From owner-freebsd-net Thu Mar 13 1:51: 4 2003
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C8A7637B401 for ; Thu, 13 Mar 2003 01:50:59 -0800 (PST)
Received: from consult-scs.com (vpn.consult-scs.com [209.172.126.178]) by mx1.FreeBSD.org (Postfix) with ESMTP id A894343FBF for ; Thu, 13 Mar 2003 01:50:58 -0800 (PST) (envelope-from vulture@consult-scs.com)
Received: from consult-scs.com ([192.168.2.2]) (authenticated bits=0) by consult-scs.com (8.12.6/8.12.6) with ESMTP id h2D9ow2I006554; Thu, 13 Mar 2003 01:50:59 -0800 (PST)
Message-ID: <3E705482.4000202@consult-scs.com>
Date: Thu, 13 Mar 2003 01:50:58 -0800
From: Jonathan Feally
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: jamie@tridentmicrosystems.co.uk
Cc: freebsd-net@freebsd.org
Subject: Re: Cisco PIX 501 (3DES) to FreeBSD VPN Gateway
References: <014901c2e6fb$7b037880$4a64a8c0@jamieheckford>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-net@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I have a similar setup from my home (FreeBSD) to my work (PIX-515).

10/8 is my work
192.168.X.0/24 is my home - this setup will give you a 3des encrypted tunnel with a Pre-Shared Key

Your PIX will need these config lines (adjust to match your networks):

access-list ipsec-ok-list permit ip 10.0.0.0 255.0.0.0 192.168.X.0 255.255.255.0
#This defines what traffic will apply to the ipsec tunnel
access-list nat-bypass-list permit ip 10.0.0.0 255.0.0.0 192.168.X.0 255.255.255.0
#You will need this along with the nat (inside) 0 line
access-list nat-bypass-list permit ip 10.0.0.0 255.0.0.0 10.0.0.0 255.0.0.0
#Don't know if I need this line
global (outside) 1 (PIX Outside Hide IP)
nat (inside) 0 access-list nat-bypass-list
# (the access-list name here must match the nat-bypass-list defined above)
# I think I had to add this to not nat connections from inside the PIX to my Home LAN - other direction works fine
nat (inside) 1 10.0.0.0 255.0.0.0 0 0
# Don't forget to move the default what gets hidden to after the what doesn't get hidden
# below is the ipsec setup
# trans-set is the definition of what kind of encryption we will be doing
# ipsec-map is the ipsec tunnel definition
# ipsec-ok-list is the traffic ok over the tunnel
crypto ipsec transform-set trans-set esp-3des
crypto map ipsec-map 20 ipsec-isakmp
crypto map ipsec-map 20 match address ipsec-ok-list
crypto map ipsec-map 20 set pfs group2
crypto map ipsec-map 20 set peer (BSD Outside IP)
crypto map ipsec-map 20 set transform-set trans-set
crypto map ipsec-map interface outside
isakmp enable outside
# keys are 10 alphanums long
isakmp key putkeyhere address (BSD Outside IP) netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600

IPSEC SPDs using setkey:

spdadd 192.168.X.0/24 10.0.0.0/8 any -P out ipsec esp/tunnel/(BSD Outside IP)-(PIX Outside IP - not hide IP)/require;
spdadd 10.0.0.0/8 192.168.X.0/24 any -P in ipsec esp/tunnel/(PIX Outside IP - not hide IP)-(BSD Outside IP)/require;

Racoon's configs:

# begin racoon.conf
path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
path certificate "/etc/ssh" ;

padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

listen
{
        isakmp (Outside BSD IP Goes Here);
        strict_address;
}

timer
{
        # These values can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}

remote (PIX Outside IP Goes Here - not Hide IP)
{
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous
{
        pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1,non_auth;    #don't think you will need hmac_sha1
        compression_algorithm deflate;
}
# End racoon.conf

# begin psk.txt
(PIX Outside IP Goes Here - not Hide IP)        putkeyhere
# end psk.txt

IPFW: Put these above any natd diverts - adjust as needed

allow ip from 192.168.X.0/24 to 10.0.0.0/8
allow ip from 10.0.0.0/8 to 192.168.X.0/24

Well - Good luck

Jamie Heckford wrote:

>Hi All,
>
>I am wondering if it is possible to setup a Cisco PIX 501 (3DES) to talk
>to a FreeBSD VPN Gateway.
>
>The VPN gateway currently runs MPD-Netgraph and Poptop to provide access
>to all Win XX series clients.
>
>What I am wondering is it possible to setup IPSec / racoon combo on the
>FreeBSD system so the PIX 501 can connect to it ok.
>
>The role of the PIX 501 at the remote end will be to send all non-local
>traffic out to the internet and VPN destined routes over the VPN
>connection.
>
>Has anyone had any experience with this? Any comments or suggestions?
>Google did not seem to yield too many useful results.
>
>Any help greatly appreciated as usual :)
>
>Cheers,
>
>--
>Jamie Heckford
>Network Manager
>Trident Microsystems Ltd.
>jamie@tridentmicrosystems.co.uk
>
>t: +44(0)1737-780790
>f: +44(0)1737-771908
>w: http://www.tridentmicrosystems.co.uk/
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-net" in the body of the message
>
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-net" in the body of the message
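The configuration above spreads one tunnel over four files on two products that spell the same parameters differently (PIX "hash sha" / "pre-share" / "group2" versus racoon "sha1" / "pre_shared_key" / "2"), and a single mismatch in any of them makes phase 1 or phase 2 fail silently. The script below is an added example, not code from the post or from either product: it parses the PIX lines, racoon.conf, psk.txt and the setkey SPD policies, normalises the vocabulary, and reports every point where the two ends disagree (phase 1 proposal, phase 2 cipher, ESP integrity, pre-shared key and the peer it is keyed by, tunnel endpoints, selector mirroring, and the "require" level). The sample inputs are constructed from the posted lines, with the "(BSD Outside IP)" and "(PIX Outside IP)" placeholders filled with the assumed documentation addresses 198.51.100.1 and 203.0.113.1 and 192.168.X.0/24 taken as 192.168.2.0/24.

```python
"""Cross-check the PIX and FreeBSD (racoon + setkey) ends of one IPsec tunnel.

Added example, not from the mailing-list post. Sample inputs are constructed from
the posted config; the peer addresses and the 192.168.2.0/24 LAN are assumed values.
"""
import ipaddress
import re

PIX_CONF = """\
access-list ipsec-ok-list permit ip 10.0.0.0 255.0.0.0 192.168.2.0 255.255.255.0
crypto ipsec transform-set trans-set esp-3des
crypto map ipsec-map 20 ipsec-isakmp
crypto map ipsec-map 20 match address ipsec-ok-list
crypto map ipsec-map 20 set pfs group2
crypto map ipsec-map 20 set peer 198.51.100.1
crypto map ipsec-map 20 set transform-set trans-set
isakmp key putkeyhere address 198.51.100.1 netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
"""
RACOON_CONF = """\
remote 203.0.113.1 {
    exchange_mode main;
    proposal { encryption_algorithm 3des; hash_algorithm sha1;
               authentication_method pre_shared_key; dh_group 2; }
}
sainfo anonymous {
    pfs_group 2; encryption_algorithm 3des;
    authentication_algorithm hmac_sha1,non_auth; compression_algorithm deflate;
}
"""
PSK_TXT = "203.0.113.1\tputkeyhere\n"          # keyed by the PIX (remote) address
SETKEY_CONF = """\
spdadd 192.168.2.0/24 10.0.0.0/8 any -P out ipsec esp/tunnel/198.51.100.1-203.0.113.1/require;
spdadd 10.0.0.0/8 192.168.2.0/24 any -P in ipsec esp/tunnel/203.0.113.1-198.51.100.1/require;
"""

# PIX and racoon name the same algorithms differently; map PIX spellings to racoon's.
ALIASES = {"sha": "sha1", "pre-share": "pre_shared_key", "group1": "1", "group2": "2",
           "esp-3des": "3des", "esp-des": "des", "esp-sha-hmac": "hmac_sha1", "esp-md5-hmac": "hmac_md5"}

def norm(value):
    return ALIASES.get(value, value)

def parse_pix(text):
    """Collect the tunnel-relevant PIX settings: ACLs, transform set, crypto map, PSK, isakmp policy."""
    pix = {"acl": {}, "policy": {}, "esp": []}
    for f in (line.split() for line in text.splitlines()):
        if len(f) >= 8 and f[0] == "access-list" and f[2:4] == ["permit", "ip"]:
            nets = (ipaddress.ip_network(f"{f[4]}/{f[5]}"), ipaddress.ip_network(f"{f[6]}/{f[7]}"))
            pix["acl"].setdefault(f[1], []).append(nets)       # (src, dst) as seen from the PIX
        elif f[:3] == ["crypto", "ipsec", "transform-set"]:
            pix["esp"] = f[4:]                                  # cipher, optionally an auth transform
        elif f[:2] == ["crypto", "map"] and len(f) >= 7 and f[4] == "match":
            pix["match_acl"] = f[6]
        elif f[:2] == ["crypto", "map"] and len(f) >= 7 and f[4] == "set":
            pix[f[5]] = f[6]                                    # peer, pfs, transform-set
        elif f[:2] == ["isakmp", "key"]:
            pix["psk"], pix["psk_peer"] = f[2], f[4]
        elif f[:2] == ["isakmp", "policy"]:
            pix["policy"][f[3]] = f[4]                          # authentication, encryption, hash, group
    return pix

def parse_racoon(text):
    """Phase 1 settings come from the remote{} block, phase 2 from sainfo{}."""
    kv = lambda block: {k: v.strip() for k, v in re.findall(r"(\w+)\s+([^;{}]+);", block)}
    phase1_text, _, phase2_text = text.partition("sainfo")
    return {"peer": re.search(r"remote\s+(\S+)", text).group(1),
            "phase1": kv(phase1_text), "phase2": kv(phase2_text)}

def parse_psk(text):
    """psk.txt holds one 'peer-address<whitespace>secret' per line."""
    return dict(line.split(None, 1) for line in text.splitlines() if line.strip() and not line.startswith("#"))

def parse_spd(text):
    """setkey spdadd lines: selector pair, direction, ESP tunnel endpoints and level."""
    pat = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+esp/tunnel/(\S+?)-(\S+?)/(\w+);")
    return {m.group(3): {"src": ipaddress.ip_network(m.group(1)), "dst": ipaddress.ip_network(m.group(2)),
                         "tsrc": m.group(4), "tdst": m.group(5), "level": m.group(6)} for m in pat.finditer(text)}

def check_tunnel(pix_text, racoon_text, psk_text, spd_text):
    """Return a list of mismatches between the two ends; an empty list means they agree."""
    pix, rac, psk, spd = parse_pix(pix_text), parse_racoon(racoon_text), parse_psk(psk_text), parse_spd(spd_text)
    problems = []
    pairs = [("phase 1 encryption", pix["policy"].get("encryption"), rac["phase1"].get("encryption_algorithm")),
             ("phase 1 hash", pix["policy"].get("hash"), rac["phase1"].get("hash_algorithm")),
             ("phase 1 authentication", pix["policy"].get("authentication"), rac["phase1"].get("authentication_method")),
             ("phase 1 DH group", pix["policy"].get("group"), rac["phase1"].get("dh_group")),
             ("phase 2 PFS group", pix.get("pfs"), rac["phase2"].get("pfs_group")),
             ("phase 2 ESP cipher", pix["esp"][0] if pix["esp"] else None, rac["phase2"].get("encryption_algorithm"))]
    problems += [f"{label}: PIX {p!r} vs racoon {r!r}" for label, p, r in pairs if norm(p) != norm(r)]
    # esp-3des alone on the PIX means ESP without integrity, so racoon must offer non_auth.
    pix_auth = {norm(t) for t in pix["esp"][1:]} or {"non_auth"}
    rac_auth = set(rac["phase2"].get("authentication_algorithm", "").split(","))
    if not pix_auth & rac_auth:
        problems.append(f"phase 2 ESP integrity: PIX {sorted(pix_auth)} vs racoon {sorted(rac_auth)}")
    # Same secret on both sides, each keyed by the other end's address.
    if psk.get(rac["peer"]) != pix.get("psk"):
        problems.append("pre-shared key differs or is keyed by the wrong peer address")
    if pix.get("psk_peer") != pix.get("peer"):
        problems.append("PIX isakmp key address does not match the crypto map peer")
    out, inn = spd.get("out"), spd.get("in")
    if not out or not inn:
        problems.append("setkey must have both an 'in' and an 'out' spdadd policy")
    else:
        if (out["tsrc"], out["tdst"]) != (pix["peer"], rac["peer"]) or (inn["tsrc"], inn["tdst"]) != (rac["peer"], pix["peer"]):
            problems.append("setkey tunnel endpoints do not match the PIX peer / racoon remote addresses")
        # The PIX ACL is written from the PIX side: it equals the BSD 'in' selector and mirrors 'out'.
        acl = pix["acl"].get(pix.get("match_acl"), [])
        if (inn["src"], inn["dst"]) not in acl or (out["dst"], out["src"]) not in acl:
            problems.append("setkey selectors do not mirror the crypto map access-list")
        if {out["level"], inn["level"]} != {"require"}:
            problems.append("setkey policies should use level 'require' so matching traffic never leaves in clear")
    return problems

if __name__ == "__main__":
    for line in check_tunnel(PIX_CONF, RACOON_CONF, PSK_TXT, SETKEY_CONF) or ["both ends agree"]:
        print(line)
```

The selector check is the one most often got backwards: the PIX access-list is written from the PIX's point of view (work 10/8 as source), so it must equal the FreeBSD "in" policy and be the mirror image of the "out" policy, exactly as the two spdadd lines in the post have it. The "require" level check matters because a "use" level would let traffic fall through in clear when no SA exists.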