Diff: FreeSwanToCiscoAdsl

Differences between current version and previous revision of FreeSwanToCiscoAdsl.


Newer page: version 3 Last edited on Tuesday, September 7, 2004 10:48:17 am by CraigBox
Older page: version 2 Last edited on Monday, September 6, 2004 6:52:31 pm by CraigBox
@@ -62,9 +62,9 @@
  right= %any 
  rightsubnet= 10.1.2.0/24 
  esp= 3des-md5-96 
  keyexchange= ike 
- pfs= no  
+ pfs= yes  
  auto= add 
  authby= secret 
  auth= esp 
 </verbatim> 
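Review bot: `pfs= yes` on the FreeS/WAN side does not name a Diffie-Hellman group, while the Cisco side in this same edit pins `set pfs group2`; FreeS/WAN takes its PFS group from the Phase 1 (`ike=`) proposal, and no `ike=` line is visible in this block, so either add an `ike=` proposal that uses modp1024 (group 2) or state in the prose that the two groups must agree, otherwise Phase 2 will fail even though Phase 1 succeeds.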
@@ -81,9 +81,9 @@
 Note in this example, we don't know very much at all about our network - the 837's are on dynamic IP, so we have no idea at the Linux end what the right side IP addresses will be. For this tunnel we know the right hand subnet to allow, so we specify that - to add more connections, we would have to add more =conn= blocks. 
  
 * ''esp'' sets the [ESP] parameters. __This must be the same encryption and hashing algorithm you specify in your crypto map/isakmp config on the Cisco below.__ (Else it plain won't work.) 
 * ''keyexchange'' sets [IKE] (Internet Key Exchange) and can be set to nothing else. 
-* ''pfs'' is PerfectForwardSecrecy. This needs to be set 'no ' unless you specifically enable it on the Cisco end (see footnotes)  
+* ''pfs'' is PerfectForwardSecrecy. This is set 'yes ' because we also enabled it on the Cisco end.  
 * ''auto'' specifies the behaivour when ipsec starts - in this case, it is 'start the connection' - you can set 'add' to add the connection to pluto but not start the tunnel. 
  
 Next you need an ipsec.secrets file: 
  
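Review bot: the rewritten `pfs` bullet at +84 drops the guidance the old text gave for readers who do not enable PFS on the Cisco ("set 'no' unless you specifically enable it"); keep one clause to that effect, e.g. "set this to 'no' if you leave `set pfs` out of the Cisco crypto map", and remove the stray space inside the quotes in `'yes '`. The unchanged `auto` bullet below it also says "in this case, it is 'start the connection'" while the config above uses `auto= add` and the text at +156 says the connection is only added, so that bullet should say 'add' is what this example uses.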
@@ -155,14 +155,17 @@
 crypto map cm-cryptomap 1 ipsec-isakmp 
  set peer 210.211.212.213 
  set transform-set tr-3des-md5 
  match address FREESWAN-VPN 
+ set pfs group2  
 
 ! Apply the crypto map to the Dialer0 (ADSL) interface 
 interface Dialer0 
  crypto map cm-cryptomap 
 
 </verbatim> 
+  
+Check [Cisco's reference for IPSec network commands|http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_command_reference_chapter09186a008010a7c9.html] if you need more details.  
  
 !6. Start the tunnel 
  
 At the head (left) end, this tunnel can't connect out; remember we dont know what IP the right hand end is on. So, when you start FreeS/WAN, it will automatically add the connection and wait for the right end to connect. 
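Review bot: with the footnote that explained `set pfs group2` removed in the last hunk, nothing in the listing says what the new line at +159 does; add a comment in the style already used in this block, e.g. `! Enable PFS (DH group 2) for Phase 2 - must match the FreeS/WAN pfs= setting`, and say in the new sentence at +163 that the linked command reference is where `set pfs` is documented, so the link has a purpose for the reader.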
@@ -188,8 +191,10 @@
  
 !Cisco end 
  
 On the 837, set ''debug crypto isakmp'' and ''debug crypto ipsec''. If you're on a console you should see the debug information; if not, type =ter mon= to monitor it; and =ter no mon= to turn it off again. 
+  
+* [IP Security Troubleshooting (cisco.com)|http://www.cisco.com/en/US/tech/tk583/tk372/technologies_tech_note09186a00800949c5.shtml]  
  
 !Things to watch out for 
  
 * Before you start debugging double check that you've opened the right things on the right firewalls. 
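Review bot: the new bullet at +195 is a lone list item directly under the debug paragraph with no lead-in, so it reads as a continuation of the `ter mon` sentence; give it a short introducer such as "See also:" (the same form the Cisco reference link uses earlier in this edit) or fold it into the paragraph as "Cisco's IP Security Troubleshooting note covers these debug messages in more detail."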
@@ -205,9 +210,5 @@
  
 -- CraigBox 
  
 ----- 
-Footnotes  
-  
-# To enable PFS on the Cisco, try something like ''crypto map cm-cryptomap 1 set pfs group2'' (with the correct map name and priority)  
-  
 CategorySecurity
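Review bot: deleting the Footnotes section removes the caveat "with the correct map name and priority" that the old footnote carried; the `set pfs group2` line now sits inside the `crypto map cm-cryptomap 1` listing, which implies the name and priority, but the prose at +84 only says PFS is "also enabled ... on the Cisco end" without pointing at that line, so add a cross-reference there (e.g. "see the `set pfs group2` line in the crypto map below") so readers who adapt the map name still know the two settings belong together.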