Differences between version 2 and previous revision of FreeSwanToCiscoPix.
Newer page: version 2, last edited on Friday, June 20, 2003 10:28:27 am by CraigBox
Older page: version 1, last edited on Friday, June 20, 2003 10:22:04 am by CraigBox
@@ -41,17 +41,47 @@
keyexchange= ike
pfs= no
auto= add
-The __
interfaces__
line tells ipsec to use the same IP address as the interface that the default route is on: this is similar to "ipsec0:eth0" that some configurations recommend, but this works. When setting your connection up, you might want to set klips (Kernel IP Security) and pluto (the IPSEC keying [Daemon]) logging to "all".
+The ''
interfaces''
line tells ipsec to use the same IP address as the interface that the default route is on: this is similar to "ipsec0:eth0" that some configurations recommend, but this works. When setting your connection up, you might want to set klips (Kernel IP Security) and pluto (the IPSEC keying [Daemon]) logging to "all".
-The connection is named __tunnelipsec__ and is of __
type__
([ESP]) tunnel.
+The connection is named __tunnelipsec__ and is of ''
type''
([ESP]) tunnel.
-Your Linux machine is the __
left__
end of a network that will eventually look like this:
+Your Linux machine is the ''
left''
end of a network that will eventually look like this:
-!!
10.69.1./24===202..45.170---202..45.190...203.97.9.161---203.97.9.162===10.7.3./24
+10.69.1./24===202..45.170---202..45.190...203.97.9.161---203.97.9.162===10.7.3./24
You need to specify the next hop in either direction (a silly thing perhaps, but you can specify %defaultroute etc again - it doesn't hurt to fill them in though.)
-__
esp_
_ sets the [ESP] parameters. ''
This must be the same encryption and hashing algorithm you specify in your isakmp lines in the PIX config below.''
+''
esp''
_ sets the [ESP] parameters. __
This must be the same encryption and hashing algorithm you specify in your isakmp lines in the PIX config below.__
-__
keyexchange__
sets [IKE] (Internet Key Exchange) and can be set to nothing else. __
pfs__
is Perfect Forwarding Security
and needs to be set no. When ipsec starts, automatically add this connection to pluto (''
but this will not automatically create the tunnel.'')
+''
keyexchange''
sets [IKE] (Internet Key Exchange) and can be set to nothing else. ''
pfs''
is Perfect Forwarding Secrecy
and needs to be set no for a PIX[1]
. When ipsec starts, automatically add this connection to pluto (__
but this will not automatically create the tunnel.__)
+
+!4. Configuring the Cisco PIX 501
+
+Log into, enable and configuration mode.
+
+You will need lines very similar to these:
+
+ access-list NO-NAT permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.
+ access-list FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.
+ nat (inside) 0 access-list NO-NAT
+ sysopt connection permit-ipsec
+ crypto map mymap 10 ipsec-isakmp
+ crypto map mymap 10 match address FREESWAN-VPN
+ crypto map mymap 10 set peer 202..45.170
+ crypto map mymap 10 set transform-set myset
+ crypto map mymap interface outside
+ isakmp enable outside
+ isakmp key
''secret'' address 202..45.170 netmask 255.255.255.255 no-xauth no-config-mode
+ isakmp identity address
+ isakmp policy 5 authentication pre-share
+ isakmp policy 5 encryption 3des
+ isakmp policy 5 hash md5
+ isakmp policy 5 group 2
+ isakmp policy 5 lifetime 28800
+
+
+-----
+[1] With PFS, penetration of the key-exchange protocol does not compromise keys negotiated earlier.
+
+CategorySecurity
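Review bot: the PIX section added in this hunk is incomplete and the `esp` paragraph points the reader at the wrong PIX lines. `crypto map mymap 10 set transform-set myset` references a transform set `myset` that is never defined anywhere in the lines shown, and it is that transform set, not the `isakmp policy 5 encryption 3des` / `isakmp policy 5 hash md5` lines, that carries the ESP encryption and hash algorithms; the `isakmp policy` lines govern the IKE (phase 1) negotiation. Suggest adding the `crypto ipsec transform-set myset ...` line beside the crypto map and rewording the esp sentence to say the FreeS/WAN `esp` algorithms must match that transform set, with a separate sentence noting that the IKE-side algorithms are set by the `isakmp policy` lines. Smaller points in the same hunk: the `__esp__` replacement leaves a stray underscore (`''esp''_ sets the [ESP] parameters`); "Perfect Forwarding Secrecy" should read "Perfect Forward Secrecy"; "Log into, enable and configuration mode." is missing its verbs ("Log in, then enter enable and configuration mode"); both `access-list` lines end in `255.255.255.` and the diagram has `10.69.1./24` and `10.7.3./24`, which look like a dropped final octet and will not paste as written, so the full masks and network addresses should be checked; `''secret''` in the `isakmp key` line should be explicitly called out as a placeholder for the real pre-shared key; and since footnote [1] spells out what PFS protects against, the `pfs=no` paragraph should say plainly that this is a deliberate trade-off to match the PIX side rather than leave the reader to infer it. Also worth a sentence: the advice to set klips and pluto logging to "all" is for bring-up only, and the logging should be turned back down once the tunnel is working.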