From owner-freebsd-questions@FreeBSD.ORG Sat Feb 22 08:41:33 2014
Date: Sat, 22 Feb 2014 09:41:26 +0100
From: Matthias Apitz
To: Farzin Falahati
Cc: freebsd-questions@freebsd.org
Subject: Re: IPSec
Message-ID: <20140222084125.GA1567@tiny-r255948>
X-Operating-System: FreeBSD 10.0-CURRENT r235646 (i386)
User-Agent: Mutt/1.5.21 (2010-09-15)

On Saturday, February 22, 2014 at 11:51:23AM +0330, Farzin Falahati wrote:
> hello all,
>
> I want to create an IPsec tunnel between my FreeBSD and a Cisco router. I
> have FreeBSD 9.2 with ipsec-tools 0.8.0. Is it possible? You know, I
> struggled to do it in FreeBSD 8.2 but unfortunately I couldn't do that. Now I
> have migrated to FreeBSD 9.2 and I heard that IPsec was changed to be more
> standard in it. So is it possible to create an IPsec tunnel between
> FreeBSD 9.2 and a Cisco router or not?

Hello,

I've checked my old files from around 2007/2008 and I was using something like:

# vpnc --no-detach --gateway xxx.xxx.xxx.xxx --id ipsec --username xxxxxx

and some configuration file like (see attached notes). The 'secret' must have
been extracted from an encrypted value which your Cisco admin generated for the
access; there was/is some C-written tool to do the extraction.

I'm attaching my notes on how to configure this; I do not use it anymore, so I
can't help with tests.

HIH

matthias

--
Sent from my FreeBSD netbook

Matthias Apitz, http://www.unixarea.de/
f: +49-170-4527211
UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2, FreeBSD since 2.2.5

Attachment: vpnc.txt

$Id: vpnc.txt,v 1.5 2007/06/11 14:07:41 guru Exp $

messages from "make install":

===> Installing for vpnc-0.3.3_1
/bin/mkdir -p /usr/local/share/doc/vpnc
...
This port has installed the following files which may act as network servers and
may therefore pose a remote security risk to the system.
/usr/local/sbin/vpnc

This port has installed the following startup scripts which may cause these
network services to be started at boot time.
/usr/local/etc/rc.d/vpnc.sh.sample

If there are vulnerabilities in these programs there may be a security risk to
the system. FreeBSD makes no guarantee about the security of ports included in
the Ports Collection. Please type 'make deinstall' to deinstall the port if this
is a concern.

For more information, and contact details about the security status of this
software, see the following webpage:
http://www.unix-ag.uni-kl.de/~massar/vpnc/

to config: /usr/local/etc/vpnc.conf:

IPSec gateway xxx.xxx.xxx.xxx
IPSec ID aaaaaaaaaa
IPSec secret bbbbbbbbbb
Xauth username xxxxxxxx
Xauth password xxxxxxxx

some comments about how it works:

- the gateway is contacted first on UDP 500 and later on 4500 as proposed by
  the server;

- the 'aaaaaaaaaa' (IPSec ID) is Cisco's 'GroupName' value;

- the 'bbbbbbbbbb' (IPSec secret) is Cisco's 'enc_GroupPwd' but in clear text;
  there is a tool to recalculate the clear text GroupPwd which is written in C
  and may be fetched from:

  http://www.unix-ag.uni-kl.de/~massar/soft/cisco-decrypt.c

  (local copy is in ~guru/sysSrc/cisco-decrypt.c) and may be compiled with:

  $ gcc -o cisco-decrypt -I/usr/local/include cisco-decrypt.c -L/usr/local/lib -lgcrypt

you launch it just as root with:

# vpnc --no-detach
# vpnc --no-detach --debug 3 --udp(?)

routings, /etc/resolv.conf are set/reset on up and down via a call to a script
/usr/local/sbin/vpnc-script

in our case /etc/resolv.conf gets changed to:

#@VPNC_GENERATED@ -- this file is generated by vpnc
# and will be overwritten by vpnc
# as long as the above mark is intact
domain blabla.de
nameserver xxx.xxx.xxx.xxx

the routings to the various networks the Concentrator knows are also set and
unset by the above script if the Concentrator provided 'split-network
settings'; they are passed as environment variables to
/usr/local/sbin/vpnc-script

that's all
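Added illustration, not part of the original mail and not vpnc's own vpnc-script: two POSIX sh functions that reproduce the '#@VPNC_GENERATED@' marker behaviour the notes describe for /etc/resolv.conf. The file is replaced on "up" and restored on "down" only while the marker is still the first line, so a file an admin edited by hand is left alone. The file path, domain, nameserver and the ".vpnc-backup" suffix are assumptions of this example, which is why it can be run against a temporary file instead of /etc/resolv.conf.

```shell
#!/bin/sh
# Example only: marker-guarded resolv.conf handling in the spirit of the notes
# above. FILE/DOMAIN/NAMESERVER are parameters; ".vpnc-backup" is an assumed name.

MARK='#@VPNC_GENERATED@'

# vpnc_resolv_up FILE DOMAIN NAMESERVER
# Save the current resolver config and replace it with a marked, generated one.
vpnc_resolv_up() {
    file=$1; domain=$2; ns=$3
    # Only back up a file that is not already generated, so a second "up"
    # does not overwrite the real backup with vpnc's own output.
    if [ -f "$file" ] && ! head -n 1 "$file" | grep -q "$MARK"; then
        cp "$file" "$file.vpnc-backup"
    fi
    {
        printf '%s -- this file is generated by vpnc\n' "$MARK"
        printf '# and will be overwritten by vpnc\n'
        printf '# as long as the above mark is intact\n'
        printf 'domain %s\n' "$domain"
        printf 'nameserver %s\n' "$ns"
    } > "$file"
}

# vpnc_resolv_down FILE
# Restore the backup only if the marker is still the first line. If the
# marker is gone (someone edited the file by hand), leave it alone and
# return 1 so the caller can notice.
vpnc_resolv_down() {
    file=$1
    if head -n 1 "$file" 2>/dev/null | grep -q "$MARK"; then
        if [ -f "$file.vpnc-backup" ]; then
            mv "$file.vpnc-backup" "$file"
        else
            rm -f "$file"
        fi
        return 0
    fi
    return 1
}
```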