Date: Wed, 14 Nov 2001 09:39:59 -0800
From: "John P. Campbell"
To: freebsd-questions@freebsd.org
Subject: IPSEC and Cisco PIX
Message-ID: <20011114093959.A16641@jpcampbell.com>
Reply-To: jcampbell@intacct.com

Has anyone been successful in establishing a VPN with a FreeBSD client to a Cisco PIX Firewall device? I've seen evidence of this working from various searches, but no concrete examples. Here is what I have so far. Below is a fairly complete listing of my effort and configuration. Any additional info that is needed can be provided, I'm sure. Thanks in advance.
My machine:
-------------------------------------------------------------
FreeBSD 4.4
racoon 20011026a

In the kernel:
options         IPSEC
options         IPSEC_ESP
options         IPSEC_DEBUG
pseudo-device   gif     4       # IPv6 and IPv4 tunneling
-------------------------------------------------------------

Cisco End:
-------------------------------------------------------------
Cisco PIX 515 with following parameters:

isakmp policy parameters used by us at VPN gateway:
  encryption algorithm:   DES - Data Encryption Standard
  hash algorithm:         Message Digest 5
  authentication method:  Pre-Shared Key
  Diffie-Hellman group:   #2 (1024 bit)
  lifetime:               86400 seconds, no volume limit

Default isakmp policy parameters of VPN gateway:
  encryption algorithm:   DES - Data Encryption Standard
  hash algorithm:         Secure Hash Standard
  authentication method:  Rivest-Shamir-Adleman Signature
  Diffie-Hellman group:   #1 (768 bit)
  lifetime:               86400 seconds, no volume limit
-------------------------------------------------------------

I was given a groupname (remoteusers) and userid along with corresponding "passwords". I placed them in a file called psk.txt (referenced in racoon.conf). I've tried various combinations of the following in that file.

-- FROM psk.txt ---
$VPNIP                  password1
groupname@$VPNIP        password1
groupname               password1
myuserid                password2
-- END psk.txt ---

In racoon.conf I have the following entries:

sainfo anonymous {
        pfs_group 2;
        lifetime time 30 sec;
        encryption_algorithm des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

remote anonymous {
        exchange_mode main;
        nonce_size 16;
        lifetime time 1 min;            # sec,min,hour
        initial_contact on;
        proposal_check obey;            # obey, strict or claim
        proposal {
                encryption_algorithm des;
                hash_algorithm md5;
                authentication_method rsasig;
                dh_group 1;
                lifetime time 86400 sec;        # sec,min,hour
        }
}

'setkey -DP' gives the output as follows.
$MYIP = IP address of FreeBSD client
192.168.20.1 - internal ip of VPN
$VPNIP - public ip of VPN

192.168.0.0/16[any] $MYIP[any] any
        in ipsec
        esp/tunnel/192.168.20.1-$MYIP/require
        spid=26 seq=1 pid=3783
        refcnt=1
$MYIP[any] 192.168.0.0/16[any] any
        out ipsec
        esp/tunnel/$MYIP-192.168.20.1/require
        spid=25 seq=0 pid=3783
        refcnt=1

'gifconfig -a' yields:

gif0: flags=8051 mtu 1280
        inet6 fe80::2c0:f0ff:fe56:7823%gif0 prefixlen 64
        inet $MYIP --> 255.255.255.0 netmask 0xff000000
        physical address inet $MYIP --> $VPNIP

Now, when I start up racoon, I issue the following command:

racoon -F -v -f myconfig.conf -p 800

(for some reason the default port doesn't work)

This seems to start up fine. When I try to send traffic to an internal IP on the other end of the Cisco, I get the following ($MYIP defined above):

-- BEGIN OUTPUT --
2001-11-13 16:42:50: INFO: isakmp.c:1726:isakmp_post_acquire(): \
        IPsec-SA request for 192.168.20.1 queued due to no phase1 found.
2001-11-13 16:42:50: INFO: isakmp.c:816:isakmp_ph1begin_i(): \
        initiate new phase 1 negotiation: $MYIP[800]<=>192.168.20.1[500]
2001-11-13 16:42:50: INFO: isakmp.c:821:isakmp_ph1begin_i(): \
        begin Identity Protection mode.
2001-11-13 16:43:06: ERROR: isakmp.c:1818:isakmp_chkph1there(): \
        phase2 negotiation failed due to time up waiting for phase1. ESP \
        192.168.20.1->$MYIP
2001-11-13 16:43:06: INFO: isakmp.c:1823:isakmp_chkph1there(): \
        delete phase 2 handler.
-- END OUTPUT --

On the Cisco End I get the following. Note that it tries both DES and 3DES. Our VPN only supports DES. Ultimately, the Cisco sees the Client as "acceptable", but nothing seems to happen as far as authenticating with the shared keys.

ISAKMP (0): retransmitting phase 1...
crypto_isakmp_process_block: src $MYIP, dest $VPNIP
crypto_isakmp_process_block: src $MYIP, dest $VPNIP
OAK_AG exchange
ISAKMP (0): processing SA payload.
        message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 60
ISAKMP:      encryption 3DES-CBC
ISAKMP:      auth pre-share
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 65535 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 60
ISAKMP:      encryption 3DES-CBC
ISAKMP:      auth pre-share
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): no offers accepted!
ISAKMP (0): SA not acceptable!
return status is IKMP_ERR_TRANS
ISAKMP (0): deleting SA: src $MYIP, dst $VPNIP
ISADB: reaper checking SA 0x8100aae0, conn_id = 0
ISADB: reaper checking SA 0x810f3f50, conn_id = 0  DELETE IT!
ISADB: reaper checking SA 0x8100aae0, conn_id = 0
crypto_isakmp_process_block: src $MYIP, dest $VPNIP
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 60
ISAKMP:      encryption DES-CBC
ISAKMP:      auth pre-share
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_FQDN
return status is IKMP_NO_ERROR
crypto_isakmp_process_block: src $MYIP, dest $VPNIP
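An added troubleshooting helper (not from the post, racoon or Cisco) that parses PIX ISAKMP debug lines like the ones quoted above and names the attributes of each offered phase 1 transform that differ from the gateway's policy; the debug text and the policy values are constructed from what the post lists.

```python
import re

# Constructed sample modelled on the PIX ISAKMP debug lines quoted in the post:
# first an offer the gateway rejects (3DES/SHA), then the one it accepts (DES/MD5).
PIX_DEBUG = """\
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 60
ISAKMP:      encryption 3DES-CBC
ISAKMP:      auth pre-share
ISAKMP:      hash SHA
ISAKMP:      default group 2
ISAKMP (0): atts are not acceptable. Next payload is 0
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP:      life type in seconds
ISAKMP:      life duration (basic) of 60
ISAKMP:      encryption DES-CBC
ISAKMP:      auth pre-share
ISAKMP:      hash MD5
ISAKMP:      default group 2
ISAKMP (0): atts are acceptable. Next payload is 0
"""

# Gateway phase 1 policy as the post describes it (DES, MD5, pre-shared key, DH group 2).
# Lifetime is left out: the quoted log shows the PIX accepting the client's shorter 60 s.
PIX_POLICY = {"encryption": "DES-CBC", "hash": "MD5", "auth": "pre-share", "group": "2"}
ATTR_RE = re.compile(r"^ISAKMP:\s+(encryption|auth|hash|default group)\s+(\S+)")

def parse_transforms(debug_text):
    """One dict of offered attributes per 'Checking ISAKMP transform' block."""
    transforms = []
    for line in debug_text.splitlines():
        if "Checking ISAKMP transform" in line:
            transforms.append({})
        elif transforms:
            m = ATTR_RE.match(line)
            if m:
                key = "group" if m.group(1) == "default group" else m.group(1)
                transforms[-1][key] = m.group(2)
    return transforms

def explain(debug_text, policy):
    """For each offered transform, list 'attr offered!=policy' or mark it as matching."""
    report = []
    for i, t in enumerate(parse_transforms(debug_text), 1):
        diffs = [f"{k} {t.get(k, '?')}!={v}" for k, v in policy.items() if t.get(k) != v]
        report.append(f"transform {i}: " + (", ".join(diffs) if diffs else "matches policy"))
    return report

print("\n".join(explain(PIX_DEBUG, PIX_POLICY)))  # usage: print the per-transform report
```

Feed it the real debug capture and the gateway's published policy; the first transform the PIX rejects is reported with exactly the attributes that need changing in the racoon proposal.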