From owner-freebsd-questions  Thu May 24 17:46: 9 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from rgmail.regenstrief.org (rgmail.regenstrief.org [134.68.31.197])
	by hub.freebsd.org (Postfix) with ESMTP id C65C937B423
	for <freebsd-questions@FreeBSD.ORG>; Thu, 24 May 2001 17:46:06 -0700 (PDT)
	(envelope-from gunther@aurora.regenstrief.org)
Received: from aurora.regenstrief.org (rgnout.regenstrief.org [134.68.31.38])
	by rgmail.regenstrief.org (8.11.0/8.8.7) with ESMTP id f4P0mrX08236;
	Thu, 24 May 2001 19:48:53 -0500
Message-ID: <3B0DAB4C.97B920A9@aurora.regenstrief.org>
Date: Fri, 25 May 2001 00:46:04 +0000
From: Gunther Schadow <gunther@aurora.regenstrief.org>
Organization: Regenstrief Institute for Health Care
X-Mailer: Mozilla 4.75 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Jeff Kreska <jkreska@kreska.org>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: KAME and Cisco IPSEC server?
References: <Pine.BSF.4.21.0105231005390.11612-100000@c528925-a.plano1.tx.home.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-questions.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-questions>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-questions>
X-Loop: FreeBSD.ORG

Jeff Kreska wrote:
> 
> Any one know if it is possible to connect to CISCo IPSEC server using KAME
> or any other FreeBSD IPSEC software.
> 
> I am not even sure how to find out what type of IPSEC the box is
> expecting.

Then you have to read the CISCO manuals on this. You want to
have both the command reference and the intro to IPsec, IKE,
and CA. Yes, you can do it and it has been done before. On PIX 
firewalls you can only do tunnel mode. With IOS IPsec you can do 
both tunnel and transport. In IOS I think you can do static keys, 
but they seem to prefer IKE. So use racoon, but my work with racoon 
wasn't very successful several months ago. Sakane has improved racoon 
since then though.

Upgrade IPsec on FreeBSD to a recent KAME-snap. Chances are 
you will have problems even with 4.3-RELEASE.

You need to tweak the Cisco thing to do what you can do. Go 
step by step. Start with configured tunnels and static keys.
Then add racoon with preshard key. Only then add certificates.
Racoon can do certificates, but bugs are to be expected. BTW
Cisco's things have bugs too!!!! So if something doesn't work
as expected, there can be many reasons.

good luck,
-Gunther

-- 
Gunther Schadow, M.D., Ph.D.                    gschadow@regenstrief.org
Medical Information Scientist      Regenstrief Institute for Health Care
Adjunct Assistent Professor        Indiana University School of Medicine
tel:1(317)630-7960                         http://aurora.regenstrief.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message