Configuring IPsec between SoftLayer Vyatta and Cisco Router

Below is a configuration example of an IPsec site-to-site tunnel between a SoftLayer Vyatta gateway and a Cisco router.

Topology: [diagram not reproduced in this copy; the original image alt text reads "vyatta"]

Note: The Cisco router sits behind a WAN (NAT) device and has no public IP of its own, which is why the Vyatta side uses peer 0.0.0.0 and enables NAT traversal.

The configuration on Vyatta end:

set vpn ipsec esp-group ESP-1W compression 'disable'
set vpn ipsec esp-group ESP-1W lifetime '3600'
set vpn ipsec esp-group ESP-1W mode 'tunnel'
set vpn ipsec esp-group ESP-1W pfs 'enable'
set vpn ipsec esp-group ESP-1W proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-1W proposal 1 hash 'md5'
set vpn ipsec ike-group IKE-1W lifetime '14400'
set vpn ipsec ike-group IKE-1W proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-1W proposal 1 encryption '3des'
set vpn ipsec ike-group IKE-1W proposal 1 hash 'md5'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec nat-networks allowed-network '10.1.1.0/24'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer 0.0.0.0 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 0.0.0.0 authentication pre-shared-secret 'sharedsecret'
set vpn ipsec site-to-site peer 0.0.0.0 connection-type 'initiate'
set vpn ipsec site-to-site peer 0.0.0.0 default-esp-group 'ESP-1W'
set vpn ipsec site-to-site peer 0.0.0.0 ike-group 'IKE-1W'
set vpn ipsec site-to-site peer 0.0.0.0 local-address '119.81.xx.x'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 allow-nat-networks 'disable'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 allow-public-networks 'disable'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 local prefix '10.66.24.0/26'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 remote prefix '10.1.1.0/24'

The configuration on the Cisco router:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 14400
crypto isakmp key sharedsecret address 119.81.xx.x
!
!
crypto ipsec transform-set TS esp-3des esp-md5-hmac
!
crypto map CMAP local-address FastEthernet0/0
crypto map CMAP 10 ipsec-isakmp
 set peer 119.81.xx.x
 set transform-set TS
 set pfs group2
 match address VPN
!
!
interface FastEthernet0/0
 ip address 10.1.1.8 255.255.255.0
 duplex auto
 speed auto
 crypto map CMAP
!
ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.1.1.1
!
ip access-list extended VPN
 permit ip 10.1.1.0 0.0.0.255 10.66.24.0 0.0.0.63

Note: The Cisco IPsec tunnel interface is not really compatible with Vyatta's policy-based IPsec, which is why this example applies a crypto map to the physical interface instead.
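As an added example (not code from the original post, nor from Vyatta or Cisco), the script below parses both halves of the configuration above and checks that the IKE and ESP proposals, the PFS group and the traffic selectors agree, which is where most "tunnel will not come up" problems between two vendors originate. It also lists which parameters are set to algorithms that current guidance treats as deprecated (3DES, MD5 and DH group 2, as used on both ends here). The embedded sample configurations are constructed from the two configs on this page; the keyword-mapping tables, the deprecated-algorithm list and the assumption of contiguous ACL wildcard masks are the author's own simplifications.

```python
import ipaddress
import re

# Constructed sample input: the page's two configurations, reduced to the lines the check reads.
VYATTA_CONFIG = """
set vpn ipsec esp-group ESP-1W pfs 'enable'
set vpn ipsec esp-group ESP-1W proposal 1 encryption '3des'
set vpn ipsec esp-group ESP-1W proposal 1 hash 'md5'
set vpn ipsec ike-group IKE-1W lifetime '14400'
set vpn ipsec ike-group IKE-1W proposal 1 dh-group '2'
set vpn ipsec ike-group IKE-1W proposal 1 encryption '3des'
set vpn ipsec ike-group IKE-1W proposal 1 hash 'md5'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 local prefix '10.66.24.0/26'
set vpn ipsec site-to-site peer 0.0.0.0 tunnel 1 remote prefix '10.1.1.0/24'
"""
CISCO_CONFIG = """
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
 lifetime 14400
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto map CMAP 10 ipsec-isakmp
 set pfs group2
 match address VPN
ip access-list extended VPN
 permit ip 10.1.1.0 0.0.0.255 10.66.24.0 0.0.0.63
"""
# Cisco keywords normalised to the names Vyatta uses (assumed subset); unlisted keywords pass through.
CISCO_ENC = {"3des": "3des", "aes": "aes128", "aes 256": "aes256"}
CISCO_HASH = {"md5": "md5", "sha": "sha1", "sha256": "sha256"}
CISCO_ESP_ENC = {"esp-3des": "3des", "esp-aes": "aes128", "esp-aes 256": "aes256"}
CISCO_ESP_HASH = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256"}
ISAKMP = {"encr": ("ike_enc", CISCO_ENC), "hash": ("ike_hash", CISCO_HASH),
          "group": ("ike_dh", {}), "lifetime": ("ike_lifetime", {})}
# Where each parameter lives in the Vyatta config tree (group and peer names are wildcarded).
VY_PATHS = {"ike_enc": r"ike-group \S+ proposal \d+ encryption", "ike_hash": r"ike-group \S+ proposal \d+ hash",
            "ike_dh": r"ike-group \S+ proposal \d+ dh-group", "ike_lifetime": r"ike-group \S+ lifetime",
            "esp_enc": r"esp-group \S+ proposal \d+ encryption", "esp_hash": r"esp-group \S+ proposal \d+ hash",
            "pfs": r"esp-group \S+ pfs", "local": r"site-to-site peer \S+ tunnel \d+ local prefix",
            "remote": r"site-to-site peer \S+ tunnel \d+ remote prefix"}
# Algorithm choices that current guidance treats as deprecated (author's list); both ends on this page use them.
WEAK = {"ike_enc": {"des", "3des"}, "ike_hash": {"md5", "sha1"}, "ike_dh": {"1", "2", "5"},
        "esp_enc": {"des", "3des"}, "esp_hash": {"md5", "sha1"}}

def parse_vyatta(text):
    """Pull IKE/ESP parameters and traffic selectors out of Vyatta 'set vpn ipsec' lines."""
    leaves = dict(re.findall(r"^set vpn ipsec (.+?) '([^']*)'$", text, re.M))
    cfg = {k: next((v for p, v in leaves.items() if re.fullmatch(pat, p)), None) for k, pat in VY_PATHS.items()}
    pfs = cfg["pfs"] or ""  # 'enable' reuses the IKE DH group, 'dh-groupN' names one, anything else is no PFS
    cfg["pfs"] = cfg["ike_dh"] if pfs == "enable" else (pfs[len("dh-group"):] if pfs.startswith("dh-group") else None)
    cfg["local"], cfg["remote"] = ipaddress.ip_network(cfg["local"]), ipaddress.ip_network(cfg["remote"])
    return cfg

def wildcard_to_network(addr, wildcard):
    """Cisco ACL wildcard bits are host bits: 0.0.0.63 -> /26 (contiguous wildcards assumed)."""
    return ipaddress.ip_network(f"{addr}/{32 - int(ipaddress.IPv4Address(wildcard)).bit_length()}")

def parse_cisco(text):
    """Pull the same parameters out of a Cisco IOS crypto configuration."""
    cfg, acls, section = {"pfs": None}, {}, ""
    for raw in text.splitlines():
        w = raw.split()
        if not w or w[0] == "!":
            continue
        if not raw.startswith(" "):  # an unindented command opens a new section
            section = raw.strip()
            if section.startswith("crypto ipsec transform-set"):
                cfg["esp_enc"] = CISCO_ESP_ENC.get(" ".join(t for t in w[4:] if t not in CISCO_ESP_HASH))
                cfg["esp_hash"] = next((CISCO_ESP_HASH[t] for t in w[4:] if t in CISCO_ESP_HASH), None)
            continue
        if section.startswith("crypto isakmp policy") and w[0] in ISAKMP:
            key, names = ISAKMP[w[0]]
            cfg[key] = names.get(" ".join(w[1:]), " ".join(w[1:]))
        elif section.startswith("crypto map") and w[:2] == ["set", "pfs"]:
            cfg["pfs"] = w[2].replace("group", "")  # 'group2' -> '2'
        elif section.startswith("crypto map") and w[:2] == ["match", "address"]:
            cfg["acl"] = w[2]
        elif section.startswith("ip access-list") and w[:2] == ["permit", "ip"]:
            acls.setdefault(section, []).append((wildcard_to_network(w[2], w[3]), wildcard_to_network(w[4], w[5])))
    cfg["local"], cfg["remote"] = acls["ip access-list extended " + cfg["acl"]][0]  # first ACE: src is Cisco-local
    return cfg

def compare(vy, cisco):
    """Return the mismatches between the two ends; an empty list means the proposals line up."""
    keys = ("ike_enc", "ike_hash", "ike_dh", "ike_lifetime", "esp_enc", "esp_hash", "pfs")
    problems = [f"{k}: vyatta={vy[k]} cisco={cisco[k]}" for k in keys if vy[k] != cisco[k]]
    # Selectors must mirror each other: Vyatta's local prefix is the Cisco ACL destination and vice versa.
    if vy["local"] != cisco["remote"] or vy["remote"] != cisco["local"]:
        problems.append(f"selectors: vyatta {vy['local']}->{vy['remote']}, cisco {cisco['local']}->{cisco['remote']}")
    return problems

def weak_algorithms(params):
    """Names of the parameters whose value is on the deprecated list."""
    return sorted(k for k, bad in WEAK.items() if params.get(k) in bad)

if __name__ == "__main__":
    vy, cisco = parse_vyatta(VYATTA_CONFIG), parse_cisco(CISCO_CONFIG)
    print("mismatches:", compare(vy, cisco) or "none", "| deprecated:", weak_algorithms(vy))
```

Run as-is it reports no mismatches for the page's two configs and flags all five algorithm parameters as deprecated; changing the Cisco `group 2` to `group 5`, or widening the ACL wildcard so the Cisco destination no longer equals the Vyatta local prefix, produces a one-line mismatch instead. Note that the Cisco side relies on the default IPsec SA lifetime, so the Vyatta `esp-group lifetime '3600'` has no counterpart on the page and is not compared.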
