Differences between version 3 and predecessor to the previous major change of FreeSwanToCiscoPix.
Newer page: version 3, last edited on Friday, June 20, 2003 10:39:18 am by CraigBox
Older page: version 2, last edited on Friday, June 20, 2003 10:28:27 am by CraigBox
@@ -61,17 +61,29 @@
Log into, enable and configuration mode.
You will need lines very similar to these:
+ ! I name my access lists. This one also contains lines for not natting
+ ! traffic destined to the internal network
access-list NO-NAT permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.0
+ ! This access list permits traffic for the tunneled network [2]
access-list FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.0
+ ! don't nat traffic on the NO-NAT access list
nat (inside) 0 access-list NO-NAT
+ ! Permit IPSEC connections
sysopt connection permit-ipsec
+ ! Create a transformation set called 'myset'
+ crypto ipsec transform-set myset esp-3des esp-md5-hmac
+ ! Create a crypto map called 'mymap', to match the access list FREESWAN-VPN.
+ ! Peer it with the public IP of the Linux machine, and pick its IPSEC option
+ ! set 'myset'
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address FREESWAN-VPN
crypto map mymap 10 set peer 202.0.45.170
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
+ ! Enable the keying protocol [ISAKMP] with no extended auth and the Cisco not
+ ! pushing config down (which it should only do to its own VPN client)
isakmp enable outside
isakmp key ''secret'' address 202.0.45.170 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 5 authentication pre-share
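Review bot: the pre-shared key on the `isakmp key ''secret'' address 202.0.45.170 ...` line is wrapped in wiki italic markup, and nothing in the new comment block says it is a placeholder, so a reader is likely to paste `''secret''` literally; the comment before `isakmp enable outside` should state that `secret` stands for a strong key of your own that must be identical to the one in the FreeS/WAN secrets file for this peer. Two other comments understate what their lines do: `! Permit IPSEC connections` above `sysopt connection permit-ipsec` should say that this exempts decrypted IPsec traffic from the outside interface's access-list checks, which is why no inbound ACL entries for the 10.7.3.0/24 traffic appear in this config; and the `! Create a transformation set called 'myset'` comment should mention that `esp-3des esp-md5-hmac` together with the `isakmp policy 5` lines (pre-share, md5, group 2) must match the proposal the FreeS/WAN connection offers, since a mismatch in either phase fails the tunnel silently from the PIX side.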
@@ -79,9 +91,21 @@
isakmp policy 5 hash md5
isakmp policy 5 group 2
isakmp policy 5 lifetime 28800
+!5. Start the tunnel
+
+ ipsec auto --up tunnelipsec
+ route add -net 10.7.3.0 netmask 255.255.255.0 dev ipsec0
+
+!6. Ping & use
+ ping 10.7.3.10 -I 10.69.1.1 [2]
+
+There we go - one working FreeS/WAN to Cisco PIX. If you have any questions, contact details are on my Wiki page.
+
+-- CraigBox
-----
[1] With PFS, penetration of the key-exchange protocol does not compromise keys negotiated earlier.
+[2] When you go to ping your tunnel from your Linux box, you will probably ping using the IP address of ipsec0. Your access-list only allowed traffic from 10.69.1/24. Use ping 10.7.3.x -I 10.69.1.x with the IP of your internal interface.
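Review bot: the `route add -net 10.7.3.0 netmask 255.255.255.0 dev ipsec0` line in step 5 is given without explanation; `ipsec auto --up tunnelipsec` normally installs the route to the remote subnet through the _updown script when the connection defines `rightsubnet`, so the step should say whether the manual route is a workaround for a connection that omits it or can be dropped once `ipsec auto --up` succeeds. In step 6 the `[2]` footnote marker sits on the same line as the command (`ping 10.7.3.10 -I 10.69.1.1 [2]`), where it reads as part of the command line; move it to the text before the command, as was done for the `access-list FREESWAN-VPN` comment in the previous hunk. Footnote [2] itself correctly explains the `-I` source-address choice, and it would help to add that the same 10.69.1.0/24 restriction is what the PIX `FREESWAN-VPN` and `NO-NAT` access lists enforce, so a ping sourced from the ipsec0 address is dropped by policy rather than by a routing fault.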
CategorySecurity