IPsec - The Evil Cisco Concentrator

Thu 22 June 2006

Filed under Sec.

Tags IPsec Security

Cisco VPN concentrators are a regular occurrence in the field, and they can be the bane of your life. There is, however, one simple change that makes them work consistently when several subnets, each with its own policy, are routed through the same tunnel.

In your /etc/ipsec.conf, set the policy level to 'unique' instead of 'require'.

The spdadd syntax is covered in the setkey(8) man page, and in plenty of places online. My focus is the policy level, the last field of the policy string (esp/tunnel/<src>-<dst>/<level>). I have only ever seen it set to 'require', but recently I discovered 'unique' as well as 'unique:<1-32768>'. With 'require', every policy that names the same pair of tunnel endpoints is satisfied by one shared SA. With 'unique', each policy is bound to its own SA, so Phase 2 is negotiated per policy with that policy's own selectors, which is what the Cisco side expects when it has several network pairs configured for the tunnel. 'unique:<n>' binds all policies carrying the same number to one SA, so you can negotiate per group instead of per policy. Here is my example of a config which works with a large Cisco VPN concentrator.

Consider this policy file:

/etc/ipsec.conf

#### Tunnel: CheeseSteak Club
  spdadd 88.88.30.231       192.168.1.240/28 any -P in  ipsec esp/tunnel/88.88.30.231-66.66.177.102/require;
  spdadd 192.168.1.240/28   88.88.30.231     any -P out ipsec esp/tunnel/66.66.177.102-88.88.30.231/require;

  spdadd 99.99.0.0/16       192.168.1.240/28 any -P in  ipsec esp/tunnel/88.88.30.231-66.66.177.102/require;
  spdadd 192.168.1.240/28   99.99.0.0/16     any -P out ipsec esp/tunnel/66.66.177.102-88.88.30.231/require;

  spdadd 99.99.0.0/16       66.66.177.102    any -P in  ipsec esp/tunnel/88.88.30.231-66.66.177.102/require;
  spdadd 66.66.177.102      99.99.0.0/16     any -P out ipsec esp/tunnel/66.66.177.102-88.88.30.231/require;

#### Tunnel: Guinness Brewery Concentrator
  spdadd 44.44.82.31         192.168.1.0/24  any -P in  ipsec esp/tunnel/44.44.82.31-66.66.177.102/unique;
  spdadd 192.168.1.0/24          44.44.82.31 any -P out ipsec esp/tunnel/66.66.177.102-44.44.82.31/unique;

 ## Main Net (ireland)
  spdadd 10.1.30.205          192.168.1.0/24 any -P in  ipsec esp/tunnel/44.44.82.31-66.66.177.102/unique;
  spdadd 192.168.1.0/24          10.1.30.205 any -P out ipsec esp/tunnel/66.66.177.102-44.44.82.31/unique;

  spdadd 10.1.30.205          66.66.177.102  any -P in  ipsec esp/tunnel/44.44.82.31-66.66.177.102/unique;
  spdadd 66.66.177.102   10.1.30.205         any -P out ipsec esp/tunnel/66.66.177.102-44.44.82.31/unique;


 ## Mainland Dist. Net (America: New York)
  spdadd 10.1.30.210          192.168.1.0/24 any -P in  ipsec esp/tunnel/44.44.82.31-66.66.177.102/unique;
  spdadd 192.168.1.0/24          10.1.30.210 any -P out ipsec esp/tunnel/66.66.177.102-44.44.82.31/unique;

  spdadd 10.1.30.210          66.66.177.102  any -P in  ipsec esp/tunnel/44.44.82.31-66.66.177.102/unique;
  spdadd 66.66.177.102   10.1.30.210         any -P out ipsec esp/tunnel/66.66.177.102-44.44.82.31/unique;


 ## Western Region Sales (America: Seattle, Wa)
  spdadd 10.2.30.200          192.168.1.0/24 any -P in  ipsec esp/tunnel/44.44.82.31-66.66.177.102/unique;
  spdadd 192.168.1.0/24          10.2.30.200 any -P out ipsec esp/tunnel/66.66.177.102-44.44.82.31/unique;

  spdadd 10.2.30.200          66.66.177.102  any -P in  ipsec esp/tunnel/44.44.82.31-66.66.177.102/unique;
  spdadd 66.66.177.102   10.2.30.200         any -P out ipsec esp/tunnel/66.66.177.102-44.44.82.31/unique;


 ## Backup Network (America: Cheyenne, WY)
  spdadd 172.16.106.10        192.168.1.0/24 any -P in  ipsec esp/tunnel/44.44.82.31-66.66.177.102/unique;
  spdadd 192.168.1.0/24       172.16.106.10  any -P out ipsec esp/tunnel/66.66.177.102-44.44.82.31/unique;
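Before loading a file like the one above with setkey, it is worth checking it for exactly the problem this post describes: several 'require' policies sharing one pair of gateway addresses, which the kernel serves from a single SA. The following lint script is an added example written for this page, not code from the post; it parses the spdadd subset shown above (IPv4 selectors, in/out/fwd, esp/ah/ipcomp in tunnel or transport mode), groups 'require' tunnel policies by direction and gateway pair, reports policies whose reverse-direction twin is missing, and applies the post's fix by rewriting the flagged lines to 'unique'. The sample policies are constructed from the post's addresses plus one extra line (an explicit reqid with no 'out' twin) to exercise the checks.

```python
"""Lint a setkey(8) policy file for 'require' entries that would share one SA.

Added example, not code from the post.  Several 'require' policies between the
same two gateways all match a single SA, while the concentrator expects a
Phase 2 SA per selector pair.  The checks and the sample are this example's own.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SPDADD_RE = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<upper>\S+)\s+"
    r"-P\s+(?P<direction>in|out|fwd)\s+ipsec\s+(?P<policy>\S+?)\s*;$"
)
# <proto>/<mode>/[<gw-src>-<gw-dst>]/<level>, e.g. esp/tunnel/1.2.3.4-5.6.7.8/unique:7
POLICY_RE = re.compile(
    r"^(?P<proto>esp|ah|ipcomp)/(?P<mode>tunnel|transport)/"
    r"(?:(?P<tsrc>[^-/]+)-(?P<tdst>[^/]+))?/"
    r"(?P<level>default|use|require|unique(?::\d+)?)$"
)


@dataclass(frozen=True)
class Policy:
    lineno: int
    src: str                  # selector source (host or prefix)
    dst: str                  # selector destination
    direction: str            # in / out / fwd
    tunnel: Tuple[str, str]   # (gateway src, gateway dst); ("", "") in transport mode
    level: str                # default / use / require / unique
    reqid: Optional[int]      # the N in unique:N, else None


def parse_spd(text: str) -> List[Policy]:
    """Parse every spdadd line; blank lines and '#' comments are skipped."""
    policies = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SPDADD_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a spdadd entry: {line}")
        p = POLICY_RE.match(m["policy"])
        if not p:
            raise ValueError(f"line {lineno}: bad policy string: {m['policy']}")
        level, _, reqid = p["level"].partition(":")
        policies.append(Policy(lineno, m["src"], m["dst"], m["direction"],
                               (p["tsrc"] or "", p["tdst"] or ""),
                               level, int(reqid) if reqid else None))
    return policies


def shared_sa_groups(policies: List[Policy]) -> Dict[tuple, List[Policy]]:
    """'require' tunnel policies grouped by (direction, gateway pair), keeping only
    groups covering more than one selector pair: one SA would serve all of them."""
    groups = defaultdict(list)
    for p in policies:
        if p.level == "require" and p.tunnel != ("", ""):
            groups[(p.direction, p.tunnel)].append(p)
    return {k: v for k, v in groups.items()
            if len({(p.src, p.dst) for p in v}) > 1}


def unmirrored(policies: List[Policy]) -> List[Policy]:
    """Policies with no reverse-direction twin (swapped selectors, swapped gateways)."""
    seen = {(p.direction, p.src, p.dst, p.tunnel) for p in policies}
    flip = {"in": "out", "out": "in"}
    return [p for p in policies if p.direction in flip
            and (flip[p.direction], p.dst, p.src, p.tunnel[::-1]) not in seen]


def fix_text(text: str) -> str:
    """Apply the post's fix: switch each flagged line from require to unique."""
    flagged = {p.lineno for grp in shared_sa_groups(parse_spd(text)).values()
               for p in grp}
    return "\n".join(re.sub(r"/require\s*;", "/unique;", raw) if n in flagged else raw
                     for n, raw in enumerate(text.splitlines(), 1))


# Constructed sample: the CheeseSteak tunnel from the post (two selector pairs on
# one 'require' tunnel), one 'unique' pair, and one extra constructed line.
SAMPLE = """\
#### Tunnel: CheeseSteak Club
spdadd 88.88.30.231     192.168.1.240/28 any -P in  ipsec esp/tunnel/88.88.30.231-66.66.177.102/require;
spdadd 192.168.1.240/28 88.88.30.231     any -P out ipsec esp/tunnel/66.66.177.102-88.88.30.231/require;
spdadd 99.99.0.0/16     192.168.1.240/28 any -P in  ipsec esp/tunnel/88.88.30.231-66.66.177.102/require;
spdadd 192.168.1.240/28 99.99.0.0/16     any -P out ipsec esp/tunnel/66.66.177.102-88.88.30.231/require;
#### Tunnel: Guinness Brewery Concentrator
spdadd 10.1.30.205    192.168.1.0/24 any -P in  ipsec esp/tunnel/44.44.82.31-66.66.177.102/unique;
spdadd 192.168.1.0/24 10.1.30.205    any -P out ipsec esp/tunnel/66.66.177.102-44.44.82.31/unique;
# constructed: explicit reqid, and deliberately missing its 'out' twin
spdadd 10.1.30.210    192.168.1.0/24 any -P in  ipsec esp/tunnel/44.44.82.31-66.66.177.102/unique:7;
"""

if __name__ == "__main__":
    pols = parse_spd(SAMPLE)
    for (direction, gws), grp in shared_sa_groups(pols).items():
        print(f"{direction} {gws[0]}->{gws[1]}: lines {[p.lineno for p in grp]} share one SA")
    for p in unmirrored(pols):
        print(f"line {p.lineno}: no matching {'out' if p.direction == 'in' else 'in'} policy")
    print(fix_text(SAMPLE))
```

Run it against the real file with `python lint_spd.py < /etc/ipsec.conf` after swapping SAMPLE for `sys.stdin.read()`; the grouping key deliberately ignores the selectors, because two policies with different selectors but the same gateway pair and 'require' is precisely the case that collapses onto one SA.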

Up To Something © Joshua M Schmidlkofer