# Site-to-site IPsec VPN configurations

Topology

[PC-1]----[VPN_DEVICE-1]----[VPN_DEVICE-2]----[PC-2]

[VPN_DEVICE-1] can be a Cisco ASA (ASA-1), a Cisco router (ROUTER-1) or an Openswan server (LINUX-1).
[VPN_DEVICE-2] can be a Cisco ASA (ASA-2), a Cisco router (ROUTER-2) or an Openswan server (LINUX-2).

[PC-1] eth0: 192.168.1.1/24

[VPN_DEVICE-1]
(ASA-1) e0/1, (ROUTER-1) fa0/1, (LINUX-1) fa0/1: 192.168.1.254/24
(ASA-1) e0/0, (ROUTER-1) fa0/0, (LINUX-1) fa0/0: 12.12.12.1/24

[VPN_DEVICE-2]
(ASA-2) e0/0, (ROUTER-2) fa0/0, (LINUX-2) fa0/0: 12.12.12.2/24
(ASA-2) e0/1, (ROUTER-2) fa0/1, (LINUX-2) fa0/1: 192.168.2.254/24

[PC-2] eth0: 192.168.2.1/24

Between two ASAs

ASA-1(config)# crypto ikev1 policy 1 ! crypto isakmp  -- Phase 1 (IKEv1) policy for the ASA-1 side; every value must match ASA-2's policy below
ASA-1(config-ikev1-policy)# authentication pre-share ! peers authenticate with the PSK configured under the tunnel-group
ASA-1(config-ikev1-policy)# encryption aes ! AES-128 (the Openswan example pins the same thing as "aes128")
ASA-1(config-ikev1-policy)# hash sha ! SHA-1 integrity; legacy choice kept for cross-platform parity
ASA-1(config-ikev1-policy)# group 2 ! DH group 2 = 1024-bit MODP (Openswan "modp1024"); fine for a lab, too small for production - prefer group 14 or higher, on both peers
ASA-1(config-ikev1-policy)# lifetime 86400 ! IKE SA lifetime in seconds (24 h); the Openswan example leaves ikelifetime at its default - verify the values agree in a mixed deployment
ASA-1(config)# crypto ikev1 am-disable ! main mode only: aggressive mode with a PSK exposes the peer identity and a PSK-derived hash to offline guessing
ASA-1(config)# crypto ikev1 enable outside ! crypto isakmp  -- accept IKE on the outside interface only
ASA-1(config)# tunnel-group 12.12.12.2 type ipsec-l2l ! LAN-to-LAN tunnel, keyed by the peer's public address
ASA-1(config)# tunnel-group 12.12.12.2 ipsec-attributes
ASA-1(config-tunnel-ipsec)# pre-shared-key SECRET_KEY ! placeholder - use a long random secret, identical on ASA-2
ASA-1(config)# access-list CRYPTO_ACL permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 ! "interesting traffic": local LAN -> remote LAN (ASA ACLs take subnet masks; ASA-2's list is the mirror image)
ASA-1(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac ! Phase 2: ESP with AES and SHA-1 HMAC (Openswan phase2alg "aes128-sha1")
ASA-1(config)# crypto map CRYPTO_MAP 1 set peer 12.12.12.2
ASA-1(config)# crypto map CRYPTO_MAP 1 match address CRYPTO_ACL ! only traffic matching the ACL is encrypted
ASA-1(config)# crypto map CRYPTO_MAP 1 set transform-set TRANSFORM_SET
ASA-1(config)# crypto map CRYPTO_MAP 1 set pfs group2 ! fresh DH exchange on every Phase-2 rekey; same group-2 caveat as above
ASA-1(config)# crypto map CRYPTO_MAP interface outside ! the map does nothing until bound to an interface
