Tunnel configuration: Cisco IOS / Strongswan (FreeBSD)
Alexander "ripp" Kinscher
Sat Mar 28 22:17:38 CEST 2020

Cryptomap

IOS:
# crypto map foo 1 ipsec-isakmp
# set peer $IPSEC_ENDPOINT$
# set transform-set tester
# match address 120
# !
#
# interface FastEthernet0/0
# crypto map foo
# !
# access-list 120 permit ip host 192.0.2.9 any

Strongswan (FreeBSD): /usr/local/etc/ipsec.conf
# conn cisco-policy
# reqid=1
# --snip--
# type=tunnel
# --snip--
# leftsubnet=0.0.0.0/0
# installpolicy=yes
# --snip--
# rightsubnet=192.0.2.9/32
# --snip--
# auto=add

IPSec SVTI IPv4 or IPv6 over IPv4 (Route-based, Proxy-ID 0.0.0.0/0 0.0.0.0/0)

IOS:
# crypto ipsec profile tunnel0
# set transform-set tester
# !
#
# interface Tunnel0
# ip address 192.0.2.9 255.255.255.252
# ip mtu 1400
# tunnel source XYZ
# tunnel mode ipsec ipv4
# tunnel destination $IPSEC_ENDPOINT$
# tunnel protection ipsec profile tunnel0
# end

HINT: For IPv6 over IPv4 transport do the following (IPv4 over IPv6 transport works as well). Dual-stack is NOT supported on SVTI by IOS; see the GRE section!
# ipv6 address 2001:DB8:1::10/127
# ipv6 enable
# ipv6 mtu 1400
# tunnel mode ipsec ipv4 v6-overlay

Strongswan (FreeBSD): /usr/local/etc/ipsec.conf
# conn cisco-svti4
# reqid=1
# --snip--
# type=tunnel
# --snip--
# leftsubnet=0.0.0.0/0
# installpolicy=no
# leftupdown="/usr/local/etc/ipsec.vti.sh ipsec0 1400 192.0.2.10 192.0.2.9 255.255.255.252"
# --snip--
# rightsubnet=0.0.0.0/0
# --snip--
# auto=add

HINT: For IPv6 over IPv4 transport do the following
# conn cisco-svti6
# reqid=1
# --snip--
# type=tunnel
# --snip--
# leftsubnet=::/0
# installpolicy=no
# leftupdown="/usr/local/etc/ipsec.vti.sh ipsec0 1400 2001:DB8:1::11 2001:DB8:1::10"
# --snip--
# rightsubnet=::/0
# --snip--
# auto=add

/usr/local/etc/ipsec.vti.sh
# #!/bin/sh
# set -o nounset
# set -o errexit
#
# VTI_IF="$1"
# VTI_IF_MTU="$2"
#
# case "${PLUTO_VERB}" in
# up-client|up-client-v6)
# /sbin/ifconfig "${VTI_IF}" create reqid "${PLUTO_REQID%%/*}"
# /sbin/ifconfig "${VTI_IF}" inet tunnel "${PLUTO_ME}" "${PLUTO_PEER}" mtu "${VTI_IF_MTU}" up
# if [ "${PLUTO_VERB}" == up-client ]; then
# /sbin/ifconfig "${VTI_IF}" inet "$3" "$4" netmask "$5"
# fi
# if [ "${PLUTO_VERB}" == up-client-v6 ]; then
# /sbin/ifconfig "${VTI_IF}" inet6 add "$3" "$4" prefixlen 128
# fi
# ;;
# down-client|down-client-v6)
# /sbin/ifconfig "${VTI_IF}" down
# /sbin/ifconfig "${VTI_IF}" destroy
# ;;
# esac

IPSec GRE/IPSEC (GRE over IPSEC Transport)

IOS:
# crypto ipsec profile tunnel0
# set transform-set tester-transport
# !
#
# interface Tunnel0
# ip address 192.0.2.9 255.255.255.252
# ip mtu 1400
# ipv6 address 2001:DB8:1::10/127
# ipv6 enable
# ipv6 mtu 1400
# tunnel source XYZ
# tunnel mode gre ip
# tunnel destination $IPSEC_ENDPOINT$
# tunnel protection ipsec profile tunnel0
# end

Strongswan (FreeBSD): /usr/local/etc/ipsec.conf
# conn cisco-gre
# reqid=1
# --snip--
# type=transport
# --snip--
# leftprotoport=gre
# installpolicy=yes
# leftupdown="/usr/local/etc/ipsec.gre.sh gre0 1400 192.0.2.10 192.0.2.9 255.255.255.252 2001:db8:1::11 2001:db8:1::10"
# --snip--
# rightprotoport=gre
# --snip--
# auto=add

/usr/local/etc/ipsec.gre.sh
# #!/bin/sh
# set -o nounset
# set -o errexit
#
# GRE_IF="$1"
# GRE_IF_MTU="$2"
#
# case "${PLUTO_VERB}" in
# up-host)
# /sbin/ifconfig "${GRE_IF}" create
# /sbin/ifconfig "${GRE_IF}" inet tunnel "${PLUTO_ME}" "${PLUTO_PEER}" mtu "${GRE_IF_MTU}" up
# /sbin/ifconfig "${GRE_IF}" inet "$3" "$4" netmask "$5"
# /sbin/ifconfig "${GRE_IF}" inet6 add "$6" "$7" prefixlen 128
# ;;
# down-host)
# /sbin/ifconfig "${GRE_IF}" down
# /sbin/ifconfig "${GRE_IF}" destroy
# ;;
# esac

IPSec GIF/IPSEC (IP over IPSEC Transport)

IOS:
# crypto ipsec profile tunnel0
# set transform-set tester-transport
# !
#
# interface Tunnel0
# ip address 192.0.2.9 255.255.255.252
# ip mtu 1400
# tunnel source XYZ
# tunnel mode ipip
# tunnel destination $IPSEC_ENDPOINT$
# tunnel protection ipsec profile tunnel0
# end

Strongswan (FreeBSD): /usr/local/etc/ipsec.conf
# conn cisco-gif
# reqid=1
# --snip--
# type=transport
# --snip--
# leftprotoport=ipencap
# installpolicy=yes
# leftupdown="/usr/local/etc/ipsec.gif.sh gif0 1400 192.0.2.10 192.0.2.9 255.255.255.252"
# --snip--
# rightprotoport=ipencap
# --snip--
# auto=add

/usr/local/etc/ipsec.gif.sh
# #!/bin/sh
# set -o nounset
# set -o errexit
#
# GIF_IF="$1"
# GIF_IF_MTU="$2"
#
# case "${PLUTO_VERB}" in
# up-host)
# /sbin/ifconfig "${GIF_IF}" create
# /sbin/ifconfig "${GIF_IF}" inet tunnel "${PLUTO_ME}" "${PLUTO_PEER}" mtu "${GIF_IF_MTU}" up
# /sbin/ifconfig "${GIF_IF}" inet "$3" "$4" netmask "$5"
# ;;
# down-host)
# /sbin/ifconfig "${GIF_IF}" down
# /sbin/ifconfig "${GIF_IF}" destroy
# ;;
# esac