IKEv2 has a lot of features that make it suitable for my system, like tunneling IPv6 over IPsec and MOBIKE, but unfortunately it isn't widely deployed, so I need to tunnel IPv6 over IPv4 over IKEv1/IPsec.
This time I had to connect a network behind a Cisco device that only supports IKEv1. I always recommend making a plot or diagram first: if you can draw it, it means you understood it.
I recommend using loopback interfaces as tunnel endpoints because they are always up. On the Linux hub:

```
auto lo:0
iface lo:0 inet static
    address 10.1.1.1
    netmask 255.255.255.255
```

And on the Cisco device:

```
interface Loopback0
 ip address 10.1.1.2 255.255.255.255
```

My hub host runs strongSwan, which supports IKEv1 and IKEv2 simultaneously. strongSwan 4.x has one daemon per IKE version (pluto for IKEv1, charon for IKEv2); in 5.x the same daemon handles both versions.
This is my strongSwan IKEv1 configuration:

```
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
    strictcrlpolicy=no
    charonstart=yes     # IKEv2 daemon
    plutostart=yes      # IKEv1 daemon
    nat_traversal=yes   # enable IKEv1 NAT traversal

conn rwv1
    keyexchange=ikev1
    left=220.127.116.11           # Public IP address
    leftsourceip=10.1.1.1         # Private IP address
    leftid=18.104.22.168          # Cisco by default uses IPs as identifiers
    right=%any
    rightsubnetwithin=10.1.1.2/24
    rightid=22.214.171.124
    auto=add
```

And the Cisco IKEv1/IPsec side:

```
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key SECRETKEY address 126.96.36.199
crypto isakmp nat keepalive 60
!
!
crypto ipsec transform-set IPSEC1 esp-aes esp-sha-hmac
!
crypto ipsec profile IPSEC1
 set transform-set IPSEC1
!
!
crypto map monitor 10 ipsec-isakmp
 set peer 188.8.131.52
 set transform-set IPSEC1
 set pfs group2
 match address 110

interface Dialer1
 ...
 crypto map monitor
 ...

access-list 110 permit ip host 10.1.1.2 host 10.1.1.1
```

It's important to note that the access-list networks must match the strongSwan configuration parameters, otherwise the IPsec tunnel will not be established.
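That mismatch is easy to check mechanically before bringing the tunnel up, and it is worth doing because a selector mismatch fails in IKE phase 2 (quick mode) after phase 1 has already succeeded, so the symptom is an ISAKMP SA that is up with no IPsec SA behind it. The following Python is an added example, not code from the original post: it parses the conn block and the crypto ACL (constructed excerpts of the two configurations above) and verifies that the host pair the Cisco proposes falls inside the selectors strongSwan will accept. It assumes, as the page's working ACL implies, that a fixed leftsourceip acts as strongSwan's left traffic selector when no leftsubnet is given.

```python
import ipaddress
import re

# Constructed excerpts mirroring the two configurations above
# (comments and most of the unrelated keys stripped for clarity).
STRONGSWAN_CONN = """
conn rwv1
    keyexchange=ikev1
    left=220.127.116.11
    leftsourceip=10.1.1.1
    leftid=18.104.22.168
    right=%any
    rightsubnetwithin=10.1.1.2/24
    rightid=22.214.171.124
    auto=add
"""

CISCO_ACL = "access-list 110 permit ip host 10.1.1.2 host 10.1.1.1"


def parse_conn(text):
    """Return the key=value pairs of a single ipsec.conf conn block."""
    params = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def strongswan_selectors(params):
    """Derive the (left, right) traffic selectors strongSwan will accept.

    leftsubnet wins if present; otherwise (assumption, see lead-in) a fixed
    leftsourceip becomes the left selector as a /32. rightsubnetwithin is a
    range inside which the peer may propose any subnet.
    """
    if "leftsubnet" in params:
        left = ipaddress.ip_network(params["leftsubnet"], strict=False)
    else:
        left = ipaddress.ip_network(params["leftsourceip"] + "/32")
    right_key = "rightsubnet" if "rightsubnet" in params else "rightsubnetwithin"
    right = ipaddress.ip_network(params[right_key], strict=False)
    return left, right


def parse_cisco_acl(line):
    """Parse 'access-list N permit ip <src> <dst>' into two networks.

    Each endpoint is 'host A.B.C.D', 'any', or 'A.B.C.D WILDCARD'.
    """
    m = re.match(r"access-list\s+\d+\s+permit\s+ip\s+(.*)$", line.strip())
    if not m:
        raise ValueError("unsupported ACL line: " + line)
    tokens = m.group(1).split()
    nets = []
    while tokens:
        tok = tokens.pop(0)
        if tok == "host":
            nets.append(ipaddress.ip_network(tokens.pop(0) + "/32"))
        elif tok == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        else:
            # A Cisco wildcard mask is the bitwise inverse of a netmask.
            wildcard = int(ipaddress.ip_address(tokens.pop(0)))
            netmask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)
            nets.append(ipaddress.ip_network(f"{tok}/{netmask}", strict=False))
    if len(nets) != 2:
        raise ValueError("expected a source and a destination: " + line)
    return nets[0], nets[1]


def selectors_agree(conn_text, acl_line):
    """True if the Cisco ACL proposes a src/dst pair strongSwan can accept."""
    left, right = strongswan_selectors(parse_conn(conn_text))
    cisco_src, cisco_dst = parse_cisco_acl(acl_line)
    # The Cisco is the 'right' peer: its source must lie inside the right
    # selector range and its destination inside the left selector.
    return cisco_src.subnet_of(right) and cisco_dst.subnet_of(left)


if __name__ == "__main__":
    print("selectors agree:", selectors_agree(STRONGSWAN_CONN, CISCO_ACL))
```

Run it against the real files before each change to the ACL or the conn block; it only understands the `permit ip` form the page uses, so extend parse_cisco_acl if your crypto map matches on protocols or ports.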
The IPsec tunnel is only established when there is traffic matching the access list. I use this trick to keep the tunnel up:

```
ip sla 1
 icmp-echo 10.1.1.1 source-ip 10.1.1.2
 frequency 120
ip sla schedule 1 life forever start-time now
```

You can check the status with this command:

```
#sh ip sla statistics 1
IPSLAs Latest Operation Statistics

IPSLA operation id: 1
        Latest RTT: 160 milliseconds
Latest operation return code: OK
Number of successes: 14
Number of failures: 0
Operation time to live: Forever
```

Once the IPsec tunnel is established between the loopbacks, we need to tunnel the IPv6 protocol through it. I chose a static IPv6 tunnel, but there are multiple possibilities.
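What a static IPv6-in-IPv4 tunnel (`tunnel mode ipv6ip` on IOS, `mode sit` on Linux) actually puts on the wire is an IPv4 packet with protocol number 41 carrying the whole IPv6 packet. The following Python is an added example, not code from the original post: it builds such a packet between the two loopbacks, then decapsulates and validates it. The point for the IPsec side is visible in the outer header: every IPv6 packet travels as 10.1.1.1 <-> 10.1.1.2, which is why the single host-to-host crypto ACL covers all tunnelled traffic, and why, without that ACL matching, the IPv6 traffic would cross the Internet in the clear. The inner addresses 2001::1 and 2001:2::2 are constructed from the prefixes the page routes.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41   # IPv6 encapsulated in IPv4 (RFC 4213), "ipv6ip" / "sit"
IPPROTO_ICMPV6 = 58


def ipv4_checksum(header):
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6(src, dst, next_header, payload, hop_limit=64):
    """Minimal IPv6 header (RFC 8200) in front of a payload."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


def encapsulate_6in4(outer_src, outer_dst, ipv6_packet, ttl=255):
    """Wrap an IPv6 packet in an IPv4 header with protocol 41.

    The outer addresses are the tunnel endpoints (here the loopbacks),
    i.e. exactly the host pair the crypto ACL has to match.
    """
    total_len = 20 + len(ipv6_packet)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl,
                      IPPROTO_IPV6, 0,
                      ipaddress.IPv4Address(outer_src).packed,
                      ipaddress.IPv4Address(outer_dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ipv6_packet


def decapsulate_6in4(packet):
    """Strip the IPv4 header and return (outer pair, inner pair, next header, payload).

    Raises ValueError if the packet is not a well-formed 6in4 packet.
    """
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or packet[9] != IPPROTO_IPV6:
        raise ValueError("not 6in4: version=%d proto=%d" % (version, packet[9]))
    if ipv4_checksum(packet[:ihl]) != 0:      # verifies to zero when intact
        raise ValueError("bad IPv4 header checksum")
    outer = (str(ipaddress.IPv4Address(packet[12:16])),
             str(ipaddress.IPv4Address(packet[16:20])))
    inner = packet[ihl:]
    if inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    payload_len, next_header = struct.unpack("!HB", inner[4:7])
    inner_pair = (str(ipaddress.IPv6Address(inner[8:24])),
                  str(ipaddress.IPv6Address(inner[24:40])))
    return outer, inner_pair, next_header, inner[40:40 + payload_len]


def demo():
    """Round-trip a constructed ICMPv6 echo request through the tunnel."""
    echo = bytes([128, 0, 0, 0]) + b"\x00\x01\x00\x01" + b"ping"  # type 128
    v6 = build_ipv6("2001::1", "2001:2::2", IPPROTO_ICMPV6, echo)
    wire = encapsulate_6in4("10.1.1.1", "10.1.1.2", v6)
    return decapsulate_6in4(wire)


if __name__ == "__main__":
    print(demo())
```

The decapsulation checks mirror what the receiving tunnel endpoint does before handing the inner packet to its IPv6 stack; a packet that is not protocol 41, or whose inner header is not version 6, is dropped rather than forwarded.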
Cisco side:

```
interface Tunnel1
 no ip address
 ipv6 unnumbered Vlan1
 tunnel source Loopback0
 tunnel destination 10.1.1.1
 tunnel mode ipv6ip

interface Vlan1
 ...
 ipv6 address 2001:2::1/64
 ...

ipv6 route 2001::/64 Tunnel1
```

Linux side:

```
ip tunnel add sit mode sit ttl 255 remote 10.1.1.2 local 10.1.1.1
ip link set dev sit up
ip route add 2001:2::/64 dev sit
```

You can now ping6 the other network:

```
root@monitorhost:~# ping6 2001:2::2
PING 2001:2::2(2001:2::2) 56 data bytes
64 bytes from 2001:2::2 icmp_seq=1 ttl=63 time=165 ms
64 bytes from 2001:2::2 icmp_seq=2 ttl=63 time=172 ms
...
```

Now it's time to configure collectd to graph the Cisco device using the snmp plugin:

```
<Plugin snmp>
    <Data "std_traffic">
        Type "if_octets"
        Table true
        InstancePrefix "traffic"
        Instance "IF-MIB::ifDescr"
        Values "IF-MIB::ifInOctets" "IF-MIB::ifOutOctets"
    </Data>
    ...
    <Host "cisco0001">
        Address "udp6:[2001:2::1]:161"   # This is because it uses Net-SNMP
        Version 2
        Community "public"   # Too common for pentesters ;)
        Collect "std_traffic"
    </Host>
    ...
</Plugin>
```

And here we have the pretty Grafana graphs:
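The `Community "public"` line is the weak setting the comment above jokes about. The IPsec tunnel protects the SNMP exchange in transit between the loopbacks, but the community string is still a plaintext shared secret that anyone on the LAN behind the Cisco or on the hub can read, and SNMPv2c offers no per-user authentication or encryption of its own. As an added example, not from the original post, here is the same Host block using SNMPv3 with authentication and privacy instead. It assumes a collectd release whose snmp plugin supports SNMPv3 (the Version 3, SecurityLevel, Username, AuthProtocol, AuthPassphrase, PrivacyProtocol and PrivacyPassphrase options documented in collectd.conf(5); check that your release has them), and the user name and passphrases are constructed placeholders:

```apacheconf
<Plugin snmp>
    <Data "std_traffic">
        Type "if_octets"
        Table true
        InstancePrefix "traffic"
        Instance "IF-MIB::ifDescr"
        Values "IF-MIB::ifInOctets" "IF-MIB::ifOutOctets"
    </Data>

    # Weak: SNMPv2c with a guessable community (as on the page).
    # <Host "cisco0001">
    #     Address "udp6:[2001:2::1]:161"
    #     Version 2
    #     Community "public"
    #     Collect "std_traffic"
    # </Host>

    # Hardened: SNMPv3 authPriv, read-only user, same Data block.
    <Host "cisco0001">
        Address "udp6:[2001:2::1]:161"
        Version 3
        SecurityLevel "authPriv"
        Username "collectd-ro"                    # constructed user name
        AuthProtocol "SHA"
        AuthPassphrase "CHANGE-ME-auth-passphrase"  # placeholder
        PrivacyProtocol "AES"
        PrivacyPassphrase "CHANGE-ME-priv-passphrase"  # placeholder
        Collect "std_traffic"
        Interval 120
    </Host>
</Plugin>
```

The Cisco side needs a matching SNMPv3 user in a read-only group (`snmp-server group` with `v3 priv` and a read view, plus `snmp-server user ... v3 auth sha ... priv aes 128 ...`), after which the v2c community can be removed so that the device answers only authenticated, encrypted queries over the tunnel.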