From: "Scott M. Nolde" <scott@smnolde.com>
To: Mike Tancsa
Cc: freebsd-security@freebsd.org
Date: Tue, 10 Sep 2002 22:20:50 -0400
Subject: Re: FreeBSD IPSEC connection to a Cisco Router using ESP (FAQ submission)
Message-ID: <20020911022050.GA2417@smnolde.com>
In-Reply-To: <5.1.1.6.0.20020903104701.0591bc10@marble.sentex.ca>

Mike Tancsa(mike@sentex.net)@2002.09.03 10:50:02 +0000:
>
> Question: How do I set up an IPSEC ESP Tunnel between a Cisco router and
> FreeBSD
>
> An Answer:
>
> OK, I have seen a few people ask this question, but I had not found via the
> search engines a sample config on how to set up an IPSEC tunnel between a
> FreeBSD box and Cisco router. We had a customer over the weekend wanting to
> do just this, so I figured I would post the setup here in case anyone else
> wanted to do something like this.
>

Mike, I appreciate your efforts in documenting this. I have verified 3DES
encryption using a Cisco 1720 router with IOS c1700-k2sy-mz.121-5.T8.bin.
Other IOSs that support 3DES should work similarly.

From racoon's log:

2002-09-10 22:13:16: DEBUG: algorithm.c:509:alg_ipsec_encdef(): encription(3des)
2002-09-10 22:13:16: DEBUG: algorithm.c:552:alg_ipsec_hmacdef(): hmac(hmac_md5)
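Scott confirms the negotiated ESP transform by reading racoon's debug output by eye. The script below is an added example for this thread (editor's code, not Scott's, Mike's or the racoon project's): it parses racoon debug lines of the shape shown above, collects every encryption and HMAC algorithm racoon reports for the SA, and flags single DES as broken and 3DES/HMAC-MD5/HMAC-SHA1 as legacy. The "broken" and "legacy" tables are this example's own policy, not anything racoon or IOS enforce, and the `CONSTRUCTED_DES_LOG` lines are made up to exercise the broken-algorithm path; only the two 3DES/HMAC-MD5 lines are from the post. racoon really does spell the message "encription", so the pattern matches that text as-is.

```python
"""Extract and sanity-check the ESP algorithms racoon reports in its debug log.

Added example for this thread, not code from the original post.
"""
import re

# racoon debug lines look like:
#   YYYY-MM-DD HH:MM:SS: LEVEL: file.c:line:func(): message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}): "
    r"(?P<level>[A-Z]+): "
    r"(?P<src>[\w.]+:\d+):(?P<func>\w+)\(\): "
    r"(?P<msg>.*)$"
)
# racoon's own (misspelled) algorithm messages, matched exactly as racoon prints them.
ALG_RE = {
    "encryption": re.compile(r"^encription\((?P<alg>[\w-]+)\)$"),
    "hmac": re.compile(r"^hmac\((?P<alg>[\w-]+)\)$"),
}

# Policy tables are an assumption made for this example, not racoon or IOS behaviour.
BROKEN = {"des", "null"}                    # never acceptable on a production SA
LEGACY = {"3des", "hmac_md5", "hmac_sha1"}  # what this thread negotiated in 2002; avoid today


def parse_line(line):
    """Return (timestamp, function, message) for a racoon-shaped line, else None."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    return m.group("ts"), m.group("func"), m.group("msg")


def negotiated_algorithms(log_text):
    """Collect every encryption / hmac algorithm racoon reports, in log order."""
    found = {"encryption": [], "hmac": []}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # not racoon output (syslog noise, blank line, ...)
        _ts, _func, msg = parsed
        for kind, rx in ALG_RE.items():
            m = rx.match(msg)
            if m:
                found[kind].append(m.group("alg").lower())
    return found


def check_algorithms(found):
    """Return warnings for missing, broken or legacy choices; an empty list means clean."""
    warnings = []
    for kind in ("encryption", "hmac"):
        if not found[kind]:
            warnings.append(f"no {kind} algorithm seen: SA may not have been negotiated")
        for alg in found[kind]:
            if alg in BROKEN:
                warnings.append(f"BROKEN {kind}: {alg}")
            elif alg in LEGACY:
                warnings.append(f"legacy {kind}: {alg} (acceptable in 2002, avoid today)")
    return warnings


# The two lines Scott posted, verbatim.
POSTED_LOG = """\
2002-09-10 22:13:16: DEBUG: algorithm.c:509:alg_ipsec_encdef(): encription(3des)
2002-09-10 22:13:16: DEBUG: algorithm.c:552:alg_ipsec_hmacdef(): hmac(hmac_md5)
"""

# Constructed for this example: a peer that only offered single DES, plus one
# line of unrelated noise that the parser must skip.
CONSTRUCTED_DES_LOG = """\
Sep 10 22:40:01 bsd racoon: constructed non-racoon-format noise line
2002-09-10 22:40:01: DEBUG: algorithm.c:509:alg_ipsec_encdef(): encription(des)
2002-09-10 22:40:01: DEBUG: algorithm.c:552:alg_ipsec_hmacdef(): hmac(hmac_sha1)
"""

if __name__ == "__main__":
    for name, log in (("posted log", POSTED_LOG), ("constructed DES log", CONSTRUCTED_DES_LOG)):
        algs = negotiated_algorithms(log)
        print(f"{name}: {algs}")
        for w in check_algorithms(algs) or ["ok"]:
            print("   ", w)
```

Run it against `racoon -d` output (or the racoon log file) after the tunnel comes up; an empty warning list means the SA used none of the listed algorithms, while a `BROKEN` entry means the Cisco side accepted single DES and the crypto map or transform set needs tightening.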