ASA-1(config)# route outside 192.168.2.0 255.255.255.0 12.12.12.2 ! remote LAN is reached via the peer, so it exits outside and hits the crypto map
ASA-1(config)# object network INSIDE_NET
ASA-1(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA-1(config)# object network OUTSIDE_NET
ASA-1(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA-1(config)# nat (inside,outside) source static INSIDE_NET INSIDE_NET
destination static OUTSIDE_NET OUTSIDE_NET ! (continuation of the previous line) identity NAT: LAN-to-LAN traffic keeps its private addresses, otherwise it would never match CRYPTO_ACL
ASA-1(config)# sysopt connection permit-vpn ! permit-ipsec or use an outside ACL  -- decrypted VPN traffic bypasses the outside interface ACL; if the remote site must not have unrestricted access to inside, remove this and filter with an explicit outside ACL instead
ASA-2(config)# crypto ikev1 policy 1 ! crypto isakmp  -- Phase 1 policy on the ASA-2 side; identical to ASA-1's (only addresses and ACL direction differ below)
ASA-2(config-ikev1-policy)# authentication pre-share
ASA-2(config-ikev1-policy)# encryption aes ! AES-128
ASA-2(config-ikev1-policy)# hash sha ! SHA-1
ASA-2(config-ikev1-policy)# group 2 ! 1024-bit MODP - lab value, see the group-2 note on ASA-1
ASA-2(config-ikev1-policy)# lifetime 86400 ! seconds
ASA-2(config)# crypto ikev1 am-disable ! main mode only
ASA-2(config)# crypto ikev1 enable outside ! crypto isakmp
ASA-2(config)# tunnel-group 12.12.12.1 type ipsec-l2l ! peer is ASA-1's outside address
ASA-2(config)# tunnel-group 12.12.12.1 ipsec-attributes
ASA-2(config-tunnel-ipsec)# pre-shared-key SECRET_KEY ! must be the same secret as on ASA-1
ASA-2(config)# access-list CRYPTO_ACL permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 ! mirror of ASA-1's ACL: local 192.168.2.0 -> remote 192.168.1.0
ASA-2(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac ! Phase 2, same proposal as ASA-1
ASA-2(config)# crypto map CRYPTO_MAP 1 set peer 12.12.12.1
ASA-2(config)# crypto map CRYPTO_MAP 1 match address CRYPTO_ACL
ASA-2(config)# crypto map CRYPTO_MAP 1 set transform-set TRANSFORM_SET
ASA-2(config)# crypto map CRYPTO_MAP 1 set pfs group2 ! PFS must be enabled on both ends or Phase 2 fails
ASA-2(config)# crypto map CRYPTO_MAP interface outside
ASA-2(config)# route outside 192.168.1.0 255.255.255.0 12.12.12.1 ! remote LAN via ASA-1
ASA-2(config)# object network INSIDE_NET
ASA-2(config-network-object)# subnet 192.168.2.0 255.255.255.0
ASA-2(config)# object network OUTSIDE_NET
ASA-2(config-network-object)# subnet 192.168.1.0 255.255.255.0
ASA-2(config)# nat (inside,outside) source static INSIDE_NET INSIDE_NET
destination static OUTSIDE_NET OUTSIDE_NET ! (continuation of the previous line) identity NAT so LAN-to-LAN traffic stays untranslated and matches CRYPTO_ACL
ASA-2(config)# sysopt connection permit-vpn ! permit-ipsec or use an outside ACL  -- same bypass caveat as on ASA-1

