How to terminate Cisco Virtual Tunnel Interface with Linux?

Question

I am trying to replace a Cisco router with a GNU Debian/Linux router. This Cisco router terminates a VPN connection that was setup using VTI. Could someone please help me what software and configuration to use on Debian?

This is a summary from the working configuration on the Cisco router. I have replaced some sensible parts with text in angle brackets. I have no control over the other end of the IPSEC tunnel:

crypto pki trustpoint TP-self-signed-<keyid>
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-<keyid>
 revocation-check none
 rsakeypair TP-self-signed-<keyid>
!
no ip subnet-zero
no ip source-route
ip auth-proxy max-nodata-conns 3
ip admission source-interface Vlan1
ip admission max-nodata-conns 3
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <password> address <remote public IP>
!
crypto ipsec transform-set <xform name> esp-3des esp-sha-hmac
!
crypto ipsec profile <profile name>
 set transform-set <xform name>
!
interface Tunnel98
 ip address <local private tunnel IP> 255.255.255.252
 no ip redirects
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source Dialer1
 tunnel destination <remote public IP>
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile <profile name>
!
interface Vlan1
 ip address <local private IP> 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
interface Dialer1
 ip address negotiated
 ip access-group to-internet out
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username <ppp username> password 7 <ppp password>
 ppp ipcp dns request
 ppp ipcp route default
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.<remote private subnet 1>.0.0 255.255.0.0 <remote private tunnel IP> name <remote net 1 description>
ip route 10.<remote private subnet 2>.0.0 255.255.0.0 <remote private tunnel IP> name <remote net 2 description>
!
ip nat inside source list natacl interface Dialer1 overload
!
ip access-list standard natacl
 permit <local private net> 0.0.0.255
!
ip access-list extended to-internet
 deny   ip any 10.0.0.0 0.255.255.255
 deny   ip any 172.16.0.0 0.15.255.255
 deny   ip any 192.168.0.0 0.0.255.255
 permit ip any any
!
dialer-list 1 protocol ip permit
no cdp run

Thanks for your insights in advance!

Pieter · Answer 1 · 2018-08-30T08:23:37.217

5

VTI support has just been added to Linux. 3.6 Kernel

https://kernelnewbies.org/Linux_3.6#Networking

edited Aug 30 '18 at 08:23

answered Oct 13 '12 at 05:57

Pieter

778
7
11

score 1 · Answer 2 · answered May 29 '09 at 19:02

1

To terminate an IPsec VPN you probably want to look at Openswan or strongSwan.

The Openswan wiki has an entry on interoperability with Cisco:

http://wiki.openswan.org/index.php/Interop/InteroperatingCisco

answered May 29 '09 at 19:02

allaryin

323
4
10

How to terminate Cisco Virtual Tunnel Interface with Linux?

2 Answers2