Diff: FreeSwanToCiscoPix

Differences between version 12 and predecessor to the previous major change of FreeSwanToCiscoPix.


Newer page: version 12 Last edited on Friday, July 18, 2003 4:03:48 pm by CraigBox
Older page: version 9 Last edited on Friday, July 18, 2003 1:59:47 pm by CraigBox
@@ -1,4 +1,7 @@
+!Configuring an [IPSec] [VPN] between FreeSwan and a CiscoPix  
+CraigBox (updated 18/7/03)  
+  
 There are [plenty|http://www.diverdown.cc/vpn/freeswanpix.html] of [pages|http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html] on the web that tell you how to create a [IPSec] [VPN] between [Linux] and a [Cisco] PIX 501 (entry level firewalling product), however none of them tell you enough, or _why_ half the settings are as they are. [1] 
  
 The best example I've found so far is http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html (very recent page - good work Google!). However, it only specifies configs, which in my case, weren't enough to get everything working. Go read John's page and then here are some interesting notes. 
  
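Review bot: The date in the new byline, "CraigBox (updated 18/7/03)", is day/month/year and will be misread as month/day by many readers; the page header already records the edit as "Friday, July 18, 2003", so either drop the byline (the page is also signed "-- CraigBox" at the bottom) or write the date out, e.g. "CraigBox (updated 18 July 2003)". The three added lines each end in two trailing spaces; if that is not this wiki's line-break convention it is stray whitespace.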
@@ -53,16 +56,20 @@
 You need to specify the next hop in either direction (a silly thing perhaps, but you can specify %defaultroute etc again - it doesn't hurt to fill them in though.) 
  
 ''esp'' sets the [ESP] parameters. __This must be the same encryption and hashing algorithm you specify in your isakmp lines in the PIX config below.__ 
  
-''keyexchange'' sets [IKE] (Internet Key Exchange) and can be set to nothing else. ''pfs'' is Perfect Forwarding Secrecy[2] and needs to be set no for a PIX unless you specifically enabled it on the PIX end. When ipsec starts, automatically add this connection to pluto (__but this will not automatically create the tunnel.__) 
+''keyexchange'' sets [IKE] (Internet Key Exchange) and can be set to nothing else.  
+  
+ ''pfs'' is PerfectForwardSecrecy. This needs to be set ' no' unless you specifically enable it on the PIX end[2] . When ipsec starts, automatically add this connection to pluto (__but this will not automatically create the tunnel.__) 
  
 Next you need an ipsec.secrets file: 
  
-# This file holds shared secrets or RSA private keys for inter-Pluto  
-# authentication. See ipsec_pluto(8) manpage, and HTML documentation. 
+ # This file holds shared secrets or RSA private keys for inter-Pluto  
+ # authentication. See ipsec_pluto(8) manpage, and HTML documentation.  
+  
+ # You might have an RSA key here depending on if you installed from a .deb  
  
-202..45.170 203.97.9.162: PSK "''secret''" 
+ 202..45.170 203.97.9.162: PSK "''secret''" 
  
 It contains the pre-shared secret, a password for the connection that is known at both ends. 
  
 !4. Configure firewalling 
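Review bot: The quoting of the pfs value in the new line is broken: "' no'" has a stray leading space and uses a single quote, while ''keyexchange'' and ''pfs'' on the same lines use the wiki's '' italics, so it will render literally as ' no'; write it as ''pfs=no'' (or ''no'') to match. The footnote marker also has a space before the full stop ("[2] ."). In the ipsec.secrets block the added indentation correctly turns it into preformatted text like the other config blocks, but the peer address "202..45.170" has a doubled dot in both the old and new versions; if the address is intentionally redacted say so in a comment, otherwise it should be a complete dotted quad, since a PSK line whose address does not match the peer will not be selected by pluto.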
@@ -134,19 +141,29 @@
  112 "tunnelipsec" #5: STATE_QUICK_I1: initiate 
  003 "tunnelipsec" #5: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME 
  004 "tunnelipsec" #5: STATE_QUICK_I2: sent QI2, IPsec SA established 
  
-If you don't get to STATE_MAIN_I4, make sure you have opened port 500 UDP and protcool 50/51.  
-If you don't get to STATE_QUICK_I2, chances are you have set 3DES/MD5 at one end and 3DES/SHA1 at the other, or some similar misconfiguration. 
+; __I don't get to STATE_MAIN_I4__ : Make sure you have opened port 500 UDP and protcool 50/51.  
+; __I don't get to STATE_QUICK_I2__ : Two likely possibilities:  
+* You have set 3DES/MD5 at one end and 3DES/SHA1 at the other, or some similar misconfiguration.  
+* Your access lists are set up wrong on the PIX. For example,  
+  
+ access-list FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.  
+will work, where  
+ access-list FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 host 202..45.170  
+while it appears to do to the same thing, will cause problems at this point when the [ISAKMP] phase has finished, and the actual establishing of the tunnel begins
  
 (You might want to use --verbose in the ipsec auto line.) 
+; __I configure my PIX and other IPSEC connections to it die!__ : You can only have one ''crypto map'' command running on an interface at any one time. The PIX 501 only has one interface. You can get around this by creating different priorities within the same crypto map. See [the fine manual|http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/c.htm].  
  
 If after all of this you get pings going out but no responses, see [3]. 
+  
+Email on these issues are welcome. It took a long time to figure out and if you can get something as a result of this, I'd be happy.  
  
 -- CraigBox 
  
 ----- 
 [1] FreeBSD users, check out http://klub.chip.pl/nolewajk/work/freebsd/FreeBSD-howto.htm 
-[2] See PerfectForwardSecrecy  
+[2] You do this by issuing ''crypto map mymap 10 set pfs group2'' (with the correct map name and priority)  
 [3] When you go to ping your tunnel from your Linux box, you will probably ping using the IP address of ipsec0. Your access-list only allowed traffic from 10.69.1/24. Use ping 10.7.3.x -I 10.69.1.x with the IP of your internal interface. 
  
 CategorySecurity
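Review bot: The "will work" access-list example has a truncated netmask: "access-list FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255." ends in "255.255.255." and should presumably end in ".0" like the mask earlier on the same line, otherwise a reader copying it gets a syntax error on the PIX. The first definition-list entry carries over the typo "protcool" from the old line; write "IP protocols 50 and 51 (ESP and AH)". The second access-list sentence reads "while it appears to do to the same thing" (drop one "to") and has no terminating full stop, and the third entry's heading "I configure my PIX and other IPSEC connections to it die!" would read more clearly as "When I configure my PIX, other IPSec connections to it die!".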