Between two IOS routers

ROUTER-1(config)# crypto isakmp policy 1 ! Phase 1 (IKEv1) policy; same parameters as the ASA example so the platforms interoperate
ROUTER-1(config-isakmp)# authentication pre-share ! PSK, defined with "crypto isakmp key" below
ROUTER-1(config-isakmp)# encryption aes ! AES-128
ROUTER-1(config-isakmp)# hash sha ! SHA-1
ROUTER-1(config-isakmp)# group 2 ! 1024-bit MODP - lab value; prefer group 14 or higher in production, on both peers
ROUTER-1(config-isakmp)# lifetime 86400 ! IKE SA lifetime in seconds
ROUTER-1(config)# crypto isakmp aggressive-mode disable ! main mode only (same reason as the ASA "am-disable")
ROUTER-1(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.2 ! "0" = key typed in clear text and shown in clear text in the running-config; placeholder - use a long random secret, and consider IOS type-6 key encryption (key config-key password-encrypt + password encryption aes) to keep it out of "show run"
ROUTER-1(config)# crypto isakmp enable ! explicit; ISAKMP is on by default on most IOS releases
ROUTER-1(config)# ip access-list extended CRYPTO_ACL
ROUTER-1(config-ext-nacl)# permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 ! interesting traffic; IOS ACLs use wildcard masks, not the subnet masks the ASA takes
ROUTER-1(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac ! Phase 2: ESP with AES and SHA-1 HMAC
ROUTER-1(config)# crypto map CRYPTO_MAP 1 ipsec-isakmp ! keys negotiated by ISAKMP, not manual keying
ROUTER-1(config-crypto-map)# set peer 12.12.12.2
ROUTER-1(config-crypto-map)# match address CRYPTO_ACL
ROUTER-1(config-crypto-map)# set transform-set TRANSFORM_SET
ROUTER-1(config-crypto-map)# set pfs group2 ! PFS on Phase-2 rekey; matches Openswan pfs=yes with modp1024
ROUTER-1(config)# interface fa0/0 ! WAN side, 12.12.12.1/24
ROUTER-1(config-if)# crypto map CRYPTO_MAP ! the map only takes effect once bound here
ROUTER-1(config-if)# ip nat outside
ROUTER-1(config)# interface fa0/1 ! LAN side, 192.168.1.254/24
ROUTER-1(config-if)# ip nat inside
ROUTER-1(config)# ip route 192.168.2.0 255.255.255.0 12.12.12.2 ! remote LAN via the peer
ROUTER-1(config)# ip access-list extended ACL_NONAT ! NAT-exemption list: "deny" here means "do not translate"
ROUTER-1(config-ext-nacl)# deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 ! LAN-to-LAN traffic keeps its private addresses so it still matches CRYPTO_ACL (IOS applies NAT before the crypto map on inside-to-outside traffic)
ROUTER-1(config-ext-nacl)# permit ip any any ! everything else gets PAT'd
ROUTER-1(config)# ip nat inside source list ACL_NONAT interface fa0/0 overload ! PAT behind the fa0/0 address
ROUTER-2(config)# crypto isakmp policy 1 ! Phase 1 policy on the ROUTER-2 side; identical to ROUTER-1's (only addresses and ACL direction differ)
ROUTER-2(config-isakmp)# authentication pre-share
ROUTER-2(config-isakmp)# encryption aes ! AES-128
ROUTER-2(config-isakmp)# hash sha ! SHA-1
ROUTER-2(config-isakmp)# group 2 ! 1024-bit MODP - see the group-2 note on ROUTER-1
ROUTER-2(config-isakmp)# lifetime 86400 ! seconds
ROUTER-2(config)# crypto isakmp aggressive-mode disable ! main mode only
ROUTER-2(config)# crypto isakmp key 0 SECRET_KEY address 12.12.12.1 ! same secret as on ROUTER-1; "0" = clear-text key in the config, see the note on ROUTER-1
ROUTER-2(config)# crypto isakmp enable
ROUTER-2(config)# ip access-list extended CRYPTO_ACL
ROUTER-2(config-ext-nacl)# permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 ! mirror of ROUTER-1's ACL: local 192.168.2.0 -> remote 192.168.1.0
ROUTER-2(config)# crypto ipsec transform-set TRANSFORM_SET esp-aes esp-sha-hmac ! Phase 2, same proposal as ROUTER-1
ROUTER-2(config)# crypto map CRYPTO_MAP 1 ipsec-isakmp
ROUTER-2(config-crypto-map)# set peer 12.12.12.1
ROUTER-2(config-crypto-map)# match address CRYPTO_ACL
ROUTER-2(config-crypto-map)# set transform-set TRANSFORM_SET
ROUTER-2(config-crypto-map)# set pfs group2 ! PFS must be enabled on both ends
ROUTER-2(config)# interface fa0/0 ! WAN side, 12.12.12.2/24
ROUTER-2(config-if)# crypto map CRYPTO_MAP
ROUTER-2(config-if)# ip nat outside
ROUTER-2(config)# interface fa0/1 ! LAN side, 192.168.2.254/24
ROUTER-2(config-if)# ip nat inside
ROUTER-2(config)# ip route 192.168.1.0 255.255.255.0 12.12.12.1 ! remote LAN via ROUTER-1
ROUTER-2(config)# ip access-list extended ACL_NONAT ! NAT exemption, mirror of ROUTER-1's
ROUTER-2(config-ext-nacl)# deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255 ! keep LAN-to-LAN traffic untranslated so it matches CRYPTO_ACL
ROUTER-2(config-ext-nacl)# permit ip any any
ROUTER-2(config)# ip nat inside source list ACL_NONAT interface fa0/0 overload ! PAT behind the fa0/0 address

