IPsec between Strongswan on AWS and Cisco IOS behind a NAT

My Strongswan :

Local IP: 172.30.0.37
Elastic IP: 19.215.188.2
OS: Ubuntu
My WAN:
– Customer grade broadband Internet
– Public IP:28.77.250.17 – connect to my fiber optics
– Local gateway IP: 192.168.1.100
– we need to set up port forwarding on the WAN router: UDP ports 500 and 4500, forwarded to our Cisco router's interface 192.168.1.108
My Cisco:
– Cisco 1841
– fa0/1 : 192.168.1.108  – connect to My WAN router local interface
– fa0/0: 172.16.8.254 – connect to my local switch / pc

My Strongswan config:

/etc/ipsec.conf

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Defaults inherited by every conn: IKEv1 with pre-shared-key authentication,
# a 1440-minute IKE SA lifetime, a 60-minute IPsec SA lifetime, rekeying
# 3 minutes before expiry, and a single negotiation attempt.
# NOTE(review): IKEv2 is generally preferred where both ends support it -
# confirm what the IOS image on the 1841 offers before staying on IKEv1.
conn %default
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret


# Site-to-site tunnel to the Cisco 1841, which sits behind the WAN router's NAT.
# Both ends are NATed: strongSwan behind the AWS Elastic IP, IOS behind 28.77.250.17.
conn myremoteoffice
        left=172.30.0.37                  #private address of the strongSwan instance (the Elastic IP maps onto it)
        # NOTE(review): strongSwan's documentation says IKEv1 uses only the first subnet
        # of a list unless the Unity plugin is loaded - confirm 0.0.0.0/0 takes effect.
        leftsubnet=172.30.0.0/24,0.0.0.0/0         #networks offered behind strongSwan; 0.0.0.0/0 is for the "all traffic through the tunnel" case
        leftid=19.215.188.2                #IKE ID sent by strongSwan = its Elastic IP, the address IOS uses as its peer
        leftfirewall=yes
        right=28.77.250.17                 #public IP of the WAN router in front of IOS
        rightsubnet=172.16.8.0/24        #LAN behind IOS
        rightid=192.168.1.108               #IKE ID sent by IOS = its private fa0/1 address, because it is behind NAT
        auto=start
        # NOTE(review): SHA-1 and a 1536-bit MODP group are legacy choices; prefer SHA-2
        # and modp2048 or larger if both ends support them. Any change here must be
        # mirrored in the IOS isakmp policy and transform set.
        ike=aes128-sha1-modp1536           #P1: modp1536 = DH group 5
        # No DH group is listed for ESP, so phase 2 runs without PFS.
        esp=aes128-sha1                   #P2

/etc/ipsec.secrets

# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.




# Pre-shared key for the tunnel, listed under both IDs the peer pairing can present.
# NOTE(review): "cisco" is a guessable placeholder. Use a long random secret, keep it
# identical to the key configured on IOS, and keep this file readable by root only.
19.215.188.2 28.77.250.17 : PSK "cisco"
192.168.1.108 28.77.250.17 : PSK "cisco" #needed because IOS is behind NAT and sends 192.168.1.108 as its IKE ID (see rightid), so the secret must also be found under that ID

 

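This is my Cisco configuration (the # annotations are my notes, not IOS syntax; IOS comment lines start with !, so strip the annotations before pasting):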

# The router is the DHCP server for the LAN: it hands out addresses from 172.16.8.0/24,
# with itself (172.16.8.254) as default gateway and 1.1.1.1 as DNS server.
ip dhcp pool dhcp_pool
 network 172.16.8.0 255.255.255.0
 default-router 172.16.8.254 
 dns-server 1.1.1.1 

ip domain name thao.com

# IPsec configuration starts here

# ISAKMP (phase 1) policy: how the peers authenticate and how the IKE exchange is protected.
# No hash line is set, so the IOS default applies - presumably SHA-1, since the
# strongSwan side proposes sha1; confirm with "show crypto isakmp policy".
crypto isakmp policy 10
 encr aes                    # AES encryption (the strongSwan side proposes aes128)
 authentication pre-share    # authenticate with a pre-shared key - the key is defined below
 group 5

# Pre-shared key: when a tunnel is set up, IOS picks the key whose address matches the remote peer.
# Here, negotiations with 19.215.188.2 (the strongSwan Elastic IP) use the key "cisco".
# NOTE(review): "cisco" is a guessable placeholder. Use a long random secret, identical
# to the PSK entries in /etc/ipsec.secrets on the strongSwan side.

crypto isakmp key cisco address 19.215.188.2
!
!

# IPsec (phase 2) transform set, named "TS": ESP with AES encryption and SHA-1 HMAC integrity.
# This has to agree with esp=aes128-sha1 on the strongSwan side.
crypto ipsec transform-set TS esp-aes esp-sha-hmac 

# Crypto map "cmap": ties together the remote peer, the transform set and the traffic to protect.
crypto map cmap 10 ipsec-isakmp 
 set peer 19.215.188.2
 set transform-set TS   # the transform set defined above
 match address cryptoacl  # traffic matching the cryptoacl ACL (defined below) is sent into the tunnel

# LAN-facing interface: default gateway for the local clients, and the NAT "inside" side
interface FastEthernet0/0
 description LAN
 ip address 172.16.8.254 255.255.255.0
 ip nat inside   # LAN side of NAT
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description WAN
 ip address dhcp
 ip nat outside  # WAN side of NAT - this interface faces the internet (via the WAN router)
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map cmap   # applies the crypto map "cmap" defined above, so IPsec runs on this interface

# NAT rule: traffic matching the "natacl" access list is translated to the fa0/1 address (overload = PAT)
ip nat inside source list natacl interface FastEthernet0/1 overload

# cryptoacl decides which traffic goes through IPsec
# NOTE(review): the first entry uses wildcard 0.0.255.255 (172.30.0.0/16), while natacl and
# strongSwan's leftsubnet use a /24 (0.0.0.255). IKEv1 traffic selectors normally have to
# agree on both ends - confirm which mask is intended.

ip access-list extended cryptoacl
 permit ip 172.16.8.0 0.0.0.255 172.30.0.0 0.0.255.255  # traffic from our LAN to the remote subnet (strongSwan side) goes into IPsec
 permit ip 172.16.8.0 0.0.0.255 any  #note100: optional - sends everything into IPsec, so the local clients reach the internet via strongSwan instead of the local ISP
# natacl decides which traffic gets NATed
# NOTE(review): the host entry below is 19.215.188.22, but the strongSwan Elastic IP used
# everywhere else on this page is 19.215.188.2 - probably a typo; confirm before use.
ip access-list extended natacl
 deny   ip 172.16.8.0 0.0.0.255 172.30.0.0 0.0.0.255  # do not NAT traffic to the remote subnet, so it still matches cryptoacl
 deny   ip 172.16.8.0 0.0.0.255 host 19.215.188.22 # do not NAT traffic to the remote strongSwan public IP
 permit ip 172.16.8.0 0.0.0.255 any  #note101: optional - NATs all other traffic so it leaves via the local ISP; remove this line if all traffic should go through IPsec
!

Note:

In this setup, we can decide where our clients' internet traffic breaks out:
– via our remote site (strongSwan)    ->  you must keep the line marked #note100 and remove the line marked #note101
– via our local internet provider    -> keep the line marked #note101

 
