[Openswan Users] Cisco IOS VTI (Virtual Tunnel Interface)
Johannes Herlitz
Johannes.Herlitz at satlynx.com
Fri Jun 6 05:18:12 EDT 2008
Hello,
I have spent two days finding a working example for this in forums and
mailing lists without success. Maybe one of you has already done this.
Is it possible to terminate a Cisco IOS VTI (Virtual Tunnel Interface)
with openswan? If yes, what would the openswan configuration look like?
Cisco configuration:
---
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 5
 lifetime 28800
crypto isakmp key linux address x.x.x.x
crypto ipsec transform-set MySet esp-3des esp-md5-hmac
crypto ipsec profile VTI
 set security-association lifetime seconds 28800
 set transform-set MySet
 set pfs group5
interface Tunnel0
 ip address 192.168.10.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination x.x.x.x
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI
---
Openswan configuration on Linux with kernel 2.6.22:
---
version 2.0

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none

conn tunnelipsec
    type=tunnel
    authby=secret
    left=x.x.x.x
    leftnexthop=%defaultroute
    leftsubnet=192.168.10.2/30
    right=y.y.y.y
    rightnexthop=%defaultroute
    rightsubnet=192.168.10.1/30
    ike=3des-md5-modp1536
    esp=3des-md5
    keyexchange=ike
    pfs=yes
    pfsgroup=modp1536
    auto=start
    ikelifetime=8h
    keylife=8h

include /etc/ipsec.d/examples/no_oe.conf
---
(The "leftsubnet" and "rightsubnet" settings do not make sense.)
Phase 1 completes, and even the ESP packets sent by the Cisco are
decrypted correctly. So this means phase 2 also works, somehow.
However, I have no clue about how to create an interface in the Linux
box that I can assign the IP 192.168.10.2/30.
I read something about "KLIPS" being able to create an "ipsec0"
interface, but I also read that one shall not use KLIPS with kernel 2.6
any more. How am I supposed to do this?
--
Cheers,
Johannes
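The following checker is an added example and is not code from the post, from Openswan or from Cisco. It parses the two configuration fragments quoted above, maps both sides onto one vocabulary (IOS DH group numbers to modp names, "8h" to seconds, a transform-set to a cipher/hash pair) and reports proposal mismatches, legacy algorithms (3DES and MD5 on both sides here) and the selector problem: a Cisco VTI in "tunnel mode ipsec ipv4" negotiates 0.0.0.0/0 <-> 0.0.0.0/0 proxy identities, whereas the posted leftsubnet and rightsubnet both normalise to the same network, 192.168.10.0/30. The configuration strings, the function names and the finding wording are this example's own.

```python
"""Cross-check a Cisco IOS VTI configuration against an Openswan ipsec.conf."""
import ipaddress
import re

# Constructed copies of the two fragments from the post, trimmed to the lines
# the checker reads (the x.x.x.x / y.y.y.y peer placeholders are not needed).
CISCO_CONF = """
crypto isakmp policy 10
 encr 3des
 hash md5
 group 5
 lifetime 28800
crypto ipsec transform-set MySet esp-3des esp-md5-hmac
crypto ipsec profile VTI
 set security-association lifetime seconds 28800
 set transform-set MySet
 set pfs group5
interface Tunnel0
 tunnel mode ipsec ipv4
"""
OPENSWAN_CONF = """
conn tunnelipsec
    leftsubnet=192.168.10.2/30
    rightsubnet=192.168.10.1/30
    ike=3des-md5-modp1536
    esp=3des-md5
    pfs=yes
    pfsgroup=modp1536
    ikelifetime=8h
    keylife=8h
"""
DH_GROUPS = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}
LEGACY = {"des", "3des", "md5", "modp768", "modp1024"}  # weak by today's standards
ANY = ipaddress.ip_network("0.0.0.0/0")


def cisco_profile(text):
    """IKE and IPsec parameters of the IOS fragment, in Openswan vocabulary."""
    p, tsets = {}, {}
    for w in (line.split() for line in text.splitlines()):
        if w[:3] == ["crypto", "ipsec", "transform-set"]:
            # "esp-3des esp-md5-hmac" -> ("3des", "md5")
            enc = [t[4:] for t in w[4:] if t.startswith("esp-") and not t.endswith("-hmac")]
            auth = [t[4:-5] for t in w[4:] if t.endswith("-hmac")]
            tsets[w[3]] = (enc[0], auth[0])
        elif w[:1] == ["encr"]:
            p["ike_enc"] = w[1]
        elif w[:1] == ["hash"]:
            p["ike_hash"] = w[1]
        elif w[:1] == ["group"]:
            p["ike_dh"] = DH_GROUPS[w[1]]
        elif w[:1] == ["lifetime"]:
            p["ike_life"] = int(w[1])
        elif w[:2] == ["set", "transform-set"]:
            p["esp_enc"], p["esp_auth"] = tsets[w[2]]
        elif w[:2] == ["set", "pfs"]:
            p["pfs_dh"] = DH_GROUPS[w[2].replace("group", "")]
        elif w[:4] == ["set", "security-association", "lifetime", "seconds"]:
            p["esp_life"] = int(w[4])
        elif w[:4] == ["tunnel", "mode", "ipsec", "ipv4"]:
            # A VTI negotiates any/any proxy identities; routing decides what enters it.
            p["selectors"] = (ANY, ANY)
    return p


def seconds(value):
    """Openswan durations: plain seconds or a number with an s/m/h/d suffix."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    return int(m.group(1)) * {"s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2) or "s"]


def openswan_profile(text, conn):
    """Read one conn section of ipsec.conf into the same vocabulary."""
    kv, inside = {}, False
    for s in (line.strip() for line in text.splitlines()):
        if s.startswith("conn "):
            inside = s.split()[1] == conn
        elif inside and "=" in s:
            k, v = (x.strip() for x in s.split("=", 1))
            kv[k] = v
    p = dict(zip(("ike_enc", "ike_hash", "ike_dh"), kv["ike"].split("-")))
    p["esp_enc"], p["esp_auth"] = kv["esp"].split("-")
    p["ike_life"], p["esp_life"] = seconds(kv["ikelifetime"]), seconds(kv["keylife"])
    p["pfs_dh"] = kv["pfsgroup"] if kv.get("pfs", "yes") == "yes" else None  # pfs defaults to yes
    p["selectors"] = (ipaddress.ip_network(kv["leftsubnet"], strict=False),
                      ipaddress.ip_network(kv["rightsubnet"], strict=False))
    return p


def compare(cisco, openswan):
    """Findings for the pair; an empty list means the two sides agree."""
    f = []
    for k in ("ike_enc", "ike_hash", "ike_dh", "ike_life", "esp_enc", "esp_auth", "esp_life", "pfs_dh"):
        if cisco.get(k) != openswan.get(k):
            f.append(f"mismatch {k}: cisco={cisco.get(k)} openswan={openswan.get(k)}")
    for side, p in (("cisco", cisco), ("openswan", openswan)):
        legacy = sorted({v for k, v in p.items() if k != "selectors" and v in LEGACY})
        if legacy:
            f.append(f"legacy algorithms on {side}: {', '.join(legacy)}")
    left, right = openswan["selectors"]
    if left == right:
        f.append(f"openswan leftsubnet and rightsubnet are the same network {left}")
    if set(cisco["selectors"]) != {left, right}:
        cs = cisco["selectors"]
        f.append(f"selector mismatch: cisco VTI proposes {cs[0]}<->{cs[1]}, openswan {left}<->{right}")
    return f


if __name__ == "__main__":
    for finding in compare(cisco_profile(CISCO_CONF), openswan_profile(OPENSWAN_CONF, "tunnelipsec")):
        print(finding)
```

For the posted pair the proposals agree (which matches the observation that phase 1 and phase 2 complete), and the script reports only the legacy 3DES/MD5 choices on both sides, the identical /30 networks, and the any/any selectors the VTI side expects.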