Diff: FreeSwanToCiscoPix

Differences between version 9 and predecessor to the previous major change of FreeSwanToCiscoPix.


Newer page: version 9 Last edited on Friday, July 18, 2003 1:59:47 pm by CraigBox
Older page: version 2 Last edited on Friday, June 20, 2003 10:28:27 am by CraigBox
@@ -1,11 +1,11 @@
-There are [plenty|http://www.diverdown.cc/vpn/freeswanpix.html] of [pages|http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html] on the web that tell you how to create a [IPSec] [VPN] between [Linux] and a [Cisco] PIX 501 (entry level firewalling product), however none of them tell you enough, or _why_ half the settings are as they are. 
+There are [plenty|http://www.diverdown.cc/vpn/freeswanpix.html] of [pages|http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html] on the web that tell you how to create a [IPSec] [VPN] between [Linux] and a [Cisco] PIX 501 (entry level firewalling product), however none of them tell you enough, or _why_ half the settings are as they are. [1]  
  
-The best example I've found so far is http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html (very recent page - good work Google!). However, it specifies configs, which weren't enough information to get everything working. 
+The best example I've found so far is http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html (very recent page - good work Google!). However, it only specifies configs, which in my case, weren't enough to get everything working. Go read John's page and then here are some interesting notes
  
-!1. Compile a kernel with IPSec support 
+!1. Compile a kernel with [ IPSec] support 
  
-This is nicely covered on the IPSecInstallation page. A [Debian] summary: 
+This is nicely covered on the [ IPSecInstallation] page. A [Debian] summary: 
  apt-get install kernel-patch-freeswan 
  cd /usr/src/linux 
  export PATCH_THE_KERNEL=yes 
  make-kpkg --revision=ipsec.1.0 kernel_image 
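Review bot: the sentence appended to the second paragraph, "Go read John's page and then here are some interesting notes", is unfinished and has no terminating punctuation; suggest "Go read John's page first, then come back for the notes below, which cover what it leaves out." The new [1] marker at the end of the first paragraph resolves (in the footnotes hunk further down) to a FreeBSD how-to link that has nothing to do with the sentence it annotates; it would read better as its own sentence, e.g. "FreeBSD users should look at [1] instead."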
@@ -51,27 +51,52 @@
 10.69.1.0/24===202.0.45.170---202.0.45.190...203.97.9.161---203.97.9.162===10.7.3.0/24 
  
 You need to specify the next hop in either direction (a silly thing perhaps, but you can specify %defaultroute etc again - it doesn't hurt to fill them in though.) 
  
-''esp''_ sets the [ESP] parameters. __This must be the same encryption and hashing algorithm you specify in your isakmp lines in the PIX config below.__ 
+''esp'' sets the [ESP] parameters. __This must be the same encryption and hashing algorithm you specify in your isakmp lines in the PIX config below.__ 
  
-''keyexchange'' sets [IKE] (Internet Key Exchange) and can be set to nothing else. ''pfs'' is Perfect Forwarding Secrecy and needs to be set no for a PIX[1] . When ipsec starts, automatically add this connection to pluto (__but this will not automatically create the tunnel.__) 
+''keyexchange'' sets [IKE] (Internet Key Exchange) and can be set to nothing else. ''pfs'' is Perfect Forwarding Secrecy[2] and needs to be set no for a PIX unless you specifically enabled it on the PIX end . When ipsec starts, automatically add this connection to pluto (__but this will not automatically create the tunnel.__) 
  
-!4. Configuring the Cisco PIX 501 
+Next you need an ipsec.secrets file:  
+  
+# This file holds shared secrets or RSA private keys for inter-Pluto  
+# authentication. See ipsec_pluto(8) manpage, and HTML documentation.  
+  
+202..45.170 203.97.9.162: PSK "''secret''"  
+  
+It contains the pre-shared secret, a password for the connection that is known at both ends.  
+  
+ !4. Configure firewalling  
+  
+On your external interface, enable port 500 [UDP] (the [ISAKMP] port), and protocols 50 and 51 (IPSEC [ESP] and [AH]).  
+  
+!5 . Configuring the Cisco PIX 501 
  
 Log into, enable and configuration mode. 
  
 You will need lines very similar to these: 
  
+ ! I name my access lists. This one also contains lines for not natting  
+ ! traffic destined to the internal network  
  access-list NO-NAT permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.0 
+ ! This access list permits traffic for the tunneled network [3]  
  access-list FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.0 
+ ! don't nat traffic on the NO-NAT access list  
  nat (inside) 0 access-list NO-NAT 
+ ! Permit IPSEC connections  
  sysopt connection permit-ipsec 
+ ! Create a transformation set called 'myset'  
+ crypto ipsec transform-set myset esp-3des esp-md5-hmac  
+ ! Create a crypto map called 'mymap', to match the access list FREESWAN-VPN.  
+ ! Peer it with the public IP of the Linux machine, and pick its IPSEC option  
+ ! set 'myset'  
  crypto map mymap 10 ipsec-isakmp 
  crypto map mymap 10 match address FREESWAN-VPN 
  crypto map mymap 10 set peer 202.0.45.170 
  crypto map mymap 10 set transform-set myset 
  crypto map mymap interface outside 
+ ! Enable the keying protocol [ISAKMP] with no extended auth and the Cisco not  
+ ! pushing config down (which it should only do to its own VPN client)  
  isakmp enable outside 
  isakmp key ''secret'' address 202.0.45.170 netmask 255.255.255.255 no-xauth no-config-mode 
  isakmp identity address 
  isakmp policy 5 authentication pre-share 
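Review bot: the peer address in the added ipsec.secrets line, `202..45.170 203.97.9.162: PSK "''secret''"`, has a doubled dot; the Linux gateway is 202.0.45.170 everywhere else in this hunk (the network diagram line and `crypto map mymap 10 set peer 202.0.45.170`), so this should read `202.0.45.170 203.97.9.162: PSK "secret"`. The `''secret''` wiki italics inside a preformatted line will also be copied literally by readers; use a plain placeholder and say next to it that the string must be identical to the one in `isakmp key ''secret'' address 202.0.45.170 netmask 255.255.255.255 no-xauth no-config-mode` on the PIX, since a mismatch here only shows up later as an IKE failure. Two formatting points: ` !4. Configure firewalling` has a leading space, so it renders as preformatted text instead of a heading, and `!5 . Configuring the Cisco PIX 501` has a stray space before the period (likewise "on the PIX end ." in the pfs sentence).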
@@ -79,9 +104,49 @@
  isakmp policy 5 hash md5 
  isakmp policy 5 group 2 
  isakmp policy 5 lifetime 28800 
  
+!6. Start the tunnel  
+  
+ ipsec auto --up tunnelipsec  
+ route add -net 10.7.3.0 netmask 255.255.255.0 dev ipsec0  
+  
+!7. Ping & use  
+ ping 10.7.3.10 -I 10.69.1.1 [3]  
+  
+There we go - one working FreeS/WAN to Cisco PIX. If you have any questions, contact details are on my Wiki page.  
+  
+!8. Debugging  
+  
+The ipsec0 interface should have the same IP address as the interface through which you contact your default gateway (possibly ppp0). This is how it's meant to be.  
+  
+Turn logging on (klips/pluto to 'all'). On the PIX, set ''debug crypto isakmp'' and ''debug crypto ipsec''. tcpdump(8) ppp0 on your Linux box, or whatever the connection you are duplicating for your ipsec0 interface. Check that traffic is going both ways.  
+  
+When you ''ipsec auto --up tunnelipsec'' you should see:  
+  
+ 104 "tunnelipsec" #4: STATE_MAIN_I1: initiate  
+ 106 "tunnelipsec" #4: STATE_MAIN_I2: sent MI2, expecting MR2  
+ 003 "tunnelipsec" #4: ignoring Vendor ID payload  
+ 003 "tunnelipsec" #4: ignoring Vendor ID payload  
+ 003 "tunnelipsec" #4: ignoring Vendor ID payload  
+ 003 "tunnelipsec" #4: ignoring Vendor ID payload  
+ 108 "tunnelipsec" #4: STATE_MAIN_I3: sent MI3, expecting MR3  
+ 004 "tunnelipsec" #4: STATE_MAIN_I4: ISAKMP SA established  
+ 112 "tunnelipsec" #5: STATE_QUICK_I1: initiate  
+ 003 "tunnelipsec" #5: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME  
+ 004 "tunnelipsec" #5: STATE_QUICK_I2: sent QI2, IPsec SA established  
+  
+If you don't get to STATE_MAIN_I4, make sure you have opened port 500 UDP and protcool 50/51.  
+If you don't get to STATE_QUICK_I2, chances are you have set 3DES/MD5 at one end and 3DES/SHA1 at the other, or some similar misconfiguration.  
+  
+(You might want to use --verbose in the ipsec auto line.)  
+  
+If after all of this you get pings going out but no responses, see [3].  
+  
+-- CraigBox  
  
 ----- 
-[1] With PFS , penetration of the key -exchange protocol does not compromise keys negotiated earlier
+[1] FreeBSD users , check out http://klub.chip.pl/nolewajk/work/freebsd/FreeBSD-howto.htm  
+[2] See PerfectForwardSecrecy  
+[3] When you go to ping your tunnel from your Linux box, you will probably ping using the IP address of ipsec0. Your access -list only allowed traffic from 10.69.1/24. Use ping 10.7.3.x -I 10.69.1.x with the IP of your internal interface
  
 CategorySecurity
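Review bot: the footnote marker in ` ping 10.7.3.10 -I 10.69.1.1 [3]` sits inside the preformatted command, so anyone copying the line passes `[3]` to ping; move the marker into the prose ("!7. Ping & use [3]") or onto a line of its own. The connection name `tunnelipsec` used in `ipsec auto --up tunnelipsec` and in the expected pluto output is not defined anywhere in the lines this diff shows, so a one-line reminder that it must match the `conn` name in ipsec.conf above would help. Spelling: "protcool 50/51" should be "protocol 50/51", and "Your access -list" in footnote [3] should be "Your access-list".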