IPSEC Tunnel from Cisco to Linux

By steve, 8 November, 2013

When using IPSEC, I prefer to use tunnel interfaces so you can route traffic normally across the tunnel and use BGP/OSPF to exchange routes between sites. I managed to get this working from Linux to Cisco as follows, with redundant DSL connections (you can adjust to suit your environment):

On the Cisco router:
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 3600

crypto isakmp key Pre-Shared-Key address Linux-IP-Address no-xauth

crypto ipsec transform-set TS1 esp-3des esp-sha-hmac
mode transport

crypto ipsec profile tun-ipsec
set transform-set TS1
set pfs group2

interface Tunnel0
ip address x.x.x.1 255.255.255.252
ip mtu 1400
ip virtual-reassembly in
tunnel source Static-IP-of-Dialer1
tunnel destination Linux-IP-Address
tunnel route-via Dialer1 mandatory
tunnel protection ipsec profile tun-ipsec
!
interface Tunnel1
ip address x.x.x.5 255.255.255.252
ip mtu 1400
ip nat inside
ip virtual-reassembly in
tunnel source Static-IP-of-Dialer2
tunnel destination Linux-IP-Address
tunnel route-via Dialer2 mandatory
tunnel protection ipsec profile tun-ipsec

On Debian Linux, you need to install the packages racoon and ipsec-tools.

In /etc/network/interfaces, add the following:
auto Tunnel-Name
iface Tunnel-Name inet static
address x.x.x.2
netmask 255.255.255.252
network x.x.x.0
broadcast x.x.x.3
mtu 1400
pre-up ip tunnel add Tunnel-Name mode gre remote Static-IP-of-Dialer1 local Linux-IP-Address
post-down ip tunnel del Tunnel-Name

auto Tunnel-Name
iface Tunnel-Name inet static
address x.x.x.6
netmask 255.255.255.252
network x.x.x.4
broadcast x.x.x.7
mtu 1400
pre-up ip tunnel add Tunnel-Name mode gre remote Static-IP-of-Dialer2 local Linux-IP-Address
post-down ip tunnel del Tunnel-Name

In /etc/ipsec-tools.conf add the following:
spdadd Linux-IP-Address Static-IP-of-Dialer1 47 -P out ipsec
esp/transport//require;

spdadd Static-IP-of-Dialer1 Linux-IP-Address 47 -P in ipsec
esp/transport//require;

spdadd Linux-IP-Address Static-IP-of-Dialer2 47 -P out ipsec
esp/transport//require;

spdadd Static-IP-of-Dialer2 Linux-IP-Address 47 -P in ipsec
esp/transport//require;

In /etc/racoon/psk.txt add:
Static-IP-of-Dialer1 Pre-Shared-Key
Static-IP-of-Dialer2 Pre-Shared-Key

In /etc/racoon/racoon.conf add:
remote Static-IP-of-Dialer1 {
exchange_mode main;
lifetime time 1 hour;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}

remote Static-IP-of-Dialer2 {
exchange_mode main;
lifetime time 1 hour;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}

sainfo anonymous
{
pfs_group 2;
lifetime time 1 hour;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
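The Linux side above has to be filled in consistently by hand four times per peer (interface stanza, both SPD directions, PSK line, racoon remote block), and each tunnel needs its own interface name. The following is an added helper, not part of the original post, that renders all four fragments from one peer list; the interface names (gre0/gre1), the 192.0.2.x/198.51.100.x/10.255.0.x addresses and the key are constructed placeholders.

```python
import ipaddress

# Constructed sample values (not from the original post); substitute your own.
LINUX_IP = "192.0.2.10"
PSK = "Pre-Shared-Key"
# (tunnel interface name, static IP of the Cisco Dialer, /30 link network)
PEERS = [("gre0", "198.51.100.1", "10.255.0.0/30"),
         ("gre1", "198.51.100.2", "10.255.0.4/30")]

def linknet(prefix):
    """Linux address, network and broadcast of a /30 where Cisco is .1 and Linux .2."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen != 30:
        raise ValueError(f"{prefix}: tunnel link network must be a /30")
    hosts = list(net.hosts())  # exactly two usable hosts: .1 (Cisco) and .2 (Linux)
    return str(hosts[1]), str(net.network_address), str(net.broadcast_address)

def interfaces_stanza(name, remote, prefix, local=LINUX_IP):
    addr, network, bcast = linknet(prefix)
    return "\n".join([
        f"auto {name}", f"iface {name} inet static",
        f"address {addr}", "netmask 255.255.255.252",
        f"network {network}", f"broadcast {bcast}", "mtu 1400",
        f"pre-up ip tunnel add {name} mode gre remote {remote} local {local}",
        f"post-down ip tunnel del {name}"])

def spd_entries(remote, local=LINUX_IP):
    # Protocol 47 is GRE; 'require' in both directions makes the kernel drop
    # any GRE packet to or from the peer that is not carried inside ESP.
    return (f"spdadd {local} {remote} 47 -P out ipsec esp/transport//require;\n"
            f"spdadd {remote} {local} 47 -P in ipsec esp/transport//require;")

def racoon_remote(remote):
    return "\n".join([
        f"remote {remote} {{", "exchange_mode main;", "lifetime time 1 hour;",
        "proposal {", "encryption_algorithm 3des;", "hash_algorithm sha1;",
        "authentication_method pre_shared_key;", "dh_group 2;", "}", "}"])

def render(peers=PEERS):
    """Map each Linux-side file to the text to append; reject duplicate tunnel names."""
    names = [p[0] for p in peers]
    if len(set(names)) != len(names):
        raise ValueError("every tunnel needs its own interface name")
    return {
        "/etc/network/interfaces": "\n\n".join(interfaces_stanza(*p) for p in peers),
        "/etc/ipsec-tools.conf": "\n\n".join(spd_entries(r) for _, r, _ in peers),
        "/etc/racoon/psk.txt": "\n".join(f"{r} {PSK}" for _, r, _ in peers),
        "/etc/racoon/racoon.conf": "\n\n".join(racoon_remote(r) for _, r, _ in peers),
    }

if __name__ == "__main__":
    for path, text in render().items():
        print(f"# ---- {path}\n{text}\n")
```

The sainfo block is shared by all peers and is left as written in the post.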
