Date: Tue, 03 Sep 2002 10:50:02 -0400 From: Mike Tancsa <mike@sentex.net> To: security@freebsd.org Subject: FreeBSD IPSEC connection to a Cisco Router using ESP (FAQ submission) Message-ID: <5.1.1.6.0.20020903104701.0591bc10@marble.sentex.ca>
Question: How do I set up an IPSEC ESP tunnel between a Cisco router and FreeBSD?

Answer: OK, I have seen a few people ask this question, but I had not found via the search engines a sample config on how to set up an IPSEC tunnel between a FreeBSD box and Cisco router. We had a customer over the weekend wanting to do just this, so I figured I would post the setup here in case anyone else wanted to do something like this.

Given the following setup

    FreeBSD-------------------<Internet>-------------Cisco
    192.168.100.9/24 and 1.1.1.1/30           2.2.2.2/30 and 96.0.0.1/24

i.e. 2 machines connected to the Internet, at distant locations -- the FreeBSD box has 1.1.1.1/30 as the public address (i.e. NON RFC 1918) and the Cisco, 2.2.2.2/30. The goal is to set up a VPN tunnel between the two using an IPSEC connection with AH and ESP. For the setup, I used an old Cisco 4700 with only DES encryption. Note, it is recommended that you use something stronger like 3des in a production environment.

On the Cisco we have the following config.

    4700-router#show run
    Building configuration...

    Current configuration : 1991 bytes
    !
    version 12.2
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname 4700-router
    !
    boot system flash c4500-jk8s-mz.122-10b.bin
    aaa new-model
    !
    ip subnet-zero
    !
    crypto isakmp policy 1
     hash md5
     authentication pre-share
     group 2
     lifetime 6000
    crypto isakmp key donttell address 1.1.1.1
    crypto isakmp key donttell address 2.2.2.2
    !
    crypto ipsec security-association lifetime seconds 6000
    !
    crypto ipsec transform-set MB esp-des esp-md5-hmac
    !
    crypto map FreeBSDIPSEC-MAP 1 ipsec-isakmp
     description My customer site called MB
     set peer 1.1.1.1
     set transform-set MB
     set pfs group2
     match address 109
    !
    interface Ethernet0
     ip address 96.0.0.1 255.255.255.0
     media-type 10BaseT
    !
    interface FastEthernet0
     ip address 2.2.2.2 255.255.255.252
     half-duplex
     crypto map FreeBSDIPSEC-MAP
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 2.2.2.1
    no ip http server
    !
    access-list 109 permit ip 192.168.100.0 0.0.0.255 96.0.0.0 0.0.0.255
    access-list 109 permit ip 96.0.0.0 0.0.0.255 192.168.100.0 0.0.0.255
    !
    line con 0
    line aux 0
    line vty 0 4
     exec-timeout 0 0
    !
    end

    4700-router#

On the FreeBSD side, we have the following script, 00_ipsec.sh, which you can put in /usr/local/etc/rc.d:

    #!/bin/sh
    # 00_ipsec.sh - load/flush the IPsec security policy database (SPD)

    case "$1" in
    start)
        # flush existing SAs and policies before loading ours
        setkey -F
        setkey -FP
        setkey -c <<EOF
    spdadd 192.168.100.0/24 96.0.0.0/24 any -P out ipsec esp/tunnel/1.1.1.1-2.2.2.2/unique ;
    spdadd 96.0.0.0/24 192.168.100.0/24 any -P in ipsec esp/tunnel/2.2.2.2-1.1.1.1/unique ;
    EOF
        ;;
    stop)
        setkey -F
        setkey -FP
        ;;
    *)
        echo "Usage: `basename $0` {start|stop}" >&2
        ;;
    esac
    exit 0

    # racoon configuration (normally /usr/local/etc/racoon/racoon.conf)
    remote anonymous {
            exchange_mode main,base,aggressive;
            doi ipsec_doi;
            #situation identity_only;
            my_identifier address 1.1.1.1;
            nonce_size 16;
            lifetime time 6000 sec;      # sec,min,hour
            initial_contact on;
            support_mip6 on;
            proposal_check obey;         # obey, strict or claim
            proposal {
                    encryption_algorithm des;
                    hash_algorithm md5;
                    authentication_method pre_shared_key ;
                    dh_group 2 ;
            }
    }

    sainfo anonymous {
            pfs_group 2;
            lifetime time 6000 sec;
            encryption_algorithm des,3des ;
            authentication_algorithm hmac_md5;
            compression_algorithm deflate;
    }

And don't forget to add

    2.2.2.2 donttell

to /usr/local/etc/racoon/psk.txt

In terms of interfaces, we just have the 2... No gif.

To bring up the tunnel, make sure you do a ping specifying the source address, e.g.

    ping -S 192.168.100.9 96.0.0.1

or just generate something from behind the FreeBSD box.

---Mike

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike
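As an added check that is not part of Mike's post: the most common reason a tunnel like this fails to negotiate (or, worse, silently accepts cleartext) is that the selectors in the Cisco crypto ACL and the FreeBSD SPD do not mirror each other. This Python script derives the setkey spdadd lines from the Cisco ACL and verifies that every outbound policy has its inbound mirror; it assumes only the addresses given in the post (1.1.1.1, 2.2.2.2, 192.168.100.0/24 and 96.0.0.0/24).

```python
import ipaddress

# Constructed sample input taken from the post: the Cisco crypto ACL, the two
# public endpoints, and the LAN behind the FreeBSD box.
CISCO_ACL = """
access-list 109 permit ip 192.168.100.0 0.0.0.255 96.0.0.0 0.0.0.255
access-list 109 permit ip 96.0.0.0 0.0.0.255 192.168.100.0 0.0.0.255
"""
FREEBSD_PUB, CISCO_PUB = "1.1.1.1", "2.2.2.2"
FREEBSD_LAN = ipaddress.IPv4Network("192.168.100.0/24")

def wildcard_to_network(addr, wildcard):
    """Cisco wildcard masks are inverted netmasks: 0.0.0.255 means /24."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    # IPv4Network rejects a non-contiguous mask, which would be an ACL mistake anyway
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def parse_crypto_acl(text):
    """Return [(src_net, dst_net), ...] for every 'permit ip' line of the crypto ACL."""
    pairs = []
    for line in text.strip().splitlines():
        p = line.split()  # access-list N permit ip SRC SRC_WC DST DST_WC
        if len(p) != 8 or p[0] != "access-list" or p[2:4] != ["permit", "ip"]:
            raise ValueError("unsupported ACL line: %r" % line)
        pairs.append((wildcard_to_network(p[4], p[5]), wildcard_to_network(p[6], p[7])))
    return pairs

def acl_to_spd(pairs, local_lan, local_pub, remote_pub):
    """Translate each ACL entry into the setkey spdadd line the FreeBSD peer needs:
    from our LAN -> 'out' tunnelled local->remote; to our LAN -> mirrored 'in'."""
    lines = []
    for src, dst in pairs:
        if src == local_lan:
            lines.append("spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/unique ;"
                         % (src, dst, local_pub, remote_pub))
        elif dst == local_lan:
            lines.append("spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/unique ;"
                         % (src, dst, remote_pub, local_pub))
        else:
            raise ValueError("ACL entry %s -> %s does not involve our LAN" % (src, dst))
    return lines

def spd_is_mirrored(lines):
    """Every 'out' policy needs its 'in' mirror; without it the inbound SPD check
    would not reject cleartext packets claiming to come from the remote LAN."""
    sels = {(l.split()[1], l.split()[2], l.split()[5]) for l in lines}
    return all((d, s, "in") in sels for s, d, p in sels if p == "out")

if __name__ == "__main__":
    for l in acl_to_spd(parse_crypto_acl(CISCO_ACL), FREEBSD_LAN, FREEBSD_PUB, CISCO_PUB):
        print(l)
```

The two lines it prints for the post's ACL are exactly the two spdadd lines in 00_ipsec.sh above, so the same function can be pointed at a different customer's ACL to generate (and sanity-check) the FreeBSD side.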