.Y.Y.1/28). The external public IP is 83.Y.Y.2.

interface Loopback0
 ip address 82.Y.Y.1
 no ip route-cache
 no ip mroute-cache

interface Ethernet0
 ip address
 no ip mroute-cache
 hold-queue 100 out

interface ATM0.1 point-to-point
 ip address 83.Y.Y.2
 no ip route-cache
 no ip mroute-cache
 pvc 8/35
  encapsulation aal5snap

ip route ATM0.1

Why should we create Loopback0? Very simple: my Telco provider does not permit any traffic generated from the ATM interface (83.Y.Y.2), so we will use one of the 8 IPs as the VPN endpoint.

First, we'll need to configure the phase 1 IKE negotiation:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp key 0 VerYsEcretKey address 196.X.X.2
crypto isakmp keepalive 3600

What are we doing? We define a policy number 1, in which we set up the security parameters.
Next we define the secret key and the lifetime parameters, which must match the counterpart's.
After that, we set up the crypto map that is used during the phase 2 negotiation in order to apply the encryption tunnel:

crypto ipsec transform-set MyTransformSet esp-3des esp-sha-hmac
! local-address tells the router that the originating IP is 82.Y.Y.1 !!
crypto map MyMap local-address Loopback0
crypto map MyMap 10 ipsec-isakmp
 set peer 196.X.X.2
 set transform-set MyTransformSet
 set pfs group2
 ! this is the access list 100!
 match address 100

There are 2 main reasons to define access lists: to protect our network and to define which traffic should be encrypted through the VPN.
A very simple pair of access lists, which only permit the IPsec protocols, is the following:

access-list 110 permit esp 82.Y.Y.0 196.X.X.0
access-list 110 permit udp 82.Y.Y.0 196.X.X.0 eq isakmp
access-list 111 permit esp 196.X.X.0 82.Y.Y.0
access-list 111 permit udp 196.X.X.0 82.Y.Y.0 eq isakmp

Now we will define a special access list for the VPN:

access-list 100 permit ip any

Here we say that the traffic originating from the network and directed to any destination should be encrypted, i.e. should use the VPN tunnel. Access list 100 is applied to the crypto map MyMap.

Finally we apply the access lists and the crypto map to the external interface:

interface ATM0.1
 ip access-group 111 in
 ip access-group 110 out
 crypto map MyMap


Now we are ready to test the system. Load the policies, then start racoon in the foreground with debugging enabled:

/usr/local/sbin/setkey -f /etc/ipsec.conf
/usr/local/sbin/racoon -f /etc/racoon/racoon.conf -F -ddd

Try to ping a host on the Remote Office network; you should get a lot of messages telling you what racoon is doing.
If everything is OK you should receive answers to your pings. Try the same thing from the remote network, then try to access the Internet, the main office LAN and so on.
In case of problems, look at the debug output, use tcpdump, check the firewall rules, etc.
On the Cisco router enable debugging: debug crypto isakmp, debug ip packet.
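
To confirm the result of this test without reading through the whole debug output, the following added shell functions (not part of the howto) parse saved `setkey -D` output on the Linux box and check that a mature ESP tunnel-mode SA with the 3des-cbc/hmac-sha1 algorithms chosen above exists in each direction; a stale SA in state "dying" must not count. The sample output is constructed with RFC 5737 documentation addresses (192.0.2.2 for LRV, 198.51.100.1 for ROR's Loopback0).

```shell
# Added example (not from the howto): verify the tunnel from `setkey -D` output.

# check_esp_sa FILE SRC DST: returns 0 if FILE (saved `setkey -D` output) holds
# a mature ESP tunnel SA from SRC to DST using 3des-cbc and hmac-sha1.
check_esp_sa() {
    awk -v src="$2" -v dst="$3" '
        # each SA record starts with an unindented "src dst" line; evaluate the
        # previous record whenever a new one begins and once more at the end
        function end_record() {
            if (in_rec && esp && enc && auth && mature) found = 1
            esp = enc = auth = mature = 0
        }
        $1 ~ /^[0-9.]+$/ && NF == 2 { end_record(); in_rec = ($1 == src && $2 == dst); next }
        /esp mode=tunnel/ { esp = 1 }
        /E: 3des-cbc/     { enc = 1 }
        /A: hmac-sha1/    { auth = 1 }
        /state=mature/    { mature = 1 }
        END { end_record(); exit !found }
    ' "$1"
}

# check_tunnel FILE LOCAL PEER: the tunnel is only up with a mature SA in each direction.
check_tunnel() {
    check_esp_sa "$1" "$2" "$3" && check_esp_sa "$1" "$3" "$2"
}

# Constructed sample of `setkey -D` output (keys are made up). The third record
# is a stale, dying SA towards another host and must not satisfy the check.
SAMPLE_SAD=$(mktemp); trap 'rm -f "$SAMPLE_SAD"' EXIT
cat > "$SAMPLE_SAD" <<'EOF'
198.51.100.1 192.0.2.2
        esp mode=tunnel spi=201326592(0x0c000000) reqid=0(0x00000000)
        E: 3des-cbc  00112233 44556677 8899aabb ccddeeff 00112233 44556677
        A: hmac-sha1  00112233 44556677 8899aabb ccddeeff 00112233
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.2 198.51.100.1
        esp mode=tunnel spi=335544320(0x14000000) reqid=0(0x00000000)
        E: 3des-cbc  ffeeddcc bbaa9988 77665544 33221100 ffeeddcc bbaa9988
        A: hmac-sha1  ffeeddcc bbaa9988 77665544 33221100 ffeeddcc
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
192.0.2.2 203.0.113.9
        esp mode=tunnel spi=1(0x00000001) reqid=0(0x00000000)
        E: 3des-cbc  01234567 01234567 01234567 01234567 01234567 01234567
        A: hmac-sha1  01234567 01234567 01234567 01234567 01234567
        seq=0x00000000 replay=4 flags=0x00000000 state=dying
EOF

if check_tunnel "$SAMPLE_SAD" 192.0.2.2 198.51.100.1; then
    echo "tunnel up: mature ESP SAs in both directions"
fi
```

On the real box run `setkey -D > /tmp/sad.txt` and pass that file with 196.X.X.2 and 82.Y.Y.1 as LOCAL and PEER.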

The main drawback is that we also encrypt unnecessary traffic. Web browsing originating from the Remote Office LAN does not need to be encrypted but still has to go through our Linux box. A good solution and possible improvement would be a GRE tunnel combined with IPsec, but that could lead to MTU problems.

- Ralf Spenneberg for the ipsec-howto.pdf, which helped me a lot!
- Renzo Rossi for all the "cool" things he told me about Cisco's IPsec implementation
- All the Linux folks

That's all!

