My Strongswan:
- Local IP: 172.30.0.37
- Elastic IP: 19.215.188.2
- OS: Ubuntu

My WAN:
- Consumer-grade broadband Internet
- Public IP: 28.77.250.17 – on my fiber connection
- Local gateway IP: 192.168.1.100
- We need to set up port forwarding of UDP ports 500 and 4500 (IKE and NAT-T) to our router interface 192.168.1.108

My Cisco:
- Cisco 1841
- fa0/1: 192.168.1.108 – connects to the local interface of my WAN router
- fa0/0: 172.16.8.254 – connects to my local switch / PCs
My Strongswan config:
/etc/ipsec.conf

config setup
    # strictcrlpolicy=yes
    # uniqueids = no

conn %default
    ikelifetime=1440m
    keylife=60m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret

conn myremoteoffice
    left=172.30.0.37                      # strongswan outside (local) address
    leftsubnet=172.30.0.0/24,0.0.0.0/0    # network behind strongswan; 0.0.0.0/0 is needed for the remote-breakout option (#note100)
    leftid=19.215.188.2                   # IKE ID sent by strongswan (the Elastic IP the IOS peers with)
    leftfirewall=yes
    right=28.77.250.17                    # IOS outside address (public IP of our WAN)
    rightsubnet=172.16.8.0/24             # network behind IOS
    rightid=192.168.1.108                 # IKE ID sent by IOS (its fa0/1 address behind the WAN router's NAT)
    auto=start
    ike=aes128-sha1-modp1536              # P1: modp1536 = DH group 5
    esp=aes128-sha1                       # P2
/etc/ipsec.secrets

# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
19.215.188.2 28.77.250.17 : PSK "cisco"
# this is the magic: the IOS identifies itself as 192.168.1.108 (rightid), so we need to add 192.168.1.108 here
192.168.1.108 28.77.250.17 : PSK "cisco"
This is my Cisco configuration:
! our router will serve as DHCP server
ip dhcp pool dhcp_pool
 network 172.16.8.0 255.255.255.0
 default-router 172.16.8.254
 dns-server 1.1.1.1
!
ip domain name thao.com
!
! this configuration is for our IPsec
! ISAKMP policy - how IKE phase 1 authenticates and which encryption it uses
crypto isakmp policy 10
 ! we use AES
 encr aes
 ! use a pre-shared key - the key is defined below
 authentication pre-share
 ! DH group 5 = modp1536, matching ike=aes128-sha1-modp1536 on the strongswan side
 group 5
!
! define the pre-shared key (cisco). When IKE sets up a tunnel it checks the remote IP;
! if it matches, the corresponding key is used. In this case, when we connect to
! 19.215.188.2 it will use the key cisco
crypto isakmp key cisco address 19.215.188.2
!
! IPsec transform set - "TS" is our name for it
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! define our remote peer
crypto map cmap 10 ipsec-isakmp
 set peer 19.215.188.2
 ! transform set defined above
 set transform-set TS
 ! traffic goes into IPsec when it matches this ACL (cryptoacl) - defined below
 match address cryptoacl
!
! our local interface
interface FastEthernet0/0
 description LAN
 ip address 172.16.8.254 255.255.255.0
 ! we want to use NAT
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description WAN
 ip address dhcp
 ! nat outside - this is our internet side
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 ! this is for the IPsec: "cmap" is the crypto map we defined above
 crypto map cmap
!
! our NAT statement: "natacl" is the access list that defines what traffic to NAT
ip nat inside source list natacl interface FastEthernet0/1 overload
!
! cryptoacl determines what traffic goes through IPsec
ip access-list extended cryptoacl
 ! all traffic from our local subnet to our remote subnet (strongswan) goes into IPsec
 ! (/24 wildcard so the proxy IDs match rightsubnet/leftsubnet on the strongswan side)
 permit ip 172.16.8.0 0.0.0.255 172.30.0.0 0.0.0.255
 ! note100: this is optional. It means everything goes into IPsec, i.e. all internet
 ! traffic from our local clients goes to our strongswan to reach the internet; there
 ! is no local internet breakout
 permit ip 172.16.8.0 0.0.0.255 any
!
! define what to NAT
ip access-list extended natacl
 ! we don't want the traffic to our remote subnet to be NATed
 deny ip 172.16.8.0 0.0.0.255 172.30.0.0 0.0.0.255
 ! nor the traffic to our remote strongswan public IP
 deny ip 172.16.8.0 0.0.0.255 host 19.215.188.2
 ! note101: this means all internet traffic breaks out locally. It's optional -
 ! remove it if we want all traffic to go through IPsec
 permit ip 172.16.8.0 0.0.0.255 any
!
Note:
In this setup we can decide where the Internet breakout for our clients is:
- via our remote site (strongswan) -> you must have the line at #note100 and remove the line at #note101
- via our local Internet provider -> keep the line at #note101
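The failures in this kind of setup are almost always a disagreement between the two ends: a crypto ACL whose networks are not the rightsubnet/leftsubnet pair strongSwan expects, a NAT ACL that still translates traffic the crypto map should have picked up (IOS applies inside-to-outside NAT before it evaluates the crypto map, which is why #note100 does nothing while #note101 is still present), or a PSK entry that does not list the ID the IOS actually sends. The following script is an added example, not part of the original post or of any strongSwan/Cisco tooling; it cross-checks the three pieces of configuration above. Its inputs are constructed strings copied from the page (in practice they would come from /etc/ipsec.conf, /etc/ipsec.secrets and the router's running config), it only understands `permit ip` / `deny ip` entries, and it treats a NAT ACL entry as decisive for a crypto flow only when it covers that flow entirely.

```python
"""Cross-check the two ends of the tunnel above: strongSwan conn, PSK selectors
and the Cisco crypto/NAT ACLs.  Inputs are constructed strings copied from the
page; in practice read /etc/ipsec.conf, /etc/ipsec.secrets and 'show run'."""
import ipaddress
import re

STRONGSWAN_CONN = """
conn myremoteoffice
    leftsubnet=172.30.0.0/24,0.0.0.0/0   # network behind strongswan
    leftid=19.215.188.2                  # IKE ID sent by strongswan
    rightsubnet=172.16.8.0/24            # network behind IOS
    rightid=192.168.1.108                # IKE ID sent by IOS
"""
IPSEC_SECRETS = """
19.215.188.2 28.77.250.17 : PSK "cisco"
192.168.1.108 28.77.250.17 : PSK "cisco"
"""
# Local internet breakout (#note101 kept): only LAN-to-LAN traffic is encrypted.
CISCO_ACLS_LOCAL_BREAKOUT = """
ip access-list extended cryptoacl
 permit ip 172.16.8.0 0.0.0.255 172.30.0.0 0.0.0.255
ip access-list extended natacl
 deny ip 172.16.8.0 0.0.0.255 172.30.0.0 0.0.0.255
 deny ip 172.16.8.0 0.0.0.255 host 19.215.188.2
 permit ip 172.16.8.0 0.0.0.255 any
"""
# Remote breakout attempted (#note100 added) but #note101 left in place.
CISCO_ACLS_BOTH_NOTES = CISCO_ACLS_LOCAL_BREAKOUT.replace(
    "ip access-list extended natacl",
    " permit ip 172.16.8.0 0.0.0.255 any\nip access-list extended natacl")

def strip_comment(line):
    return line.split("#", 1)[0].strip()

def parse_conn(text):
    """key=value settings of the conn section, comments removed."""
    conf = {}
    for line in map(strip_comment, text.splitlines()):
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def parse_secrets(text):
    """One tuple of ID selectors per PSK entry in ipsec.secrets."""
    return [tuple(line.split(":", 1)[0].split())
            for line in map(strip_comment, text.splitlines()) if ": PSK" in line]

def wildcard_to_prefix(wildcard):
    """IOS inverse masks are contiguous low bits (0.0.0.255 -> /24); reject anything else."""
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return 32 - bits.bit_length()

def ace_network(tokens):
    """Consume one address spec (any | host A | A WILDCARD) -> (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    prefix = wildcard_to_prefix(tokens[1])
    return ipaddress.ip_network(f"{tokens[0]}/{prefix}", strict=False), tokens[2:]

def parse_acls(text):
    """{acl_name: [(action, src_net, dst_net), ...]} for 'permit ip' / 'deny ip' entries."""
    acls, current = {}, None
    for line in map(strip_comment, text.splitlines()):
        header = re.match(r"ip access-list extended (\S+)", line)
        if header:
            current = acls.setdefault(header.group(1), [])
            continue
        tokens = line.split()
        if current is not None and tokens[:2] in (["permit", "ip"], ["deny", "ip"]):
            src, rest = ace_network(tokens[2:])
            dst, _ = ace_network(rest)
            current.append((tokens[0], src, dst))
    return acls

def check_tunnel(conn_text, secrets_text, acl_text):
    """Return findings; an empty list means both ends describe the same tunnel."""
    conn, secrets, acls = parse_conn(conn_text), parse_secrets(secrets_text), parse_acls(acl_text)
    left_subnets = [ipaddress.ip_network(s) for s in conn["leftsubnet"].split(",")]
    right_subnet = ipaddress.ip_network(conn["rightsubnet"])
    crypto_flows = [(s, d) for a, s, d in acls.get("cryptoacl", []) if a == "permit"]
    findings = []
    # 1. IKEv1 quick mode carries the crypto ACL networks as proxy IDs; strongSwan only
    #    accepts them if they form a rightsubnet -> leftsubnet pair of the conn.
    for src, dst in crypto_flows:
        if src != right_subnet or dst not in left_subnets:
            findings.append(f"cryptoacl {src}->{dst} does not match rightsubnet/leftsubnet")
    # 2. IOS translates inside-to-outside NAT before it evaluates the crypto map, so a
    #    natacl permit covering a crypto flow rewrites its source and it never enters the tunnel.
    for src, dst in crypto_flows:
        for action, nat_src, nat_dst in acls.get("natacl", []):
            if src.subnet_of(nat_src) and dst.subnet_of(nat_dst):  # first matching entry wins
                if action == "permit":
                    findings.append(f"natacl NATs {src}->{dst} before the crypto map; add a deny")
                break
    # 3. The IKE ID the IOS sends (rightid) must be a selector of some PSK entry, or
    #    strongSwan cannot find a key for that peer.
    if not any(conn["rightid"] in entry for entry in secrets):
        findings.append(f"no PSK entry in ipsec.secrets lists rightid {conn['rightid']}")
    return findings

if __name__ == "__main__":
    for name, acl in (("local breakout", CISCO_ACLS_LOCAL_BREAKOUT), ("both notes", CISCO_ACLS_BOTH_NOTES)):
        print(name, check_tunnel(STRONGSWAN_CONN, IPSEC_SECRETS, acl) or "OK")
```

Run stand-alone it reports the local-breakout ACLs as consistent and flags the "both notes" variant, where the `permit ip ... any` at #note101 still NATs the traffic that #note100 meant to send through the tunnel. Feeding it the crypto ACL with a `0.0.255.255` wildcard instead of `0.0.0.255` produces a proxy-ID mismatch finding, which is the same mismatch strongSwan would log during quick mode.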