There are plenty of pages on the web that tell you how to create a IPSec VPN between Linux and a Cisco PIX 501 (entry level firewalling product), however none of them tell you enough, or why half the settings are as they are. 1?
The best example I've found so far is http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html (very recent page - good work Google!). However, it only specifies configs, which in my case, weren't enough to get everything working. Go read John's page, and then here are some interesting notes in the form of a HOWTO.
apt-get install kernel-patch-freeswan cd /usr/src/linux export PATCH_THE_KERNEL=yes make-kpkg --revision=ipsec.1.0 kernel_image
apt-get install freeswan
At this point I'd like to recommend that you're using FreeS/WAN v2.02.
Here is my FreeS/WAN configuration and explanation.
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file # More elaborate and more varied sample configurations can be found # in FreeS/WAN's doc/examples file, and in the HTML documentation. config setup interfaces=%defaultroute klipsdebug=none plutodebug=none conn tunnelipsec type= tunnel left= 18.104.22.168 leftnexthop= 22.214.171.124 leftsubnet= 10.69.1.0/24 right= 126.96.36.199 rightnexthop= 188.8.131.52 rightsubnet= 10.7.3.0/24 esp= 3des-md5-96 keyexchange= ike pfs= no auto= start
The interfaces line tells ipsec to use the same IP address as the interface that the default route is on: this is similar to "ipsec0:eth0" that some configurations recommend, but this works in the general case. When setting your connection up, you might want to set klips (the Kernel level IP Security) and pluto (the IPSEC keying Daemon) logging to "all".
The connection is named tunnelipsec and is of type (ESP) tunnel.
Your Linux machine is the left end of a network that will eventually look like this:
You need to specify the next hop in either direction (a silly thing perhaps, but you can specify %defaultroute etc again - it doesn't hurt to fill them in though.)
Next you need an ipsec.secrets file:
# This file holds shared secrets or RSA private keys for inter-Pluto # authentication. See ipsec_pluto(8)? manpage, and HTML documentation. # You might have an RSA key here depending on if you installed from a .deb 184.108.40.206 220.127.116.11: PSK "secret"
It contains the pre-shared secret, a password for the connection that is known at both ends. While it is possible to use RSA sigs between a Cisco and FreeS/WAN, general opinion suggests it doesn't always work, so we will opt for the less secure but more practical option.
When you succeed, you are going to have incoming packets reinjected onto the ipsec0 interface, so remember to set up firewalling on this interface too!
Log into, enable and configuration mode.
You will need lines very similar to these:
! I name my access lists. This one also contains lines for not natting ! traffic destined to the internal network access-list NO-NAT permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.0 ! This access list permits traffic for the tunneled network 3? access-list FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.0 ! don't nat traffic on the NO-NAT access list nat (inside) 0 access-list NO-NAT ! Permit IPSEC connections sysopt connection permit-ipsec ! Create a transformation set called 'myset' crypto ipsec transform-set myset esp-3des esp-md5-hmac ! Create a crypto map called 'mymap', to match the access list FREESWAN-VPN. ! Peer it with the public IP of the Linux machine, and pick its IPSEC option ! set 'myset' crypto map mymap 10 ipsec-isakmp crypto map mymap 10 match address FREESWAN-VPN crypto map mymap 10 set peer 18.104.22.168 crypto map mymap 10 set transform-set myset crypto map mymap interface outside ! Enable the keying protocol ISAKMP with no extended auth and the Cisco not ! pushing config down (which it should only do to its own VPN client) isakmp enable outside isakmp key secret address 22.214.171.124 netmask 255.255.255.255 no-xauth no-config-mode isakmp identity address isakmp policy 5 authentication pre-share isakmp policy 5 encryption 3des isakmp policy 5 hash md5 isakmp policy 5 group 2 isakmp policy 5 lifetime 28800
ipsec auto --up tunnelipsec route add -net 10.7.3.0 netmask 255.255.255.0 dev ipsec0
ping 10.7.3.10 -I 10.69.1.1 3?
There we go - one working FreeS/WAN to Cisco PIX. If you have any questions, contact details are on my Wiki page.
The ipsec0 interface should have the same IP address as the interface through which you contact your default gateway (possibly ppp0). This is how it's meant to be.
Turn logging on (klips/pluto to 'all'). On the PIX, set debug crypto isakmp and debug crypto ipsec. tcpdump(8) ppp0 on your Linux box, or whatever the connection you are duplicating for your ipsec0 interface. Check that traffic is going both ways.
When you ipsec auto --up tunnelipsec you should see:
104 "tunnelipsec" #4: STATE_MAIN_I1: initiate 106 "tunnelipsec" #4: STATE_MAIN_I2: sent MI2, expecting MR2 003 "tunnelipsec" #4: ignoring Vendor ID payload 003 "tunnelipsec" #4: ignoring Vendor ID payload 003 "tunnelipsec" #4: ignoring Vendor ID payload 003 "tunnelipsec" #4: ignoring Vendor ID payload 108 "tunnelipsec" #4: STATE_MAIN_I3: sent MI3, expecting MR3 004 "tunnelipsec" #4: STATE_MAIN_I4: ISAKMP SA established 112 "tunnelipsec" #5: STATE_QUICK_I1: initiate 003 "tunnelipsec" #5: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME 004 "tunnelipsec" #5: STATE_QUICK_I2: sent QI2, IPsec SA established
access-list FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.0
access-list FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 host 126.96.36.199
while it appears to do to the same thing, will cause problems at this point when the ISAKMP phase has finished, and the actual establishing of the tunnel begins.
If after all of this you get pings going out but no responses, see 3?.
Email on these issues are welcome. It took a long time to figure out and if you can get something as a result of this, I'd be happy. Thanks to everyone who has got in touch and said that they've managed to make their system work as a result of this guide.
 FreeBSD users, check out http://klub.chip.pl/nolewajk/work/freebsd/FreeBSD-howto.htm
 You do this by issuing crypto map mymap 10 set pfs group2 (with the correct map name and priority)
 When you go to ping your tunnel from your Linux box, you will probably ping using the IP address of ipsec0. Your access-list only allowed traffic from 10.69.1/24. Use ping 10.7.3.x -I 10.69.1.x with the IP of your internal interface.
lib/main.php:944: Notice: PageInfo: Cannot find action page