IPsec between Strongswan on AWS and Cisco IOS behind a NAT
My Strongswan :
Local IP: 172.30.0.37
Elastic IP: 19.215.188.2
OS: Ubuntu
My WAN:
– Customer grade broadband Internet
– Public IP:28.77.250.17 – connect to my fiber optics
– Local gateway IP: 192.168.1.100
– we need to setup porftforwarding : UDP port 4500,500, to our router interface 192.16.1.108
My Cisco:
– Cisco 1841
– fa0/1 : 192.168.1.108 – connect to My WAN router local interface
– fa0/0: 172.16.8.254 – connect to my local switch / pc
My Strongswan config:
/etc/ipsec.conf
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
config setup # strictcrlpolicy=yes # uniqueids = no conn %default ikelifetime=1440m keylife=60m rekeymargin=3m keyingtries=1 keyexchange=ikev1 authby=secret conn myremoteoffice left=172.30.0.37 #strongswan outside address leftsubnet=172.30.0.0/24,0.0.0.0/0 #network behind strongswan leftid=19.215.188.2 #IKEID sent by strongswan leftfirewall=yes right=28.77.250.17 #IOS outside address rightsubnet=172.16.8.0/24 #network behind IOS rightid=192.168.1.108 #IKEID sent by IOS auto=start ike=aes128-sha1-modp1536 #P1: modp1536 = DH group 5 esp=aes128-sha1 #P2 |
/etc/ipsec.secrets
|
1 2 3 4 5 6 7 8 9 10 |
# This file holds shared secrets or RSA private keys for authentication. # RSA private key for this host, authenticating it to any other host # which knows the public part. 19.215.188.2 28.77.250.17 : PSK "cisco" 192.168.1.108 28.77.250.17 : PSK "cisco" #this is the magic we need to add 192.168.1.108 here |
This is my Cisco configuration:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 |
#our router will serve as dhcp server ip dhcp pool dhcp_pool network 172.16.8.0 255.255.255.0 default-router 172.16.8.254 dns-server 1.1.1.1 ip domain name thao.com #this configuration is for our ipsect #ipsec policy - how ipsec authenticate / encryption method crypto isakmp policy 10 encr aes #we use aes authentication pre-share #use pre-shared key - the key is defined below group 5 #define the pre-shared key (cisco) , when ipsec setup a tunnel , it will check the remote ip if matching, it will use the corresponding key #in this case when we connect to 192.215.188.2 it will use the key cisco crypto isakmp key cisco address 19.215.188.2 ! ! #ipsec transformation - "TS" is our name now crypto ipsec transform-set TS esp-aes esp-sha-hmac #define our remote peer crypto map cmap 10 ipsec-isakmp set peer 19.215.188.2 set transform-set TS #transform info define above match address cryptoacl # the traffic will be into ipsec when it match this ACL (cryptoacl) - this ACL will be defined below #our local interface statement interface FastEthernet0/0 description LAN ip address 172.16.8.254 255.255.255.0 ip nat inside #we want to use NAT ip virtual-reassembly in duplex auto speed auto ! interface FastEthernet0/1 description WAN ip address dhcp ip nat outside #nat outside - this is our internet ip virtual-reassembly in duplex auto speed auto crypto map cmap #this is for the IPsec , we define the relevant ipsec information - "cmap" is the info we define above #our nat info "natacl" is our access list for nat - it will define what traffic to nat ip nat inside source list natacl interface FastEthernet0/1 overload #cryptoacl is to determine what traffic to go through ip sect ip access-list extended cryptoacl permit ip 172.16.8.0 0.0.0.255 172.30.0.0 0.0.255.255 # all traffic from our local interface to our remote subnet (strongswan) will be in ipsec permit ip 172.16.8.0 0.0.0.255 any #note100: this is optional , this means we want everything will be in ipsec , meaning all internet traffic from our local client will go to our strongswan to have internet, internet will not be locally #define what to nat ip access-list extended natacl deny ip 172.16.8.0 0.0.0.255 172.30.0.0 0.0.0.255 #we don't want the traffic to our remote subnet be in NAT deny ip 172.16.8.0 0.0.0.255 host 19.215.188.22 #traffic to our remote strongswan public IP permit ip 172.16.8.0 0.0.0.255 any #note101: this means all internet will go locally , it's optional - remove this if we want all traffic go through ipsec ! |
Note:
In this setup, we can decide where is internet break out for our client ,
– via our remote site (strongswan) -> you must have the line in #note100 and remove line #note101
– via our local internet provide -> keep the line #note101
Leave a Reply