TACACS_PLUS over IPSec
Marc Huber edited this page Aug 26, 2025 · 2 revisions
TACACS+-over-IPSec might be worth considering for setups where TACACS+-over-TLS 1.3 isn't supported.
Strictly speaking, this isn't a TACACS+ feature, but just a matter of building a tunnel between your NAD and your server. For IOS-XE, you could just follow the Cisco "Configure ISE 3.3 Native IPSec to Secure NAD (IOS-XE) Communication" docs and complement it with, for example, a suitable strongSwan /etc/swanctl/conf.d/your-switch-name.conf:
```
connections {
    switch-1 {
        # the strongSwan host (your TACACS+ server) and the IOS-XE NAD
        local_addrs = 10.48.23.85
        remote_addrs = 10.62.148.79
        local {
            auth = psk
            id = 10.48.23.85
        }
        remote {
            auth = psk
            id = 10.62.148.79
        }
        children {
            # host-to-host child SA: all traffic between the two /32s, TACACS+ included
            net-net {
                local_ts = 10.48.23.85/32
                remote_ts = 10.62.148.79/32
                esp_proposals = aes256-sha512-modp4096
            }
        }
        version = 2
        mobike = no
        proposals = aes256-sha512-modp4096
    }
}
secrets {
    # pre-shared key for the remote id configured above
    ike-1 {
        id-1 = 10.62.148.79
        secret = cisco123
    }
}
```
(This may or may not work for you; I've tested this with differing IP addresses, but the Linux side of the configuration looked obvious enough.)
Please don't ask me for guidance on configuring strongSwan. I'd have to look that up, and I'm just not going to.
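As an added example (not part of this wiki page, tac_plus-ng or strongSwan), here is a small Python checker for swanctl.conf-style files that verifies the points that matter when TACACS+ rides on IPsec: that a child SA's traffic selectors actually cover the server/NAD pair (otherwise TCP/49 leaves the host unprotected), that IKEv2 is negotiated, and that no weak algorithm is offered in the IKE or ESP proposals. The sample config, the WEAK set and the function names are constructed for this example.

```python
import ipaddress
# Constructed swanctl.conf sample, not the page's own file; it repeats the example above.
SAMPLE_CONF = """
connections {
    switch-1 {
        local_addrs = 10.48.23.85
        remote_addrs = 10.62.148.79
        children {
            net-net {
                local_ts = 10.48.23.85/32
                remote_ts = 10.62.148.79/32
                esp_proposals = aes256-sha512-modp4096
            }
        }
        version = 2
        proposals = aes256-sha512-modp4096
    }
}
"""
WEAK = {"md5", "sha1", "3des", "des", "null", "modp768", "modp1024", "modp1536"}

def parse_swanctl(text):
    """Parse brace-nested 'section { key = value }' text into nested dicts."""
    stack, cur = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if line.endswith("{"):                 # open a sub-section and descend into it
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        elif line == "}":                      # close it, back to the parent
            cur = stack.pop()
        elif line:                             # 'key = value'; blank lines are skipped
            key, _, val = line.partition("=")
            cur[key.strip()] = val.strip()
    return cur                                 # balanced braces leave cur at the root

def weak_algos(proposal):
    return sorted(set(proposal.replace(",", "-").split("-")) & WEAK)

def check_connection(conn, server_ip, nad_ip):
    """Findings for one connection; [] means an IKEv2 child SA covers server<->NAD and no weak algorithm is offered."""
    findings = [f"weak IKE algorithm {a}" for a in weak_algos(conn.get("proposals", ""))]
    findings += [] if conn.get("version") == "2" else ["IKE version is not 2"]
    covered = False
    for name, child in conn.get("children", {}).items():  # TS default to the IKE endpoints; [proto/port] suffix dropped
        lts = ipaddress.ip_network(child.get("local_ts", conn["local_addrs"]).split("[")[0], strict=False)
        rts = ipaddress.ip_network(child.get("remote_ts", conn["remote_addrs"]).split("[")[0], strict=False)
        covered |= ipaddress.ip_address(server_ip) in lts and ipaddress.ip_address(nad_ip) in rts
        findings += [f"{name}: weak ESP algorithm {a}" for a in weak_algos(child.get("esp_proposals", ""))]
    return findings + ([] if covered else ["no child SA covers the server/NAD pair"])
```

Run it against each connection in /etc/swanctl/conf.d with the server address and the NAD address from the matching tac_plus-ng host entry; an empty list is the expected result for the page's configuration.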