Configuring IPSec tunnel (openswan) + Gre + BGP (Quagga) between Cisco and Linux
This page answers two questions: how to create a GRE tunnel and encapsulate it in an IPsec tunnel, and how to run a BGP session over that GRE tunnel.

1. Goal:
1.1. Connect the private subnets behind a Linux machine and a Cisco router to each other over IPsec + GRE, and exchange the private subnet information dynamically (BGP over the GRE tunnel). The design point: the GRE tunnel is built between two /32 loopback addresses, and the IPsec policy protects exactly that host pair, so every GRE packet (and therefore every BGP packet and every packet routed through the tunnel) is carried inside ESP. The crypto ACLs do not need to list the private subnets at all.
2. What we have (need):
2.1. Ubuntu 12.04 LTS Server;
2.2. Cisco router;
2.3. Root access to the Linux machine and privileged (enable) access to the Cisco router;
2.4. Linux GRE endpoint (loopback) is 172.16.11.1/32; the private subnet advertised by Linux is 10.217.40.0/24;
2.5. Cisco GRE endpoint (loopback) is 172.16.11.2/32; the private subnet advertised by the Cisco is 10.130.0.0/16 (see the Cisco BGP config);
2.6. Linux public IP is 192.168.0.44;
2.7. Cisco public IP is 192.168.0.144.
3. Configuration steps (Linux side):
3.1. (Optional) Point apt at a mirror. openswan is in Ubuntu's standard universe component, so this step is only needed if the default mirrors are unreachable. The original used a mirror in China; if you copy it, leave out the precise-proposed lines, since -proposed carries pre-release packages that do not belong on a production gateway. File /etc/apt/sources.list.d/lzu.list:
deb http://mirror.lzu.edu.cn/ubuntu/ precise main restricted universe multiverse
deb http://mirror.lzu.edu.cn/ubuntu/ precise-security main restricted universe multiverse
deb http://mirror.lzu.edu.cn/ubuntu/ precise-updates main restricted universe multiverse
deb http://mirror.lzu.edu.cn/ubuntu/ precise-proposed main restricted universe multiverse
deb http://mirror.lzu.edu.cn/ubuntu/ precise-backports main restricted universe multiverse
deb-src http://mirror.lzu.edu.cn/ubuntu/ precise main restricted universe multiverse
deb-src http://mirror.lzu.edu.cn/ubuntu/ precise-security main restricted universe multiverse
deb-src http://mirror.lzu.edu.cn/ubuntu/ precise-updates main restricted universe multiverse
deb-src http://mirror.lzu.edu.cn/ubuntu/ precise-proposed main restricted universe multiverse
deb-src http://mirror.lzu.edu.cn/ubuntu/ precise-backports main restricted universe multiverse
3.2. Update the package index:
sudo apt-get update
3.3. Install Openswan. The original command also pulled in xl2tpd and ppp; those are for L2TP/IPsec road-warrior setups and are not used by a GRE-over-IPsec site-to-site tunnel, so only openswan is needed:
sudo apt-get install openswan
3.4. Enable IP forwarding and harden the routing sysctls. Run the following as root (tee -a appends, so run it once). rp_filter is relaxed because with the NETKEY stack decrypted packets re-enter the stack on the public interface with a source address (172.16.11.2) that strict reverse-path filtering would drop:
echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.rp_filter = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.accept_source_route = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.conf.default.send_redirects = 0" | tee -a /etc/sysctl.conf
echo "net.ipv4.icmp_ignore_bogus_error_responses = 1" | tee -a /etc/sysctl.conf
sysctl -p
3.5. Configure the loopback (GRE endpoint) and the GRE tunnel by adding the following to /etc/network/interfaces. The tunnel is addressed between the two loopbacks (172.16.11.1 -> 172.16.11.2), which is the host pair the IPsec policy in step 3.6 protects; the 10.0.0.0/30 addresses live inside the tunnel and are what BGP peers over. GRE plus ESP in tunnel mode adds well over 50 bytes of overhead, so if large packets stall once the tunnel is up, lower the MTU on tun112 and mirror it on the Cisco Tunnel112 interface:
# This file describes the network interfaces available on your
# system and how to activate them. For more information, see
# interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# Loopback 112 interface: GRE tunnel endpoint, protected by IPsec
auto lo:112
iface lo:112 inet static
    address 172.16.11.1
    netmask 255.255.255.255

# Tunnel interface 112: tunnel source 172.16.11.1, tunnel destination 172.16.11.2,
# ip address 10.0.0.1/30
auto tun112
iface tun112 inet static
    address 10.0.0.1
    netmask 255.255.255.252
    pre-up iptunnel add tun112 mode gre local 172.16.11.1 remote 172.16.11.2 ttl 255
    up ifconfig tun112 multicast pointopoint 10.0.0.2
    post-down iptunnel del tun112
3.6. Configure Openswan in /etc/ipsec.conf. The conn protects only the loopback pair (leftsubnet/rightsubnet are /32s); the proposals are chosen to match the Cisco isakmp policy 10 and transform-set AES256-SHA shown in section 4. Two corrections to the original: keylife and salifetime are aliases for the same parameter, so only one of them should be set, and PFS is off only because the Cisco crypto map has no "set pfs"; enable it on both sides when you can.
# /etc/ipsec.conf - Openswan IPsec configuration file
# This file: /usr/share/doc/openswan/ipsec.conf-sample
# Manual: ipsec.conf.5

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Do not set debug options to debug configuration issues!
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
    # eg:
    # plutodebug="control parsing"
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #
    # enable to get logs per-peer
    # plutoopts="--perpeerlog"
    #
    # Enable core dumps (might require system changes, like ulimit -C)
    # This is required for abrtd to work properly
    # Note: incorrect SElinux policies might prevent pluto writing the core
    dumpdir=/var/run/pluto/
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    # Both peers have public addresses here, so NAT-T is not needed.
    nat_traversal=no
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their 3G network.
    # This range has not been announced via BGP (at least upto 2010-12-21)
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    protostack=netkey
    #protostack=auto
    # Use this to log to a file, or disable logging on embedded systems (like openwrt)
    #plutostderrlog=/dev/null
    uniqueids=no
    strictcrlpolicy=yes

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#    # Left security gateway, subnet behind it, nexthop toward right.
#    left=10.0.0.1
#    leftsubnet=172.16.0.0/24
#    leftnexthop=10.22.33.44
#    # Right security gateway, subnet behind it, nexthop toward left.
#    right=10.12.12.1
#    rightsubnet=192.168.0.0/24
#    rightnexthop=10.101.102.103
#    # To authorize this connection, but not actually start it,
#    # at startup, uncomment this.
#    #auto=add

#config setup
#    strictcrlpolicy=yes
#    uniqueids = no
#    nat_traversal=yes

conn %default
    ikelifetime=86400s
    salifetime=3600s
    # keylife is an alias of salifetime; the original set both (keylife=30m),
    # keep only one of them
    #keylife=30m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ike
    authby=secret

conn Linux-Cisco-IPSecVPN
    authby=secret
    # No leftid/rightid, so the IKE identities are the public addresses;
    # the PSK line in ipsec.secrets must be indexed by this same pair.
    left=192.168.0.44
    leftsubnet=172.16.11.1/32
    right=192.168.0.144
    rightsubnet=172.16.11.2/32
    # matches Cisco "crypto isakmp policy 10": encr aes 256, hash sha (IOS default), group 5
    ike=aes256-sha1-modp1536
    # matches Cisco transform-set AES256-SHA: esp-aes 256 esp-sha-hmac
    esp=aes256-sha1
    # the Cisco crypto map has no "set pfs"; add "set pfs group5" there and
    # switch this to pfs=yes
    pfs=no
    auto=start
3.7. Configure the pre-shared key in /etc/ipsec.secrets (root-only, mode 600). The index of a PSK line is the pair of IKE identities, which for this conn are left and right from ipsec.conf (the public addresses), not the loopbacks used as GRE endpoints. The original indexed the key by "172.16.11.1 172.16.11.2"; Pluto would not select that entry for a peer identified as 192.168.0.144, so the line is corrected below. Replace "test" with a long random string and use the same value in the Cisco "crypto isakmp key" command:
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part. Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".

# this file is managed with debconf and will contain the automatically created RSA keys
include /var/lib/openswan/ipsec.secrets.inc

# PSK for conn Linux-Cisco-IPSecVPN (protects the GRE tunnel tun112 between Linux and Cisco).
# Indexed by the IKE IDs, i.e. left and right from ipsec.conf.
192.168.0.44 192.168.0.144 : PSK "test"
3.8. Install Quagga (as root). On Ubuntu the daemons also have to be switched on in /etc/quagga/daemons (zebra and bgpd set to yes) before the quagga service is started:
apt-get install quagga
3.9. Configure zebra in /etc/quagga/zebra.conf. Quagga's vty listens on TCP 2601 (zebra) and 2605 (bgpd) on all addresses by default, so use real passwords here (926 is a placeholder from the original) and firewall those ports to localhost:
hostname ubuntu
password 926
enable password 926
log file /var/log/quagga/zebra.log
!
debug zebra events
debug zebra packet
!
interface eth0
 ip address 192.168.0.44/24
 ipv6 nd suppress-ra
!
interface tun112
 ip address 10.0.0.1/30
 ipv6 nd suppress-ra
!
ip route 0.0.0.0/0 eth0 254
!
ip forwarding
!
!
line vty
 exec-timeout 0 0
3.10. Configure BGP in /etc/quagga/bgpd.conf. The neighbor is the Cisco's tunnel address 10.0.0.2, directly connected over tun112, so no ebgp-multihop is needed. Both ASNs (64550 and 64524) are from the private range 64512-65534. The router-id 192.168.11.61 from the original is not an address on this machine; that is legal, but it is more conventional to use one the box owns, such as the loopback 172.16.11.1:
hostname AS64550
password 926
enable password 926
log file /var/log/quagga/bgpd.log
log stdout
!
router bgp 64550
 bgp router-id 192.168.11.61
 bgp log-neighbor-changes
 network 10.217.40.0/24
 neighbor 10.0.0.2 remote-as 64524

4. Cisco configs:
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 5
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key test address 192.168.0.44
!
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto map VPN-Linux-Cisco 112 ipsec-isakmp
 set peer 192.168.0.44
 set transform-set AES256-SHA
 match address VPN_to_10.217.40.0/16_112
!
interface Loopback112
 ip address 172.16.11.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Tunnel112
 ip address 10.0.0.2 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
 tunnel source 172.16.11.2
 tunnel destination 172.16.11.1
!
interface Vlan1
 ip address 192.168.0.144 255.255.255.0
 ip nat outside
 crypto map VPN-Linux-Cisco
!
router bgp 64524
 bgp log-neighbor-changes
 network 10.130.0.0 mask 255.255.0.0
 timers bgp 5 30
 neighbor 10.0.0.1 remote-as 64550
 maximum-paths ibgp 2
!
ip nat inside source list NONAT interface Vlan1 overload
ip route 0.0.0.0 0.0.0.0 Vlan1
!
ip access-list extended NONAT
 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 deny ip 172.16.0.0 0.15.255.255 172.16.0.0 0.15.255.255
 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
 deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
 deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.15.255.255
 deny ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
 deny ip 172.16.0.0 0.15.255.255 192.168.0.0 0.0.255.255
 deny tcp any eq 22 any
 permit ip any any
!
ip access-list extended VPN_to_10.217.40.0/16_112
 permit ip host 172.16.11.2 host 172.16.11.1

Notes on the Cisco side. The crypto ACL matches only the loopback pair; that is correct, because BGP and all routed traffic are already inside GRE by the time the crypto map sees them, and the ACL's name (VPN_to_10.217.40.0/16_112) is just a label. The ACL is written from the Cisco's point of view, so it mirrors leftsubnet/rightsubnet in ipsec.conf. Loopback112 carries a /24 mask while the Linux side expects 172.16.11.2/32; use 255.255.255.255 so the two descriptions of the endpoint agree. Policy 1 (3DES/MD5) is weaker than policy 10 and is never needed for this peer, so remove it; policy 10 relies on the IOS default "hash sha", which is what openswan's sha1 matches. The isakmp key is indexed by the Linux public address 192.168.0.44 and must equal the PSK in ipsec.secrets. NAT runs before the crypto map on egress: the NONAT ACL denies RFC 1918 to RFC 1918 traffic, so the GRE packets from 172.16.11.2 to 172.16.11.1 are not translated and still match the crypto ACL. The "network 10.130.0.0 mask 255.255.0.0" statement only advertises the prefix if a matching route exists in the Cisco's routing table, and "timers bgp 5 30" is fine against Quagga's defaults because BGP negotiates the lower hold time.
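The two sides above have to agree on IKE proposals, ESP transform, PFS, selectors and the PSK index before anything comes up. The following script is an added example (not part of the original write-up or of Openswan/IOS): it transcribes both configs from this page into plain dicts and reports every mismatch, including the ipsec.secrets index and the weak 3DES/MD5 policy discussed above. The openswan-to-IOS name mapping it uses (modp1536 = group 5, sha1 = the IOS default "hash sha", aes256 = "encr aes 256") is standard IKE naming; the placeholder PSK in hardened() is made up.

```python
"""Cross-check the openswan conn on this page against the Cisco crypto config."""

# openswan: conn Linux-Cisco-IPSecVPN plus the ipsec.secrets line as originally written
LINUX = {
    "left": "192.168.0.44", "right": "192.168.0.144",
    "leftsubnet": "172.16.11.1/32", "rightsubnet": "172.16.11.2/32",
    "ike": "aes256-sha1-modp1536", "esp": "aes256-sha1", "pfs": "no",
    # the page indexed the PSK by the GRE loopbacks, not by the IKE IDs
    "secret_ids": ("172.16.11.1", "172.16.11.2"), "psk": "test",
}

# Cisco: isakmp policies, isakmp key, transform-set, crypto map and crypto ACL
CISCO = {
    "isakmp_policies": [
        {"encr": "3des", "hash": "md5", "group": 5, "auth": "pre-share"},
        {"encr": "aes 256", "hash": "sha", "group": 5, "auth": "pre-share"},
    ],
    "isakmp_key": {"address": "192.168.0.44", "key": "test"},
    "transform_set": ("esp-aes 256", "esp-sha-hmac"),
    "pfs_group": None,                             # crypto map has no "set pfs"
    "crypto_acl": ("172.16.11.2", "172.16.11.1"),  # permit ip host <src> host <dst>
    "peer": "192.168.0.44", "public_ip": "192.168.0.144",
}

IKE_ENCR = {"aes256": "aes 256", "aes128": "aes 128", "3des": "3des"}
IKE_HASH = {"sha1": "sha", "md5": "md5"}
IKE_GROUP = {"modp1024": 2, "modp1536": 5, "modp2048": 14}
ESP_ENCR = {"aes256": "esp-aes 256", "aes128": "esp-aes 128", "3des": "esp-3des"}
ESP_AUTH = {"sha1": "esp-sha-hmac", "md5": "esp-md5-hmac"}
WEAK = {"des", "3des", "md5"}


def check(linux, cisco):
    """Return a list of findings; an empty list means the two sides agree."""
    findings = []
    # Phase 1: the ike= triple must appear as one IOS isakmp policy
    enc, hsh, grp = linux["ike"].split("-")
    want = {"encr": IKE_ENCR[enc], "hash": IKE_HASH[hsh],
            "group": IKE_GROUP[grp], "auth": "pre-share"}
    if want not in cisco["isakmp_policies"]:
        findings.append("ike: no isakmp policy matches %s" % linux["ike"])
    for pol in cisco["isakmp_policies"]:
        if pol["encr"] in WEAK or pol["hash"] in WEAK:
            findings.append("ike: weak isakmp policy offered (%s, %s)"
                            % (pol["encr"], pol["hash"]))
    # Phase 2: transform-set and PFS must agree
    enc, auth = linux["esp"].split("-")
    if (ESP_ENCR[enc], ESP_AUTH[auth]) != tuple(cisco["transform_set"]):
        findings.append("esp: transform-set does not match %s" % linux["esp"])
    linux_pfs, cisco_pfs = linux["pfs"] == "yes", cisco["pfs_group"] is not None
    if linux_pfs != cisco_pfs:
        findings.append("pfs: enabled on one side only")
    elif not linux_pfs:
        findings.append("pfs: disabled on both sides (negotiates, but turn it on)")
    elif cisco["pfs_group"] != IKE_GROUP[grp]:  # openswan reuses the phase-1 group
        findings.append("pfs: DH group differs")
    # Selectors: the IOS ACL is written from the Cisco side, so it mirrors left/right
    left_host = linux["leftsubnet"].split("/")[0]
    right_host = linux["rightsubnet"].split("/")[0]
    if tuple(cisco["crypto_acl"]) != (right_host, left_host):
        findings.append("selectors: crypto ACL does not mirror leftsubnet/rightsubnet")
    if (cisco["peer"], cisco["public_ip"]) != (linux["left"], linux["right"]):
        findings.append("peers: public addresses disagree")
    # PSK: IOS keys by the peer's public address; without leftid/rightid the
    # openswan IKE IDs are left/right, so ipsec.secrets must use that same pair
    if set(linux["secret_ids"]) != {linux["left"], linux["right"]}:
        findings.append("psk: ipsec.secrets indexed by %s but IKE IDs are %s %s"
                        % (" ".join(linux["secret_ids"]), linux["left"], linux["right"]))
    key = cisco["isakmp_key"]
    if (key["address"], key["key"]) != (linux["left"], linux["psk"]):
        findings.append("psk: Cisco isakmp key address/value do not match")
    if len(linux["psk"]) < 20:
        findings.append("psk: shorter than 20 characters")
    return findings


def hardened():
    """The same two configs with the findings against this page corrected."""
    linux = dict(LINUX, pfs="yes",
                 secret_ids=(LINUX["left"], LINUX["right"]),
                 psk="gre112-rotate-me-Zt7q9Lm2Xc4Vb8Nw")  # placeholder, not a real secret
    cisco = dict(CISCO, pfs_group=5,  # "set pfs group5" in the crypto map
                 isakmp_policies=[p for p in CISCO["isakmp_policies"]
                                  if p["encr"] not in WEAK and p["hash"] not in WEAK],
                 isakmp_key={"address": LINUX["left"], "key": linux["psk"]})
    return linux, cisco


if __name__ == "__main__":
    for finding in check(LINUX, CISCO):
        print("page config:", finding)
    print("hardened config:", check(*hardened()) or "no findings")
```

Against the configs as printed on this page, check() reports four findings (the 3DES/MD5 policy, PFS off on both sides, the ipsec.secrets index, the short PSK) and none against hardened(); the proposal, transform-set, selector and peer checks all pass, which is why the tunnel negotiates at all once the PSK line is indexed by the public addresses.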
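Once the conn is up, the claim that "GRE is inside IPsec" is something the kernel can confirm: with protostack=netkey, Openswan installs xfrm policies, and the GRE loopback pair must appear in an outbound policy with an ESP tunnel-mode template toward 192.168.0.144 and in an inbound policy from it. The script below is an added example (not part of the original write-up): it parses the text printed by `ip xfrm policy` (iproute2 layout, a "src ... dst ..." header followed by indented dir/tmpl/proto lines) and reports which direction, if any, is missing. SAMPLE_XFRM_POLICY is constructed to match this page's addresses, and the file name in the usage hint is an assumption.

```python
"""Check that the GRE endpoints are bound to an ESP tunnel in the xfrm policy database."""
import ipaddress
import sys

# Constructed sample of `ip xfrm policy` output for the setup on this page
SAMPLE_XFRM_POLICY = """\
src 172.16.11.1/32 dst 172.16.11.2/32 
\tdir out priority 2344 ptype main 
\ttmpl src 192.168.0.44 dst 192.168.0.144
\t\tproto esp reqid 16385 mode tunnel
src 172.16.11.2/32 dst 172.16.11.1/32 
\tdir fwd priority 2344 ptype main 
\ttmpl src 192.168.0.144 dst 192.168.0.44
\t\tproto esp reqid 16385 mode tunnel
src 172.16.11.2/32 dst 172.16.11.1/32 
\tdir in priority 2344 ptype main 
\ttmpl src 192.168.0.144 dst 192.168.0.44
\t\tproto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 
\tsocket out priority 0 ptype main 
"""


def parse_xfrm_policies(text):
    """Return [{'src', 'dst', 'dir', 'tmpl': [{'src', 'dst', 'proto', 'mode'}]}, ...]."""
    policies = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if not line[0].isspace():
            # header line: "src A/m dst B/n [proto ...]"
            policies.append({"src": fields[1], "dst": fields[3], "dir": None, "tmpl": []})
        elif fields[0] == "dir":
            policies[-1]["dir"] = fields[1]
        elif fields[0] == "tmpl":
            policies[-1]["tmpl"].append({"src": fields[2], "dst": fields[4]})
        elif fields[0] == "proto" and policies[-1]["tmpl"]:
            tmpl = policies[-1]["tmpl"][-1]
            tmpl["proto"] = fields[1]
            tmpl["mode"] = fields[fields.index("mode") + 1] if "mode" in fields else "transport"
        # "socket ..." lines are per-socket bypass policies and carry no template
    return policies


def missing_directions(policies, local, remote, peer_public):
    """Directions ('out', 'in') in which local<->remote is NOT forced through ESP
    tunnel mode with peer_public; an empty list means GRE never leaves in the clear
    and clear-text GRE from the peer is not accepted either."""
    def covers(prefix, host):
        return ipaddress.ip_address(host) in ipaddress.ip_network(prefix, strict=False)

    out_ok = in_ok = False
    for pol in policies:
        esp = [t for t in pol["tmpl"] if t.get("proto") == "esp" and t.get("mode") == "tunnel"]
        if not esp:
            continue
        if pol["dir"] == "out" and covers(pol["src"], local) and covers(pol["dst"], remote):
            out_ok = out_ok or any(t["dst"] == peer_public for t in esp)
        if pol["dir"] == "in" and covers(pol["src"], remote) and covers(pol["dst"], local):
            in_ok = in_ok or any(t["src"] == peer_public for t in esp)
    return [d for d, ok in (("out", out_ok), ("in", in_ok)) if not ok]


if __name__ == "__main__":
    # usage on the gateway (file name assumed): ip xfrm policy | python3 xfrm_check.py
    text = SAMPLE_XFRM_POLICY if sys.stdin.isatty() else sys.stdin.read()
    gaps = missing_directions(parse_xfrm_policies(text), "172.16.11.1", "172.16.11.2", "192.168.0.144")
    print("GRE fully inside ESP" if not gaps else "unprotected directions: %s" % ", ".join(gaps))
```

The inbound check matters as much as the outbound one: without a "dir in" policy the kernel would accept clear-text GRE from anyone spoofing 172.16.11.2, so a BGP session could be established without IPsec at all. A packet capture gives the same answer from the wire: `tcpdump -ni eth0 proto gre` should stay silent while `tcpdump -ni eth0 esp` shows the traffic between 192.168.0.44 and 192.168.0.144.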