BIP KB:
How To Build A IPSEC VPN between A Debian Server And A Cisco Router

This tutorial will show you how to connect more then one VPS server and also one or more physical servers to a IPSEC VPN (Virtual Private Network). There is a lot of instructions available on the web showing you how to build your own VPN on OpenSWAN, but it's marked as deprecated so the new recommended method is to use StrongSWAN instead. Using StrongSWAN has a slightly different configuration as describer below.

 

Let's assume, that you have a Cisco router at your office with a LAN (local area network) that has a rang of 192.168.1.0/24 and with a IP address of 5.5.5.5 on a external interface and a remote VPS with a IP address on interface 6.6.6.6. You would also like to have secure access from 6.6.6.6 to your local LAN and vice versa.

We can use shared key authentication, but you can also use authentication with certificates.

Debian Jessy strongswan configuration

apt-get install strongswan

Make configuration file /etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

version 2
config setup
	strictcrlpolicy=no
	charonstart=yes
	plutostart=yes

# Add connections here.
conn %default
	ikelifetime=1440m
	keylife=60m
	rekeymargin=3m
	keyingtries=1
	keyexchange=ikev1
	authby=secret

conn JOB
	left=6.6.6.6             #strongswan outside address
	leftid=6.6.6.6             #IKEID sent by strongswan
	leftsubnet=6.6.6.6/32      #network behind strongswan
	leftfirewall=yes
	right=5.5.5.5              #CISCO outside address
	rightsubnet=192.168.1.0/24 #network behind CISCO
	rightid=5.5.5.5            #IKEID sent by IOS
	ike=aes256-sha1-modp1024   #P1: modp1024 = DH group 2
	esp=aes256-sha1            #P2
	auto=start

Next add to the configuration file /etc/ipsec.secrets your shared secret string.

6.6.6.6 5.5.5.5 : PSK "some-text-like-long-long-password"

After changing the configuration we need to restart strongswan ipsec:

service ipsec restart

Cisco Router configuration for IPSEC

In this how to we will assume that you have already configured a worked Cisco router with IP address 5.5.5.5 on external interface Gigabit Ethernet and 192.168.1.1 on internal interface.

!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key some-text-like-long-long-password address 6.6.6.6 no-xauth
!
crypto ipsec transform-set ESP-AES-256 esp-aes 256 esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 local-address GigabitEthernet0/0
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description IPSEC_to_VPS_server
 set peer 6.6.6.6
 set transform-set ESP-AES-256
 match address 101
!
interface GigabitEthernet0/0
 description WAN External Interface
 ip address 5.5.5.5 255.255.255.0
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast reverse-path
!
interface GigabitEthernet0/1
 description LAN internal interface
 ip address 192.168.1.1 255.255.255.0
 no ip unreachables
 ip nat inside
 ip virtual-reassembly in
!
ip access-list extended NAT
 deny   ip 192.168.1.0 0.0.0.255 host 6.6.6.6
 permit ip 192.168.1.0 0.0.0.255 any
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 6.6.6.6
!
route-map SDM_RMAP_1 permit 1
 match ip address NAT
!

Check If Everything Is Working Properly

root@vps:~# ipsec status
Security Associations (1 up, 0 connecting):
         JOB[53]: ESTABLISHED 6 hours ago, 6.6.6.6[6.6.6.6]...5.5.5.5[5.5.5.5]
         JOB{8}:  INSTALLED, TUNNEL, ESP SPIs: c977846e_i c87d8822_o
         JOB{8}:   6.6.6.6/32 === 192.168.1.0/24

root@vps:~# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=255 time=51.9 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=255 time=52.2 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=255 time=51.7 ms
^C
--- 192.168.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 51.773/51.968/52.209/0.259 ms

As you can see, It's all working and you how have a secured connection between your local lan and remote VPS.

If you have any questions simply add your comments below and I will be happy to answer them.

Tags: debian, Cisco, Configuring Site to Site IPSec VPN Tunnel Between Cisco Routers, How To Build A IPSEC VPN, How to create your own private VPN, IPSEC, openswan ipsec configuration, Router, VPN

Leave a Reply