I've been building IPSEC 3DES VPNs for some time with Cisco gear at
both ends - typically 5-50 remote branch locations on broadband back
in to the central site on a leased line.

Hardware has been Cisco 837-K9 routers at the remote sites and depending
on the number of sites a PIX506E or PIX515E at the center - this works.

For some of the stuff that I'm implementing I now want to keep the 837-K9s
at remote locations running both local internet access and 3DES tunnels
but want to land the VPN/tunnel on a Linux box running Fedora Core 3.

Assuming that the FC3 box is up-to-date, what is the best way to configure
the Linux box to act as a peer with my remote sites? Where "best" means
straightforward to configure/understand/maintain with a minimum of effort...

Googling for "IPSEC Linux HOWTO" results in conflicting and confusing
advice regarding OpenSWAN, FreeSWAN, Racoon, isakmpd, kernel-based
support versus userland, etc. etc... there look to be so many choices...
and it's not clear what has become de facto best practice... in particular
where Fedora FC3 is involved...

Consider an 837-K9 on a broadband connection with a single, fixed, IP address
on the outside ( and internal LAN subnet with the
router being

The corresponding peer (FC3 box) might have the public IP address
and have an internal network but also have other routed/reachable
subnets such as and, so the FC3 box has:

eth0: outside (public internet)
eth1: inside (private network)

We need to use 3DES, MD5, Group1, pre-shared keys, with an SA lifetime
of 64800 seconds (18 hours) -- why? because that bit's been mandated by
the thought police for the project ;o)

Here are some snippets of config from a typical 837 at a remote site:

crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
lifetime 64800
crypto isakmp key 0 let_me_in address no-xauth
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 ipsec-isakmp
set peer
set transform-set myset
match address 150

and the ACLs on the 837-K9 would include:

access-list 101 remark *** Allow IPSEC traffic from center ***
access-list 101 permit ahp host host
access-list 101 permit esp host host
access-list 101 permit udp host host eq isakmp

as part of the input ACL on the Dialler-1 interface (PPP connected broadband).

The ACL below should catch the three subnets causing them to be

access-list 150 remark *** Match address for IPSEC VPN to center ***
access-list 150 permit ip
access-list 150 permit ip

.... so, the question is what's the best way to configure the FC3 box
to act as a peer for this?

Does the FC3 box end up with a logical interface as the end-point of
the tunnel, like "ipsec0" or something? If so, does it get an IP address?

Crucially -- if I am at a remote site can I access services on the FC3
box where the tunnel terminates, i.e. on which is the address
of eth1 where a webserver or smb share may be found...

Anyone care to put together a worked example of the setup for the FC3
box? ... I'll send you beer via the IPSEC tunnel )



firewall-wizards mailing list
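Editor's note: the following is an added worked example, not part of the original post or any reply to it. It shows one way to build the Linux side of the tunnel described above with ipsec-tools (setkey plus racoon) driving the 2.6 kernel's built-in IPsec, which is what the FC3 kernel provides; it assumes the ipsec-tools package is installed. Every address in it is an assumed placeholder from the RFC 5737 documentation ranges (198.51.100.5 for eth0, 203.0.113.10 for the 837's Dialer interface, 192.168.10.0/24 for the remote LAN, 10.0.1.0/24 to 10.0.3.0/24 for the three centre subnets), since the real ones are not on the page; the only value taken from the post is the pre-shared key "let_me_in". Two points it illustrates that the post asks about: with the native 2.6 stack there is no ipsec0 device at all, the setkey policies decide which packets are encapsulated, and because the eth1 subnet is one of the centre networks in those policies, a web server or SMB share on eth1's address is reachable from the remote LAN through the tunnel. The phase-2 lifetime is set to 3600 seconds because that is the IOS default when the crypto map does not set one, and there is no pfs_group because the crypto map has no "set pfs". 3DES, MD5 and DH group 1 (768-bit MODP) are kept only because the post says they are mandated; they are weak by current standards.

```shell
#!/bin/sh
# Added example (not from the post): generate the Linux-side configuration
# for ipsec-tools (setkey + racoon) on a 2.6 kernel, mirroring the 837-K9
# snippets in the post.  All addresses are ASSUMED placeholders from the
# RFC 5737 documentation ranges; replace them with the real ones.
LINUX_PUB=198.51.100.5                            # FC3 eth0 (public side)
CISCO_PUB=203.0.113.10                            # 837-K9 Dialer interface
REMOTE_LAN=192.168.10.0/24                        # LAN behind the 837
CENTER_NETS="10.0.1.0/24 10.0.2.0/24 10.0.3.0/24"  # eth1 subnet + two routed subnets
PSK=let_me_in                                     # same string as "crypto isakmp key 0 ..."

# setkey policy: one outbound/inbound SPD pair per centre subnet, i.e. the
# mirror image of access-list 150 on the router.  Tunnel-mode ESP only:
# the transform set is esp-3des esp-md5-hmac, so no AH entries are needed.
gen_setkey() {
  echo "flush;"
  echo "spdflush;"
  for net in $CENTER_NETS; do
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
      "$net" "$REMOTE_LAN" "$LINUX_PUB" "$CISCO_PUB"
    printf 'spdadd %s %s any -P in  ipsec esp/tunnel/%s-%s/require;\n' \
      "$REMOTE_LAN" "$net" "$CISCO_PUB" "$LINUX_PUB"
  done
}

# racoon: phase 1 = "crypto isakmp policy 10" (3des/md5/pre-share/group 1,
# lifetime 64800 s, main mode because the key is bound to an address);
# phase 2 = the transform set.  Phase-2 lifetime is 3600 s, the IOS default
# when "crypto ipsec security-association lifetime" is not configured.
# No pfs_group because the crypto map has no "set pfs".
gen_racoon() {
cat <<EOF
path pre_shared_key "/etc/racoon/psk.txt";

remote $CISCO_PUB {
    exchange_mode main;
    lifetime time 64800 sec;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 1;
    }
}

sainfo anonymous {
    lifetime time 3600 sec;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
EOF
}

# psk.txt: "<peer address> <key>", one line per peer; keep it mode 0600.
gen_psk() {
  echo "$CISCO_PUB $PSK"
}

# Host firewall rules, the equivalent of access-list 101 on the router:
# ISAKMP (udp/500) and ESP from the peer, inbound on eth0.
gen_iptables() {
  echo "iptables -I INPUT -i eth0 -p udp -s $CISCO_PUB --dport 500 -j ACCEPT"
  echo "iptables -I INPUT -i eth0 -p esp -s $CISCO_PUB -j ACCEPT"
}

# Write the files and load them (run as root on the FC3 box).
install_all() {
  gen_setkey   > /etc/setkey.conf
  gen_racoon   > /etc/racoon/racoon.conf
  gen_psk      > /etc/racoon/psk.txt && chmod 600 /etc/racoon/psk.txt
  gen_iptables | sh
  setkey -f /etc/setkey.conf
  racoon -f /etc/racoon/racoon.conf   # add "-F -d" to stay in the foreground with debug output
}

case "${1:-}" in
  install) install_all ;;
  show)    gen_setkey; echo; gen_racoon; echo; gen_psk; echo; gen_iptables ;;
esac
```

Run it with "show" first to review the generated files, then "install" as root. Once both ends are up, "setkey -D" on the Linux box should list a pair of ESP SAs per direction after the first packet from the remote LAN triggers negotiation, and "show crypto isakmp sa" / "show crypto ipsec sa" on the 837 should show the same peer. If phase 2 fails with a proposal mismatch, the usual causes are a subnet pair present in one side's policy but not the other's, or a PFS/lifetime setting that differs from the router.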