!!!Configuring an [IPSec] [VPN] between FreeSwan and a CiscoPix %%%

There are [plenty|http://www.diverdown.cc/vpn/freeswanpix.html] of [pages|http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html] on the web that tell you how to create an [IPSec] [VPN] between [Linux] and a [Cisco] PIX 501 (entry level firewalling product), however none of them tell you enough, or _why_ half the settings are as they are. [1]

The best example I've found so far is http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html (very recent page - good work Google!). However, it only specifies configs, which in my case weren't enough to get everything working. Go read John's page, and then come back for some interesting notes in the form of a HOWTO.

!1. Compile a kernel with [IPSec] support

This is nicely covered on the [IPSecInstallation] page. A [Debian] summary:
<pre>
apt-get install kernel-patch-freeswan
cd /usr/src/linux
export PATCH_THE_KERNEL=yes
make-kpkg --revision=ipsec.1.0 kernel_image
</pre>

!2. Get FreeS/WAN

<pre>
apt-get install freeswan
</pre>

At this point I'd recommend that you use FreeS/WAN v2.02.

!3. Configure FreeS/WAN

Here is my FreeS/WAN configuration and explanation.

<pre>
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file

# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

conn tunnelipsec
        type= tunnel
        left= 202.0.45.170
        leftnexthop= 202.0.45.190
        leftsubnet= 10.69.1.0/24
        right= 203.97.9.162
        rightnexthop= 203.97.9.161
        rightsubnet= 10.7.3.0/24
        esp= 3des-md5-96
        keyexchange= ike
        pfs= no
        auto= start
</pre>

The ''interfaces'' line tells ipsec to use the same IP address as the interface that the default route is on: this is similar to the "ipsec0:eth0" form that some configurations recommend, but this works in the general case. When setting your connection up, you might want to set klips (the [Kernel] level IP Security) and pluto (the IPSEC keying [Daemon]) logging to "all".

The connection is named __tunnelipsec__ and is of ''type'' ([ESP]) tunnel.

Your Linux machine is the ''left'' end of a network that will eventually look like this:

<pre>
10.69.1.0/24===202.0.45.170---202.0.45.190...203.97.9.161---203.97.9.162===10.7.3.0/24
</pre>

You need to specify the next hop in each direction (it may seem redundant, and you can use %defaultroute here again, but it doesn't hurt to fill them in).

* ''esp'' sets the [ESP] parameters. __This must be the same encryption and hashing algorithm you specify in your isakmp lines in the PIX config below.__ (Else it plain won't work.)
* ''keyexchange'' sets [IKE] (Internet Key Exchange) and can be set to nothing else.
* ''pfs'' is PerfectForwardSecrecy. This needs to be set to 'no' unless you specifically enable it on the PIX end [2].
* ''auto'' specifies the behaviour when ipsec starts - in this case, it is 'start the connection' - you can set 'add' to add the connection to pluto but not start the tunnel.

Next you need an ipsec.secrets file:

<pre>
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.

# You might have an RSA key here depending on whether you installed from a .deb

202.0.45.170 203.97.9.162: PSK "''secret''"
</pre>

It contains the pre-shared secret, a password for the connection that is known at both ends. While it is possible to use RSA signatures between a Cisco and FreeS/WAN, general opinion suggests it doesn't always work, so we will opt for the less secure but more practical option.

!4. Configure firewalling

On your external interface, enable port 500 [UDP] (the [ISAKMP] port), and protocols 50 and 51 (IPSEC [ESP] and [AH]).

When you succeed, you are going to have incoming packets reinjected onto the ipsec0 interface, so remember to set up firewalling on this interface too!

!5. Configuring the Cisco PIX 501

Log in, then enter enable mode and configuration mode.

You will need lines very similar to these:

<pre>
! I name my access lists. This one also contains lines for not natting
! traffic destined to the internal network
access-list NO-NAT permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.0
! This access list permits traffic for the tunneled network [3]
access-list FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.0
! don't nat traffic on the NO-NAT access list
nat (inside) 0 access-list NO-NAT
! Permit IPSEC connections
sysopt connection permit-ipsec
! Create a transformation set called 'myset'
crypto ipsec transform-set myset esp-3des esp-md5-hmac
! Create a crypto map called 'mymap', to match the access list FREESWAN-VPN.
! Peer it with the public IP of the Linux machine, and pick its IPSEC option
! set 'myset'
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address FREESWAN-VPN
crypto map mymap 10 set peer 202.0.45.170
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
! Enable the keying protocol [ISAKMP] with no extended auth and the Cisco not
! pushing config down (which it should only do to its own VPN client)
isakmp enable outside
isakmp key ''secret'' address 202.0.45.170 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 2
isakmp policy 5 lifetime 28800
</pre>
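
As an added cross-check (my own example, not part of the original page, FreeS/WAN or the PIX), this Python script compares the esp=, subnet, peer and pfs settings of the conn above with the PIX transform-set, crypto map and access-list, and reports the mismatches that the Debugging section below blames for a tunnel that never gets past the ISAKMP phase. The two excerpts are constructed from the page's own values; `check()` and the name mapping are assumptions of this example.

```python
import re
# Constructed excerpts of the two configurations on this page (same addresses and names).
FREESWAN_CONF = """conn tunnelipsec
 left= 202.0.45.170
 leftsubnet= 10.69.1.0/24
 right= 203.97.9.162
 rightsubnet= 10.7.3.0/24
 esp= 3des-md5-96
 pfs= no
"""
PIX_CONF = """access-list FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 match address FREESWAN-VPN
crypto map mymap 10 set peer 202.0.45.170
crypto map mymap 10 set transform-set myset
"""
# FreeS/WAN esp= algorithm names and the PIX transform-set keywords that mean the same thing.
ESP_TO_PIX = {"3des": "esp-3des", "md5": "esp-md5-hmac", "sha1": "esp-sha-hmac"}

def prefix(mask):                      # "255.255.255.0" -> 24
    return sum(bin(int(o)).count("1") for o in mask.split("."))
def net(t, i):                         # "A.B.C.D M.M.M.M" or "host A.B.C.D" at t[i]
    if t[i] == "host":
        return f"{t[i + 1]}/32", i + 2
    return f"{t[i]}/{prefix(t[i + 1])}", i + 2

def check(freeswan_text, pix_text):
    """Return the mismatches that stall the tunnel between the ISAKMP and IPsec phases."""
    fs = dict(re.findall(r"^\s*(\w+)=\s*(\S+)", freeswan_text, re.M))
    acls, tsets, maps = {}, {}, {}
    for t in (line.split() for line in pix_text.splitlines()):
        if len(t) >= 8 and t[0] == "access-list" and t[2:4] == ["permit", "ip"]:
            src, i = net(t, 4)
            acls.setdefault(t[1], []).append((src, net(t, i)[0]))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[t[3]] = set(t[4:])
        elif len(t) >= 7 and t[:2] == ["crypto", "map"] and t[4] in ("match", "set"):
            maps[f"{t[4]} {t[5]}"] = t[6]    # e.g. "set peer" -> "202.0.45.170"
    problems = []
    want = {ESP_TO_PIX[a] for a in fs["esp"].split("-")[:2]}
    if tsets.get(maps.get("set transform-set")) != want:
        problems.append(f"esp={fs['esp']} needs PIX transform-set {sorted(want)}")
    if maps.get("set peer") != fs["left"]:
        problems.append(f"PIX peer {maps.get('set peer')} is not left={fs['left']}")
    if (fs["rightsubnet"], fs["leftsubnet"]) not in acls.get(maps.get("match address"), []):
        problems.append("crypto map access-list does not match rightsubnet -> leftsubnet")
    if (fs["pfs"] == "yes") != ("set pfs" in maps):
        problems.append("pfs= on FreeS/WAN and 'set pfs' on the PIX disagree")
    return problems
```

Run it against both sides' configs before bringing the tunnel up; an empty list means the two ends agree on the settings this page says must match.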

!6. Start the tunnel

<pre>
ipsec auto --up tunnelipsec
route add -net 10.7.3.0 netmask 255.255.255.0 dev ipsec0
</pre>

!7. Ping & use
<pre>
ping 10.7.3.10 -I 10.69.1.1 [3]
</pre>

There we go - one working FreeS/WAN to Cisco PIX. If you have any questions, contact details are on my Wiki page.

!8. Debugging

The ipsec0 interface should have the same IP address as the interface through which you contact your default gateway (possibly ppp0). This is how it's meant to be.

Turn logging on (klips/pluto to 'all'). On the PIX, set ''debug crypto isakmp'' and ''debug crypto ipsec''. Run tcpdump(8) on ppp0 on your Linux box, or whichever interface ipsec0 is bound to. Check that traffic is going both ways.

When you ''ipsec auto --up tunnelipsec'' you should see:

<pre>
104 "tunnelipsec" #4: STATE_MAIN_I1: initiate
106 "tunnelipsec" #4: STATE_MAIN_I2: sent MI2, expecting MR2
003 "tunnelipsec" #4: ignoring Vendor ID payload
003 "tunnelipsec" #4: ignoring Vendor ID payload
003 "tunnelipsec" #4: ignoring Vendor ID payload
003 "tunnelipsec" #4: ignoring Vendor ID payload
108 "tunnelipsec" #4: STATE_MAIN_I3: sent MI3, expecting MR3
004 "tunnelipsec" #4: STATE_MAIN_I4: ISAKMP SA established
112 "tunnelipsec" #5: STATE_QUICK_I1: initiate
003 "tunnelipsec" #5: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
004 "tunnelipsec" #5: STATE_QUICK_I2: sent QI2, IPsec SA established
</pre>

; __I don't get to STATE_MAIN_I4__ :Make sure you have opened port 500 UDP and protocols 50/51.
; __I don't get to STATE_QUICK_I2__ :Two likely possibilities:
* You have set 3DES/MD5 at one end and 3DES/SHA1 at the other, or some similar misconfiguration.
* Your access lists are set up wrong on the PIX. For example,

<pre>
access-list FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.0
</pre>
will work, whereas
<pre>
access-list FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 host 202.0.45.170
</pre>
while it appears to do the same thing, will cause problems at this point, when the [ISAKMP] phase has finished and the actual establishing of the tunnel begins.

(You might want to use --verbose in the ipsec auto line.)
; __I configure my PIX and other IPSEC connections to it die!__ :You can only have one ''crypto map'' command running on an interface at any one time. The PIX 501 only has one interface. You can get around this by creating different priorities within the same crypto map. See [the fine manual|http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/c.htm].
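
Added example (mine, not from the original page or from FreeS/WAN): a small Python triage of the pluto output above that reports the furthest initiator state reached and, when the run stops short, the phase-specific diagnosis from this section. The sample output is constructed from the page's own lines; `triage()` and the hint texts are assumptions of this example.

```python
import re

# Constructed pluto output, with the same lines as the successful run shown on this page.
GOOD_RUN = """104 "tunnelipsec" #4: STATE_MAIN_I1: initiate
106 "tunnelipsec" #4: STATE_MAIN_I2: sent MI2, expecting MR2
003 "tunnelipsec" #4: ignoring Vendor ID payload
108 "tunnelipsec" #4: STATE_MAIN_I3: sent MI3, expecting MR3
004 "tunnelipsec" #4: STATE_MAIN_I4: ISAKMP SA established
112 "tunnelipsec" #5: STATE_QUICK_I1: initiate
003 "tunnelipsec" #5: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
004 "tunnelipsec" #5: STATE_QUICK_I2: sent QI2, IPsec SA established
"""
# The initiator states in the order a working tunnel passes through them:
# Main Mode (ISAKMP SA, #4 above) and then Quick Mode (IPsec SA, #5 above).
ORDER = ["STATE_MAIN_I1", "STATE_MAIN_I2", "STATE_MAIN_I3", "STATE_MAIN_I4",
         "STATE_QUICK_I1", "STATE_QUICK_I2"]
# The page's own diagnosis for each phase that fails to complete.
HINTS = {
    "MAIN": "ISAKMP SA never established: check UDP 500 and protocols 50/51 through the firewall",
    "QUICK": "ISAKMP SA up but no IPsec SA: esp= does not match the PIX transform-set/hash, "
             "or the PIX access-list for the crypto map is wrong",
}

def triage(output, conn="tunnelipsec"):
    """Return (furthest state reached, hint); hint is None when the IPsec SA came up."""
    pat = re.compile(rf'^\d{{3}} "{re.escape(conn)}" #\d+: (STATE_\w+):')
    seen = {m.group(1) for m in map(pat.match, output.splitlines()) if m}
    reached = max((ORDER.index(s) for s in seen if s in ORDER), default=-1)
    if reached == len(ORDER) - 1:
        return ORDER[reached], None
    phase = "MAIN" if ORDER[reached + 1].startswith("STATE_MAIN") else "QUICK"
    return (ORDER[reached] if reached >= 0 else None), HINTS[phase]
```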

If after all of this you get pings going out but no responses, see [3].

Email on these issues is welcome. It took a long time to figure out, and if you can get something as a result of this, I'd be happy. Thanks to everyone who has got in touch and said that they've managed to make their system work as a result of this guide.

-- CraigBox

-----
#[|ftnt_1]~[[1|#ftnt_ref_1]~] FreeBSD users, check out http://klub.chip.pl/nolewajk/work/freebsd/FreeBSD-howto.htm

#[|ftnt_2]~[[2|#ftnt_ref_2]~] You do this by issuing ''crypto map mymap 10 set pfs group2'' (with the correct map name and priority)

#[|ftnt_3]~[[3|#ftnt_ref_3]~] When you go to ping your tunnel from your Linux box, you will probably ping using the IP address of ipsec0. Your access-list only allowed traffic from 10.69.1/24. Use ping 10.7.3.x -I 10.69.1.x with the IP of your internal interface.

CategorySecurity
