Date:      Thu, 13 Mar 2003 01:50:58 -0800
From:      Jonathan Feally <vulture@consult-scs.com>
To:        jamie@tridentmicrosystems.co.uk
Cc:        freebsd-net@freebsd.org
Subject:   Re: Cisco PIX 501 (3DES) to FreeBSD VPN Gateway
Message-ID:  <3E705482.4000202@consult-scs.com>
References:  <014901c2e6fb$7b037880$4a64a8c0@jamieheckford>

I have a similar setup from my home (FreeBSD) to my work (PIX-515).
10/8 is my work, 192.168.X.0/24 is my home. This setup will give you a
3DES-encrypted tunnel with a pre-shared key.
Your PIX will need these config lines (adjust to match your networks):

# This defines what traffic will apply to the ipsec tunnel
access-list ipsec-ok-list permit ip 10.0.0.0 255.0.0.0 192.168.X.0 255.255.255.0
# You will need this along with the nat (inside) 0 line
access-list nat-bypass-list permit ip 10.0.0.0 255.0.0.0 192.168.X.0 255.255.255.0
# Don't know if I need this line
access-list nat-bypass-list permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
global (outside) 1 (PIX Outside Hide IP)
# I think I had to add this to not nat connections from inside the PIX to my
# Home LAN - other direction works fine
# (the access-list name here must match the one defined above: nat-bypass-list)
nat (inside) 0 access-list nat-bypass-list
# Don't forget to put the default (what gets hidden) after what doesn't get hidden
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
# below is the ipsec setup
# trans-set is the definition of what kind of encryption we will be doing
#   (esp-3des alone: ESP encryption with no ESP authentication)
# ipsec-map is the ipsec tunnel definition
# ipsec-ok-list is the traffic ok over the tunnel
crypto ipsec transform-set trans-set esp-3des
crypto map ipsec-map 20 ipsec-isakmp
crypto map ipsec-map 20 match address ipsec-ok-list
crypto map ipsec-map 20 set pfs group2
crypto map ipsec-map 20 set peer (BSD Outside IP)
crypto map ipsec-map 20 set transform-set trans-set
crypto map ipsec-map interface outside
isakmp enable outside
# keys are 10 alphanums long
isakmp key putkeyhere address (BSD Outside IP) netmask 255.255.255.255
isakmp identity address
# phase 1 (IKE) policy - racoon's remote{} proposal below must mirror these
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600

IPSEC SPDs using setkey:
# out: home -> work, ESP tunnel from the BSD outside IP to the PIX outside IP
spdadd 192.168.X.0/24 10.0.0.0/8 any -P out ipsec esp/tunnel/(BSD Outside IP)-(PIX Outside IP - not hide IP)/require;
# in: work -> home, same tunnel endpoints the other way round
spdadd 10.0.0.0/8 192.168.X.0/24 any -P in ipsec esp/tunnel/(PIX Outside IP - not hide IP)-(BSD Outside IP)/require;

Racoon's configs:
# begin racoon.conf
path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
path certificate "/etc/ssh" ;

padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

listen
{
        isakmp (Outside BSD IP Goes Here);
        strict_address;
}

timer
{
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}

# phase 1: must match the PIX 'isakmp policy 20' lines (3des / sha / group 2 / pre-share)
remote (PIX Outside IP Goes Here - not Hide IP) {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# phase 2: must match the PIX transform-set 'esp-3des' and 'set pfs group2'
sainfo anonymous {
        pfs_group 2;
        encryption_algorithm 3des;
        # non_auth is what matches a PIX transform-set of esp-3des with no esp-*-hmac
        authentication_algorithm hmac_sha1,non_auth; # don't think you will need hmac_sha1
        compression_algorithm deflate;
}
# End racoon.conf

# begin psk.txt
(PIX Outside IP Goes Here - not Hide IP)    putkeyhere
# end psk.txt


IPFW:
Put these above any natd diverts - adjust as needed
allow ip from 192.168.X.0/24 to 10.0.0.0/8
allow ip from 10.0.0.0/8 to 192.168.X.0/24


Well - Good luck

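An added example, not part of Jonathan's post: a small sh script for the FreeBSD side that derives the setkey(8) SPD entries and the racoon remote{}/sainfo{} stanza from the same four addresses and from the PIX "isakmp policy" lines (so the two ends cannot drift apart), and checks psk.txt before racoon is started. The addresses 203.0.113.10 (BSD outside), 198.51.100.1 (PIX outside), 192.168.5.0/24 and 10.0.0.0/8, the file names and all function names are assumptions for illustration; the PIX policy text is the one quoted above, embedded as constructed sample input.

```shell
#!/bin/sh
# Added example (not from the original post).  Derives the FreeBSD side of the
# PIX <-> racoon tunnel from the PIX 'isakmp policy' lines and checks psk.txt.
# All addresses below are placeholders (assumptions); substitute your own.

BSD_IP=${BSD_IP:-203.0.113.10}        # FreeBSD outside IP (assumed)
PIX_IP=${PIX_IP:-198.51.100.1}        # PIX outside IP, not the 'global' hide IP (assumed)
HOME_NET=${HOME_NET:-192.168.5.0/24}  # network behind FreeBSD (assumed)
WORK_NET=${WORK_NET:-10.0.0.0/8}      # network behind the PIX (assumed)

# Constructed sample: the phase-1 lines from the PIX config quoted above.
PIX_POLICY='isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600'

# Read "isakmp policy N <key> <value>" lines on stdin, print the value for <key>.
pix_policy_value() {
    awk -v key="$1" '$1=="isakmp" && $2=="policy" && $4==key {print $5; exit}'
}

# Map PIX algorithm names to the names racoon.conf expects.
to_racoon_hash() { case "$1" in sha) echo sha1 ;; md5) echo md5 ;; *) return 1 ;; esac; }
to_racoon_enc()  { case "$1" in 3des) echo 3des ;; des) echo des ;; *) return 1 ;; esac; }

# Two SPD entries, one per direction, tunnel-mode ESP between the outside IPs.
gen_spd() {
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$HOME_NET" "$WORK_NET" "$BSD_IP" "$PIX_IP"
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$WORK_NET" "$HOME_NET" "$PIX_IP" "$BSD_IP"
}

# racoon remote{} built from the PIX policy text given as $1.  sainfo{} is fixed
# to the posted transform-set 'esp-3des' (no ESP authentication -> non_auth)
# and 'set pfs group2'.
gen_racoon() {
    enc=$(printf '%s\n' "$1" | pix_policy_value encryption)
    hash=$(printf '%s\n' "$1" | pix_policy_value hash)
    grp=$(printf '%s\n' "$1" | pix_policy_value group)
    life=$(printf '%s\n' "$1" | pix_policy_value lifetime)
    renc=$(to_racoon_enc "$enc")   || { echo "unsupported PIX encryption: $enc" >&2; return 1; }
    rhash=$(to_racoon_hash "$hash") || { echo "unsupported PIX hash: $hash" >&2; return 1; }
    cat <<EOF
remote $PIX_IP {
        exchange_mode main;
        lifetime time $life sec;
        proposal {
                encryption_algorithm $renc;
                hash_algorithm $rhash;
                authentication_method pre_shared_key;
                dh_group $grp;
        }
}
sainfo anonymous {
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm non_auth;
}
EOF
}

# psk.txt must not be readable by group/other (racoon refuses to load it
# otherwise) and must carry a line for the PIX peer.  ls(1) is used for the
# mode so this works on FreeBSD and Linux alike.
check_psk() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    mode=$(ls -ld "$f" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "$f: must be mode 0600" >&2; return 1; }
    grep -q "^$PIX_IP[[:space:]]" "$f" || { echo "$f: no key for $PIX_IP" >&2; return 1; }
}

# Typical use (file names assumed):
#   gen_spd > /etc/ipsec.conf && setkey -f /etc/ipsec.conf
#   gen_racoon "$PIX_POLICY" >> /usr/local/etc/racoon/racoon.conf
#   check_psk /usr/local/etc/racoon/psk.txt && racoon -F
```

The generated stanza deliberately offers only non_auth in phase 2, because the PIX transform-set in the post is esp-3des with no esp-sha-hmac; if the PIX side later gains ESP authentication, both the transform-set and this sainfo must change together. Whatever the ipfw ruleset looks like, the two "allow ip" lines in the post cover only the decrypted inner traffic: the outside IPs also need udp/500 (IKE) and ESP (IP protocol 50) permitted between them, or racoon never completes phase 1.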

Jamie Heckford wrote:

>Hi All,
>
>I am wondering if it is possible to setup a Cisco PIX 501 (3DES) to talk
>to a FreeBSD VPN Gateway.
>
>The VPN gateway currently runs MPD-Netgraph and Poptop to provide access
>to all Win XX series clients. 
>
>What I am wondering is it possible to setup IPSec / racoon combo on the
>FreeBSD system so the PIX 501 can connect to it ok. 
>
>The role of the PIX 501 at the remote end will be to send all non-local
>traffic out to the internet and VPN destined routes over the VPN
>connection.
>
>Has anyone had any experience with this? Any comments or suggestions?
>Google did not seem to yield too many useful results.
>
>Any help greatly appreciated as usual :)
>
>Cheers,
>
>--
>Jamie Heckford
>Network Manager
>Trident Microsystems Ltd.
>jamie@tridentmicrosystems.co.uk
>
>t: +44(0)1737-780790
>f: +44(0)1737-771908
>w: http://www.tridentmicrosystems.co.uk/
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-net" in the body of the message
>  
>







Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3E705482.4000202>