Solved

IPSec Network Question

Posted on 2002-07-24
Last Modified: 2013-12-06
Hello Experts:

I have a question concerning IPSEC.  I have been given a request for proposal to set up a tunnel between locations.  The existing sites have the following equipment:

Site #1: Cayman 3220-H Router
Site #2: Linux Red Hat 7.0

Both are capable of using IPSEC, but my question is, is it possible to set up a tunnel between these two devices?
Question by:escheider
19 Comments

Author Comment

by:escheider
Linux is using FreeS/WAN

Expert Comment

by:SteveJ
If they both have IPSEC implementations, yes. Or is that what you're asking? You simply set up authentication like IKE and establish an encryption method like MD5 or DES or whatever using the WAN IP addresses of each box.

So . . . you'd set up IKE on both ends, supply a hard coded key (the easiest way) then indicate to both sides which encryption method to use in the inbound stream, bring up the interfaces and you've established the tunnel.

I've done this with Cisco to Bay, Cisco to 3Com, and Cisco to Cisco . . . I had the luxury of having all the equipment within arm's reach (cabled back-to-back) to verify the configs before I sent them out.

Good luck.
Steve


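Steve's recipe is the IKE (ISAKMP) negotiation on UDP port 500. When a new tunnel refuses to come up, the first useful check is whether the two boxes are actually exchanging IKE and in which mode, which you can see with `tcpdump -x udp port 500` on the Linux end. The parser below is an added example written for this page, not code from the thread, from FreeS/WAN or from Cayman; it decodes the fixed 28-byte ISAKMP header and the cleartext payload chain of an IKEv1 message per RFC 2408/2409, and flags a few things worth noticing. The three sample messages at the bottom are constructed in the script (assumed cookies and address), not real captures.

```python
import struct

# Exchange types from RFC 2408 section 3.1 and RFC 2409 appendix A.
EXCHANGE_TYPES = {
    0: "NONE", 1: "Base", 2: "Identity Protection (Main Mode)",
    3: "Authentication Only", 4: "Aggressive", 5: "Informational",
    32: "Quick Mode", 33: "New Group Mode",
}
# Payload types from RFC 2408 section 3.1.
PAYLOAD_TYPES = {
    0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT", 7: "CR",
    8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID",
}
FLAG_ENCRYPTION = 0x01       # E bit: everything after the header is ciphertext
HEADER_FMT = "!8s8sBBBBII"   # I-cookie, R-cookie, next, version, exch, flags, msgid, len
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 28 bytes


def parse_isakmp(pkt: bytes) -> dict:
    """Decode one ISAKMP datagram; raise ValueError on anything malformed."""
    if len(pkt) < HEADER_LEN:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, nxt, version, exch, flags, msg_id, length = struct.unpack(
        HEADER_FMT, pkt[:HEADER_LEN])
    if version >> 4 != 1:
        raise ValueError(f"not IKEv1 (major version {version >> 4})")
    if length != len(pkt):
        raise ValueError(f"length field {length} != datagram length {len(pkt)}")
    encrypted = bool(flags & FLAG_ENCRYPTION)
    payloads = []
    if not encrypted:
        # Walk the generic payload headers: next-payload (1), reserved (1), length (2).
        off = HEADER_LEN
        while nxt != 0:
            if off + 4 > len(pkt):
                raise ValueError("truncated payload header")
            nxt_after, _reserved, plen = struct.unpack("!BBH", pkt[off:off + 4])
            if plen < 4 or off + plen > len(pkt):
                raise ValueError("bad payload length")
            payloads.append(PAYLOAD_TYPES.get(nxt, f"type{nxt}"))
            off += plen
            nxt = nxt_after
        if off != len(pkt):
            raise ValueError("trailing bytes after last payload")
    return {
        "initiator_cookie": icookie.hex(),
        "responder_cookie": rcookie.hex(),
        "exchange_type": exch,
        "exchange": EXCHANGE_TYPES.get(exch, f"type{exch}"),
        "encrypted": encrypted,
        "message_id": msg_id,
        # RFC 2409: the message ID is 0 throughout phase 1, random per phase 2 exchange.
        "phase": 1 if msg_id == 0 else 2,
        "payloads": payloads,
    }


def check(pkt: bytes) -> list:
    """Findings a practitioner cares about when verifying a new tunnel."""
    info = parse_isakmp(pkt)
    findings = []
    if info["exchange_type"] == 4:
        # Aggressive Mode sends the identity in the clear and, with a pre-shared key,
        # exposes a hash that can be attacked offline; Main Mode avoids both.
        findings.append("aggressive mode: identity in clear, PSK hash offline-crackable")
    if info["exchange_type"] == 2 and info["responder_cookie"] == "0" * 16:
        findings.append("main mode message 1: responder cookie still zero")
    if info["exchange_type"] == 32 and not info["encrypted"]:
        findings.append("quick mode without E flag: not a valid phase 2 message")
    return findings


# --- constructed sample messages (assumed cookies/address, not real captures) ---
def build_isakmp(icookie, rcookie, exch, flags, msg_id, payloads):
    chain = b""
    for i, (ptype, body) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else 0
        chain += struct.pack("!BBH", nxt, 0, 4 + len(body)) + body
    first = payloads[0][0] if payloads else 0
    return struct.pack(HEADER_FMT, icookie, rcookie, first, 0x10, exch, flags,
                       msg_id, HEADER_LEN + len(chain)) + chain

SA_BODY = struct.pack("!II", 1, 1)     # DOI=IPsec, SIT_IDENTITY_ONLY; proposals omitted
ID_BODY = struct.pack("!BBH4s", 1, 0, 0, bytes([203, 0, 113, 10]))   # ID_IPV4_ADDR, assumed
ICOOKIE = bytes.fromhex("1122334455667788")

MAIN_MODE_MSG1 = build_isakmp(ICOOKIE, bytes(8), 2, 0, 0, [(1, SA_BODY), (13, b"example-vid")])
AGGRESSIVE_MSG1 = build_isakmp(ICOOKIE, bytes(8), 4, 0, 0,
                               [(1, SA_BODY), (4, bytes(128)), (10, bytes(16)), (5, ID_BODY)])
QUICK_MODE_MSG = build_isakmp(ICOOKIE, bytes.fromhex("8877665544332211"), 32,
                              FLAG_ENCRYPTION, 0x2A3B4C5D, [(8, bytes(16))])

if __name__ == "__main__":
    for name, msg in [("main", MAIN_MODE_MSG1), ("aggressive", AGGRESSIVE_MSG1),
                      ("quick", QUICK_MODE_MSG)]:
        info = parse_isakmp(msg)
        print(name, info["exchange"], "phase", info["phase"], info["payloads"], check(msg))
```

Feed it the UDP payload of each captured datagram. A healthy bring-up with a hard-coded key shows six Main Mode messages (message ID 0, the last four with the E flag set) followed by Quick Mode messages with a non-zero message ID; if you only ever see message 1 repeating, the far end is not answering on port 500 at all, which is a filtering or addressing problem rather than a proposal mismatch.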
 
Author Comment

by:escheider
Yes, I know they are both capable of IPSEC, and it appears that they both support IKE and 3des.  So I guess that does answer my question.

Author Comment

by:escheider
Ok steve, let me ask you another question.  Will it be a problem if one end is assigned a dynamic ip address?

Expert Comment

by:SteveJ
Yes, because when you configure IKE to authenticate the far end of the tunnel you'll have to define a peer address.

I don't know what it would be, but there may be some goofy way to work around this . . . I don't think there is with Cisco, Bay or 3Com but I'm not familiar with Cayman or the IPSEC / IKE implementation on FreeS/WAN. You'll probably have to get a permanent lease on the DHCP assigned address or remove an address from the pool to assign it as a static.

Good luck.
Steve

Expert Comment

by:mikecr
Steve is absolutely correct. You MUST have a static IP address that is available on both ends of the spectrum to be able to make this work. You CANNOT use dynamic address assignment as the RFC for IPSEC does not support this. As Steve says, a permanent lease would work, however, keep in mind, if you're setting up a tunnel over the internet, these IPs have to be valid on the internet to be able to pass traffic between them for tunneling or just encryption.

Oh, by the way Steve, MD5 is an authentication protocol and not an encryption protocol.
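For the Cayman-to-Linux tunnel escheider is being asked to set up, and for the dynamic-address question discussed above, this is what the FreeS/WAN side looks like. It is an added configuration example written for this page, not taken from the thread or from the FreeS/WAN or Cayman documentation; every address, subnet and key is an assumed placeholder, and the syntax is FreeS/WAN 1.x, the series current in 2002. Two FreeS/WAN facts shape it: it refuses single DES and proposes 3DES with MD5 or SHA1, DH group 2 or 5 (never group 1) and PFS on by default, so the Cayman must be set to matching proposals or phase 1 or phase 2 will fail; and it has a documented "road warrior" form, `right=%any`, for a peer without a fixed address. The catch with `%any` and a pre-shared key is that Main Mode looks the secret up by the peer's IP before any identity is exchanged, so every `%any` peer has to share the same PSK, which is why FreeS/WAN's own guidance for road warriors is RSA keys (`authby=rsasig`); whether the Cayman can do RSA signatures is not something the thread says.

```conf
# ---- /etc/ipsec.conf on the Red Hat box (Site #2), FreeS/WAN 1.x syntax ----
# All addresses and subnets below are assumed placeholders.
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search

conn %default
        keyexchange=ike
        authby=secret
        # 0 = never give up renegotiating if the peer is down
        keyingtries=0

# Site-to-site: both ends have fixed public addresses.
# left = this box, right = the Cayman 3220-H WAN side.
conn linux-to-cayman
        left=203.0.113.10
        leftsubnet=192.168.2.0/24
        leftnexthop=%defaultroute
        right=198.51.100.20
        rightsubnet=192.168.1.0/24
        rightnexthop=%defaultroute
        auto=start

# Variant if the Cayman gets a dynamic address (FreeS/WAN "road warrior" form).
# The static side can only wait for the peer, hence auto=add; the Cayman must initiate.
conn cayman-dynamic
        left=203.0.113.10
        leftsubnet=192.168.2.0/24
        leftnexthop=%defaultroute
        right=%any
        rightsubnet=192.168.1.0/24
        auto=add

# ---- /etc/ipsec.secrets (mode 0600, owned by root) ----
# Generate the values with "ipsec ranbits 256" rather than typing a passphrase;
# the strings here are placeholders, not usable keys.
203.0.113.10 198.51.100.20 : PSK "replace-with-the-ranbits-output"
# road-warrior variant: the single secret every %any peer will present
203.0.113.10 %any : PSK "replace-with-a-different-ranbits-output"
```

After `ipsec setup restart`, bring the static tunnel up by hand with `ipsec auto --up linux-to-cayman` and watch `/var/log/secure` for Pluto's "STATE_MAIN_I4" and "STATE_QUICK_I2" lines; `ipsec eroute` then shows the 192.168.2.0/24 to 192.168.1.0/24 route pointing at the tunnel. The same PSK must be entered on the Cayman, and the Cayman's phase 2 selectors must be the mirror image (its LAN as local, 192.168.2.0/24 as remote), or Quick Mode will be rejected even though phase 1 succeeded.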
 
Author Comment

by:escheider
Last question.

Any suggestions to make this process easier?  I understand the technology and have been doing quite a bit of reading on how to set it up, just wondering if you guys could make any suggestions so I can avoid some possible snafus?  (such as is Linux with FreeS/WAN a good selection or should a router be used instead that supports ipsec termination?)

Then I'll award points.  Thanks for all the suggestions so far.

Expert Comment

by:mikecr
Linux would be good if you were using an IPSEC connection to encrypt traffic between two computers, however, I would not use it as a termination point for an IPSEC connection that would be carrying a whole company's traffic. A router with the appropriate software installed would be the frontal point that I would use. This gives you the ability to configure everything at one location. Not only the IPSEC but also routing and any type of access lists that you may want to set up for accessing different sites/locations. Software is also more vulnerable to manipulation than firmware on a router. If your server becomes compromised then network access is gained. However with a router it is extremely hard to compromise it and not have the rest of the network know that something is going on.

Author Comment

by:escheider
hmmm, interesting point.  So the termination point could actually fall behind the frontal router/firewall.  I didn't know that.  So the IPSec 'box' could actually reside on a private address range?

Accepted Solution

by:SteveJ (earned 25 total points)
I didn't intentionally imply that the IPSec tunnel had to be on a point-to-point network . . . as I may have done when I told you I configured the routers I was working with in a back-to-back environment. Actually, in the resulting configuration the two IPSec endpoints have several routers between them. One end of the IPSec tunnel is on a Cisco 2621 router in our group. The tunnel then goes through a large Cisco router, a Checkpoint firewall, through a corporate intranet, into another Checkpoint firewall, through another Cisco 7xxx and terminates in a Cisco 3660 router.

As far as linux and IPSec: IPSec is IPSec, IKE is IKE, and DES3 is DES3 whether it's on a Linux box, or a Cayman, Cisco, or Bob's Garage router. I don't disagree with mikecr to the extent that I'd want a box specifically designed for routing as opposed to a general purpose box with routing software.

Encryption / decryption takes a LOT of CPU. We're going to be upgrading the Cisco 2621 here because the throughput with IKE, MD5 and ESP has dropped by a factor of 10. Whatever "box" you use had better have quite a bit of memory and a boat load of CPU cycles available.

Good luck.
Steve

Expert Comment

by:mikecr
Steve, I would suggest saving some money if you're going to upgrade and getting a 1751 with the encryption module. Unless you have about 250 people behind it all needing to be encrypted it will serve your purpose well. The encryption module takes the load off of the CPU which helps to require less memory also.

Escheider, if you're going to go across the internet, the termination points of your connection must be live internet addresses, however, I have never tried it with a one to one nat but I believe it would be unlikely to work. They can be behind your router as long as they are live addresses. I currently have 42 IPSEC tunnels whose termination point goes from a Cisco 3620 or 1751 in the remote location and terminate on one 7206 at my location. This router is more than enough to handle the load, however unless you're going to need to do what we do, you won't need something that powerful. That's why I suggested the 1751 to Steve. I agree with him whole heartedly as it will use memory and CPU, doing it on a Linux box for me is not an option. If you're familiar with IPSEC, you know that you have two modes, tunnel or payload. You can create an Encrypted tunnel, or, encrypt the payload of the packets, or both. I currently do the tunnel portion but will be doing the payload portion soon at a couple locations. The best thing to do would be see how much traffic you would be generating that you would need to encrypt and this will help you figure out what kind of horsepower you will need.

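mikecr's two modes are what RFC 2406 calls tunnel mode (the whole inner IP packet becomes the ESP payload and a fresh outer header is added) and transport mode (only the layer-4 part is protected, with the original IP header left outside, which is why it suits host-to-host use rather than joining two LANs). The script below is an added example for this page, not code from the thread, from FreeS/WAN or from any router; it builds both encapsulations with the NULL cipher (RFC 2410) so it runs on the Python standard library alone, and uses HMAC-SHA1-96 (RFC 2404) for integrity. A real tunnel would use 3DES where the NULL cipher is, which changes the payload bytes and the padding alignment but not the framing. It also shows the property behind the one-to-one NAT question: the ESP ICV covers the ESP header and payload but not the outer IP header, so a static NAT that rewrites the outer addresses does not invalidate the packet (AH, whose ICV does cover the outer header, would break). The addresses, the TCP segment and the key are constructed here, not captured.

```python
import hashlib
import hmac
import struct

ESP_PROTO = 50          # IP protocol number carried in the outer header
IPPROTO_IPIP = 4        # ESP next-header value for tunnel mode: a whole IPv4 packet follows
IPPROTO_TCP = 6
ICV_LEN = 12            # HMAC-SHA1-96 (RFC 2404) keeps 96 bits of the 160-bit tag


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header, no options, with a correct header checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                                64, proto, 0, bytes(map(int, src.split("."))),
                                bytes(map(int, dst.split(".")))))
    total = sum(struct.unpack("!10H", hdr))
    total = (total >> 16) + (total & 0xFFFF)
    total += total >> 16
    struct.pack_into("!H", hdr, 10, ~total & 0xFFFF)
    return bytes(hdr)


def esp_encapsulate(spi: int, seq: int, auth_key: bytes, payload: bytes, next_header: int) -> bytes:
    """ESP (RFC 2406) with NULL encryption (RFC 2410) and HMAC-SHA1-96 integrity."""
    # Payload + padding + the two trailer bytes must end on a 4-byte boundary.
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))          # RFC 2406 default pad contents 1,2,3,...
    authed = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, authed, hashlib.sha1).digest()[:ICV_LEN]
    return authed + icv


def esp_decapsulate(auth_key: bytes, esp: bytes):
    """Verify the ICV and strip the trailer; return (spi, seq, next_header, payload)."""
    if len(esp) < 8 + 2 + ICV_LEN:
        raise ValueError("ESP too short")
    authed, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, authed, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch")      # forged or corrupted: a real stack drops it
    spi, seq = struct.unpack("!II", authed[:8])
    pad_len, next_header = authed[-2], authed[-1]
    body = authed[8:-2]
    if pad_len > len(body) or body[len(body) - pad_len:] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding")
    return spi, seq, next_header, body[:len(body) - pad_len]


def tunnel_mode(spi, seq, key, inner_packet: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Whole inner IP packet is the ESP payload; outer header carries the gateway addresses."""
    esp = esp_encapsulate(spi, seq, key, inner_packet, IPPROTO_IPIP)
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp


def transport_mode(spi, seq, key, packet: bytes) -> bytes:
    """Only the layer-4 part is protected; the original addresses stay in the clear."""
    ihl = (packet[0] & 0x0F) * 4
    hdr, l4 = packet[:ihl], packet[ihl:]
    esp = esp_encapsulate(spi, seq, key, l4, hdr[9])     # next header = original protocol
    src = ".".join(map(str, hdr[12:16]))
    dst = ".".join(map(str, hdr[16:20]))
    return ipv4_header(src, dst, ESP_PROTO, len(esp)) + esp


def receive(key: bytes, packet: bytes):
    """Undo either mode; return (mode, original IP packet)."""
    if packet[9] != ESP_PROTO:
        raise ValueError("not ESP")
    ihl = (packet[0] & 0x0F) * 4
    spi, seq, nh, payload = esp_decapsulate(key, packet[ihl:])
    if nh == IPPROTO_IPIP:
        return "tunnel", payload                      # payload is the complete inner packet
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    return "transport", ipv4_header(src, dst, nh, len(payload)) + payload


# Constructed sample: a TCP SYN between two assumed private LANs, sent via assumed gateways.
KEY = bytes(range(20))
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)
INNER = ipv4_header("192.168.1.10", "192.168.2.20", IPPROTO_TCP, len(TCP_SYN)) + TCP_SYN
TUNNEL_PKT = tunnel_mode(0x1000, 1, KEY, INNER, "198.51.100.20", "203.0.113.10")
TRANSPORT_PKT = transport_mode(0x1001, 1, KEY, INNER)

if __name__ == "__main__":
    print("tunnel   :", len(TUNNEL_PKT), "bytes, outer", TUNNEL_PKT[12:16].hex(), "->", TUNNEL_PKT[16:20].hex())
    print("transport:", len(TRANSPORT_PKT), "bytes, outer", TRANSPORT_PKT[12:16].hex(), "->", TRANSPORT_PKT[16:20].hex())
    print(receive(KEY, TUNNEL_PKT)[0], receive(KEY, TRANSPORT_PKT)[0])
```

The tunnel-mode packet travels between the two gateway addresses with the 192.168.x.x addresses inside the protected payload, which is what lets private LANs talk across the internet; the transport-mode packet still has 192.168.1.10 and 192.168.2.20 on the outside, so it only makes sense when those two hosts can already reach each other. The "packet bigger by 44 bytes plus padding" overhead you can read off the lengths is also part of why Steve sees the CPU load he describes: every packet gets a new header, an HMAC and, with a real cipher, a 3DES pass.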
 
Expert Comment

by:SteveJ
In fact I have more than a hundred devices that ship data across this link which is why I was going for the larger box. I don't have experience with the 1751 and the 3660 at the far end seems to handle the load just fine (the 2621 here stays at about 80% CPU constantly).

By the way (I have played with this in the lab) you CAN configure a private-to-private network with static NAT across the internet. I pulled a document off the Cisco site that tells how. The config looks a little goofy because of the order of operation on NAT and the way ACLs work.

Steve

Expert Comment

by:mikecr
I was wondering if it could be done. I was thinking about it in a meeting the other day.

Expert Comment

by:SteveJ
I'm no "rocket scientist". I needed Cisco Document 14144 to pull it off.

Steve

Author Comment

by:escheider
OK, got it working ... but I don't know who I should award points to?  Both were very helpful.

Expert Comment

by:mikecr
You can create another question if you wish and assign it zero points then have someone answer it and award them points.

Author Comment

by:escheider
Thank you for all of your help .. I actually got it working .. yippee.  Mike, I will be creating the question as you suggested to award you points as well.

thanks again

Expert Comment

by:mikecr
No problem. If there is anything else we can do for you, let us know.

Author Comment

by:escheider
mike

I have created the question and I am awaiting your acceptance of the points.