The situation has changed somewhat: this configuration is designed for using a FreeS/WAN machine as a head end VPN concentrator for a number of Cisco ADSL routers at branch offices. In this example, the IPSec head end sits behind a Nokia M1122, so some NAT workarounds are included. These will be marked and easy to work around.
Here is my FreeS/WAN configuration and explanation.
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file # basic configuration config setup interfaces=%defaultroute # Debug-logging controls: "none" for (almost) none, "all" for lots. klipsdebug=none plutodebug=none # turn off opportunistic encryption conn block auto=ignore conn private auto=ignore conn private-or-clear auto=ignore conn clear-or-private auto=ignore conn clear auto=ignore conn packetdefault auto=ignore # The tunnel starts here conn headend-office1 type= tunnel left= 192.168.1.250 leftsubnet= 10.1.1.0/24 leftnexthop= %defaultroute right= %any rightsubnet= 10.1.2.0/24 esp= 3des-md5-96 keyexchange= ike pfs= yes auto= add authby= secret auth= esp
The interfaces line tells ipsec to use the same IP address as the interface that the default route is on: this is similar to "ipsec0:eth0" that some configurations recommend, but this works in the general case. When setting your connection up, you might want to set klips (the Kernel level IP Security) and pluto (the IPSEC keying Daemon) logging to "all".
The connection is named headend-office1 and is of type (ESP) tunnel.
10.1.1.0/24===192.168.1.250---188.8.131.52...internet...[Cisco ADSL router]===10.1.2.0/24
Note in this example, we don't know very much at all about our network - the 837's are on dynamic IP, so we have no idea at the Linux end what the right side IP addresses will be. For this tunnel we know the right hand subnet to allow, so we specify that - to add more connections, we would have to add more conn blocks.
Next you need an ipsec.secrets file:
# This file holds shared secrets or RSA private keys for inter-Pluto # authentication. See ipsec_pluto(8)? manpage, and HTML documentation. # You might have an RSA key here depending on if you installed from a .deb # If you do, you might need to remove it 192.168.1.250 %any: PSK "supersecretpassphrase"
This file contains the pre-shared secret, a password for the connection that is known at both ends. It should be really really long. While it is possible to use RSA sigs between a Cisco and FreeS/WAN, general opinion suggests it doesn't always work, so we will opt for the less secure but more practical option. Note that we haven't specified who can use this PSK - we can't, as we're effectively in a RoadWarrior configuration; we don't know the IP of the office1 end. This is specified with %any.
When you succeed, you are going to have incoming packets reinjected onto the ipsec0 interface, so remember to set up firewalling on this interface too!
Remember in this example that I am pinholing 500/UDP and protocol 50 on an external internet access device, so if you're doing that too, time to pinhole some ports.
Log into, enable and configuration mode. You will need lines very similar to these:
! Access lists. This one make sure that traffic destined between ! networks isn't natted. ! access-list NO-NAT remark Traffic to NAT access-list NO-NAT deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 access-list NO-NAT permit ip 10.1.2.0 0.0.0.255 any ! ! This access list permits traffic for the tunneled network ! access-list FREESWAN-VPN permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255 access-list FREESWAN-VPN permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 access-list FREESWAN-VPN deny ip any any ! ! don't nat traffic on the NO-NAT access list ! ip nat inside source list NO-NAT interface Dialer0 overload ! ! Create a transformation set (encryption & hash) to select 3DES and MD5 ! crypto ipsec transform-set tr-3des-md5 esp-3des esp-md5-hmac ! ! Enable the keying protocol [ISAKMP] with no extended auth and the Cisco not ! pushing config down (which it should only do to its own VPN client) ! crypto isakmp policy 1 encr 3des hash md5 authentication pre-share group 2 lifetime 28800 ! ! Specify the passphrase here: ! crypto isakmp key 0 supersecretpassphrase address 184.108.40.206 no-xauth ! Create a crypto map called 'cm-cryptomap', to set the IP of the other end, ! and which transformation set to use. ! crypto map cm-cryptomap 1 ipsec-isakmp set peer 220.127.116.11 set transform-set tr-3des-md5 match address FREESWAN-VPN set pfs group2 ! ! Apply the crypto map to the Dialer0 (ADSL) interface interface Dialer0 crypto map cm-cryptomap !
Check Cisco's reference for IPSec network commands if you need more details.
At the head (left) end, this tunnel can't connect out; remember we dont know what IP the right hand end is on. So, when you start FreeS/WAN, it will automatically add the connection and wait for the right end to connect.
The tunnel will come up automatically from the Cisco, when you're trying to use it. To force a reconnect try clear crypto sa
From a machine on the Cisco network, try pinging something on the network at the left end: ping 10.1.1.1 You should get responses. You can also ping from the right end to the left (a good test, is can a machine on the left network ping the Cisco's internal IP.)
There we go - one working FreeS/WAN to Cisco 837. If you have any questions, contact details are on my Wiki page.
The ipsec0 interface should have the same IP address as the interface through which you contact your default gateway (possibly ppp0). This is how it's meant to be.
Turn logging on (klips/pluto to 'all'). Then watch the syslog scroll by with tail -f. Remember, the ISAKMP part is done by pluto and the IPSEC SA part is done by klips, so you might want to grep on those names. Make sure you get ISAKMP working first, then IPSEC.
You can see how your connection is going using ipsec auto --status
You can always tcpdump(8) eth1 on your Linux box, or whatever the connection you are duplicating for your ipsec0 interface. Check that traffic is going both ways.
On the 837, set debug crypto isakmp and debug crypto ipsec. If you're on a console you should see the debug information; if not, type ter mon to monitor it; and ter no mon to turn it off again.
Email on these issues are welcome. It took a long time to figure out and if you can get something as a result of this, I'd be happy. Thanks to everyone who has got in touch and said that they've managed to make their system work as a result of the PIX guide; I hope this is as useful.
Thanks especially to GreigMcGill for thinking that this would be a 2 second Thursday afternoon job and instead giving me something solid to write about :)