Differences between version 13 and predecessor to the previous major change of FreeSwanToCiscoPix.
Newer page: | version 13 | Last edited on Friday, December 5, 2003 8:15:55 pm | by CraigBox |
Older page: | version 12 | Last edited on Friday, July 18, 2003 4:03:48 pm | by CraigBox |
@@ -1,10 +1,9 @@
-!Configuring an [IPSec] [VPN] between FreeSwan and a CiscoPix
-CraigBox (updated 18/7/03)
+!!
!Configuring an [IPSec] [VPN] between FreeSwan and a CiscoPix %%%
There are [plenty|http://www.diverdown.cc/vpn/freeswanpix.html] of [pages|http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html] on the web that tell you how to create a [IPSec] [VPN] between [Linux] and a [Cisco] PIX 501 (entry level firewalling product), however none of them tell you enough, or _why_ half the settings are as they are. [1]
-The best example I've found so far is http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html (very recent page - good work Google!). However, it only specifies configs, which in my case, weren't enough to get everything working. Go read John's page and then here are some interesting notes.
+The best example I've found so far is http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html (very recent page - good work Google!). However, it only specifies configs, which in my case, weren't enough to get everything working. Go read John's page,
and then here are some interesting notes in the form of a HOWTO
.
!1. Compile a kernel with [IPSec] support
This is nicely covered on the [IPSecInstallation] page. A [Debian] summary:
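Review bot: the new `+!!` line is a heading marker with no text and will render as an empty heading; either give it the page title or drop it, since the title now sits on the `!Configuring an [IPSec] [VPN] ...` line directly below. The removed `CraigBox (updated 18/7/03)` line was the only dated attribution at the top of the page; the `-- CraigBox` sign-off at the end still credits the author, but the last-updated date disappears from the body, so keep a date line somewhere readers will see it.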
@@ -15,8 +14,10 @@
!2. Get FreeS/WAN
apt-get install freeswan
+
+At this point I'd like to recommend that you're using FreeS/WAN v2.02.
!3. Configure FreeS/WAN
Here is my FreeS/WAN configuration and explanation.
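Review bot: the added recommendation to use FreeS/WAN v2.02 gives neither a reason nor a way to act on it. `apt-get install freeswan` installs whatever the distribution ships, so say why the version matters (the configuration in the next section drops `plutoload`, which the 2.x series replaced with the per-connection `auto=` setting, so a 1.x install would still need the old line) and how to confirm what is installed, e.g. `ipsec --version`.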
@@ -29,9 +30,8 @@
config setup
interfaces=%defaultroute
klipsdebug=none
plutodebug=none
- plutoload="tunnelipsec"
conn tunnelipsec
type= tunnel
left= 202.0.45.170
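Review bot: removing `plutoload="tunnelipsec"` from `config setup` with no comment leaves a reader on an older FreeS/WAN with a connection that is never loaded into pluto; the replacement behaviour comes from `auto=` in the `conn` section, so a one-line note here pointing at that setting (and at the version requirement in the previous section) would avoid a silent failure. Also worth saying next to `klipsdebug=none` / `plutodebug=none`: the guide later suggests setting both to "all" while bringing the tunnel up, so tell readers to put them back to `none` afterwards, as that level is very verbose in syslog.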
@@ -42,25 +42,24 @@
rightsubnet= 10.7.3.0/24
esp= 3des-md5-96
keyexchange= ike
pfs= no
- auto= add
+ auto= start
-The ''interfaces'' line tells ipsec to use the same IP address as the interface that the default route is on: this is similar to "ipsec0:eth0" that some configurations recommend, but this works. When setting your connection up, you might want to set klips (Kernel IP Security) and pluto (the IPSEC keying [Daemon]) logging to "all".
+The ''interfaces'' line tells ipsec to use the same IP address as the interface that the default route is on: this is similar to "ipsec0:eth0" that some configurations recommend, but this works in the general case
. When setting your connection up, you might want to set klips (the [
Kernel] level
IP Security) and pluto (the IPSEC keying [Daemon]) logging to "all".
The connection is named __tunnelipsec__ and is of ''type'' ([ESP]) tunnel.
Your Linux machine is the ''left'' end of a network that will eventually look like this:
-10.69.1./24===202..45.170---202..45.190...203.97.9.161---203.97.9.162===10.7.3./24
+
10.69.1./24===202..45.170---202..45.190...203.97.9.161---203.97.9.162===10.7.3./24
You need to specify the next hop in either direction (a silly thing perhaps, but you can specify %defaultroute etc again - it doesn't hurt to fill them in though.)
-''esp'' sets the [ESP] parameters. __This must be the same encryption and hashing algorithm you specify in your isakmp lines in the PIX config below.__
-
-
''keyexchange'' sets [IKE] (Internet Key Exchange) and can be set to nothing else.
-
-
''pfs'' is PerfectForwardSecrecy. This needs to be set 'no' unless you specifically enable it on the PIX end[2]. When
ipsec starts, automatically
add this
connection to pluto (__
but this will
not automatically create
the tunnel.__)
+*
''esp'' sets the [ESP] parameters. __This must be the same encryption and hashing algorithm you specify in your isakmp lines in the PIX config below.__ (Else it plain won't work.)
+*
''keyexchange'' sets [IKE] (Internet Key Exchange) and can be set to nothing else.
+*
''pfs'' is PerfectForwardSecrecy. This needs to be set 'no' unless you specifically enable it on the PIX end[2].
+* ''auto'' specifies the behaivour when
ipsec starts - in this case
, it is 'start the connection' - you can set '
add' to add the
connection to pluto but not start
the tunnel.
Next you need an ipsec.secrets file:
# This file holds shared secrets or RSA private keys for inter-Pluto
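Review bot: the bold warning under `esp` points readers at the wrong PIX lines. `esp=` is the phase 2 (IPsec SA) transform, which on the PIX has to match the `crypto ipsec transform-set`; the `isakmp policy` lines are phase 1 and are matched against FreeS/WAN's `ike=` proposals, not `esp=`. Reword it to name the transform-set, otherwise someone debugging a proposal mismatch will compare the wrong pair. Two smaller points: the ASCII network diagram reads `10.69.1./24` and `202..45.170` while the config has `left= 202.0.45.170` and `rightsubnet= 10.7.3.0/24`, so the zero octets have been lost and the line should be restored to match the config; and the change from `auto= add` to `auto= start` means the init script now brings the tunnel up at boot, which the new `auto` bullet explains but the old `add this connection ... will not automatically create the tunnel` wording on the `pfs` bullet no longer does, so make sure only the new bullet survives.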
@@ -69,13 +68,15 @@
# You might have an RSA key here depending on if you installed from a .deb
202.0.45.170 203.97.9.162: PSK "''secret''"
-It contains the pre-shared secret, a password for the connection that is known at both ends.
+It contains the pre-shared secret, a password for the connection that is known at both ends. While it is possible to use RSA sigs between a Cisco and FreeS/WAN, general opinion suggests it doesn't always work, so we will opt for the less secure but more practical option
.
!4. Configure firewalling
On your external interface, enable port 500 [UDP] (the [ISAKMP] port), and protocols 50 and 51 (IPSEC [ESP] and [AH]).
+
+When you succeed, you are going to have incoming packets reinjected onto the ipsec0 interface, so remember to set up firewalling on this interface too!
!5. Configuring the Cisco PIX 501
Log into, enable and configuration mode.
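Review bot: the new sentence about choosing a pre-shared key over RSA signatures should come with the two things that make a PSK tunnel acceptable, and the hunk omits both: ipsec.secrets now holds the only credential in plaintext, so state that it must be owned by root with mode 0600, and the `''secret''` placeholder should be replaced by a long random string rather than a password, since the key is symmetric and whoever holds it can bring up the tunnel as either peer. In the firewalling step, limit UDP 500 and protocol 50 to the peer address `203.97.9.162` rather than opening them on the whole external interface, and protocol 51 (AH) is not used by this configuration at all, which only sets `esp=`. The added note about packets reappearing on `ipsec0` is the right emphasis: with `auto= start` the remote 10.7.3.0/24 lands directly on that interface, so the rules there are what actually limits what the far side can reach.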
@@ -156,9 +157,9 @@
; __I configure my PIX and other IPSEC connections to it die!__ : You can only have one ''crypto map'' command running on an interface at any one time. The PIX 501 only has one interface. You can get around this by creating different priorities within the same crypto map. See [the fine manual|http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/c.htm].
If after all of this you get pings going out but no responses, see [3].
-Email on these issues are welcome. It took a long time to figure out and if you can get something as a result of this, I'd be happy.
+Email on these issues are welcome. It took a long time to figure out and if you can get something as a result of this, I'd be happy. Thanks to everyone who has got in touch and said that they've managed to make their system work as a result of this guide
.
-- CraigBox
-----
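Review bot: the rewritten closing line keeps the agreement error from the old version: "Email on these issues are welcome" should read "is welcome". On the FAQ context line above it, the PIX term for what the answer calls "different priorities within the same crypto map" is the sequence number (the second argument of `crypto map <name> <seq>`); using that word would make the lookup in the linked command reference much easier.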