Below is a configuration example for an IPsec tunnel between a SoftLayer Vyatta gateway and a Cisco router.
Topology as below:
Note: The Cisco router sits behind a NAT/WAN device and has no public IP address of its own. The Vyatta therefore cannot know the peer's address in advance, so it accepts IKE from any peer, NAT traversal is enabled, and the Cisco side must bring the tunnel up.
The configuration on the Vyatta end:
set vpn ipsec esp-group ESP-1W compression 'disable'
set vpn ipsec esp-group ESP-1W lifetime '3600'
set vpn ipsec esp-group ESP-1W mode 'tunnel'
set vpn ipsec esp-group ESP-1W pfs 'enable'
set vpn ipsec esp-group ESP-1W proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-1W proposal 1 hash 'md5'
set vpn ipsec ike-group IKE-1W lifetime '14400'
set vpn ipsec ike-group IKE-1W proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-1W proposal 1 encryption '3des'
set vpn ipsec ike-group IKE-1W proposal 1 hash 'md5'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec nat-networks allowed-network '10.1.1.0/24'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer 0.0.0.0 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 0.0.0.0 authentication pre-shared-secret 'sharedsecret'
set vpn ipsec site-to-site peer 0.0.0.0 connection-type 'respond'
set vpn ipsec site-to-site peer 0.0.0.0 default-esp-group 'ESP-1W'
set vpn ipsec site-to-site peer 0.0.0.0 ike-group 'IKE-1W'
set vpn ipsec site-to-site peer 0.0.0.0 local-address '119.81.xx.x'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 local prefix '10.66.24.0/26'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 remote prefix '10.1.1.0/24'
Note: peer 0.0.0.0 means "accept IKE from any address", which is needed because the Cisco router's public (NAT) address is unknown. For the same reason the Vyatta cannot initiate to this peer, so connection-type is 'respond' and the Cisco side starts the negotiation. 'pfs enable' reuses the IKE DH group (group 2 here), which is what 'set pfs group2' on the Cisco matches. Replace 'sharedsecret' with a long random key; 3DES, MD5 and DH group 2 are shown because they are what was tested here, but AES, SHA-2 and a stronger DH group should be preferred where both ends support them.
The configuration on the Cisco router:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 14400
crypto isakmp key sharedsecret address 119.81.xx.x
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP local-address FastEthernet0/0
crypto map CMAP 10 ipsec-isakmp
 set peer 119.81.xx.x
 set transform-set TS
 set pfs group2
 match address VPN
!
!
interface FastEthernet0/0
 ip address 10.1.1.8 255.255.255.0
 duplex auto
 speed auto
 crypto map CMAP
!
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
ip access-list extended VPN
 permit ip 10.1.1.0 0.0.0.255 10.66.24.0 0.0.0.63
Note: the access list is the mirror image of the Vyatta tunnel: its source (10.1.1.0/24) is the Vyatta remote prefix and its destination (10.66.24.0/26, wildcard 0.0.0.63) is the Vyatta local prefix. No IPsec SA lifetime is configured, so the IOS default of 3600 seconds applies and matches the Vyatta esp-group lifetime. The ip http server line is unrelated to the VPN and exposes plaintext management on the router; disable it (no ip http server) unless it is needed.
Note: a Cisco IPsec tunnel interface (VTI, tunnel mode ipsec ipv4) is not really compatible with Vyatta's IPsec. The VTI proposes any-to-any (0.0.0.0/0) traffic selectors, while the Vyatta configuration above negotiates the explicit local/remote prefixes, so the phase 2 proposals do not match; that is why a crypto map with an access list is used on the Cisco side.
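Most failures with this kind of setup are a proposal mismatch (IKE or ESP algorithm, DH group, PFS) or traffic selectors that are not mirror images of each other. As an added example, not part of the original post or of either vendor's tooling, the script below parses both listings above and diffs the negotiated parameters. The two configuration strings are constructed from this page with plain quotes; the WEAK list and the 3600-second IOS default phase 2 lifetime are my own assumptions, and the parser only covers the single-policy, single-transform-set shape shown here.

```python
import ipaddress
import re

# Constructed sample input: the page's two listings reduced to the lines that take part in negotiation.
VYATTA_CONFIG = """
set vpn ipsec esp-group ESP-1W lifetime '3600'
set vpn ipsec esp-group ESP-1W pfs 'enable'
set vpn ipsec esp-group ESP-1W proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-1W proposal 1 hash 'md5'
set vpn ipsec ike-group IKE-1W lifetime '14400'
set vpn ipsec ike-group IKE-1W proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-1W proposal 1 encryption '3des'
set vpn ipsec ike-group IKE-1W proposal 1 hash 'md5'
set vpn ipsec site-to-site peer 0.0.0.0 local-address '119.81.xx.x'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 local prefix '10.66.24.0/26'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 remote prefix '10.1.1.0/24'
"""
CISCO_CONFIG = """
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
 lifetime 14400
crypto ipsec transform-set TS esp-3des esp-md5-hmac
 set peer 119.81.xx.x
 set pfs group2
 match address VPN
ip access-list extended VPN
 permit ip 10.1.1.0 0.0.0.255 10.66.24.0 0.0.0.63
"""
WEAK = {"des", "3des", "md5", "sha1", "1", "2", "5"}  # still accepted by both ends, deprecated (assumed list)

def norm(value):
    """One vocabulary for both vendors: esp-3des->3des, esp-sha-hmac->sha1, 'aes 256'->aes256, group2->2."""
    v = value.lower().replace("esp-", "").replace("-hmac", "").replace("group", "")
    v = v.replace(" ", "")
    return {"sha": "sha1", "aes": "aes128"}.get(v, v)

def parse_vyatta(text):
    """Flatten "set vpn ipsec <path> '<value>'" lines into {path: value}."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"set vpn ipsec (.+?) '([^']*)'\s*$", line.strip())
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def vyatta_side(cfg):
    """Negotiated parameters, keyed vendor-neutrally so the two sides can be diffed."""
    def first(pattern):
        return next(v for p, v in cfg.items() if re.search(pattern, p))
    pfs, dh = first(r"esp-group \S+ pfs"), norm(first(r"ike-group \S+ proposal 1 dh-group"))
    return {
        "ike_enc": norm(first(r"ike-group \S+ proposal 1 encryption")),
        "ike_hash": norm(first(r"ike-group \S+ proposal 1 hash")),
        "dh_group": dh,
        "ike_life": int(first(r"ike-group \S+ lifetime")),
        "esp_enc": norm(first(r"esp-group \S+ proposal 1 encryption")),
        "esp_hash": norm(first(r"esp-group \S+ proposal 1 hash")),
        "esp_life": int(first(r"esp-group \S+ lifetime")),
        # 'pfs enable' reuses the IKE DH group; 'dh-groupN' names one explicitly.
        "pfs": dh if pfs == "enable" else (None if pfs == "disable" else pfs.replace("dh-group", "")),
        "vyatta_addr": first(r"peer \S+ local-address"),
        "vyatta_net": ipaddress.ip_network(first(r"tunnel \d+ local prefix")),
        "cisco_net": ipaddress.ip_network(first(r"tunnel \d+ remote prefix")),
    }

def cisco_side(text):
    """The same parameters from an IOS crypto map configuration."""
    def grab(pattern, default=None):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1).strip() if m else default
    transforms = grab(r"^crypto ipsec transform-set \S+ (.+)$").split()
    auth = [t for t in transforms if "hmac" in t]
    acl = grab(r"^\s*match address (\S+)")
    src, src_wc, dst, dst_wc = grab(rf"^ip access-list extended {acl}\n\s*permit ip (.+)$").split()
    return {
        "ike_enc": norm(grab(r"^\s*encr (.+)$")),
        "ike_hash": norm(grab(r"^\s*hash (\S+)")),
        "dh_group": norm(grab(r"^\s*group (\d+)")),
        "ike_life": int(grab(r"^\s*lifetime (\d+)")),
        "esp_enc": norm(" ".join(t for t in transforms if "hmac" not in t)),
        "esp_hash": norm(auth[0]) if auth else None,
        # IOS uses 3600 s for phase 2 when no lifetime is configured (assumed default).
        "esp_life": int(grab(r"^crypto ipsec security-association lifetime seconds (\d+)", "3600")),
        "pfs": norm(grab(r"^\s*set pfs (\S+)", "")) or None,
        "vyatta_addr": grab(r"^\s*set peer (\S+)"),
        # The ACL wildcard is an inverse mask, which ipaddress accepts as a hostmask.
        "cisco_net": ipaddress.ip_network(f"{src}/{src_wc}"),
        "vyatta_net": ipaddress.ip_network(f"{dst}/{dst_wc}"),
    }

def compare(vy, cs):
    """Keys on which the two sides differ; an empty list means they line up."""
    return [f"{k}: vyatta={vy[k]} cisco={cs[k]}" for k in vy if vy[k] != cs[k]]

def weak_algorithms(side):
    """Negotiated algorithms that are on the deprecated list."""
    keys = ("ike_enc", "ike_hash", "dh_group", "esp_enc", "esp_hash")
    return sorted({side[k] for k in keys if side[k] in WEAK})
```

Run compare(vyatta_side(parse_vyatta(VYATTA_CONFIG)), cisco_side(CISCO_CONFIG)) against your own exports before debugging on the devices: for the listings on this page it returns an empty list, while weak_algorithms() still reports 3des, md5 and DH group 2, which is the hardening change to make once the tunnel is confirmed working.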