|Newer page:||version 14||Last edited on Sunday, May 25, 2008 2:05:05 am||by CraigBox|
|Older page:||version 13||Last edited on Friday, December 5, 2003 8:15:55 pm||by CraigBox||Revert|
@@ -6,23 +6,28 @@
!1. Compile a kernel with [IPSec] support
This is nicely covered on the [IPSecInstallation] page. A [Debian] summary:
apt-get install kernel-patch-freeswan
make-kpkg --revision=ipsec.1.0 kernel_image
!2. Get FreeS/WAN
apt-get install freeswan
At this point I'd like to recommend that you're using FreeS/WAN v2.02.
!3. Configure FreeS/WAN
Here is my FreeS/WAN configuration and explanation.
# /etc/ipsec.conf - FreeS/WAN IPsec configuration file
# More elaborate and more varied sample configurations can be found
# in FreeS/WAN's doc/examples file, and in the HTML documentation.
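Review bot: the make-kpkg line in step 1 never tells kernel-package to apply the freeswan patch that the preceding apt-get just installed; installed kernel-patch-* packages are only applied when PATCH_THE_KERNEL=YES is in the environment (optionally narrowed with --added-patches freeswan), so as written the resulting kernel_image is a plain kernel without KLIPS and the ipsec0 interface used later will not exist. Suggest `PATCH_THE_KERNEL=YES make-kpkg --added-patches freeswan --revision=ipsec.1.0 kernel_image`, and state which kernel series this was tested against, since FreeS/WAN 2.02 only patches 2.4 kernels.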
@@ -43,16 +48,19 @@
The ''interfaces'' line tells ipsec to use the same IP address as the interface that the default route is on: this is similar to "ipsec0:eth0" that some configurations recommend, but this works in the general case. When setting your connection up, you might want to set klips (the [Kernel] level IP Security) and pluto (the IPSEC keying [Daemon]) logging to "all".
The connection is named __tunnelipsec__ and is of ''type'' ([ESP]) tunnel.
Your Linux machine is the ''left'' end of a network that will eventually look like this:
You need to specify the next hop in either direction (a silly thing perhaps, but you can specify %defaultroute etc again - it doesn't hurt to fill them in though.)
* ''esp'' sets the [ESP] parameters. __This must be the same encryption and hashing algorithm you specify in your isakmp lines in the PIX config below.__ (Else it plain won't work.)
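Review bot: the bold claim under ''esp'' names the wrong PIX lines. `esp=` sets the Phase 2 (IPsec SA) transforms, which have to match the `crypto ipsec transform-set` bound to the crypto map; the `isakmp policy` lines are Phase 1 and correspond to the FreeS/WAN `ike=` parameter. Both pairings should be stated explicitly (`ike=` must match `isakmp policy N encryption/hash/group`, `esp=` must match the transform-set), because a mismatch in either one produces the STATE_QUICK_I2 failure described in the troubleshooting section. Also, "a network that will eventually look like this:" is followed by nothing, so the diagram it introduces is missing from this revision.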
@@ -61,14 +69,16 @@
* ''auto'' specifies the behaivour when ipsec starts - in this case, it is 'start the connection' - you can set 'add' to add the connection to pluto but not start the tunnel.
Next you need an ipsec.secrets file:
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication. See ipsec_pluto(8) manpage, and HTML documentation.
# You might have an RSA key here depending on if you installed from a .deb
184.108.40.206 220.127.116.11: PSK "''secret''"
It contains the pre-shared secret, a password for the connection that is known at both ends. While it is possible to use RSA sigs between a Cisco and FreeS/WAN, general opinion suggests it doesn't always work, so we will opt for the less secure but more practical option.
!4. Configure firewalling
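Review bot: the ipsec.secrets section should say how the file must be protected and what the secret should look like. The file holds the PSK in clear, so it must be owned by root and mode 0600; and since with IKEv1 PSK that secret is the only thing authenticating the two peers, it should be a long random string (for example the base64 of 32 bytes from /dev/urandom), not a memorable password, because a guessable PSK can be brute-forced offline from a captured exchange. It is also worth stating that the two addresses on the PSK line are the public endpoints of the left and right gateways and must match what each side presents as its identity, otherwise pluto will not find the secret.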
@@ -82,8 +92,9 @@
Log into, enable and configuration mode.
You will need lines very similar to these:
! I name my access lists. This one also contains lines for not natting
! traffic destined to the internal network
access-list NO-NAT permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.0
! This access list permits traffic for the tunneled network 
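Review bot: the NO-NAT access-list is defined but nothing in the visible lines binds it, and on a PIX an access-list does nothing until it is referenced; the comment "lines for not natting traffic" therefore needs `nat (inside) 0 access-list NO-NAT` directly after the ACL (if that line sits in the part of the hunk not shown here, fine, otherwise add it). Minor: "Log into, enable and configuration mode." has lost its verbs, e.g. "Log in, then enter enable and configuration mode."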
@@ -111,16 +122,21 @@
isakmp policy 5 encryption 3des
isakmp policy 5 hash md5
isakmp policy 5 group 2
isakmp policy 5 lifetime 28800
!6. Start the tunnel
ipsec auto --up tunnelipsec
route add -net 10.7.3.0 netmask 255.255.255.0 dev ipsec0
!7. Ping & use
ping 10.7.3.10 -I 10.69.1.1 
There we go - one working FreeS/WAN to Cisco PIX. If you have any questions, contact details are on my Wiki page.
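Review bot: `isakmp policy 5 hash md5` selects the weaker of the two hashes the PIX offers; prefer `isakmp policy 5 hash sha` and change the matching ike/esp settings on the FreeS/WAN side to use SHA-1 as well. The page's own troubleshooting entry about 3DES/MD5 versus 3DES/SHA1 shows both ends support it, and the only cost is editing both configs together. Step 6 should also explain why the manual `route add ... dev ipsec0` is there, given that the conn is auto=start and the FreeS/WAN updown script normally installs the route for rightsubnet when the SA comes up; if it is a workaround for a case where that did not happen, say so.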
@@ -130,8 +146,9 @@
Turn logging on (klips/pluto to 'all'). On the PIX, set ''debug crypto isakmp'' and ''debug crypto ipsec''. tcpdump(8) ppp0 on your Linux box, or whatever the connection you are duplicating for your ipsec0 interface. Check that traffic is going both ways.
When you ''ipsec auto --up tunnelipsec'' you should see:
104 "tunnelipsec" #4: STATE_MAIN_I1: initiate
106 "tunnelipsec" #4: STATE_MAIN_I2: sent MI2, expecting MR2
003 "tunnelipsec" #4: ignoring Vendor ID payload
003 "tunnelipsec" #4: ignoring Vendor ID payload
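Review bot: the debugging advice should say the debug commands are temporary. `debug crypto isakmp` and `debug crypto ipsec` on the PIX, and klips/pluto logging set to 'all', produce a lot of output and should be switched back off once the tunnel is up (`no debug crypto isakmp`, `no debug crypto ipsec`, and klipsdebug/plutodebug back to none). It would also help to state that the repeated "ignoring Vendor ID payload" lines in the trace are harmless and not a sign of a problem.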
@@ -141,30 +158,37 @@
004 "tunnelipsec" #4: STATE_MAIN_I4: ISAKMP SA established
112 "tunnelipsec" #5: STATE_QUICK_I1: initiate
003 "tunnelipsec" #5: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
004 "tunnelipsec" #5: STATE_QUICK_I2: sent QI2, IPsec SA established
-; __I don't get to STATE_MAIN_I4__ : Make sure you have opened port 500 UDP and protcool 50/51.
-; __I don't get to STATE_QUICK_I2__ : Two likely possibilities:
+; __I don't get to STATE_MAIN_I4__ :Make sure you have opened port 500 UDP and protcool 50/51.
+; __I don't get to STATE_QUICK_I2__ :Two likely possibilities:
* You have set 3DES/MD5 at one end and 3DES/SHA1 at the other, or some similar misconfiguration.
* Your access lists are set up wrong on the PIX. For example,
access-list FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.0
will work, where
access-list FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 host 18.104.22.168
while it appears to do to the same thing, will cause problems at this point when the [ISAKMP] phase has finished, and the actual establishing of the tunnel begins.
(You might want to use --verbose in the ipsec auto line.)
-; __I configure my PIX and other IPSEC connections to it die!__ : You can only have one ''crypto map'' command running on an interface at any one time. The PIX 501 only has one interface. You can get around this by creating different priorities within the same crypto map. See [the fine manual|http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/c.htm].
+; __I configure my PIX and other IPSEC connections to it die!__ :You can only have one ''crypto map'' command running on an interface at any one time. The PIX 501 only has one interface. You can get around this by creating different priorities within the same crypto map. See [the fine manual|http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_61/cmd_ref/c.htm].
If after all of this you get pings going out but no responses, see .
Email on these issues are welcome. It took a long time to figure out and if you can get something as a result of this, I'd be happy. Thanks to everyone who has got in touch and said that they've managed to make their system work as a result of this guide.
- FreeBSD users, check out http://klub.chip.pl/nolewajk/work/freebsd/FreeBSD-howto.htm
- You do this by issuing ''crypto map mymap 10 set pfs group2'' (with the correct map name and priority)
- When you go to ping your tunnel from your Linux box, you will probably ping using the IP address of ipsec0. Your access-list only allowed traffic from 10.69.1/24. Use ping 10.7.3.x -I 10.69.1.x with the IP of your internal interface.
+ [ 1] FreeBSD users, check out http://klub.chip.pl/nolewajk/work/freebsd/FreeBSD-howto.htm
+ [ 2] You do this by issuing ''crypto map mymap 10 set pfs group2'' (with the correct map name and priority)
+ [ 3] When you go to ping your tunnel from your Linux box, you will probably ping using the IP address of ipsec0. Your access-list only allowed traffic from 10.69.1/24. Use ping 10.7.3.x -I 10.69.1.x with the IP of your internal interface.
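Review bot: the + lines only move the space from before to after the colon in the three definition-list entries and carry the "protcool" typo through unchanged; fix it in the same edit. On substance, "port 500 UDP and protocol 50/51" overstates what this configuration needs: the conn is ''type'' esp, so only UDP 500 plus IP protocol 50 (ESP) must be allowed, and protocol 51 (AH) is unused here. The renumbered footnotes [ 1] to [ 3] have no matching markers in the body, and "If after all of this you get pings going out but no responses, see ." has lost its target, which from the content appears to be [ 3], the only note that addresses that symptom.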