OpenBSD Journal
0 to IPSEC in 4 minutes (To a Cisco!)
Contributed by merdely on Thu Jul 17 02:07:47 2008 (GMT)
from the vroooooom dept.

Mattias Lindgren shares his experience setting up a VPN connection with a Cisco device:

A friend of mine and I wanted to see how easy it would be to set up a reasonably secure IPSec tunnel between OpenBSD and a Cisco router. Inspired by the SecurityFocus article "Zero to IPSec in 4 minutes", we wanted to see if we could repeat the same feat.

Mattias continues below.

Edit (2008/07/16): Cisco configuration fixed as pointed out in the comments. (merdely)

This evening's contestants are a Soekris net4801 running OpenBSD 4.3 and a Cisco 2621 router running IOS 12.4. OpenBSD already has a great framework for working with IPsec, ipsecctl(8), which reads ipsec.conf(5) and hands the IKE rules to isakmpd(8); we used it to keep the configuration short. The networks are denoted as follows:

  • OpenBSD private subnet: a.a.a.a/24
  • Cisco private subnet: b.b.b.b/24
  • OpenBSD public address: A.A.A.A
  • Cisco public address: B.B.B.B

I started out by editing /etc/ipsec.conf on the OpenBSD box and entered the following:

ike esp from a.a.a.a/24 to b.b.b.b/24 \
     peer B.B.B.B \
     main auth hmac-sha1 enc aes-128 group modp1536 \
     quick auth hmac-sha1 enc aes-128 \
     srcid A.A.A.A psk "mekmitasdigoat"

This says: ESP between the two subnets, IKE with the Cisco at B.B.B.B, AES-128 for encryption and HMAC-SHA1 for authentication in both phase 1 (main) and phase 2 (quick), and a pre-shared key with our public address as the identity. The main keyword also selects main mode for phase 1 (aggressive would select aggressive mode), which is what IOS uses for a pre-shared key tied to an address. Group modp1536 corresponds to Cisco's group 5, which is needed on the Cisco when using AES. The key shown is only an example; use a long random string, and keep the file readable by root only, since it holds the PSK.

The next step is to allow the appropriate traffic through the PF firewall. The following lines were added to pf.conf. Note that in OpenBSD 4.3 the "set" options must appear in the options section, before any filter rules, so "set skip on enc0" belongs near the top of the file rather than after the pass rules:

set skip on enc0

pass in on $ext_if inet proto udp from B.B.B.B to A.A.A.A port 500
pass in on $ext_if inet proto esp from B.B.B.B to A.A.A.A

"set skip on enc0" leaves the decrypted traffic that appears on enc0 unfiltered; if you want to control what the Cisco's subnet can reach, drop the skip and write pass rules on enc0 instead. If either end ever sits behind NAT, UDP port 4500 (NAT-T) has to be passed as well.

All that remains on OpenBSD is to start up the VPN subsystems. isakmpd is started with -K so that it does not require a KeyNote policy file; the policy comes from ipsec.conf, which ipsecctl loads and hands to isakmpd:

isakmpd -K
ipsecctl -f /etc/ipsec.conf

"ipsecctl -s all" then shows the negotiated flows and SAs. To have both started at boot, set isakmpd_flags="-K" and ipsec=YES in /etc/rc.conf.local.

Now, moving over to the Cisco side. The relevant configuration sections look something like this. Policy 10 is the phase 1 counterpart of the OpenBSD main section: encr aes is 128-bit AES, the default hash sha pairs with hmac-sha1, and group 5 is modp1536. The transform set mirrors the quick section, and the crypto ACL is the OpenBSD flow written from the Cisco's point of view (its own subnet first), with the 0.0.0.255 wildcard masks for the two /24s that an IOS extended ACL requires. The interface also needs the netmask of its uplink after B.B.B.B:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key mekmitasdigoat address A.A.A.A
crypto isakmp keepalive 30 5
crypto ipsec transform-set aes-set esp-aes esp-sha-hmac
crypto map VPN 15 ipsec-isakmp
 set peer A.A.A.A
 set transform-set aes-set
 match address VPN-to-OpenBSD
interface FastEthernet0/0
 crypto map VPN
 ip address B.B.B.B <netmask>
 ip access-group INET in
ip access-list extended INET
 permit esp any any
 permit udp any any eq isakmp
ip access-list extended VPN-to-OpenBSD
 permit ip b.b.b.b 0.0.0.255 a.a.a.a 0.0.0.255

The INET list as written accepts ESP and ISAKMP from anywhere. If the OpenBSD box is the only peer, "permit esp host A.A.A.A host B.B.B.B" and "permit udp host A.A.A.A host B.B.B.B eq isakmp" keep the router's IKE listener reachable only from it.

That was all there was to it. The VPN came up on the first try. Time spent: 4 minutes 1 second, d'oh!
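As an added example (not code from the article, nor from OpenBSD or Cisco), the following Python script encodes the name mappings the article relies on (modp1536 for group 5, aes-128 for encr aes and esp-aes, hmac-sha1 for IOS's default hash sha and for esp-sha-hmac) and uses them to cross-check an ipsec.conf ike rule against the IOS crypto sections before anyone types "isakmpd -K". The two configurations inside it are constructed sample input with RFC 5737 documentation addresses in place of the article's placeholders; the function names and the field names it uses for the parsed values are its own. The crypto ACL is compared as the mirror of the OpenBSD flow, and any ACL the crypto map does not reference (such as the article's INET list) is ignored.

```python
"""Cross-check an OpenBSD ipsec.conf 'ike' rule against a Cisco IOS crypto config. Added
example, not code from the article; both configs are constructed input (RFC 5737 addresses)."""
import shlex
OPENBSD_CONF = '''
ike esp from 192.0.2.0/24 to 198.51.100.0/24 \\
     peer 203.0.113.2 \\
     main auth hmac-sha1 enc aes-128 group modp1536 \\
     quick auth hmac-sha1 enc aes-128 \\
     srcid 203.0.113.1 psk "mekmitasdigoat"
'''
CISCO_CONF = '''
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key mekmitasdigoat address 203.0.113.1
crypto ipsec transform-set aes-set esp-aes esp-sha-hmac
crypto map VPN 15 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set aes-set
 match address VPN-to-OpenBSD
interface FastEthernet0/0
 crypto map VPN
 ip address 203.0.113.2 255.255.255.0
ip access-list extended VPN-to-OpenBSD
 permit ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255
'''
# Name mappings between the two dialects; IKEv1 DH group numbers per RFC 2409 / RFC 3526.
ISAKMP_NAMES = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048",
                "sha": "hmac-sha1", "md5": "hmac-md5"}
PHASE1 = {"encr": "main_enc", "hash": "main_auth", "group": "main_group"}
CISCO_ESP_AUTH = {"esp-sha-hmac": "hmac-sha1", "esp-md5-hmac": "hmac-md5"}

def parse_openbsd_ike(text):
    """Keyword/value pairs of the first 'ike' rule; auth/enc/group get a phase prefix."""
    rule = next(l for l in text.replace("\\\n", " ").splitlines() if l.strip().startswith("ike "))
    tok = shlex.split(rule)                      # also strips the quotes around the psk
    r, phase, i = {"proto": tok[1]}, "main", 2
    while i < len(tok):
        if tok[i] in ("main", "quick"):          # phase-1 / phase-2 transform keywords
            phase, i = tok[i], i + 1
            continue
        key = f"{phase}_{tok[i]}" if tok[i] in ("auth", "enc", "group") else tok[i]
        r[key], i = tok[i + 1], i + 2
    return r

def cisco_cipher(words):                         # 'aes' / 'esp-aes' = 128 bit, 'aes 256' = aes-256
    if words[0].endswith("aes"):
        return f"aes-{words[1] if len(words) > 1 else '128'}"
    return words[0]                              # e.g. 3des, spelled the same on OpenBSD
def wildcard_to_prefix(wc):                      # IOS wildcard 0.0.0.255 -> prefix length 24
    return 32 - sum(bin(int(o)).count("1") for o in wc.split("."))

def parse_cisco(text):
    """Pull the crypto-relevant settings out of an IOS config."""
    c, ctx = {"main_auth": "hmac-sha1"}, None    # IOS default is 'hash sha'
    for line in text.strip().splitlines():
        w = line.split()
        if line.startswith(" "):                 # indented line belongs to ctx
            if ctx == "policy" and w[0] in PHASE1:
                c[PHASE1[w[0]]] = cisco_cipher(w[1:]) if w[0] == "encr" else ISAKMP_NAMES[w[1]]
            elif ctx == "map" and w[:2] == ["set", "peer"]:
                c["peer"] = w[2]
            elif ctx == "map" and w[:2] == ["match", "address"]:
                c["acl_name"] = w[2]
            elif ctx == "interface" and w[:2] == ["ip", "address"]:
                c["local"] = w[2]
            elif ctx == "acl" and w[0] == "permit":   # crypto ACL lists the local net first
                c["acl"] = (f"{w[2]}/{wildcard_to_prefix(w[3])}", f"{w[4]}/{wildcard_to_prefix(w[5])}")
            continue
        ctx = None
        if w[:3] == ["crypto", "isakmp", "policy"]:
            ctx = "policy"
        elif w[:3] == ["crypto", "isakmp", "key"]:
            c["psk"], c["peer_id"] = w[3], w[5]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            auth = next(t for t in w[4:] if t in CISCO_ESP_AUTH)
            c["quick_enc"] = cisco_cipher([t for t in w[4:] if t != auth])
            c["quick_auth"] = CISCO_ESP_AUTH[auth]
        elif w[:2] == ["crypto", "map"]:
            ctx = "map"
        elif w[0] == "interface":
            ctx = "interface"
        elif w[:3] == ["ip", "access-list", "extended"] and w[3] == c.get("acl_name"):
            ctx = "acl"                          # other ACLs (such as the article's INET) are ignored
    return c

def check(openbsd_text=OPENBSD_CONF, cisco_text=CISCO_CONF):
    """Return a list of mismatches; an empty list means the two sides agree."""
    ob, cs = parse_openbsd_ike(openbsd_text), parse_cisco(cisco_text)
    pairs = [(k, ob.get(k), cs.get(k)) for k in
             ("main_enc", "main_auth", "main_group", "quick_enc", "quick_auth", "psk")]
    pairs += [("peer address", ob["peer"], cs.get("local")),
              ("identity", ob["srcid"], cs.get("peer")), ("key address", ob["srcid"], cs.get("peer_id")),
              ("selectors", (ob["to"], ob["from"]), cs.get("acl"))]  # crypto ACL mirrors the flow
    return [f"{k}: OpenBSD={a} Cisco={b}" for k, a, b in pairs if a != b]

if __name__ == "__main__":
    print("\n".join(check() or ["configurations agree"]))
```

Run as-is it reports that the configurations agree; change group 5 to group 2, or esp-aes to esp-aes 256, on the Cisco side and it names the phase and parameter that would fail to negotiate, which the peers' debug output tells you far less directly.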

Thank you, Mattias, for sharing your IPSec experiences with us.



  Re: 0 to IPSEC in 4 minutes (To a Cisco!)
by Terrell Prude' Jr. on Sat Jul 12 01:50:31 2008 (GMT)
  Thanks for this. I deal with Cisco routers all the time, and like it or not, they're a big gorilla in this space. My customers routinely ask for "Cisco" because "we've got to interoperate with Cisco, and everyone knows Cisco." Yes, I know--don't bother saying it--and I agree. :-)

An easy way to do IPSec interoperability with them makes it easier for me to convince folks to consider OpenBSD ("oh, you've got existing Ciscos? No problem!"). It's like FOSS platforms in Microsoft shops. You've got to interoperate with the existing Windows structure *easily*, or else you get shot down.

This is good news. Will give it a shot at my earliest opportunity.


  Re: 0 to IPSEC in 4 minutes (To a Cisco!)
by jason on Sat Jul 12 04:13:29 2008 (GMT)
  Good read. Thorough, yet brief and to the point. Thanks for the story!

  Re: 0 to IPSEC in 4 minutes (To a Cisco!)
by Name on Sat Jul 12 10:22:12 2008 (GMT)
  Thanks, very useful. I have around 25 VPN tunnels across the globe, fully OpenBSD based; works like a charm. But adding locations with a Cisco will be possible now too (without the need to place a BSD, which WILL happen at the end anyway :-)). I will use it for sure! Thanks for the effort!

  Re: 0 to IPSEC in 4 minutes (To a Cisco!)
by Anonymous Coward on Sat Jul 12 20:35:03 2008 (GMT)
  Two scenarios come to mind...

What if either the Cisco or OpenBSD side is a roadwarrior?
What about the possibility of connecting multiple clients to one or the other (multiple Cisco clients connecting to OpenBSD in a roadwarrior fashion, or multiple OpenBSD clients connecting to a Cisco in a roadwarrior fashion)?

  Re: 0 to IPSEC in 4 minutes (To a Cisco!)
by Anonymous Coward on Tue Jul 15 07:38:28 2008 (GMT)
  Where is the crypto map on the Cisco interface?
Does this Cisco config really work?



Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original with Jose's and Jim's kind permission. Some icons from used with permission from Kathleen. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. Search engine is ht://Dig. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]