There are plenty of pages on the web that tell you how to create a IPSec VPN between Linux and a Cisco PIX 501 (entry level firewalling product), however none of them tell you enough, or why half the settings are as they are. 1?

The best example I've found so far is http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html (very recent page - good work Google!). However, it only specifies configs, which in my case, weren't enough to get everything working. Go read John's page and then here are some interesting notes.

1. Compile a kernel with IPSec support

This is nicely covered on the IPSecInstallation page. A Debian summary

apt-get install kernel-patch-freeswan cd /usr/src/linux export PATCH_THE_KERNEL=yes make-kpkg --revision=ipsec.1.0 kernel_image

2. Get FreeS/WAN

apt-get install freeswan

3. Configure FreeS/WAN

Here is my FreeS/WAN configuration and explanation.

1. /etc/ipsec.conf - FreeS/WAN IPsec configuration file
2. More elaborate and more varied sample configurations can be found
3. in FreeS/WAN's doc/examples file, and in the HTML documentation.

config setup

interfaces=%defaultroute klipsdebug=none plutodebug=none plutoload="tunnelipsec"

conn tunnelipsec

type= tunnel left= 202.0.45.170 leftnexthop= 202.0.45.190 leftsubnet= 10.69.1.0/24 right= 203.97.9.162 rightnexthop= 203.97.9.161 rightsubnet= 10.7.3.0/24 esp= 3des-md5-96 keyexchange= ike pfs= no auto= add

The interfaces line tells ipsec to use the same IP address as the interface that the default route is on: this is similar to "ipsec0:eth0" that some configurations recommend, but this works. When setting your connection up, you might want to set klips (Kernel IP Security) and pluto (the IPSEC keying Daemon) logging to "all".

The connection is named tunnelipsec and is of type (ESP) tunnel.

Your Linux machine is the left end of a network that will eventually look like this:

10.69.1.0/24===202.0.45.170---202.0.45.190...203.97.9.161---203.97.9.162===10.7.3.0/24

You need to specify the next hop in either direction (a silly thing perhaps, but you can specify %defaultroute etc again - it doesn't hurt to fill them in though.)

esp sets the ESP parameters. This must be the same encryption and hashing algorithm you specify in your isakmp lines in the PIX config below.

keyexchange sets IKE (Internet Key Exchange) and can be set to nothing else. pfs is Perfect Forwarding Secrecy2? and needs to be set no for a PIX unless you specifically enabled it on the PIX end. When ipsec starts, automatically add this connection to pluto (but this will not automatically create the tunnel.)

Next you need an ipsec.secrets file:

1. This file holds shared secrets or RSA private keys for inter-Pluto
2. authentication. See ipsec_pluto(8)? manpage, and HTML documentation.

202.0.45.170 203.97.9.162: PSK "secret"

It contains the pre-shared secret, a password for the connection that is known at both ends.

4. Configure firewalling

On your external interface, enable port 500 UDP (the ISAKMP port), and protocols 50 and 51 (IPSEC ESP and AH).

5. Configuring the Cisco PIX 501

Log into, enable and configuration mode.

You will need lines very similar to these

I name my access lists. This one also contains lines for not natting

traffic destined to the internal network

access-list NO-NAT permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.0

This access list permits traffic for the tunneled network 3?

access-list FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.0

don't nat traffic on the NO-NAT access list

nat (inside) 0 access-list NO-NAT

Permit IPSEC connections

sysopt connection permit-ipsec

Create a transformation set called 'myset'

crypto ipsec transform-set myset esp-3des esp-md5-hmac

Create a crypto map called 'mymap', to match the access list FREESWAN-VPN.

Peer it with the public IP of the Linux machine, and pick its IPSEC option

set 'myset'

crypto map mymap 10 ipsec-isakmp crypto map mymap 10 match address FREESWAN-VPN crypto map mymap 10 set peer 202.0.45.170 crypto map mymap 10 set transform-set myset crypto map mymap interface outside

Enable the keying protocol ISAKMP with no extended auth and the Cisco not

pushing config down (which it should only do to its own VPN client)

isakmp enable outside isakmp key secret address 202.0.45.170 netmask 255.255.255.255 no-xauth no-config-mode isakmp identity address isakmp policy 5 authentication pre-share isakmp policy 5 encryption 3des isakmp policy 5 hash md5 isakmp policy 5 group 2 isakmp policy 5 lifetime 28800

6. Start the tunnel

ipsec auto --up tunnelipsec route add -net 10.7.3.0 netmask 255.255.255.0 dev ipsec0

7. Ping & use

ping 10.7.3.10 -I 10.69.1.1 3?

There we go - one working FreeS/WAN to Cisco PIX. If you have any questions, contact details are on my Wiki page.

8. Debugging

The ipsec0 interface should have the same IP address as the interface through which you contact your default gateway (possibly ppp0). This is how it's meant to be.

Turn logging on (klips/pluto to 'all'). On the PIX, set debug crypto isakmp and debug crypto ipsec. tcpdump(8) ppp0 on your Linux box, or whatever the connection you are duplicating for your ipsec0 interface. Check that traffic is going both ways.

When you ipsec auto --up tunnelipsec you should see

104 "tunnelipsec" #4: STATE_MAIN_I1: initiate 106 "tunnelipsec" #4: STATE_MAIN_I2: sent MI2, expecting MR2 003 "tunnelipsec" #4: ignoring Vendor ID payload 003 "tunnelipsec" #4: ignoring Vendor ID payload 003 "tunnelipsec" #4: ignoring Vendor ID payload 003 "tunnelipsec" #4: ignoring Vendor ID payload 108 "tunnelipsec" #4: STATE_MAIN_I3: sent MI3, expecting MR3 004 "tunnelipsec" #4: STATE_MAIN_I4: ISAKMP SA established 112 "tunnelipsec" #5: STATE_QUICK_I1: initiate 003 "tunnelipsec" #5: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME 004 "tunnelipsec" #5: STATE_QUICK_I2: sent QI2, IPsec SA established

If you don't get to STATE_MAIN_I4, make sure you have opened port 500 UDP and protcool 50/51. If you don't get to STATE_QUICK_I2, chances are you have set 3DES/MD5 at one end and 3DES/SHA1 at the other, or some similar misconfiguration.

(You might want to use --verbose in the ipsec auto line.)

If after all of this you get pings going out but no responses, see 3?.

-- CraigBox

1? FreeBSD users, check out http://klub.chip.pl/nolewajk/work/freebsd/FreeBSD-howto.htm 2? See PerfectForwardSecrecy 3? When you go to ping your tunnel from your Linux box, you will probably ping using the IP address of ipsec0. Your access-list only allowed traffic from 10.69.1/24. Use ping 10.7.3.x -I 10.69.1.x with the IP of your internal interface.

CategorySecurity