Between two Openswan servers

LINUX-1# route add default gw 12.12.12.2  # default route towards the peer (lab shortcut: the only other network sits behind LINUX-2)
LINUX-1# echo 1 > /proc/sys/net/ipv4/ip_forward  # turn the box into a router; not persistent across reboot, set it in sysctl.conf as well
LINUX-1# iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT  # -I puts this rule first: LAN-to-LAN traffic leaves the nat table untranslated, otherwise it would not match the conn's leftsubnet/rightsubnet
LINUX-1# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to 12.12.12.1 -o eth0  # all other LAN traffic is source-NATed; assumes eth0 is the 12.12.12.1 uplink (the topology labels it fa0/0) - confirm. No filter-table rules are shown, so FORWARD/INPUT must already allow the LAN traffic plus UDP/500 and ESP from the peer
LINUX-1# cat /etc/ipsec.conf
version 2.0
# global pluto settings
config setup
 dumpdir=/var/run/pluto/
 # no NAT between the two public addresses in this topology, so NAT-T is not needed
 nat_traversal=no
 # opportunistic encryption off: only the explicitly configured conn is allowed
 oe=off
 # native Linux kernel IPsec stack
 protostack=netkey
# the site-to-site tunnel; left/right are just labels, Openswan picks the local side by matching its own addresses
conn LINUX-2
 type=tunnel
 left=12.12.12.1
 leftsubnet=192.168.1.0/24
 right=12.12.12.2
 rightsubnet=192.168.2.0/24
 # PSK taken from ipsec.secrets (see below)
 authby=secret
 # PFS on Phase-2 rekey, matching "set pfs group2" on the Cisco side
 pfs=yes
 # main mode only, as on the Cisco examples
 aggrmode=no
 # Phase 1: AES-128 / SHA-1 / DH group 2 - the same legacy set as the Cisco policies; modp1024 is a lab value, prefer modp2048 or better on both peers
 ike="aes128-sha1-modp1024"
 # Phase 2: ESP AES-128 / SHA-1 HMAC, PFS group modp1024 (Cisco esp-aes esp-sha-hmac + pfs group2)
 phase2alg="aes128-sha1;modp1024"
 # bring the tunnel up when the service starts
 auto=start
LINUX-1# cat /var/lib/openswan/ipsec.secrets.inc 
# <local> <peer> : PSK "<secret>" - placeholder; use a long random secret, identical on both peers, and keep this file readable by root only
12.12.12.1 12.12.12.2 : PSK "SECRET_KEY"
LINUX-1# service ipsec start  # starts pluto; auto=start then negotiates conn LINUX-2
LINUX-2# route add default gw 12.12.12.1  # default route towards the peer
LINUX-2# echo 1 > /proc/sys/net/ipv4/ip_forward  # enable forwarding; not persistent across reboot
LINUX-2# iptables -t nat -I POSTROUTING -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT  # inserted first so LAN-to-LAN traffic escapes the SNAT rule below and keeps its private addresses
LINUX-2# iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -j SNAT --to 12.12.12.2 -o eth0  # everything else from the LAN is source-NATed; assumes eth0 is the 12.12.12.2 uplink - confirm. No filter-table rules are shown here either
LINUX-2# cat /etc/ipsec.conf
version 2.0
# global settings, identical to LINUX-1
config setup
 dumpdir=/var/run/pluto/
 nat_traversal=no
 oe=off
 protostack=netkey
# same left/right as on LINUX-1: Openswan works out which side is local from its own addresses, so the conn body is the same text on both peers
conn LINUX-1
 # NOTE(review): type=tunnel is omitted here but present on LINUX-1; tunnel is Openswan's default, so behaviour is the same - add it for symmetry
 left=12.12.12.1
 leftsubnet=192.168.1.0/24
 right=12.12.12.2
 rightsubnet=192.168.2.0/24
 authby=secret
 pfs=yes
 aggrmode=no
 # Phase 1 / Phase 2 proposals must match LINUX-1 (and the Cisco policies) exactly
 ike="aes128-sha1-modp1024"
 phase2alg="aes128-sha1;modp1024"
 auto=start
LINUX-2# cat /var/lib/openswan/ipsec.secrets.inc 
# same line as on LINUX-1: the PSK must be identical on both peers; keep the file readable by root only
12.12.12.1 12.12.12.2 : PSK "SECRET_KEY"
LINUX-2# service ipsec start  # starts pluto; with auto=start on both ends either side can initiate
