Configuring an IPsec tunnel (Openswan) + GRE + BGP (Quagga) between Cisco and Linux

Configuring an IPsec tunnel (Openswan) + GRE + BGP (Quagga) between Cisco and Linux

This page answers two questions: how to create a GRE tunnel and encapsulate it inside an IPsec tunnel, and how to run a BGP session over that GRE tunnel so the private subnets on each side are exchanged dynamically.

1. Goal:

1.1. Connect the private subnets behind a Linux machine and a Cisco router over IPsec + GRE, and exchange the private subnet routes dynamically with BGP.


2. What we have (need):

2.1. Ubuntu 12.04 LTS Server (note: both Ubuntu 12.04 and Openswan are end-of-life; on a current system use Libreswan or strongSwan — Libreswan keeps the ipsec.conf keywords used below largely unchanged);

2.2. Cisco router.

2.3. Root credentials for the Linux host and privileged (enable) access to the Cisco router;

2.4. Linux side: 172.16.11.1/32 (loopback address used as the IPsec-protected GRE endpoint) and 10.217.40.0/24 (private subnet advertised over BGP);

2.5. Cisco side: 172.16.11.2/32 (loopback address used as the IPsec-protected GRE endpoint); the router configuration below additionally advertises 10.130.0.0/16 over BGP;

2.6. Linux "public" IP (its address on the network shared with the router; an RFC 1918 address in this lab) is 192.168.0.44;

2.7. Cisco "public" IP (its address on the same shared network) is 192.168.0.144.

3. Resolving steps:


3.1. (Optional) Add a package mirror. Openswan is in the standard Ubuntu archives, so this step is only needed if the machine has no usable mirror configured; prefer an official or trusted mirror, and do not enable the `precise-proposed` pocket on a production system (it carries pre-release, untested updates). Example file /etc/apt/sources.list.d/lzu.list :

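# /etc/apt/sources.list.d/lzu.list -- mirror used by this guide.
# Any Ubuntu mirror works. apt verifies the Release/Packages signatures, so a
# plain-http mirror is acceptable, but the mirror operator still chooses when
# updates appear; prefer an official mirror where possible.
# precise-proposed (pre-release updates, not meant for production systems) from
# the original list is deliberately left out.
deb http://mirror.lzu.edu.cn/ubuntu/ precise main restricted universe multiverse
deb http://mirror.lzu.edu.cn/ubuntu/ precise-security main restricted universe multiverse
deb http://mirror.lzu.edu.cn/ubuntu/ precise-updates main restricted universe multiverse
deb http://mirror.lzu.edu.cn/ubuntu/ precise-backports main restricted universe multiverse
# Source packages are not needed by anything in this guide; enable only if you
# intend to rebuild packages.
#deb-src http://mirror.lzu.edu.cn/ubuntu/ precise main restricted universe multiverse
#deb-src http://mirror.lzu.edu.cn/ubuntu/ precise-security main restricted universe multiverse
#deb-src http://mirror.lzu.edu.cn/ubuntu/ precise-updates main restricted universe multiverse
#deb-src http://mirror.lzu.edu.cn/ubuntu/ precise-backports main restricted universe multiverse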

3.2. Refresh the package index:

# Refresh the package index so the packages (and any mirror added in 3.1) are visible to apt-get.
sudo apt-get update

3.3. Install Openswan. Only the `openswan` package is needed for this site-to-site setup; the `xl2tpd` and `ppp` packages from the original command are for L2TP/IPsec road-warrior clients and are never configured in this guide:

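# Only openswan is required for GRE-over-IPsec between two fixed peers.
# xl2tpd and ppp (present in the original command) serve L2TP/IPsec clients
# and are not used anywhere in this guide, so they are not installed.
sudo apt-get install openswan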

3.4. Enable IP forwarding and basic IPv4 hardening on the Linux machine, persisted through sysctl (run as root or with sudo):

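# Enable routing on the Linux host and harden the IPv4 stack.
# The settings go into a dedicated drop-in under /etc/sysctl.d/ instead of
# being appended to /etc/sysctl.conf: re-running this step then simply
# rewrites the file (the original `tee -a` lines added a duplicate of every
# key on each run).
sysctl_dropin=/etc/sysctl.d/60-ipsec-gre.conf

sudo tee "$sysctl_dropin" >/dev/null <<'EOF'
# Forward packets between eth0, the GRE tunnel and the private subnets.
net.ipv4.ip_forward = 1
# A router must neither accept ICMP redirects (peers rewriting its routes)
# nor send them.
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Reject source-routed packets on existing and future interfaces.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Reverse-path filtering off for newly created interfaces (kept from the
# original). NOTE(review): the kernel applies the stricter of the `all` and
# per-interface values, and Ubuntu ships net.ipv4.conf.all.rp_filter=1, so
# this line may have no effect by itself; check
# `sysctl net.ipv4.conf.all.rp_filter` and only relax it (prefer 2 = loose
# over 0 = off) if the tunnel traffic is actually dropped by it.
net.ipv4.conf.default.rp_filter = 0
# Do not log bogus ICMP error responses.
net.ipv4.icmp_ignore_bogus_error_responses = 1
EOF

# Apply immediately; the drop-in is re-read at boot by the procps job.
sudo sysctl -p "$sysctl_dropin"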

3.5. Configure the loopback alias and the GRE tunnel by adding the following stanzas to /etc/network/interfaces. The GRE endpoints 172.16.11.1/172.16.11.2 are the addresses protected by IPsec; the tunnel itself carries 10.0.0.0/30, over which the BGP session runs:

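# /etc/network/interfaces -- loopback for the IPsec endpoint and the GRE tunnel.
# See interfaces(5) for the file format.

# The loopback network interface
auto lo
iface lo inet loopback

# 172.16.11.1/32 is the local IPsec-protected endpoint (leftsubnet in
# ipsec.conf) and the GRE tunnel source. It is listed before tun112 because
# ifupdown brings "auto" interfaces up in file order and the tunnel needs the
# address to exist.
auto lo:112
iface lo:112 inet static
        address 172.16.11.1
        netmask 255.255.255.255

# GRE tunnel tun112: outer header 172.16.11.1 -> 172.16.11.2 (carried inside
# the IPsec SA), inner addresses 10.0.0.1/30 <-> 10.0.0.2 for the BGP session.
auto tun112
iface tun112 inet static
    address 10.0.0.1
    netmask 255.255.255.252
    pointopoint 10.0.0.2
    # iproute2 replaces the deprecated net-tools calls (iptunnel, ifconfig)
    # from the original; the tunnel parameters are unchanged.
    pre-up ip tunnel add tun112 mode gre local 172.16.11.1 remote 172.16.11.2 ttl 255
    # Multicast flag kept from the original; the unicast BGP session does not need it.
    up ip link set dev tun112 multicast on
    post-down ip tunnel del tun112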

3.6. Configure Openswan in /etc/ipsec.conf. The ike/esp/pfs settings must mirror the router's isakmp policy, transform-set and crypto map shown at the end of this page:

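# /etc/ipsec.conf - Openswan IPsec configuration file
# Manual:  ipsec.conf(5)
# Sample:  /usr/share/doc/openswan/ipsec.conf-sample, /etc/ipsec.d/examples/
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Leave plutodebug/klipsdebug unset unless a developer asks for them:
        # debug output is very verbose and may expose negotiation details.
        dumpdir=/var/run/pluto/
        # The peers talk to each other directly (192.168.0.44 <-> 192.168.0.144);
        # set nat_traversal=yes if a NAT is ever placed between them.
        nat_traversal=no
        # Only consulted by road-warrior conns using vhost:%priv; unused by the
        # site-to-site conn below, kept from the distribution default.
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        # Opportunistic encryption stays off.
        oe=off
        # In-kernel NETKEY (XFRM) stack; the GRE interface is an ordinary kernel
        # tunnel, no KLIPS ipsecN device is involved.
        protostack=netkey
        # Allow more than one SA per peer ID (peer rekeys / reboots).
        uniqueids=no
        # Only meaningful for certificate authentication; harmless with PSK.
        strictcrlpolicy=yes

# Defaults inherited by every conn.
conn %default
        # IKE (phase 1) lifetime, equal to the router's default of 86400 s.
        ikelifetime=86400s
        # IPsec (phase 2) lifetime. The original set both salifetime=3600s and
        # its alias keylife=30m; a single value is kept, matching the router's
        # default SA lifetime of 3600 s.
        salifetime=3600s
        rekeymargin=3m
        # Keep retrying when the router is unreachable: with auto=start and the
        # original keyingtries=1, a Linux host that boots before the router
        # gave up after one attempt and the tunnel never came up.
        keyingtries=%forever
        keyexchange=ike
        authby=secret

conn Linux-Cisco-IPSecVPN
        authby=secret
        left=192.168.0.44
        # Only the GRE endpoints are protected by IPsec; the private subnets
        # travel inside the GRE tunnel.
        leftsubnet=172.16.11.1/32
        right=192.168.0.144
        rightsubnet=172.16.11.2/32
        # Must match "crypto isakmp policy 10" (aes 256 / sha / group 5) and
        # transform-set AES256-SHA on the router. modp1536 (DH group 5) is
        # below current guidance; move both sides to modp2048 (group 14) if
        # the router supports it.
        ike=aes256-sha1-modp1536
        esp=aes256-sha1
        # PFS is off because the router's crypto map has no "set pfs". Turn it
        # on together with "set pfs group5" (or group14) on the Cisco side.
        pfs=no
        # NOTE(review): consider dpddelay/dpdtimeout/dpdaction=restart so a
        # rebooted router is detected; requires DPD on the router
        # ("crypto isakmp keepalive").
        auto=start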

3.7. Configure the pre-shared key in /etc/ipsec.secrets (the file must be root-owned and mode 0600; the PSK is the only thing authenticating the peers):

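# /etc/ipsec.secrets - shared secrets / RSA keys for inter-Pluto authentication.
# See ipsec.secrets(5) and ipsec_pluto(8). Keep this file root-owned, mode 0600.

# Debconf-managed host RSA key (not used by the PSK connection below, kept so
# the file still includes it).
include /var/lib/openswan/ipsec.secrets.inc

# PSK for conn Linux-Cisco-IPSecVPN (GRE tunnel tun112 between Linux and Cisco).
# Pluto picks the secret by the IKE identities, which default to the conn's
# left/right addresses (192.168.0.44 and 192.168.0.144) -- not the 172.16.11.x
# GRE endpoints inside the tunnel. The original line was indexed by the
# loopbacks, which leaves pluto without a matching key for this peer pair
# ("no preshared key found"). The router keys on the same addresses:
# "crypto isakmp key ... address 192.168.0.44".
# "test" is a placeholder mirroring the router config: replace it on BOTH sides
# with a long random value, e.g. the output of `openssl rand -base64 32`.
192.168.0.44 192.168.0.144 : PSK "test"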

3.8. Install Quagga (zebra + bgpd):

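# Quagga provides zebra (kernel routing glue) and bgpd. The original line was
# "#apt-get install quagga." -- the "#" was a root prompt, not a comment, and
# the trailing "." is a typo that would not name a valid package.
sudo apt-get install quagga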

3.9. Configure zebra with the following /etc/quagga/zebra.conf (also enable `zebra=yes` and `bgpd=yes` in /etc/quagga/daemons so the daemons start):

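! /etc/quagga/zebra.conf - kernel routing interface for the Linux router.
hostname ubuntu
! vty passwords are stored in clear text; keep this file root:quagga 0640 and
! leave the vty bound to 127.0.0.1 (the Debian default in /etc/quagga/debian.conf).
password 926
enable password 926
log file /var/log/quagga/zebra.log
!
! The original enabled "debug zebra events" and "debug zebra packet"
! permanently; they are very chatty and belong to an interactive
! troubleshooting session (enable them from the vty), not to the persistent
! configuration, so they are dropped here.
!
interface eth0
 ip address 192.168.0.44/24
 ipv6 nd suppress-ra
!
! GRE tunnel created by /etc/network/interfaces; the address is repeated here
! so zebra's view of the interface matches the kernel.
interface tun112
 ip address 10.0.0.1/30
 ipv6 nd suppress-ra
!
! Default route out of eth0 with no gateway address, distance 254 (kept from
! the original). NOTE(review): a gateway-less Ethernet route only works if the
! upstream does proxy ARP; if /etc/network/interfaces already installs a
! default route via the real gateway, this line is redundant.
ip route 0.0.0.0/0 eth0 254
!
ip forwarding
!
line vty
 ! No idle timeout on vty sessions; set e.g. "exec-timeout 10 0" if the vty
 ! is ever reachable from anywhere other than localhost.
 exec-timeout 0 0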

3.10. Configure bgpd with the following /etc/quagga/bgpd.conf (the BGP session runs between the tunnel addresses 10.0.0.1 and 10.0.0.2, i.e. inside GRE inside IPsec):

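! /etc/quagga/bgpd.conf - eBGP over the GRE tunnel (tun112) towards the router.
hostname AS64550
! vty passwords are stored in clear text; keep this file root:quagga 0640 and
! leave the vty bound to 127.0.0.1 (the Debian default in /etc/quagga/debian.conf).
password 926
enable password 926
! The original file name ended in an invisible soft-hyphen character
! ("bgpd.log<U+00AD>"), which would create an oddly named log file.
log file /var/log/quagga/bgpd.log
log stdout
!
router bgp 64550
 ! The router-id only has to be unique between the peers; the local IPsec
 ! loopback is used (the original 192.168.11.61 is not an address of this host).
 bgp router-id 172.16.11.1
 bgp log-neighbor-changes
 ! Linux private subnet advertised to the router.
 network 10.217.40.0/24
 ! eBGP peer = the router's tunnel address; the TCP session rides inside GRE+IPsec.
 neighbor 10.0.0.2 remote-as 64524
 neighbor 10.0.0.2 description Cisco-over-tun112
 ! NOTE(review): nothing limits what the peer may announce. Once the expected
 ! prefixes are known, add "neighbor 10.0.0.2 prefix-list FROM-CISCO in" and
 ! "neighbor 10.0.0.2 maximum-prefix <n>" here.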

Cisco router configuration (IOS). The isakmp policy, transform-set and crypto ACL must mirror ike=, esp= and leftsubnet/rightsubnet in ipsec.conf above:
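! --- IKE phase 1 -----------------------------------------------------------
! One policy, matching Openswan's ike=aes256-sha1-modp1536. The original also
! carried "crypto isakmp policy 1" (3des / md5 / group 5); the Linux peer never
! proposes it, so it only widened what the router would accept and is removed.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 5
! Placeholder PSK shared with /etc/ipsec.secrets on the Linux host -- replace
! it on BOTH sides with a long random value before going live.
crypto isakmp key test address 192.168.0.44
! --- IKE phase 2 -----------------------------------------------------------
! Matches esp=aes256-sha1 on the Linux side. pfs=no there, so no "set pfs"
! here; enable both together ("set pfs group5" / pfs=yes).
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto map VPN-Linux-Cisco 112 ipsec-isakmp
 set peer 192.168.0.44
 set transform-set AES256-SHA
 match address VPN_to_10.217.40.0/16_112
!
! IPsec-protected GRE endpoint. This must be a host address (/32): with the
! original 255.255.255.0 the router considers 172.16.11.1 directly connected
! on Loopback112 and the GRE/IPsec traffic never leaves via Vlan1, where the
! crypto map is applied.
interface Loopback112
 ip address 172.16.11.2 255.255.255.255
 ip nat inside
 ip virtual-reassembly in
! GRE tunnel carrying the BGP session; the outer header 172.16.11.2 ->
! 172.16.11.1 is what the crypto ACL matches.
interface Tunnel112
 ip address 10.0.0.2 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
 tunnel source 172.16.11.2
 tunnel destination 172.16.11.1
! Interface facing the Linux peer; carries the IPsec SA.
interface Vlan1
 ip address 192.168.0.144 255.255.255.0
 ip nat outside
 crypto map VPN-Linux-Cisco
!
router bgp 64524
 bgp log-neighbor-changes
 network 10.130.0.0 mask 255.255.0.0
! Aggressive keepalive/hold timers (5 s / 30 s); the peers negotiate the lower hold time.
 timers bgp 5 30
 neighbor 10.0.0.1 remote-as 64550
 neighbor 10.0.0.1 description Linux-over-Tunnel112
! NOTE(review): no inbound prefix-list or maximum-prefix on this eBGP neighbor;
! the Linux peer currently announces only 10.217.40.0/24.
! maximum-paths ibgp only affects iBGP paths; kept from the original.
 maximum-paths ibgp 2
!
ip nat inside source list NONAT interface Vlan1 overload
! Gateway-less default route (kept from the original); works only if the
! upstream answers proxy ARP.
ip route 0.0.0.0 0.0.0.0 Vlan1
! Exclude private-to-private traffic (including the GRE endpoint pair) from
! NAT so the tunnel and the advertised subnets reach the Linux side untranslated.
ip access-list extended NONAT
 deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
 deny   ip 172.16.0.0 0.15.255.255 172.16.0.0 0.15.255.255
 deny   ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
 deny   ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.0.0 0.0.255.255 172.16.0.0 0.15.255.255
 deny   ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
 deny   ip 172.16.0.0 0.15.255.255 192.168.0.0 0.0.255.255
! Kept from the original; its purpose is not explained by this document.
 deny   tcp any eq 22 any
 permit ip any any
! Crypto ACL: only the GRE endpoint pair is encrypted (mirrors
! leftsubnet/rightsubnet in ipsec.conf).
ip access-list extended VPN_to_10.217.40.0/16_112
 permit ip host 172.16.11.2 host 172.16.11.1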