FreeS/WAN or OpenSwan and Cisco PIX VPN
Config guide for FreeS/WAN and OpenSwan to Cisco PIX VPN
I've noticed some search engine activity hitting my resume looking for FreeS/WAN to PIX information, since I happen to mention both on there. I am currently running such a VPN, and decided I should tell people how I did it. It's easy.
First, let me say that I don't know how to make the PIX work with DHCP peers by default; I've seen it mentioned, but I've never bothered to deal with it since my IP changes so rarely anyway. When my IP changes, I log in via the Nortel Contivity (with the Win32 client from my wife's machine) to add my new IP to the PIX. Aside from that unpleasantness, it works great, is stable, and provides bi-directional access to my whole home network, which is a plus.
For the sake of argument, and since I'm sanitizing here, I've decided to make The Internet 192.168.1.0/24, my home internal LAN is going to be 10.1.0.0/24 and the office is going to be 10.2.0.0/24, just cause I can.
Here's the FreeS/WAN side:
conn office
        # parameters belong indented under the conn line; ipsec.conf treats a
        # line starting in column 0 as the start of a new section
        left=192.168.1.1            # this is the home machine, "outside" interface
        leftsubnet=10.1.0.0/24
        leftnexthop=192.168.1.2     # this is the outside interface default gateway.
                                    # Do a "route" and look for where traffic for
                                    # "0.0.0.0" goes and use that; alternatively,
                                    # do a traceroute to anywhere and use the first hop.
        right=192.168.1.253         # Outside (internet facing) interface of my target PIX
        rightsubnet=10.2.0.0/24
        rightnexthop=192.168.1.254  # again, the default gateway of the PIX
        rightid=@pixname.domainname # (for instance PIX515.bob.com). This threw me for
                                    # a minute. But yeah, it's whatever the name of the
                                    # PIX is and whatever you define as the domain on the
                                    # PIX
        authby=secret
        auth=esp
        keyexchange=ike
        pfs=yes
        auto=start
Now the ipsec.secrets
192.168.1.1 @pixname.domainname : PSK "passwordhere"   # again, "@pixname.domainname" is defined in your PIX config; it's whatever you tell it.
Now the PIX side; the same rules apply. Note that it's very important to have the access-list in FIRST. When you add the crypto map, the first line is "match address aclname"; if it does not find an ACL of that name, you might end up having to drive to wherever your PIX is and physically turn it off and back on. Not that I speak from experience or anything.
access-list ChrisHome permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto ipsec transform-set FreeSwan esp-3des esp-md5-hmac
crypto map Company-VPN 50 match address ChrisHome
crypto map Company-VPN 50 set pfs group2
crypto map Company-VPN 50 set peer 192.168.1.1
crypto map Company-VPN 50 set transform-set FreeSwan
isakmp enable outside
isakmp key passwordhere address 192.168.1.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28000
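As an added example (not from the original post, and not part of FreeS/WAN, Openswan or the PIX software), here is a small Python cross-check that parses both sides as written above and reports where they disagree before anything is committed to the PIX: it catches the missing-ACL case the paragraph warns about, a subnet pair the ACL does not cover, a peer or pre-shared key that differs between ipsec.secrets and "isakmp key", and a pfs mismatch, and it flags the 3DES/MD5 choices as legacy algorithms. The two configs are embedded as constructed strings using the page's sanitized values; the function names and the ERROR/NOTE labels are my own.

```python
import ipaddress
import re

# The page's sanitized configs, embedded here as constructed input.
IPSEC_CONF = """\
conn office
    left=192.168.1.1
    leftsubnet=10.1.0.0/24
    leftnexthop=192.168.1.2
    right=192.168.1.253
    rightsubnet=10.2.0.0/24
    rightnexthop=192.168.1.254
    rightid=@pixname.domainname
    authby=secret
    auth=esp
    keyexchange=ike
    pfs=yes
    auto=start
"""
IPSEC_SECRETS = '192.168.1.1 @pixname.domainname : PSK "passwordhere"\n'
PIX_CONF = """\
access-list ChrisHome permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto ipsec transform-set FreeSwan esp-3des esp-md5-hmac
crypto map Company-VPN 50 match address ChrisHome
crypto map Company-VPN 50 set pfs group2
crypto map Company-VPN 50 set peer 192.168.1.1
crypto map Company-VPN 50 set transform-set FreeSwan
isakmp enable outside
isakmp key passwordhere address 192.168.1.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28000
"""
# Fine when the page was written, no longer considered strong; reported as notes, not errors.
LEGACY_ALGOS = {"3des", "md5", "esp-3des", "esp-md5-hmac"}

def parse_conn(text, name):
    """key=value settings of one 'conn <name>' section of ipsec.conf (comments stripped)."""
    conn, active = {}, False
    for line in (ln.split("#", 1)[0].strip() for ln in text.splitlines()):
        if line.startswith("conn "):
            active = line.split()[1] == name
        elif active and "=" in line:
            key, value = line.split("=", 1)
            conn[key.strip()] = value.strip()
    return conn

def parse_secrets(text):
    """Map the selector tuple of each '<ids> : PSK "x"' line of ipsec.secrets to its secret."""
    pairs = re.findall(r'^(.*?)\s*:\s*PSK\s+"([^"]*)"', text, re.M)
    return {tuple(ids.split()): psk for ids, psk in pairs}

def parse_pix(text):
    """Collect ACLs, transform-sets, crypto-map entries and isakmp settings from PIX lines."""
    pix = {"acl": {}, "transform": {}, "map": {}, "keys": {}, "policy": {}}
    for t in (ln.split() for ln in text.splitlines()):
        if t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            nets = (ipaddress.ip_network(f"{t[4]}/{t[5]}"), ipaddress.ip_network(f"{t[6]}/{t[7]}"))
            pix["acl"].setdefault(t[1], []).append(nets)  # (source, destination)
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            pix["transform"][t[3]] = t[4:]
        elif t[:2] == ["crypto", "map"]:
            entry = pix["map"].setdefault((t[2], t[3]), {})
            entry["acl" if t[4] == "match" else t[5]] = t[6]  # acl / peer / pfs / transform-set
        elif t[:2] == ["isakmp", "key"]:
            pix["keys"][t[4]] = t[2]  # peer address -> pre-shared key
        elif t[:2] == ["isakmp", "policy"]:
            pix["policy"][t[3]] = " ".join(t[4:])
    return pix

def cross_check(conn, secrets, pix, map_name):
    """Findings as 'ERROR: ...' / 'NOTE: ...'; no ERROR lines means the two ends agree."""
    out = []
    entry = next((e for (name, _seq), e in pix["map"].items() if name == map_name), {})
    acl = entry.get("acl")
    if acl not in pix["acl"]:  # the case the page warns about: crypto map added before its ACL
        return [f"ERROR: crypto map {map_name} matches ACL '{acl}', which is not defined"]
    left, right = ipaddress.ip_network(conn["leftsubnet"]), ipaddress.ip_network(conn["rightsubnet"])
    if (right, left) not in pix["acl"][acl]:  # seen from the PIX, traffic is rightsubnet -> leftsubnet
        out.append(f"ERROR: ACL {acl} does not permit {right} -> {left}")
    if entry.get("peer") != conn["left"]:
        out.append(f"ERROR: PIX peer {entry.get('peer')} is not FreeS/WAN's left={conn['left']}")
    if conn.get("pfs", "yes") == "yes" and "pfs" not in entry:  # FreeS/WAN defaults pfs to yes
        out.append("ERROR: pfs=yes on the FreeS/WAN side but the crypto map sets no pfs group")
    fs_psk = secrets.get((conn["left"], conn["rightid"]))
    if fs_psk is None:
        out.append(f"ERROR: ipsec.secrets has no PSK for '{conn['left']} {conn['rightid']}'")
    elif fs_psk != pix["keys"].get(conn["left"]):
        out.append("ERROR: ipsec.secrets PSK differs from the PIX 'isakmp key' for this peer")
    algos = set(pix["transform"].get(entry.get("transform-set"), []))
    algos |= {pix["policy"].get("encryption"), pix["policy"].get("hash")}
    out += [f"NOTE: {a} is a legacy algorithm; prefer AES and SHA-2 where both ends support them"
            for a in sorted(algos & LEGACY_ALGOS)]
    return out

def check_page_example():
    """Run the cross-check over the configs embedded above."""
    return cross_check(parse_conn(IPSEC_CONF, "office"), parse_secrets(IPSEC_SECRETS),
                       parse_pix(PIX_CONF), "Company-VPN")
```

Calling check_page_example() on the configs as given returns no ERROR lines and four NOTE lines (for 3des, esp-3des, esp-md5-hmac and md5); delete the access-list line from PIX_CONF and the only finding becomes the undefined-ACL error, which is exactly the state you want to detect on paper rather than on a PIX that has just stopped answering.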