HowToForums.net - An Open Source of Knowledge
HowTo Linux VPN OpenSwan site-to-site with Cisco PIX

jacob (Site Admin)
Joined: 16 Mar 2006
Posts: 73
Location: USA

Posted: Sat Oct 28, 2006 7:46 am    Post subject: HowTo Linux VPN OpenSwan site-to-site with Cisco PIX

This HowTo is to help you set up a Site To Site VPN between Linux OpenSwan VPN and Cisco PIX FireWall...


Scenario:
Code:

Left Network [Linux OpenSwan]   Site-to-Site VPN   Right Network [Cisco PIX 515]
Public VPN IP: 70.18.18.28      <-->      Public VPN IP: 60.50.7.194
Internal Network: 192.168.1.0/24   <-->      Internal Network: 172.16.10.0/24
OpenSwan Internal IP: 192.168.1.251   <-->      Cisco IP: 60.50.7.194

         <--VPN Authentication via PreShared Keys-->



CISCO PIX 515 Configuration
Ver 7.05

Code:

access-list outside_cryptomap_120 extended permit ip 192.168.1.0 255.255.255.0 60.50.0.0 255.255.0.0
access-list outside_cryptomap_120 extended permit ip 60.50.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_120 extended permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list outside_cryptomap_120 extended permit ip 172.16.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 172.16.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl extended permit ip 192.168.1.0 255.255.255.0 60.50.0.0 255.255.0.0
access-list inside_outbound_nat0_acl extended permit ip 60.50.0.0 255.255.0.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (dmzweb) 0 access-list inside_outbound_nat0_acl

no sysopt connection permit-ipsec

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 120 match address outside_cryptomap_120
crypto map outside_map 120 set peer 70.18.18.28
crypto map outside_map 120 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside

isakmp identity address
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400

tunnel-group DefaultRAGroup general-attributes
 authentication-server-group (outside) none
tunnel-group 70.18.18.28 type ipsec-l2l
tunnel-group 70.18.18.28 ipsec-attributes
 pre-shared-key *





Here's the configuration on an older version, 6.3(5):

Code:

access-list outside_cryptomap_120 permit ip 192.168.1.0 255.255.255.0 60.50.0.0 255.255.0.0
access-list outside_cryptomap_120 permit ip 60.50.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_120 permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list outside_cryptomap_120 permit ip 172.16.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 172.16.10.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list inside_outbound_nat0_acl permit ip 192.168.1.0 255.255.255.0 60.50.0.0 255.255.0.0
access-list inside_outbound_nat0_acl permit ip 60.50.0.0 255.255.0.0 192.168.1.0 255.255.255.0

nat (inside) 0 access-list inside_outbound_nat0_acl
nat (dmzweb) 0 access-list inside_outbound_nat0_acl

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 120 ipsec-isakmp
crypto map outside_map 120 match address outside_cryptomap_120
crypto map outside_map 120 set peer 70.18.18.28
crypto map outside_map 120 set transform-set ESP-3DES-MD5
crypto map outside_map interface outside


isakmp enable outside
isakmp key ******** address 70.18.18.28 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
 




The Linux OpenSwan Box (Ubuntu 6.06 Dapper Server)

root@vpngw:~# cat /etc/ipsec.conf
Code:

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.2 2005/11/14 20:10:27 paul Exp $
# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5
version 2.0     # conforms to second version of ipsec.conf specification

#http://www.wlug.org.nz/FreeSwanToCiscoPix
#http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch35_:_Configuring_Linux_VPNs#Introduction


conn tunnelipsec
        type=           tunnel
        authby=         secret
        #RRT
        left=           192.168.1.251
        leftsubnet=     192.168.1.0/24
        leftnexthop=    %defaultroute
        #SAA
        right=          60.50.7.194
        rightsubnet=    172.16.10.0/24
        rightnexthop=   %defaultroute
        esp=            3des-md5
        keyexchange=    ike
        pfs=            no
        auto=           start

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf



root@vpngw:~# uname -a
Code:

Linux vpngw 2.6.15-27-server #1 SMP Sat Sep 16 02:57:21 UTC 2006 i686 GNU/Linux


root@vpngw:~# route
Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
172.16.10.0     192.168.1.1     255.255.255.0   UG    0      0        0 eth0
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth0



root@vpngw:~# cat /etc/ipsec.secrets
Code:

#For Pre-Shared Keys Use this Format:
#  vpn1-ip-address vpn2-ip-address : PSK "key in quotations"
192.168.1.251 60.50.7.194 : PSK "xxxxxxxxx"



Also this must be done....
root@vpngw:~# cat HowTo_NAT.txt
Code:

IP forwarding
Each Linux VPN device needs to have routing or IP forwarding enabled. To enable it, simply add an ip_forward entry to the /etc/sysctl.conf file.

#
# File: /etc/sysctl.conf
#
#---------------------------------------------------------------
# Enable routing (IP forwarding)
#---------------------------------------------------------------

net/ipv4/ip_forward = 1



Now use the sysctl -p command to activate the settings.

Code:

[root@vpngw tmp]# sysctl -p
...
...
net.ipv4.ip_forward = 1





for search engines
IPSec VPN between Linux and a Cisco PIX
Linux IPSec VPN Site2Site
Configuring Linux VPNs
Configuring an IPSec VPN between OpenSwan and a CiscoPix
Configuring an IPSec VPN between FreeSwan and a CiscoPix
HowTo OpenSwan
HowTo Linux Site to Site VPN
Linux Unix VPN
Cisco to Linux VPN
HowTo OpenSwan Ubuntu
HowTo OpenSwan Debian


Big Thanks to my distant Cisco Guru friend, Shawn de Souza


Have Fun!!!

"Eternity is not Measured in Time"
--Jacob
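An added consistency check (example code, not part of the original post or of the OpenSwan/PIX projects): it parses the PIX crypto-map ACL and transform-set shown above and compares them against the Openswan conn, reporting subnet pairs the PIX will propose that the Linux side has no conn for, and any ESP transform mismatch. The config text and the conn dictionary are constructed from the page; the ACL and transform-set names are the ones the post uses.

```python
"""Cross-check the Openswan conn against the PIX crypto map from this HowTo."""
import ipaddress
import re

# Constructed from the page's "conn tunnelipsec" (Openswan side).
OPENSWAN_CONN = {"leftsubnet": "192.168.1.0/24", "rightsubnet": "172.16.10.0/24",
                 "esp": "3des-md5"}

# Constructed from the page's PIX 7.05 configuration (relevant lines only).
PIX_CONFIG = """\
access-list outside_cryptomap_120 extended permit ip 192.168.1.0 255.255.255.0 60.50.0.0 255.255.0.0
access-list outside_cryptomap_120 extended permit ip 60.50.0.0 255.255.0.0 192.168.1.0 255.255.255.0
access-list outside_cryptomap_120 extended permit ip 192.168.1.0 255.255.255.0 172.16.10.0 255.255.255.0
access-list outside_cryptomap_120 extended permit ip 172.16.10.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 120 match address outside_cryptomap_120
crypto map outside_map 120 set transform-set ESP-3DES-MD5
"""

ACL_RE = re.compile(r"access-list (\S+) (?:extended )?permit ip (\S+) (\S+) (\S+) (\S+)")


def parse_crypto_acl(config, acl_name):
    """Return the (source, destination) subnet pairs the PIX proposes for the ACL."""
    pairs = []
    for m in ACL_RE.finditer(config):
        if m.group(1) == acl_name:
            src = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            dst = ipaddress.ip_network(f"{m.group(4)}/{m.group(5)}")
            pairs.append((src, dst))
    return pairs


def pix_esp_string(config, ts_name):
    """Translate 'esp-3des esp-md5-hmac' into Openswan's esp= form ('3des-md5')."""
    m = re.search(rf"crypto ipsec transform-set {ts_name} (\S+) (\S+)", config)
    enc, auth = m.group(1).split("-"), m.group(2).split("-")
    return f"{enc[1]}-{auth[1]}"


def check_interop(conn, config):
    """Return findings; an empty list means both sides describe the same tunnel."""
    findings = []
    left = ipaddress.ip_network(conn["leftsubnet"])
    right = ipaddress.ip_network(conn["rightsubnet"])
    pairs = parse_crypto_acl(config, "outside_cryptomap_120")
    # The PIX is Openswan's "right", so its ACL must carry right -> left.
    if (right, left) not in pairs:
        findings.append(f"PIX crypto ACL lacks {right} -> {left}")
    # Any other pair has no conn on the Linux side and will fail Phase 2.
    for src, dst in pairs:
        if {src, dst} != {left, right}:
            findings.append(f"PIX proposes {src} <-> {dst} with no matching conn")
    if pix_esp_string(config, "ESP-3DES-MD5") != conn["esp"]:
        findings.append("ESP transform mismatch between transform-set and esp=")
    return findings
```

Run against the page's own configs it flags only the two 60.50.0.0/16 ACL entries, which the Openswan conn does not cover.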