Date: Wed, 14 Nov 2001 09:39:59 -0800
From: "John P. Campbell" <jpc@jpcampbell.com>
To: freebsd-questions@freebsd.org
Subject: IPSEC and Cisco PIX
Message-ID: <20011114093959.A16641@jpcampbell.com>
Has anyone been successful establishing a VPN with a FreeBSD client
to a Cisco PIX Firewall device?
I've seen evidence of this working from various searches, but no
concrete examples.
Here is what I have so far. Below is a fairly complete listing
of my effort and configuration. Any additional info that is needed
can be provided, I'm sure.
Thanks in advance.
My machine:
-------------------------------------------------------------
FreeBSD 4.4
racoon 20011026a
In the kernel:
options IPSEC
options IPSEC_ESP
options IPSEC_DEBUG
pseudo-device gif 4 # IPv6 and IPv4 tunneling
-------------------------------------------------------------
Cisco End:
-------------------------------------------------------------
Cisco PIX 515 with following parameters:
isakmp policy parameters used by us at VPN gateway:
encryption algorithm: DES - Data Encryption Standard
hash algorithm: Message Digest 5
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
Default isakmp policy parameters of VPN gateway:
encryption algorithm: DES - Data Encryption Standard
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit
-------------------------------------------------------------
I was given a groupname (remoteusers) and userid along with
corresponding "passwords".
I placed them in a file called psk.txt (referenced in racoon.conf).
I've tried various combinations of the following in that file.
-- FROM psk.txt ---
$VPNIP password1
groupname@$VPNIP password1
groupname password1
myuserid password2
-- END psk.txt ---
In racoon.conf I have the following entries:
sainfo anonymous
{
        pfs_group 2;
        lifetime time 30 sec;
        encryption_algorithm des ;
        authentication_algorithm hmac_md5 ;
        compression_algorithm deflate ;
}
racoon anonymous
{
        exchange_mode main;
        nonce_size 16;
        lifetime time 1 min;            # sec,min,hour
        initial_contact on;
        proposal_check obey;            # obey, strict or claim
        proposal {
                encryption_algorithm des;
                hash_algorithm md5;
                authentication_method rsasig;
                dh_group 1 ;
                lifetime time 86400 sec;    # sec,min,hour
        }
}
'setkey -DP' gives the output as follows.
$MYIP = IP address of FreeBSD client
192.168.20.1 - internal ip of VPN
$VPNIP - public ip of VPN
192.168.0.0/16[any] $MYIP[any] any
in ipsec
esp/tunnel/192.168.20.1-$MYIP/require
spid=26 seq=1 pid=3783
refcnt=1
$MYIP[any] 192.168.0.0/16[any] any
out ipsec
esp/tunnel/$MYIP-192.168.20.1/require
spid=25 seq=0 pid=3783
refcnt=1
'gifconfig -a' yields:
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
inet6 fe80::2c0:f0ff:fe56:7823%gif0 prefixlen 64
inet $MYIP --> 255.255.255.0 netmask 0xff000000
physical address inet $MYIP --> $VPNIP
Now, when I start up racoon, I issue the following command:
racoon -F -v -f myconfig.conf -p 800
(for some reason the default port doesn't work)
This seems to start up fine. When I try to send traffic to an
internal IP on the other end of the Cisco, I get the following
($MYIP defined above):
-- BEGIN OUTPUT --
2001-11-13 16:42:50: INFO: isakmp.c:1726:isakmp_post_acquire(): \
IPsec-SA request for 192.168.20.1 queued due to no phase1 found.
2001-11-13 16:42:50: INFO: isakmp.c:816:isakmp_ph1begin_i(): \
initiate new phase 1 negotiation: $MYIP[800]<=>192.168.20.1[500]
2001-11-13 16:42:50: INFO: isakmp.c:821:isakmp_ph1begin_i(): \
begin Identity Protection mode.
2001-11-13 16:43:06: ERROR: isakmp.c:1818:isakmp_chkph1there(): \
phase2 negotiation failed due to time up waiting for phase1. ESP \
192.168.20.1->$MYIP
2001-11-13 16:43:06: INFO: isakmp.c:1823:isakmp_chkph1there(): \
delete phase 2 handler.
-- END OUTPUT --
On the Cisco end I get the following. Note that it tries both DES
and 3DES. Our VPN only supports DES. Ultimately, the Cisco sees the
client as "acceptable", but nothing seems to happen as far as
authenticating with the shared keys.
ISAKMP (0): retransmitting phase 1...
crypto_isakmp_process_block: src $MYIP, dest $VPNIP
crypto_isakmp_process_block: src $MYIP, dest $VPNIP
OAK_AG exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 60
ISAKMP: encryption 3DES-CBC
ISAKMP: auth pre-share
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65535 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 60
ISAKMP: encryption 3DES-CBC
ISAKMP: auth pre-share
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): no offers accepted!
ISAKMP (0): SA not acceptable!
return status is IKMP_ERR_TRANS
ISAKMP (0): deleting SA: src $MYIP, dst $VPNIP
ISADB: reaper checking SA 0x8100aae0, conn_id = 0
ISADB: reaper checking SA 0x810f3f50, conn_id = 0 DELETE IT!
ISADB: reaper checking SA 0x8100aae0, conn_id = 0
crypto_isakmp_process_block: src $MYIP, dest $VPNIP
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 60
ISAKMP: encryption DES-CBC
ISAKMP: auth pre-share
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type
ID_FQDN return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src $MYIP, dest $VPNIP
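Added editor's example, not part of the post above: a small Python script that parses the PIX "Checking ISAKMP transform ... against priority N policy" blocks from debug output like the one quoted, compares each offered transform attribute by attribute against the two isakmp policies listed earlier in the post, and names the attribute that made a transform unacceptable (the PIX only prints "atts are not acceptable", not which attribute failed). It also renders the racoon.conf `proposal { }` block that corresponds to a given PIX policy. The sample lines are copied from the post's debug output and trimmed; the `"rsa-sig"` spelling for the default policy's RSA-signature method is an assumed label, since that value never appears in the quoted output.

```python
import re

# Constructed sample: the transform checks quoted in the post, trimmed
# to the lines this parser needs (not a live capture).
SAMPLE_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 60
ISAKMP: encryption 3DES-CBC
ISAKMP: auth pre-share
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65535 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 60
ISAKMP: encryption 3DES-CBC
ISAKMP: auth pre-share
ISAKMP: hash SHA
ISAKMP: default group 2
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: life type in seconds
ISAKMP: life duration (basic) of 60
ISAKMP: encryption DES-CBC
ISAKMP: auth pre-share
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
"""

# The two PIX isakmp policies described in the post, keyed by priority.
# Values use the spellings the PIX debug prints; "rsa-sig" for the
# default policy's RSA-signature method is an assumed label.
PIX_POLICIES = {
    10:    {"encryption": "DES-CBC", "auth": "pre-share", "hash": "MD5", "group": "2"},
    65535: {"encryption": "DES-CBC", "auth": "rsa-sig",   "hash": "SHA", "group": "1"},
}

# racoon.conf keywords for the PIX attribute values above.
RACOON_WORDS = {
    "encryption": {"DES-CBC": "des", "3DES-CBC": "3des"},
    "hash":       {"MD5": "md5", "SHA": "sha1"},
    "auth":       {"pre-share": "pre_shared_key", "rsa-sig": "rsasig"},
}

CHECK_RE = re.compile(r"Checking ISAKMP transform (\d+) against priority (\d+) policy")
ATTR_RE = re.compile(r"^ISAKMP: (encryption|auth|hash|default group) (\S+)")
VERDICT_RE = re.compile(r"atts are (not )?acceptable")


def parse_transforms(text):
    """Split PIX debug output into one record per transform check:
    {"transform", "priority", "attrs", "pix_acceptable"}."""
    records, current = [], None
    for line in text.splitlines():
        m = CHECK_RE.search(line)
        if m:
            current = {"transform": int(m.group(1)),
                       "priority": int(m.group(2)), "attrs": {}}
            continue
        if current is None:
            continue  # lines outside a check block (reaper, exchange type, ...)
        m = ATTR_RE.match(line)
        if m:
            key = "group" if m.group(1) == "default group" else m.group(1)
            current["attrs"][key] = m.group(2)
            continue
        m = VERDICT_RE.search(line)
        if m:
            current["pix_acceptable"] = m.group(1) is None
            records.append(current)
            current = None
    return records


def mismatches(attrs, policy):
    """Attributes whose offered value differs from the policy: {attr: (offered, required)}."""
    return {k: (attrs.get(k), v) for k, v in policy.items() if attrs.get(k) != v}


def diagnose(text, policies=PIX_POLICIES):
    """Name the attributes that made each transform fail, and flag any check
    where this comparison disagrees with the PIX's own verdict."""
    report = []
    for rec in parse_transforms(text):
        policy = policies.get(rec["priority"])
        if policy is None:
            continue  # priority not described in the post; nothing to compare against
        diff = mismatches(rec["attrs"], policy)
        report.append({"priority": rec["priority"], "mismatches": diff,
                       "consistent": (not diff) == rec["pix_acceptable"]})
    return report


def racoon_proposal(policy):
    """Render the racoon.conf 'proposal { }' block that matches a PIX policy."""
    return ("proposal {\n"
            f"    encryption_algorithm {RACOON_WORDS['encryption'][policy['encryption']]};\n"
            f"    hash_algorithm {RACOON_WORDS['hash'][policy['hash']]};\n"
            f"    authentication_method {RACOON_WORDS['auth'][policy['auth']]};\n"
            f"    dh_group {policy['group']};\n"
            "}")


if __name__ == "__main__":
    for entry in diagnose(SAMPLE_DEBUG):
        print(entry)
    print(racoon_proposal(PIX_POLICIES[10]))
```

Run against the quoted output, the first two checks fail on encryption (3DES-CBC offered, DES-CBC required) and hash (SHA vs MD5), and against the default policy also on authentication method and DH group; only the DES-CBC/MD5/pre-share/group 2 transform has no mismatches, which is the one the PIX reports as acceptable. Feeding the script a debug dump from the firewall, with the policy table edited to match the gateway's `show isakmp policy` output, gives the same per-attribute answer without reading the transforms by hand.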