Penguin

Configuring an IPSec VPN between FreeSwan and a CiscoPix

There are plenty of pages on the web that tell you how to create a IPSec VPN between Linux and a Cisco PIX 501 (entry level firewalling product), however none of them tell you enough, or why half the settings are as they are. 1?

The best example I've found so far is http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html (very recent page - good work Google!). However, it only specifies configs, which in my case, weren't enough to get everything working. Go read John's page, and then here are some interesting notes in the form of a HOWTO.

1. Compile a kernel with IPSec support

This is nicely covered on the IPSecInstallation page. A Debian summary:

 apt-get install kernel-patch-freeswan
 cd /usr/src/linux
 export PATCH_THE_KERNEL=yes
 make-kpkg --revision=ipsec.1.0 kernel_image

2. Get FreeS/WAN

 apt-get install freeswan

At this point I'd like to recommend that you're using FreeS/WAN v2.02.

3. Configure FreeS/WAN

Here is my FreeS/WAN configuration and explanation.

 # /etc/ipsec.conf - FreeS/WAN IPsec configuration file

 # More elaborate and more varied sample configurations can be found
 # in FreeS/WAN's doc/examples file, and in the HTML documentation.

 config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

 conn tunnelipsec
        type=           tunnel
        left=           202.0.45.170
        leftnexthop=    202.0.45.190
        leftsubnet=     10.69.1.0/24
        right=          203.97.9.162
        rightnexthop=   203.97.9.161
        rightsubnet=    10.7.3.0/24
        esp=            3des-md5-96
        keyexchange=    ike
        pfs=            no
        auto=           start

The interfaces line tells ipsec to use the same IP address as the interface that the default route is on: this is similar to "ipsec0:eth0" that some configurations recommend, but this works in the general case. When setting your connection up, you might want to set klips (the Kernel level IP Security) and pluto (the IPSEC keying Daemon) logging to "all".

The connection is named tunnelipsec and is of type (ESP) tunnel.

Your Linux machine is the left end of a network that will eventually look like this:

 10.69.1.0/24===202.0.45.170---202.0.45.190...203.97.9.161---203.97.9.162===10.7.3.0/24

You need to specify the next hop in either direction (a silly thing perhaps, but you can specify %defaultroute etc again - it doesn't hurt to fill them in though.)

  • esp sets the ESP parameters. This must be the same encryption and hashing algorithm you specify in your isakmp lines in the PIX config below. (Else it plain won't work.)
  • keyexchange sets IKE (Internet Key Exchange) and can be set to nothing else.
  • pfs is PerfectForwardSecrecy. This needs to be set 'no' unless you specifically enable it on the PIX end2?.
  • auto specifies the behaivour when ipsec starts - in this case, it is 'start the connection' - you can set 'add' to add the connection to pluto but not start the tunnel.

Next you need an ipsec.secrets file:

 # This file holds shared secrets or RSA private keys for inter-Pluto
 # authentication.  See ipsec_pluto(8)? manpage, and HTML documentation.

 # You might have an RSA key here depending on if you installed from a .deb

 202.0.45.170 203.97.9.162: PSK "secret"

It contains the pre-shared secret, a password for the connection that is known at both ends. While it is possible to use RSA sigs between a Cisco and FreeS/WAN, general opinion suggests it doesn't always work, so we will opt for the less secure but more practical option.

4. Configure firewalling

On your external interface, enable port 500 UDP (the ISAKMP port), and protocols 50 and 51 (IPSEC ESP and AH).

When you succeed, you are going to have incoming packets reinjected onto the ipsec0 interface, so remember to set up firewalling on this interface too!

5. Configuring the Cisco PIX 501

Log into, enable and configuration mode.

