From: Gunther Schadow
Organization: Regenstrief Institute for Health Care
Date: Fri, 25 May 2001 00:46:04 +0000
To: Jeff Kreska
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: KAME and Cisco IPSEC server?
Message-ID: <3B0DAB4C.97B920A9@aurora.regenstrief.org>

Jeff Kreska wrote:
>
> Anyone know if it is possible to connect to a Cisco IPSEC server using KAME
> or any other FreeBSD IPSEC software.
>
> I am not even sure how to find out what type of IPSEC the box is
> expecting.

Then you have to read the Cisco manuals on this. You want to have both
the command reference and the intro to IPsec, IKE, and CA.

Yes, you can do it and it has been done before. On PIX firewalls you
can only do tunnel mode. With IOS IPsec you can do both tunnel and
transport. In IOS I think you can do static keys, but they seem to
prefer IKE. So use racoon, but my work with racoon wasn't very
successful several months ago. Sakane has improved racoon since then
though. Upgrade IPsec on FreeBSD to a recent KAME snap. Chances are you
will have problems even with 4.3-RELEASE. You need to tweak the Cisco
thing to do what you can do. Go step by step. Start with configured
tunnels and static keys. Then add racoon with preshared key. Only then
add certificates. Racoon can do certificates, but bugs are to be
expected. BTW Cisco's things have bugs too!!!! So if something doesn't
work as expected, there can be many reasons.

Good luck,
-Gunther

--
Gunther Schadow, M.D., Ph.D.                    gschadow@regenstrief.org
Medical Information Scientist      Regenstrief Institute for Health Care
Adjunct Assistant Professor        Indiana University School of Medicine
tel:1(317)630-7960                         http://aurora.regenstrief.org
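As an added example, not part of Gunther's mail and not the KAME or racoon projects' own documentation: a POSIX shell script that generates the FreeBSD side of the first two steps he lists, a statically keyed ESP tunnel loaded with setkey(8), then the same policies with the SAs negotiated by racoon using a pre-shared key. The gateway addresses, subnets, SPIs and keys are constructed placeholders, and the proposal values (3des, sha1, DH group 2) are assumptions that must be mirrored exactly on the Cisco side.

```shell
#!/bin/sh
# Added example, not from the original mail. Generates the FreeBSD side of
# the staged setup: step 1 is a manually keyed ESP tunnel (setkey), step 2
# replaces the static keys with racoon + pre-shared key. All addresses,
# SPIs, subnets and keys below are constructed placeholders.

LOCAL_GW=203.0.113.1       # FreeBSD tunnel endpoint (constructed)
REMOTE_GW=203.0.113.2      # Cisco tunnel endpoint (constructed)
LOCAL_NET=192.168.1.0/24   # subnet behind FreeBSD (constructed)
REMOTE_NET=192.168.2.0/24  # subnet behind the Cisco (constructed)

# Check that a 0x-prefixed hex key has exactly the bit length the algorithm
# needs and contains only hex digits. setkey accepts whatever you type; a
# wrong-length 3des-cbc or hmac-sha1 key is a classic reason a static tunnel
# loads fine and then silently fails to interoperate.
hexlen_ok() {
    key=${1#0x}
    [ "${#key}" -eq $(( $2 / 4 )) ] &&
        [ -z "$(printf '%s' "$key" | tr -d '0-9a-fA-F')" ]
}

# Step 1: static keys. Emits a setkey(8) script with one SA per direction
# (manual keying never rekeys, so each direction gets its own SPI and key
# pair) plus the matching tunnel-mode policies.
# Args: enc_key_out auth_key_out enc_key_in auth_key_in
gen_setkey_static() {
    for k in "$1" "$3"; do
        hexlen_ok "$k" 192 || { echo "bad 3des-cbc key: $k" >&2; return 1; }
    done
    for k in "$2" "$4"; do
        hexlen_ok "$k" 160 || { echo "bad hmac-sha1 key: $k" >&2; return 1; }
    done
    cat <<EOF
flush;
spdflush;
add $LOCAL_GW $REMOTE_GW esp 0x1000 -m tunnel -E 3des-cbc $1 -A hmac-sha1 $2;
add $REMOTE_GW $LOCAL_GW esp 0x1001 -m tunnel -E 3des-cbc $3 -A hmac-sha1 $4;
spdadd $LOCAL_NET $REMOTE_NET any -P out ipsec esp/tunnel/$LOCAL_GW-$REMOTE_GW/require;
spdadd $REMOTE_NET $LOCAL_NET any -P in ipsec esp/tunnel/$REMOTE_GW-$LOCAL_GW/require;
EOF
}

# Step 2: keep the spdadd policies, drop the add lines, and let IKE create
# the SAs. Emits a racoon.conf whose phase 1 and phase 2 proposals must
# match the Cisco ISAKMP policy and transform set exactly (assumed here:
# 3des, sha1, DH group 2). The PSK itself lives in a separate mode-0600 file.
gen_racoon_psk() {
    cat <<EOF
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

remote $REMOTE_GW {
        exchange_mode main;
        my_identifier address;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
EOF
}

# Fresh keys from the kernel CSPRNG; 24 bytes = 192-bit 3DES key,
# 20 bytes = 160-bit HMAC-SHA1 key. Never reuse keys from an example.
randhex() {
    printf '0x%s' "$(od -An -tx1 -N"$1" /dev/urandom | tr -d ' \n')"
}

# Demo run: print both generated files to stdout.
gen_setkey_static "$(randhex 24)" "$(randhex 20)" "$(randhex 24)" "$(randhex 20)"
gen_racoon_psk
```

Save the first block as /etc/ipsec.conf and load it with `setkey -f /etc/ipsec.conf`; the second goes to /usr/local/etc/racoon/racoon.conf, with a psk.txt line of the form `203.0.113.2 <secret>`. When moving from step 1 to step 2, remove only the `add` lines and keep the `spdadd` policies, since racoon needs a policy to know which traffic to negotiate for. Any mismatch with the Cisco proposal shows up as a phase 1 failure in racoon's log, which is the first thing to compare against the IOS `show crypto isakmp` output before suspecting either implementation's bugs.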