BIP KB:
How To Build A IPSEC VPN between A Debian Server And A Cisco Router
Article By tapish01 Ranjan
This tutorial shows how to connect one or more VPS servers, and also one or more physical servers, to an IPsec VPN (Virtual Private Network). There are many instructions on the web for building your own VPN with Openswan, but Openswan is marked as deprecated, so the recommended method now is strongSwan. strongSwan's configuration differs slightly, as described below.
Let's assume that you have a Cisco router at your office with a LAN (local area network) in the range 192.168.1.0/24 and the IP address 5.5.5.5 on its external interface, and a remote VPS with the IP address 6.6.6.6 on its interface. You would like secure access from 6.6.6.6 to your local LAN and vice versa.
This how-to uses pre-shared key authentication, but certificate authentication works as well.
Debian Jessie strongSwan configuration
apt-get install strongswan
Create the configuration file /etc/ipsec.conf:
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
version 2

config setup
        strictcrlpolicy=no
        charonstart=yes             # ignored by strongSwan 5.x (charon is always started)
        plutostart=yes              # ignored by strongSwan 5.x (pluto was removed)

# Add connections here.
conn %default
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret

conn JOB
        left=6.6.6.6                #strongswan outside address
        leftid=6.6.6.6              #IKEID sent by strongswan
        leftsubnet=6.6.6.6/32       #network behind strongswan
        leftfirewall=yes
        right=5.5.5.5               #CISCO outside address
        rightsubnet=192.168.1.0/24  #network behind CISCO
        rightid=5.5.5.5             #IKEID sent by IOS
        ike=aes256-sha1-modp1024    #P1: modp1024 = DH group 2
        esp=aes256-sha1             #P2
        auto=start
Next, add your shared secret string to the file /etc/ipsec.secrets:
6.6.6.6 5.5.5.5 : PSK "some-text-like-long-long-password"
After changing the configuration, restart the strongSwan ipsec service:
service ipsec restart
Cisco Router configuration for IPSEC
In this how-to we assume that you already have a working Cisco router with the IP address 5.5.5.5 on its external Gigabit Ethernet interface and 192.168.1.1 on its internal interface.
!
! Phase 1: hash defaults to sha (SHA-1) and lifetime to 86400 s, matching
! ike=aes256-sha1-modp1024 and ikelifetime=1440m on the strongSwan side
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key some-text-like-long-long-password address 6.6.6.6 no-xauth
!
! Phase 2: matches esp=aes256-sha1
crypto ipsec transform-set ESP-AES-256 esp-aes 256 esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map SDM_CMAP_1 local-address GigabitEthernet0/0
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description IPSEC_to_VPS_server
 set peer 6.6.6.6
 set transform-set ESP-AES-256
 match address 101
!
interface GigabitEthernet0/0
 description WAN External Interface
 ip address 5.5.5.5 255.255.255.0
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 ! bind the crypto map to the WAN interface (missing from the original
 ! listing; without it the router never negotiates the tunnel)
 crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
 description LAN internal interface
 ip address 192.168.1.1 255.255.255.0
 no ip unreachables
 ip nat inside
 ip virtual-reassembly in
!
! NAT exemption: traffic for the VPS must not be translated, or it never
! matches the crypto ACL
ip access-list extended NAT
 deny   ip 192.168.1.0 0.0.0.255 host 6.6.6.6
 permit ip 192.168.1.0 0.0.0.255 any
!
! crypto ACL: interesting traffic for the tunnel
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 6.6.6.6
!
route-map SDM_RMAP_1 permit 1
 match ip address NAT
!
! assumed: the existing NAT overload statement must reference the route-map
! above, otherwise the exemption has no effect; adjust to your router's NAT setup
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
!
Check If Everything Is Working Properly
root@vps:~# ipsec status
Security Associations (1 up, 0 connecting):
         JOB[53]: ESTABLISHED 6 hours ago, 6.6.6.6[6.6.6.6]...5.5.5.5[5.5.5.5]
         JOB{8}:  INSTALLED, TUNNEL, ESP SPIs: c977846e_i c87d8822_o
         JOB{8}:   6.6.6.6/32 === 192.168.1.0/24
root@vps:~# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=255 time=51.9 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=255 time=52.2 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=255 time=51.7 ms
^C
--- 192.168.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 51.773/51.968/52.209/0.259 ms
As you can see, it's all working and you now have a secured connection between your local LAN and the remote VPS.
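One way to turn the manual `ipsec status` check above into a script you can run from cron or a monitoring agent (an added example, not code from the original article): it parses strongSwan 5.x status lines for the connection name, peers and traffic selectors used in this tutorial, and only reports the tunnel healthy when the IKE SA is ESTABLISHED between the expected peers and a CHILD SA is INSTALLED in TUNNEL mode for 6.6.6.6/32 === 192.168.1.0/24, so a tunnel that came up with the wrong subnets is flagged. The sample output is the tutorial's own, embedded here so the script runs offline; in practice you would feed it the output of `ipsec status`.

```python
import re

# Constructed sample: the `ipsec status` output shown in this tutorial,
# embedded so the check runs offline.
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
         JOB[53]: ESTABLISHED 6 hours ago, 6.6.6.6[6.6.6.6]...5.5.5.5[5.5.5.5]
         JOB{8}:  INSTALLED, TUNNEL, ESP SPIs: c977846e_i c87d8822_o
         JOB{8}:   6.6.6.6/32 === 192.168.1.0/24
"""

# IKE SA line: "<conn>[<id>]: <STATE> ..., <local>[<id>]...<remote>[<id>]"
IKE_RE = re.compile(r"^\s*(?P<name>\w+)\[\d+\]:\s+(?P<state>\w+).*?"
                    r"(?P<local>[\d.]+)\[[^\]]*\]\.\.\.(?P<remote>[\d.]+)\[")
# CHILD SA line: "<conn>{<id>}: <STATE>, <MODE>, ESP SPIs: ..."
CHILD_RE = re.compile(r"^\s*(?P<name>\w+)\{\d+\}:\s+(?P<state>\w+),\s+(?P<mode>\w+),\s+ESP")
# Traffic selector line: "<conn>{<id>}: <left> === <right>"
TS_RE = re.compile(r"^\s*(?P<name>\w+)\{\d+\}:\s+(?P<left>[\d./]+)\s+===\s+(?P<right>[\d./]+)")


def parse_status(text):
    """Parse `ipsec status` output into {conn: {ike_state, local, remote, children}}."""
    conns = {}
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            c = conns.setdefault(m["name"], {"children": []})
            c.update(ike_state=m["state"], local=m["local"], remote=m["remote"])
            continue
        m = CHILD_RE.match(line)
        if m:
            conns.setdefault(m["name"], {"children": []})["children"].append(
                {"state": m["state"], "mode": m["mode"]})
            continue
        m = TS_RE.match(line)
        if m and conns.get(m["name"], {}).get("children"):
            # selectors belong to the CHILD SA printed just before them
            conns[m["name"]]["children"][-1]["selectors"] = (m["left"], m["right"])
    return conns


def tunnel_healthy(conns, name, local, remote, left_ts, right_ts):
    """True only if the IKE SA is ESTABLISHED between the expected peers and a
    CHILD SA is INSTALLED in TUNNEL mode with exactly the expected selectors."""
    c = conns.get(name)
    if not c or c.get("ike_state") != "ESTABLISHED":
        return False
    if (c.get("local"), c.get("remote")) != (local, remote):
        return False
    return any(ch["state"] == "INSTALLED" and ch["mode"] == "TUNNEL"
               and ch.get("selectors") == (left_ts, right_ts)
               for ch in c["children"])
```

A non-zero exit from `tunnel_healthy(parse_status(subprocess.check_output(["ipsec", "status"], text=True)), ...)` is what you would alert on; the function deliberately stays silent about SPIs and uptime, which change on every rekey.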
If you have any questions simply add your comments below and I will be happy to answer them.
Tags: debian, Cisco, Configuring Site to Site IPSec VPN Tunnel Between Cisco Routers, How To Build A IPSEC VPN, How to create your own private VPN, IPSEC, openswan ipsec configuration, Router, VPN
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.