You will need lines very similar to these:

 ! I name my access lists.  This one also contains lines for not natting
 ! traffic destined to the internal network
 access-list NO-NAT permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.0
 ! This access list permits traffic for the tunneled network 3?
 access-list FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.0
 ! don't nat traffic on the NO-NAT access list
 nat (inside) 0 access-list NO-NAT
 ! Permit IPSEC connections
 sysopt connection permit-ipsec
 ! Create a transformation set called 'myset'
 crypto ipsec transform-set myset esp-3des esp-md5-hmac
 ! Create a crypto map called 'mymap', to match the access list FREESWAN-VPN.
 ! Peer it with the public IP of the Linux machine, and pick its IPSEC option
 ! set 'myset'
 crypto map mymap 10 ipsec-isakmp
 crypto map mymap 10 match address FREESWAN-VPN
 crypto map mymap 10 set peer 202.0.45.170
 crypto map mymap 10 set transform-set myset
 crypto map mymap interface outside
 ! Enable the keying protocol ISAKMP with no extended auth and the Cisco not
 ! pushing config down (which it should only do to its own VPN client)
 isakmp enable outside
 isakmp key secret address 202.0.45.170 netmask 255.255.255.255 no-xauth no-config-mode
 isakmp identity address
 isakmp policy 5 authentication pre-share
 isakmp policy 5 encryption 3des
 isakmp policy 5 hash md5
 isakmp policy 5 group 2
 isakmp policy 5 lifetime 28800

6. Start the tunnel

 ipsec auto --up tunnelipsec
 route add -net 10.7.3.0 netmask 255.255.255.0 dev ipsec0

7. Ping & use

 ping 10.7.3.10 -I 10.69.1.1 3?

There we go - one working FreeS/WAN to Cisco PIX. If you have any questions, contact details are on my Wiki page.

8. Debugging

The ipsec0 interface should have the same IP address as the interface through which you contact your default gateway (possibly ppp0). This is how it's meant to be.

Turn logging on (klips/pluto to 'all'). On the PIX, set debug crypto isakmp and debug crypto ipsec. tcpdump(8) ppp0 on your Linux box, or whatever the connection you are duplicating for your ipsec0 interface. Check that traffic is going both ways.

When you ipsec auto --up tunnelipsec you should see:

 104 "tunnelipsec" #4: STATE_MAIN_I1: initiate
 106 "tunnelipsec" #4: STATE_MAIN_I2: sent MI2, expecting MR2
 003 "tunnelipsec" #4: ignoring Vendor ID payload
 003 "tunnelipsec" #4: ignoring Vendor ID payload
 003 "tunnelipsec" #4: ignoring Vendor ID payload
 003 "tunnelipsec" #4: ignoring Vendor ID payload
 108 "tunnelipsec" #4: STATE_MAIN_I3: sent MI3, expecting MR3
 004 "tunnelipsec" #4: STATE_MAIN_I4: ISAKMP SA established
 112 "tunnelipsec" #5: STATE_QUICK_I1: initiate
 003 "tunnelipsec" #5: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
 004 "tunnelipsec" #5: STATE_QUICK_I2: sent QI2, IPsec SA established
I don't get to STATE_MAIN_I4
Make sure you have opened port 500 UDP and protcool 50/51.
I don't get to STATE_QUICK_I2
Two likely possibilities:
  • You have set 3DES/MD5 at one end and 3DES/SHA1 at the other, or some similar misconfiguration.
  • Your access lists are set up wrong on the PIX. For example,
 access-list FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.0

will work, where

 access-list FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 host 202.0.45.170

while it appears to do to the same thing, will cause problems at this point when the ISAKMP phase has finished, and the actual establishing of the tunnel begins.

(You might want to use --verbose in the ipsec auto line.)

I configure my PIX and other IPSEC connections to it die!
You can only have one crypto map command running on an interface at any one time. The PIX 501 only has one interface. You can get around this by creating different priorities within the same crypto map. See the fine manual.

If after all of this you get pings going out but no responses, see 3?.

Email on these issues are welcome. It took a long time to figure out and if you can get something as a result of this, I'd be happy. Thanks to everyone who has got in touch and said that they've managed to make their system work as a result of this guide.

-- CraigBox


[1] FreeBSD users, check out http://klub.chip.pl/nolewajk/work/freebsd/FreeBSD-howto.htm

[2] You do this by issuing crypto map mymap 10 set pfs group2 (with the correct map name and priority)

[3] When you go to ping your tunnel from your Linux box, you will probably ping using the IP address of ipsec0. Your access-list only allowed traffic from 10.69.1/24. Use ping 10.7.3.x -I 10.69.1.x with the IP of your internal interface.

CategorySecurity