
I'm not so familiar with installing and configuring VPN connections, but I need to link up our web server (CentOS 6) to a Cisco 3945. Here is the information I have from the Cisco device:

VPN Device Tunnel Endpoint IP Address: 91.151.a.b
Host(s):  IP address(es) to be accessed (Public IP address required): 91.151.c.d
Phase 1 & 2 Encryption Type: 3DES/SHA1
VPN scheme: IKE
Phase 1 encryption algorithm: 3DES
Phase 1 hash algorithm: Secure Hash Standard
Phase 1 authentication method: Pre-Shared Key
Phase 1 algorithm: Diffie-Hellman Group 2 (1024 bit)
Phase 1 lifetime: 86400 seconds
Phase 2 perfect forward secrecy (yes/no): No
Phase 2 encryption algorithm: 3DES
Phase 2 hash algorithm: Secure Hash Standard
Phase 2 lifetime: 3600 seconds

I'm trying to find some tutorials but most of them seem to be old and outdated. Could anyone give me straightforward help on what applications I can use and, if possible, some help or hints on commands?

Mahdi

1 Answer


SF isn't really a substitute for google, but one possible way you could go is openswan.

1) Get openswan, the userspace toolchain's in the standard repository, with sudo yum install openswan.

2) Configure your tunnel, perhaps by putting something like this in /etc/ipsec.conf:

conn MYNAME
        # Left endpoint, subnet behind it, next hop toward right
        keyingtries=0
        left=MY-ADDRESS
        leftsubnet=MY-ADDRESS/32
        leftnexthop=MY-NEXT-HOP-ROUTE
        # Right endpoint, subnet behind it, next hop toward left
        right=CISCO-ADDRESS
        rightsubnet=CISCO-ADDRESS/32
        type=tunnel
        authby=secret
        #auth=esp
        keylife=1h
        ikelifetime=1h
        #esp=3des-md5-96
        #pfs=no
        #compress=no
        #keyexchange=ike
        auto=start

This configuration is taken from another CentOS 6 box, linked via IPSec to a CISCO router of some kind, so hopefully it can be fairly easily adapted for your use. You will need to change all the values in CAPITALS. MYNAME is a simple text string that names your tunnel; it's only used locally, for disambiguation; the other values are hopefully self-evident.

3) Put the pre-shared key in /etc/ipsec.secrets, as

MY-ADDRESS CISCO-ADDRESS: PSK "ALongAndVeryRandomString"

Here you need to set all values except "PSK", which is a configuration marker that should remain unchanged. The LongString is a pre-shared random key that the CISCO will need to know as well.

You don't say if you have to configure the CISCO end as well; I'm really hoping you've got someone with network clue to do that bit for you.

Once it's done, bring the tunnel up on the CentOS box with sudo service ipsec start. Find out if it's working with sudo ipsec auto --status|grep MYNAME; you're looking for a non-zero IPSec SA (IPSec SA non-zero is identically equivalent to "tunnel is up").

MadHatter
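The three configuration steps above (conn block, ipsec.secrets line, status check) as one added shell example; this is not the answer's own script and not openswan project code. It renders a conn block that matches the proposal the questioner was given (3DES, SHA1, DH group 2, 86400 s / 3600 s lifetimes, no PFS), writes the files into a directory of your choosing rather than straight into /etc, locks down ipsec.secrets, and counts established IPsec SAs in the text of `ipsec auto --status`. The `ike=`, `phase2alg=`, `ikelifetime=`, `salifetime=` and `pfs=` keywords are the openswan 2.6 spellings assumed for CentOS 6; the 192.0.2.x addresses, next hop, PSK and the sample status lines are constructed placeholders.

```shell
#!/bin/sh
# Added example: build an openswan tunnel definition from the Cisco-side
# parameters and check the resulting tunnel state. Not from the original
# answer; keyword names are assumed openswan 2.6 spellings.
set -u

# render_conn NAME LEFT NEXTHOP RIGHT RIGHTSUBNET
# Prints a conn block for /etc/ipsec.conf (or /etc/ipsec.d/NAME.conf).
render_conn() {
    name=$1; left=$2; nexthop=$3; right=$4; rightsubnet=$5
    cat <<EOF
conn $name
        type=tunnel
        authby=secret
        keyexchange=ike
        # Phase 1: 3DES / SHA1 / Diffie-Hellman group 2, lifetime 86400 s
        ike=3des-sha1;modp1024
        ikelifetime=24h
        # Phase 2: 3DES / SHA1, lifetime 3600 s, no perfect forward secrecy
        phase2alg=3des-sha1
        salifetime=1h
        pfs=no
        # Our side: the web server itself, so a /32, and its default gateway
        left=$left
        leftsubnet=$left/32
        leftnexthop=$nexthop
        # Cisco side: only the Cisco itself unless a remote network is routed
        right=$right
        rightsubnet=$rightsubnet
        keyingtries=0
        auto=start
EOF
}

# render_secret LEFT RIGHT PSK -> one line for /etc/ipsec.secrets
render_secret() {
    printf '%s %s: PSK "%s"\n' "$1" "$2" "$3"
}

# write_tunnel_files DIR NAME LEFT NEXTHOP RIGHT RIGHTSUBNET PSK
# Writes DIR/ipsec.conf and DIR/ipsec.secrets; the secrets file must not be
# world-readable, so it is created 0600 before the key is written.
write_tunnel_files() {
    dir=$1; shift
    render_conn "$1" "$2" "$3" "$4" "$5" > "$dir/ipsec.conf"
    umask 077
    : > "$dir/ipsec.secrets"
    render_secret "$2" "$4" "$6" >> "$dir/ipsec.secrets"
}

# sa_count NAME STATUS_TEXT -> number of established IPsec SAs for NAME
# Pluto reports a finished Phase 2 as STATE_QUICK_I2/R2 "IPsec SA established";
# a non-zero count is the "tunnel is up" condition the answer describes.
sa_count() {
    printf '%s\n' "$2" | grep -F "\"$1\"" | grep -Fc 'IPsec SA established' || true
}

# Constructed sample of `ipsec auto --status` output: one ISAKMP SA, one IPsec SA.
SAMPLE_STATUS='000 #1: "MYNAME":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 85000s; newest ISAKMP
000 #2: "MYNAME":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2800s; newest IPSEC; eroute owner; isakmp#1'

# Stand-alone run: render into a temporary directory and report the SA count.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_tunnel_files "$tmp" MYNAME 192.0.2.10 192.0.2.1 192.0.2.20 192.0.2.20/32 'ALongAndVeryRandomString'
    cat "$tmp/ipsec.conf"
    echo "established IPsec SAs for MYNAME: $(sa_count MYNAME "$SAMPLE_STATUS")"
    rm -rf "$tmp"
fi
```

Run it as `sh tunnel.sh demo` to see the rendered files; on the real host you would copy ipsec.conf into /etc/ipsec.conf (or /etc/ipsec.d/), append the secrets line to /etc/ipsec.secrets, then `service ipsec start` and feed `ipsec auto --status` to `sa_count`.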
  • Thanks, that's a great help indeed. Fortunately I'm not supposed to configure the Cisco device, all I need is to link up our CentOS to it. One more question; I don't have the _Subnet Mask_ for the Cisco device, should I use a default value for that? – Mahdi Feb 01 '13 at 09:57
  • If you're referring to the mask in `rightsubnet`, it isn't a subnet mask, it's an address mask showing the **range** of destination addresses that are to be routed via this tunnel. If you're only talking to the CISCO itself via this tunnel, that's `/32`. If instead you're doing some kind of VPN thing, and routing to an RFC1918 destination network via this CISCO, say, you might use `rightsubnet=172.18.4.0/24`, if that were the remote network. – MadHatter Feb 03 '13 at 09:36
  • With openswan, clients behind the same NAT cannot connect to the server. Can you suggest a way around this, @MadHatter? – john Nov 26 '14 at 18:41