
There are plenty of pages on the web that tell you how to create an IPsec VPN between Linux and a Cisco PIX 501 (Cisco's entry-level firewall), however none of them tell you enough, or explain why half the settings are as they are.

The best example I've found so far is http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html (very recent page - good work Google!). However, it specifies configs, which weren't enough information to get everything working.

1. Compile a kernel with IPSec support

This is nicely covered on the IPSecInstallation page. A Debian summary:

apt-get install kernel-patch-freeswan
cd /usr/src/linux
export PATCH_THE_KERNEL=yes
make-kpkg --revision=ipsec.1.0 kernel_image

2. Get FreeS/WAN

apt-get install freeswan

3. Configure FreeS/WAN

Here is my FreeS/WAN configuration and explanation.

# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.

config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    plutoload="tunnelipsec"

conn tunnelipsec
    type=tunnel
    left=202.0.45.170
    leftnexthop=202.0.45.190
    leftsubnet=10.69.1.0/24
    right=203.97.9.162
    rightnexthop=203.97.9.161
    rightsubnet=10.7.3.0/24
    esp=3des-md5-96
    keyexchange=ike
    pfs=no
    auto=add

The interfaces line tells ipsec to use the IP address of the interface that the default route is on. This does the same job as the "ipsec0=eth0" form that some configurations recommend, and this form works. While you are setting your connection up, you might want to set the KLIPS (KerneL IP Security) and pluto (the IPsec keying daemon) debug levels to "all".

The connection is named tunnelipsec and is of type (ESP) tunnel.

Your Linux machine is the left end of a network that will eventually look like this:

10.69.1.0/24===202.0.45.170---202.0.45.190...203.97.9.161---203.97.9.162===10.7.3.0/24

You need to specify the next hop in each direction (this may seem redundant, and you can use %defaultroute here too, but it doesn't hurt to fill them in).

esp sets the ESP parameters. The encryption and hashing algorithms given here must be the same ones you specify in the isakmp and transform-set lines of the PIX config below.

keyexchange selects IKE (Internet Key Exchange) and can be set to nothing else. pfs is Perfect Forward Secrecy and needs to be set to no for a PIX [1]. auto=add means that when ipsec starts it automatically adds this connection to pluto (but this will not automatically bring the tunnel up).

4. Configuring the Cisco PIX 501

Log in, enter enable mode, then enter configuration mode.

You will need lines very similar to these.

I name my access lists. This one also contains the lines for not NATting traffic destined to the internal network:

access-list NO-NAT permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.0

This access list permits traffic for the tunnelled network [2]:

access-list FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.0

Don't NAT traffic matching the NO-NAT access list:

nat (inside) 0 access-list NO-NAT

Permit IPsec connections:

sysopt connection permit-ipsec

Create a transform set called 'myset':

crypto ipsec transform-set myset esp-3des esp-md5-hmac

Create a crypto map called 'mymap' that matches the access list FREESWAN-VPN, peer it with the public IP of the Linux machine, and give it the transform set 'myset':

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address FREESWAN-VPN
crypto map mymap 10 set peer 202.0.45.170
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside

Enable the keying protocol ISAKMP, with no extended authentication and without the Cisco pushing config down (which it should only do to its own VPN client):

isakmp enable outside
isakmp key secret address 202.0.45.170 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 2
isakmp policy 5 lifetime 28800
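Most failures in a setup like this come from the two ends disagreeing on a parameter, so here is an added example (my own code, not from this page, FreeS/WAN or Cisco) that reads the conn section of an ipsec.conf and the PIX crypto lines and reports where peer, ESP algorithms, protected subnets or PFS differ. The sample configs inside it are constructed from the values on this page, and the ESP_MAP name table is an assumption covering only the algorithms mentioned here.

```python
import re
import ipaddress

# Constructed sample inputs mirroring the page's configuration (not captured from a real system).
IPSEC_CONF = """conn tunnelipsec
    left=202.0.45.170
    leftsubnet=10.69.1.0/24
    right=203.97.9.162
    rightsubnet=10.7.3.0/24
    esp=3des-md5-96
    pfs=no"""
PIX_CONF = """access-list FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 set peer 202.0.45.170
crypto map mymap 10 set transform-set myset"""
# Assumed mapping of FreeS/WAN esp= tokens to PIX transform-set keywords (the two used here, plus SHA-1).
ESP_MAP = {"3des": "esp-3des", "md5-96": "esp-md5-hmac", "sha1-96": "esp-sha-hmac"}

def parse_conn(text, name):
    """Return the parameter=value pairs of one conn section of an ipsec.conf body."""
    params, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace():      # section header such as "conn tunnelipsec"
            current = line.split()[-1]
        elif current == name and "=" in line:
            key, value = line.strip().split("=", 1)
            params[key.strip()] = value.strip()
    return params

def check_pix_against_conn(pix, conn):
    """List the ways the PIX crypto config disagrees with the FreeS/WAN conn."""
    problems = []
    peer = re.search(r"set peer (\S+)", pix)
    if not peer or peer.group(1) != conn["left"]:
        problems.append("crypto map peer must equal left=")
    # The transform-set keywords must correspond to the FreeS/WAN esp= string.
    ts = re.search(r"crypto ipsec transform-set \S+ (.+)", pix)
    want = {ESP_MAP.get(a, a) for a in conn["esp"].split("-", 1)}
    if not ts or set(ts.group(1).split()) != want:
        problems.append("transform-set does not match esp=%s" % conn["esp"])
    # The crypto ACL is written from the PIX side: source=rightsubnet, destination=leftsubnet.
    acl = re.search(r"access-list \S+ permit ip (\S+) (\S+) (\S+) (\S+)", pix)
    nets = [ipaddress.ip_network("%s/%s" % pair) for pair in (acl.group(1, 2), acl.group(3, 4))] if acl else []
    if nets != [ipaddress.ip_network(conn["rightsubnet"]), ipaddress.ip_network(conn["leftsubnet"])]:
        problems.append("crypto ACL missing or its subnets do not match rightsubnet/leftsubnet")
    # FreeS/WAN defaults to pfs=yes; the PIX only enables PFS with "set pfs" on the crypto map.
    if ("set pfs" in pix) != (conn.get("pfs", "yes") != "no"):
        problems.append("PFS setting differs between the two ends")
    return problems
```

Running check_pix_against_conn(PIX_CONF, parse_conn(IPSEC_CONF, "tunnelipsec")) returns an empty list for the page's values; change one side and the mismatch is named.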

5. Start the tunnel

ipsec auto --up tunnelipsec
route add -net 10.7.3.0 netmask 255.255.255.0 dev ipsec0

6. Ping & use

ping 10.7.3.10 -I 10.69.1.1   [2]

There we go - one working FreeS/WAN to Cisco PIX tunnel. If you have any questions, contact details are on my Wiki page.

-- CraigBox


[1] With PFS, penetration of the key-exchange protocol does not compromise keys negotiated earlier.

[2] When you go to ping across your tunnel from your Linux box, you will probably ping using the IP address of ipsec0. Your access list only allows traffic from 10.69.1.0/24, so use ping 10.7.3.x -I 10.69.1.x with the IP of your internal interface.

CategorySecurity