Last modified: March 19, 2007, at 10:37 PM

This content shamelessly lifted from the Waikato Linux Users Group page FreeSwanToCiscoPix. The most recent version can be found on WLUG's wiki; along with a new page for *Swan to a Cisco 837 ADSL router.

Please note that this page was written for Freeswan; I believe that Openswan is a straight fork/continuation and so the configurations should all work, but I have never tested it.

Seeing as the person who swiped it seems to be the OpenSwan author, I think I can let it slide. Especially if he pops by the WLUG wiki and tells me if I can get the Cisco VPN client interoperating with a Swan headend :) -- CraigBox


Configuring an IPsec VPN between Openswan and a CiscoPIX

There are plenty of pages on the web that tell you how to create an IPsec VPN between Linux and a Cisco PIX 501 (an entry-level firewalling product); however, none of them tell you enough, or why half the settings are as they are. ~[1]

The best example I've found so far is http://www.johnleach.co.uk/documents/freeswan-pix/freeswan-pix.html (very recent page - good work Google!). However, it only specifies configs, which in my case, weren't enough to get everything working. Go read John's page, and then here are some interesting notes in the form of a HOWTO.

1. Compile a kernel with IPsec support

This is nicely covered on the WLUG IPSec Installation page. A Debian summary:

 apt-get install kernel-patch-freeswan
 cd /usr/src/linux
 export PATCH_THE_KERNEL=yes
 make-kpkg --revision=ipsec.1.0 kernel_image

2. Get Openswan

 apt-get install openswan

3. Configure Openswan

Here is my Openswan configuration and explanation.

 # /etc/ipsec.conf - Openswan IPsec configuration file

 config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none

 conn tunnelipsec
        type=           tunnel
        authby=         secret
        left=           202.0.45.170
        leftnexthop=    202.0.45.190
        leftsubnet=     10.69.1.0/24
        right=          203.97.9.162
        rightnexthop=   203.97.9.161
        rightsubnet=    10.7.3.0/24
        esp=            3des-md5-96
        keyexchange=    ike
        pfs=            no
        auto=           start

The interfaces line tells ipsec to use the same IP address as the interface that the default route is on: this is similar to the "ipsec0=eth0" that some configurations recommend, but it works in the general case. When setting your connection up, you might want to set klips (KLIPS, the kernel-level IPsec stack) and pluto (the IPsec keying daemon) logging to "all".

The connection is named tunnelipsec and is of type tunnel (ESP).

Your Linux machine is the left end of a network that will eventually look like this:

 10.69.1.0/24===202.0.45.170---202.0.45.190...203.97.9.161---203.97.9.162===10.7.3.0/24

You need to specify the next hop in each direction (this may seem redundant, and you can use %defaultroute here too, but it doesn't hurt to fill them in).

Next you need an ipsec.secrets file:

 # This file holds shared secrets or RSA private keys for inter-Pluto
 # authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

 # You might have an RSA key here depending on if you installed from a .deb

 202.0.45.170 203.97.9.162: PSK "secret"

It contains the pre-shared secret, a password for the connection that is known at both ends. While it is possible to use RSA signatures between a Cisco and Openswan, general opinion suggests it doesn't always work, so we will opt for the less secure but more practical option.

4. Configure firewalling

On your external interface, allow UDP port 500 (the ISAKMP port) and IP protocol 50 (IPsec ESP).

When you succeed, you are going to have incoming packets reinjected onto the ipsec0 interface, so remember to set up firewalling on this interface too!

5. Configuring the Cisco PIX 501

Log in, then enter enable mode and configuration mode.

You will need lines very similar to these:

 ! I name my access lists.  This one also contains lines for not natting
 ! traffic destined to the internal network
 access-list NO-NAT permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.0
 ! This access list permits traffic for the tunneled network ~[3]
 access-list FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.0
 ! don't nat traffic on the NO-NAT access list
 nat (inside) 0 access-list NO-NAT
 ! Permit IPSEC connections
 sysopt connection permit-ipsec
 ! Create a transformation set called 'myset'
 crypto ipsec transform-set myset esp-3des esp-md5-hmac
 ! Create a crypto map called 'mymap', to match the access list FREESWAN-VPN.
 ! Peer it with the public IP of the Linux machine, and pick its IPSEC option
 ! set 'myset'
 crypto map mymap 10 ipsec-isakmp
 crypto map mymap 10 match address FREESWAN-VPN
 crypto map mymap 10 set peer 202.0.45.170
 crypto map mymap 10 set transform-set myset
 crypto map mymap interface outside
 ! Enable the keying protocol (ISAKMP) with no extended auth and the Cisco not
 ! pushing config down (which it should only do to its own VPN client)
 isakmp enable outside
 isakmp key secret address 202.0.45.170 netmask 255.255.255.255 no-xauth no-config-mode
 isakmp identity address
 isakmp policy 5 authentication pre-share
 isakmp policy 5 encryption 3des
 isakmp policy 5 hash md5
 isakmp policy 5 group 2
 isakmp policy 5 lifetime 28800
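The two ends above have to agree on peer address, subnets, ESP transforms, PFS and authentication, and a mismatch in any of them is the usual reason a tunnel never comes up. Here is an added Python check (not part of the original page, Openswan or the PIX) that parses the conn block and the PIX lines shown on this page and reports any mismatch; the ESP_MAP table translating Openswan esp= tokens to PIX transform names is an assumption.

```python
"""Cross-check an Openswan conn block against the matching Cisco PIX lines."""
import ipaddress
import re

# Constructed sample input: the conn and PIX lines from this page, trimmed.
IPSEC_CONF = """conn tunnelipsec
        authby=         secret
        left=           202.0.45.170
        leftsubnet=     10.69.1.0/24
        right=          203.97.9.162
        rightsubnet=    10.7.3.0/24
        esp=            3des-md5-96
        pfs=            no"""
PIX_CONF = """access-list FREESWAN-VPN permit ip 10.7.3.0 255.255.255.0 10.69.1.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 10 match address FREESWAN-VPN
crypto map mymap 10 set peer 202.0.45.170
crypto map mymap 10 set transform-set myset
isakmp policy 5 authentication pre-share"""

ESP_MAP = {"3des": "esp-3des", "aes": "esp-aes", "md5": "esp-md5-hmac", "sha1": "esp-sha-hmac"}  # assumed mapping

def parse_conn(text):
    """Return {key: value} for the conn block, ignoring the padding after '='."""
    return dict(re.findall(r"^\s*(\w+)=\s*(\S+)", text, re.M))

def check_pix_against_conn(conn_text, pix_text):
    """Return a list of mismatch descriptions; an empty list means the ends agree."""
    conn, problems = parse_conn(conn_text), []
    if f"set peer {conn['left']}" not in pix_text:
        problems.append("crypto map peer is not " + conn["left"])
    # esp=3des-md5-96 must appear as esp-3des + esp-md5-hmac in the transform set.
    cipher, integ = conn["esp"].split("-")[:2]
    ts = re.search(r"^crypto ipsec transform-set \S+ (.+)$", pix_text, re.M)
    transforms = ts.group(1).split() if ts else []
    for want in (ESP_MAP[cipher], ESP_MAP[integ]):
        if want not in transforms:
            problems.append(f"transform-set lacks {want}")
    # The PIX access-list is local-first (rightsubnet then leftsubnet), as 'network mask'.
    nets = [ipaddress.ip_network(conn[k]) for k in ("rightsubnet", "leftsubnet")]
    acl = " ".join(f"{n.network_address} {n.netmask}" for n in nets)
    if f"permit ip {acl}" not in pix_text:
        problems.append("access-list does not cover rightsubnet -> leftsubnet")
    # pfs=no on Openswan means the crypto map must not 'set pfs' (and vice versa).
    pix_pfs = bool(re.search(r"^crypto map .* set pfs", pix_text, re.M))
    if (conn.get("pfs", "yes") == "yes") != pix_pfs:
        problems.append("pfs setting differs between the two ends")
    if conn["authby"] == "secret" and "authentication pre-share" not in pix_text:
        problems.append("isakmp policy does not use a pre-shared key")
    return problems
```

Paste your own conn block and the relevant lines from `show running-config` into the two strings to check a real pair.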

6. Start the tunnel

 ipsec auto --up tunnelipsec
 route add -net 10.7.3.0 netmask 255.255.255.0 dev ipsec0

7. Ping & use

 ping 10.7.3.10 -I 10.69.1.1 ~[3]

There we go - one working FreeS/WAN to Cisco PIX. If you have any questions, contact details are on my Wiki page.

8. Debugging

The ipsec0 interface should have the same IP address as the interface through which you contact your default gateway (possibly ppp0). This is how it's meant to be.

Turn logging on (klips/pluto to 'all'). On the PIX, set debug crypto isakmp and debug crypto ipsec. Run tcpdump(8) on ppp0 on your Linux box, or on whichever interface your ipsec0 interface is duplicating. Check that traffic is going both ways.

When you run ipsec auto --up tunnelipsec you should see:

 104 "tunnelipsec" #4: STATE_MAIN_I1: initiate
 106 "tunnelipsec" #4: STATE_MAIN_I2: sent MI2, expecting MR2
 003 "tunnelipsec" #4: ignoring Vendor ID payload
 003 "tunnelipsec" #4: ignoring Vendor ID payload
 003 "tunnelipsec" #4: ignoring Vendor ID payload
 003 "tunnelipsec" #4: ignoring Vendor ID payload
 108 "tunnelipsec" #4: STATE_MAIN_I3: sent MI3, expecting MR3
 004 "tunnelipsec" #4: STATE_MAIN_I4: ISAKMP SA established
 112 "tunnelipsec" #5: STATE_QUICK_I1: initiate
 003 "tunnelipsec" #5: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
 004 "tunnelipsec" #5: STATE_QUICK_I2: sent QI2, IPsec SA established

I don't get to STATE_MAIN_I4:

I don't get to STATE_QUICK_I2 - Two likely possibilities:

(You might want to use --verbose in the ipsec auto line.)

I configure my PIX and other IPSEC connections to it die!:

If after all of this you get pings going out but no responses, see ~[3].
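The two symptoms above come down to which pluto state the negotiation reached: STATE_MAIN_I4 means the ISAKMP SA (phase 1) is up, STATE_QUICK_I2 means the IPsec SA (phase 2) is up. Here is an added Python script (not part of the original page or of Openswan) that parses the ipsec auto --up output shown above, skips the harmless Vendor ID and lifetime notices, and reports which phase stalled and which settings to compare.

```python
"""Read the output of 'ipsec auto --up' and report how far the negotiation got."""
import re

# Constructed sample input: the successful run shown on this page.
GOOD_RUN = """\
104 "tunnelipsec" #4: STATE_MAIN_I1: initiate
106 "tunnelipsec" #4: STATE_MAIN_I2: sent MI2, expecting MR2
003 "tunnelipsec" #4: ignoring Vendor ID payload
108 "tunnelipsec" #4: STATE_MAIN_I3: sent MI3, expecting MR3
004 "tunnelipsec" #4: STATE_MAIN_I4: ISAKMP SA established
112 "tunnelipsec" #5: STATE_QUICK_I1: initiate
003 "tunnelipsec" #5: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
004 "tunnelipsec" #5: STATE_QUICK_I2: sent QI2, IPsec SA established
"""

# Initiator states in the order pluto goes through them: Main Mode, then Quick Mode.
ORDER = ["STATE_MAIN_I1", "STATE_MAIN_I2", "STATE_MAIN_I3", "STATE_MAIN_I4",
         "STATE_QUICK_I1", "STATE_QUICK_I2"]
LINE_RE = re.compile(r'^(\d{3}) "([^"]+)" #(\d+): (.*)$')

def parse_pluto(text):
    """Yield (code, conn_name, sa_number, message) for each well-formed pluto line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3)), m.group(4)

def diagnose(text):
    """Return (furthest_state, verdict); vendor-ID and lifetime notices are ignored."""
    reached = -1
    for _, _, _, msg in parse_pluto(text):
        state = msg.split(":", 1)[0]
        if state in ORDER:
            reached = max(reached, ORDER.index(state))
    if reached < 0:
        return None, "no pluto state lines found: is pluto running and the conn loaded?"
    furthest = ORDER[reached]
    if reached < ORDER.index("STATE_MAIN_I4"):
        # Phase 1 never completed: PSK, peer address or isakmp policy mismatch.
        return furthest, "phase 1 failed: compare ipsec.secrets and conn with isakmp key/policy"
    if reached < ORDER.index("STATE_QUICK_I2"):
        # Phase 2 never completed: esp=/transform-set, pfs or subnet/access-list mismatch.
        return furthest, "phase 2 failed: compare esp=, pfs= and subnets with the crypto map"
    return furthest, "IPsec SA established"
```

Feed it `ipsec auto --up tunnelipsec 2>&1` captured to a file; with --verbose there will be extra lines, which the parser simply ignores.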

Email on these issues is welcome. It took a long time to figure out and if you can get something as a result of this, I'd be happy. Thanks to everyone who has got in touch and said that they've managed to make their system work as a result of this guide.

-- CraigBox


  1. FreeBSD users, check out http://klub.chip.pl/nolewajk/work/freebsd/FreeBSD-howto.htm
  2. You do this by issuing crypto map mymap 10 set pfs group2 (with the correct map name and priority)
  3. When you go to ping your tunnel from your Linux box, you will probably ping using the IP address of ipsec0. Your access-list only allowed traffic from 10.69.1/24. Use ping 10.7.3.x -I 10.69.1.x with the IP of your internal interface.