FreeSwanToCiscoAdsl (version 3)
From the team that brought you the FreeSwanToCiscoPix mini-HOWTO, comes... FreeSwan to a [Cisco837|Cisco827] [ADSL] router!

!!!Configuring an [IPSec] [VPN] between FreeSwan and a Cisco ADSL (827/837) router %%%

The situation has changed somewhat: this configuration is designed for using a FreeS/WAN machine as a head end [VPN] concentrator for a number of Cisco ADSL routers at branch offices. In this example, the [IPSec] head end sits behind a Nokia [M1122], so some NAT workarounds are included. These will be marked and are easy to work around.

!1. Compile a kernel with [IPSec] support

This is nicely covered on the [IPSecInstallation] page. A [Debian] summary:
<verbatim>
apt-get install kernel-patch-freeswan
cd /usr/src/linux
export PATCH_THE_KERNEL=yes
make-kpkg --revision=ipsec.1.0 kernel_image
</verbatim>

!2. Get FreeS/WAN

<verbatim>
apt-get install freeswan
</verbatim>

FreeS/WAN has gone the way of the dodo, so you would be well advised to use OpenSwan instead. Until [Debian] Sarge is released, FreeS/WAN it is.

!3. Configure FreeS/WAN

Here is my FreeS/WAN configuration and explanation.
<verbatim>
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# basic configuration
config setup
    interfaces=%defaultroute
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    klipsdebug=none
    plutodebug=none

# turn off opportunistic encryption: FreeS/WAN ships these connections
# enabled, so each one is explicitly ignored here

conn block
    auto=ignore

conn private
    auto=ignore

conn private-or-clear
    auto=ignore

conn clear-or-private
    auto=ignore

conn clear
    auto=ignore

conn packetdefault
    auto=ignore

# The tunnel starts here
# (parameter lines must be indented to belong to the conn section)

conn headend-office1
    type=tunnel
    left=192.168.1.250
    leftsubnet=10.1.1.0/24
    leftnexthop=%defaultroute
    right=%any
    rightsubnet=10.1.2.0/24
    esp=3des-md5-96
    keyexchange=ike
    pfs=yes
    auto=add
    authby=secret
    auth=esp
</verbatim>
71
The ''interfaces'' line tells ipsec to use the same IP address as the interface that the default route is on: this is similar to the "ipsec0=eth0" that some configurations recommend, but this works in the general case. When setting your connection up, you might want to set klips (the [Kernel] level IP Security) and pluto (the IPSEC keying [Daemon]) logging to "all".

The connection is named __headend-office1__ and is of ''type'' ([ESP]) tunnel.

The Linux machine is hidden behind a NAT device providing internet access, so ''left'' is the Linux firewall's own external-facing address, not the public IP of the NAT box. So we end up with a network that will eventually look like this:
<pre>
10.1.1.0/24===192.168.1.250---210.211.212.213...internet...~[Cisco ADSL router]===10.1.2.0/24
</pre>

Note that in this example we don't know very much at all about our network: the 837s are on dynamic IPs, so we have no idea at the Linux end what the right side IP addresses will be. For this tunnel we know the right hand subnet to allow, so we specify that; to add more branch offices, we would have to add more =conn= blocks, each with its own ''rightsubnet''.

* ''esp'' sets the [ESP] parameters. __This must be the same encryption and hashing algorithm you specify in your crypto map/isakmp config on the Cisco below.__ (Else it plain won't work.)
* ''keyexchange'' sets [IKE] (Internet Key Exchange) and can be set to nothing else.
* ''pfs'' is PerfectForwardSecrecy. This is set 'yes' because we also enabled it on the Cisco end.
* ''auto'' specifies the behaviour when ipsec starts: 'start' brings the tunnel up, while 'add' (used in this configuration, since we don't know the right end's IP) only adds the connection to pluto and waits for the other end to connect.
87
Next you need an ipsec.secrets file:

<pre>
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.

# You might have an RSA key here depending on if you installed from a .deb
# If you do, you might need to remove it

192.168.1.250 %any: PSK "supersecretpassphrase"
</pre>

This file contains the pre-shared secret, a password for the connection that is known at both ends. It should be really really long. While it is possible to use RSA sigs between a Cisco and FreeS/WAN, general opinion suggests it doesn't always work, so we will opt for the less secure but more practical option. Note that we haven't specified who can use this PSK; we can't, as we're effectively in a RoadWarrior configuration and don't know the IP of the office1 end. This is specified with %any.

!4. Configure firewalling

On your external interface, enable port 500 [UDP] (the [ISAKMP] port), and protocol 50 (IPSEC [ESP]).

When you succeed, you are going to have incoming packets reinjected onto the ipsec0 interface, so remember to set up firewalling on this interface too!

Remember in this example that I am pinholing 500/UDP and protocol 50 on an external internet access device, so if you're doing that too, time to pinhole some ports.
109
!5. Configuring the Cisco ADSL router

Make sure you have a [3DES] firmware on your ADSL router: Free/Open/Swan doesn't support single [DES] unless you tell it to go into ultra-unsecure-mode!

Log in, enter enable mode and then configuration mode. You will need lines very similar to these:

<verbatim>
! Access lists. This one makes sure that traffic between the two
! networks isn't NATted.
!
ip access-list extended NO-NAT
 remark Traffic to NAT
 deny ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.1.2.0 0.0.0.255 any
!
! This access list selects the traffic for the tunnelled network
!
ip access-list extended FREESWAN-VPN
 permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
 deny ip any any
!
! only NAT traffic that the NO-NAT access list permits
!
ip nat inside source list NO-NAT interface Dialer0 overload
!
! Create a transform set (encryption & hash) to select 3DES and MD5
!
crypto ipsec transform-set tr-3des-md5 esp-3des esp-md5-hmac
!
! Enable the keying protocol [ISAKMP] with no extended auth and the Cisco not
! pushing config down (which it should only do to its own VPN client)
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
!
! Specify the passphrase here (the same one as in ipsec.secrets):
!
crypto isakmp key 0 supersecretpassphrase address 210.211.212.213 no-xauth
!
! Create a crypto map called 'cm-cryptomap', to set the IP of the other end,
! and which transform set to use.
!
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer 210.211.212.213
 set transform-set tr-3des-md5
 match address FREESWAN-VPN
 set pfs group2
!
! Apply the crypto map to the Dialer0 (ADSL) interface
interface Dialer0
 crypto map cm-cryptomap
!
</verbatim>

Check [Cisco's reference for IPSec network commands|http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_command_reference_chapter09186a008010a7c9.html] if you need more details.
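The section 3 note that ''esp'' must match the Cisco transform set, and the ''pfs'' setting matching =set pfs=, are the two phase-2 mismatches that silently stop the tunnel. The following is an added example (not part of this page or of FreeS/WAN) that parses constructed fragments of both configs and reports any mismatch before you start debugging; the =ESP_KEYWORD= mapping covers only the algorithms discussed here.

```python
import re

# Constructed fragments of the two configs on this page, trimmed to the
# parameters the cross-check needs (not the page's files verbatim).
FREESWAN_CONN = """\
conn headend-office1
    leftsubnet=10.1.1.0/24
    rightsubnet=10.1.2.0/24
    esp=3des-md5-96
    pfs=yes
"""
CISCO_CRYPTO = """\
crypto ipsec transform-set tr-3des-md5 esp-3des esp-md5-hmac
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
crypto map cm-cryptomap 1 ipsec-isakmp
 set transform-set tr-3des-md5
 set pfs group2
"""
# FreeS/WAN esp= tokens and the IOS transform-set keywords they correspond to
ESP_KEYWORD = {"3des": "esp-3des", "md5": "esp-md5-hmac", "sha1": "esp-sha-hmac"}

def parse_freeswan(text):
    """conn parameters as a dict; FreeS/WAN's default for pfs is 'yes'."""
    conn = {"pfs": "yes"}
    for m in re.finditer(r"^\s+(\w+)=(\S+)", text, re.M):
        conn[m.group(1)] = m.group(2)
    return conn

def parse_cisco(text):
    """Transform-set keywords, and whether the crypto map enables PFS."""
    cfg = {"transform": set(), "pfs": False}
    for line in text.splitlines():
        words = line.split()
        if words[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform"] = set(words[4:])
        elif words[:2] == ["set", "pfs"]:
            cfg["pfs"] = True
    return cfg

def mismatches(fs, cisco):
    """List the phase-2 settings that differ between the two ends."""
    out = []
    enc, hsh = fs["esp"].split("-")[:2]   # "3des-md5-96" -> "3des", "md5"
    want = {ESP_KEYWORD.get(enc, enc), ESP_KEYWORD.get(hsh, hsh)}
    if want != cisco["transform"]:
        out.append("esp=%s vs transform-set %s" % (fs["esp"], " ".join(sorted(cisco["transform"]))))
    if (fs["pfs"] == "yes") != cisco["pfs"]:
        out.append("pfs=%s on FreeS/WAN but %s on the Cisco" % (fs["pfs"], "set pfs" if cisco["pfs"] else "no set pfs"))
    return out
```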
1 CraigBox 168
!6. Start the tunnel

At the head (left) end, this tunnel can't connect out; remember we don't know what IP the right hand end is on. So, when you start FreeS/WAN, it will automatically add the connection and wait for the right end to connect.

The tunnel will come up automatically from the Cisco when you try to use it. To force a reconnect, try =clear crypto sa=.

!7. Ping & use

From a machine on the Cisco network, try pinging something on the network at the left end: =ping 10.1.1.1=. You should get responses. You can also ping from the left end to the right (a good test is whether a machine on the left network can ping the Cisco's internal IP).

There we go: one working FreeS/WAN to Cisco 837. If you have any questions, contact details are on [my Wiki page|CraigBox].

!8. Debugging

The ipsec0 interface should have the same IP address as the interface through which you contact your default gateway (possibly ppp0). This is how it's meant to be.

!FreeS/WAN end
Turn logging on (klips/pluto to 'all'). Then watch the syslog scroll by with =tail -f=. Remember, the ISAKMP part is done by pluto and the IPSEC SA part is done by klips, so you might want to grep on those names. Make sure you get ISAKMP working first, then IPSEC.

You can see how your connection is going using =ipsec auto --status=

You can always tcpdump(8) eth1 on your Linux box, or whatever connection you are duplicating for your ipsec0 interface. Check that traffic is going both ways.
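Because branch routers arrive from unknown addresses, it helps to know per peer how far the exchange got (phase 1 before phase 2, as above). This added example (not from the page or from FreeS/WAN) walks constructed syslog lines written in the style of pluto's messages and reports, per peer, the last milestone reached and any refusal; the peer addresses and the message texts are assumptions for illustration.

```python
import re

# Constructed syslog lines in the style of pluto's messages (made up for this
# example; the peers are documentation addresses, not real branch offices).
SAMPLE_LOG = """\
Nov  4 10:01:02 headend pluto[1234]: "headend-office1"[1] 203.0.113.5 #1: responding to Main Mode from unknown peer 203.0.113.5
Nov  4 10:01:02 headend pluto[1234]: "headend-office1"[1] 203.0.113.5 #1: ISAKMP SA established
Nov  4 10:01:03 headend pluto[1234]: "headend-office1"[1] 203.0.113.5 #2: responding to Quick Mode
Nov  4 10:01:03 headend pluto[1234]: "headend-office1"[1] 203.0.113.5 #2: cannot respond to IPsec SA request because no connection is known for 10.1.1.0/24===192.168.1.250...203.0.113.5===10.1.3.0/24
Nov  4 10:05:40 headend pluto[1234]: "headend-office1"[2] 198.51.100.7 #3: responding to Main Mode from unknown peer 198.51.100.7
Nov  4 10:05:41 headend pluto[1234]: "headend-office1"[2] 198.51.100.7 #3: ISAKMP SA established
Nov  4 10:05:41 headend pluto[1234]: "headend-office1"[2] 198.51.100.7 #4: responding to Quick Mode
Nov  4 10:05:41 headend pluto[1234]: "headend-office1"[2] 198.51.100.7 #4: IPsec SA established
"""

# Milestones in protocol order: ISAKMP (phase 1) must be up before the IPsec SA (phase 2).
MILESTONES = [
    ("Main Mode", "phase1-started"),
    ("ISAKMP SA established", "phase1-up"),
    ("Quick Mode", "phase2-started"),
    ("IPsec SA established", "phase2-up"),
]
# What to check next when a peer stalls at a given milestone
HINTS = {
    "phase1-started": "check UDP 500 reaches the box and that the PSK matches",
    "phase1-up": "check esp= against the Cisco transform set and pfs",
    "phase2-started": "check leftsubnet/rightsubnet against the Cisco crypto ACL",
}
PEER_RE = re.compile(r'pluto\[\d+\]: "([^"]+)"\[\d+\] (\S+) #\d+: (.*)$')

def triage(log_text):
    """Return {peer: {"conn", "stage", "error"}} from pluto syslog lines."""
    peers = {}
    for line in log_text.splitlines():
        m = PEER_RE.search(line)
        if not m:
            continue
        conn, peer, msg = m.groups()
        st = peers.setdefault(peer, {"conn": conn, "stage": "none", "error": None})
        for needle, stage in MILESTONES:
            if needle in msg:
                st["stage"] = stage   # later milestones overwrite earlier ones
        if msg.startswith("cannot respond") or "no connection" in msg:
            st["error"] = msg
    return peers

def stalled(peers):
    """Peers that never reached an IPsec SA, with the next thing to check."""
    return {p: HINTS.get(s["stage"], "no ISAKMP traffic seen")
            for p, s in peers.items() if s["stage"] != "phase2-up"}
```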
191
!Cisco end

On the 837, set ''debug crypto isakmp'' and ''debug crypto ipsec''. If you're on a console you should see the debug information; if not, type =ter mon= to monitor it, and =ter no mon= to turn it off again.

* [IP Security Troubleshooting (cisco.com)|http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml]

!Things to watch out for

* Before you start debugging, double check that you've opened the right things on the right firewalls.
* Don't try and use identities (left-id or crypto identity); it breaks things.
* Manually try and add your FreeS/WAN connection to see any errors you might have in your config.
* Pings from your FreeS/WAN machine to the other end will use the external interface, which isn't part of the range that's allowed on your tunnel. Use a machine behind the network, or if you really need to be able to connect out from the server to the other end, you'll need another connection block with leftsubnet=(external IP).

!9. Conclusion

Email on these issues is welcome. It took a long time to figure out and if you can get something as a result of this, I'd be happy. Thanks to everyone who has got in touch and said that they've managed to make their system work as a result of the PIX guide; I hope this is as useful.

Thanks especially to GreigMcGill for thinking that this would be a 2 second Thursday afternoon job and instead giving me something solid to write about :)

-- CraigBox

-----
CategorySecurity
