OpenBSD Journal

0 to IPSEC in 4 minutes (To a Cisco!)

Contributed by merdely on from the vroooooom dept.

Mattias Lindgren shares his experience setting up a VPN connection with a Cisco device:

A friend of mine and I wanted to see how easy it would be to set up a reasonably secure IPSec tunnel between OpenBSD and a Cisco router. Inspired by the SecurityFocus article "Zero to IPSec in 4 minutes", we wanted to see if we could repeat the same feat.

Mattias continues below.

Edit (2008/07/16): Cisco configuration fixed as pointed out in the comments. (merdely)

This evening's contestants consist of a Soekris Net4801 running OpenBSD 4.3 and a Cisco 2621 router running 12.4 code. OpenBSD already has a convenient front end for IPSec, ipsecctl(8): it reads ipsec.conf(5), installs the resulting flows in the kernel and hands the IKE rules to isakmpd(8), so there is no isakmpd.conf(5) to write by hand. The networks are denoted as follows:

  • OpenBSD private subnet: a.a.a.a/24
  • Cisco private subnet: b.b.b.b/24
  • OpenBSD public address: A.A.A.A
  • Cisco public address: B.B.B.B

I started out by editing my ipsec.conf file on the OpenBSD box and entered the following:

ike esp from a.a.a.a/24 to b.b.b.b/24 \
     peer B.B.B.B \
     main auth hmac-sha1 enc aes-128 group modp1536 \
     quick auth hmac-sha1 enc aes-128 \
     srcid A.A.A.A psk "mekmitasdigoat"

This selects AES-128 for encryption and HMAC-SHA1 for authentication in both phases. Group modp1536 corresponds to Cisco's Group 5 statement; the Diffie-Hellman group has to match on both ends, and Cisco recommends group 5 rather than the default group 1 when AES is the cipher, although IOS does not strictly require it. Note that the quick line carries no group keyword, so ipsec.conf(5) falls back to its default of PFS with modp1024, which is Cisco's group 2; the Cisco crypto map should say the same with set pfs group2 (as one of the comments below points out), otherwise whether the two sides agree on PFS depends on which one initiates.

The next step is to allow the appropriate traffic through the PF firewall: IKE on UDP port 500 and ESP, both only from the Cisco's public address. pf.conf(5) requires options such as set skip to come before the filter rules, so the lines go in this order:

set skip on enc0
pass in on $ext_if inet proto udp from B.B.B.B to A.A.A.A port 500
pass in on $ext_if inet proto esp from B.B.B.B to A.A.A.A

Keep in mind that set skip on enc0 means the decrypted traffic appearing on enc0 is not filtered at all; if you want to apply policy to what comes out of the tunnel, leave enc0 in and write pass rules on it instead.

All that remains on OpenBSD is to start the VPN subsystems. The -K flag tells isakmpd(8) to skip keynote(4) policy checking, which is what lets the flows from ipsec.conf(5) be used without a policy file; ipsecctl then loads the file. Checking it first with ipsecctl -n -f /etc/ipsec.conf catches syntax errors, and afterwards ipsecctl -sa shows the flows and, once the peer has negotiated, the SAs. To have all of this survive a reboot, set isakmpd_flags="-K" and ipsec=YES in /etc/rc.conf.local. The commands:

isakmpd -K
ipsecctl -f /etc/ipsec.conf

Now, moving over to the Cisco side. The relevant configuration sections look something like this (the isakmp policy leaves hash at its default of SHA-1, which matches hmac-sha1 above):

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
! hash is not set, so it defaults to sha, matching hmac-sha1 in main mode above
crypto isakmp key mekmitasdigoat address A.A.A.A
! dead peer detection: probe every 30 seconds, retry every 5 seconds
crypto isakmp keepalive 30 5
crypto ipsec transform-set aes-set esp-aes esp-sha-hmac
!
crypto map VPN 15 ipsec-isakmp
 set peer A.A.A.A
 set transform-set aes-set
 match address VPN-to-OpenBSD
!
! the crypto map only takes effect once it is applied to the outside interface
! (this line was missing from the first version of the article)
interface FastEthernet0/0
 crypto map VPN
 ip address B.B.B.B
 ip access-group INET in
!
! only IKE and ESP need to reach the router from outside; restricting both entries
! to host A.A.A.A instead of any mirrors the PF rules on the OpenBSD side
ip access-list extended INET
 permit esp any any
 permit udp any any eq isakmp
!
! crypto ACL: must be the exact mirror of the ipsec.conf flow (from b to a)
ip access-list extended VPN-to-OpenBSD
 permit ip b.b.b.b 0.0.0.255 a.a.a.a 0.0.0.255

That was all there is to it. The VPN came up on the first try. Time spent: 4 minutes 1 second, d'oh!
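An IKEv1 tunnel that refuses to come up is nearly always a proposal mismatch: a different cipher or DH group in phase 1, a transform set that does not match the quick-mode line, PFS configured on one side only, or a crypto ACL that is not the exact mirror of the OpenBSD from/to flow. The following Python script is an added example, not part of Mattias's write-up and not a tool shipped by OpenBSD or Cisco: it parses an ipsec.conf ike rule and a Cisco excerpt, translates the ipsec.conf(5) names into IOS keywords and lists every disagreement. The configs embedded in it are the article's, with the placeholder addresses filled in from the RFC 5737 documentation ranges (a constructed sample). The IOS defaults it assumes for absent lines (encr des, hash sha, group 1, authentication rsa-sig) and the ipsec.conf(5) default of PFS with modp1024 in quick mode are stated in the code. Run against the article's configuration it reports exactly one difference, the missing set pfs group2 on the Cisco map that comment 3 points out; add that line and it reports none.

```python
"""Cross-check an OpenBSD ipsec.conf 'ike' rule against a Cisco IOS crypto config (added example;
the sample configs below are constructed from the article with placeholders filled from RFC 5737 ranges)."""
import ipaddress
import re

OPENBSD_IPSEC_CONF = """\
ike esp from 192.0.2.0/24 to 198.51.100.0/24 \\
     peer 203.0.113.2 \\
     main auth hmac-sha1 enc aes-128 group modp1536 \\
     quick auth hmac-sha1 enc aes-128 \\
     srcid 203.0.113.1 psk "mekmitasdigoat"
"""
CISCO_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key mekmitasdigoat address 203.0.113.1
crypto ipsec transform-set aes-set esp-aes esp-sha-hmac
crypto map VPN 15 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set aes-set
 match address VPN-to-OpenBSD
interface FastEthernet0/0
 crypto map VPN
ip access-list extended VPN-to-OpenBSD
 permit ip 198.51.100.0 0.0.0.255 192.0.2.0 0.0.0.255
"""

# ipsec.conf(5) names -> IOS keywords ('encr aes' is AES-128; a policy without 'hash' uses SHA-1).
ENC = {"aes-128": "aes", "aes-192": "aes 192", "aes-256": "aes 256", "3des": "3des"}
AUTH = {"hmac-sha1": "sha", "hmac-md5": "md5"}
GROUP = {"modp768": "1", "modp1024": "2", "modp1536": "5", "modp2048": "14"}

def field(text, key, default=None):
    """Token following 'key' in a flattened ipsec.conf rule."""
    m = re.search(rf"\b{key} (\S+)", text)
    return m.group(1) if m else default

def wildcard_to_network(addr, wildcard):
    """Cisco wildcard (inverse) mask -> network; non-contiguous masks are rejected."""
    host_bits = int(ipaddress.IPv4Address(wildcard))
    if host_bits & (host_bits + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network((addr, 32 - host_bits.bit_length()), strict=False)

def parse_openbsd(text):
    """Flatten the backslash-continued rule and express its parameters in IOS terms."""
    rule = " ".join(text.replace("\\\n", " ").split())
    def section(name):  # transform list after 'main' or 'quick'; empty if defaults are relied on
        m = re.search(rf" {name} (.*?)(?= main | quick | srcid | dstid | psk |$)", rule)
        return m.group(1) if m else ""
    main, quick = section("main"), section("quick")
    pfs = field(quick, "group", "modp1024")  # ipsec.conf(5): quick mode does PFS with modp1024 unless 'group none'
    return {
        "from": ipaddress.ip_network(field(rule, "from")),
        "to": ipaddress.ip_network(field(rule, "to")),
        "main": (ENC[field(main, "enc")], AUTH[field(main, "auth")],
                 GROUP[field(main, "group", "modp1024")], "pre-share"),  # psk in ipsec.conf == pre-share on IOS
        "quick": {"esp-" + ENC[field(quick, "enc")], "esp-" + AUTH[field(quick, "auth")] + "-hmac"},
        "pfs": None if pfs == "none" else "group" + GROUP[pfs],
        "srcid": field(rule, "srcid"),
        "psk": re.search(r'psk "([^"]*)"', rule).group(1),
    }

def parse_cisco(text):
    """Compared parameters from an excerpt with one isakmp policy and one crypto map entry."""
    def grab(pattern, default=None):  # first match in the excerpt, else the IOS default
        m = re.search(pattern, text, re.M)
        return m.group(1) if m else default
    name = grab(r"^crypto map (\S+) \d+ ipsec-isakmp")
    # IOS writes 'esp-aes 256' as two tokens, so keep a trailing key size with its transform
    transforms = set(re.findall(r"\S+(?: \d+)?", grab(r"^crypto ipsec transform-set \S+ (.*)$")))
    acl_name = grab(r"^ match address (\S+)")
    acl = grab(rf"^ip access-list extended {acl_name}\n permit ip (.*)$").split()
    return {
        "main": (grab(r"^ encr (.*)$", "des"), grab(r"^ hash (\S+)", "sha"),
                 grab(r"^ group (\S+)", "1"), grab(r"^ authentication (\S+)", "rsa-sig")),
        "psk": grab(r"^crypto isakmp key (\S+) address"),
        "peer": grab(r"^ set peer (\S+)"),
        "pfs": grab(r"^ set pfs (\S+)"),
        "transforms": transforms,
        "acl": (wildcard_to_network(acl[0], acl[1]), wildcard_to_network(acl[2], acl[3])),
        "map": name,
        "bound": re.search(rf"^interface .*\n(?: .*\n)*? crypto map {name}$", text, re.M) is not None,
    }

def compare(o, c):
    """Every parameter the two sides disagree on; an empty list means the proposals line up."""
    checks = [
        ("phase 1 (enc, hash, DH group, auth)", o["main"], c["main"]),
        ("pre-shared key", o["psk"], c["psk"]),
        ("set peer vs srcid", o["srcid"], c["peer"]),
        ("phase 2 transforms", o["quick"], c["transforms"]),
        ("phase 2 PFS", o["pfs"], c["pfs"]),
        ("crypto ACL must mirror from/to", (o["to"], o["from"]), c["acl"]),
    ]
    problems = [f"{what}: OpenBSD side {want!r}, Cisco side {got!r}" for what, want, got in checks if want != got]
    if not c["bound"]:
        problems.append(f"crypto map {c['map']} is not applied to any interface")
    return problems
```

The PFS check is deliberately strict. According to the IOS documentation for set pfs, a router without that line still accepts a PFS offer from its peer, which is presumably why the tunnel came up with OpenBSD initiating; but it will not propose PFS itself, so stating it on both sides removes the dependence on who dials first. The crypto ACL check also catches the other classic interop mistake, an access list written in the same direction as the OpenBSD flow rather than mirrored, and wildcard_to_network refuses non-contiguous wildcard masks, which a crypto ACL cannot meaningfully use.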

Thank you, Mattias, for sharing your IPSec experiences with us.

  1. By Terrell Prude' Jr. (151.188.18.44) tprude@cmosnetworks.com (this is a spamtrap address) on http://www.cmosnetworks.com/

    Thanks for this. I deal with Cisco routers all the time, and like it or not, they're a big gorilla in this space. My customers routinely ask for "Cisco" because "we've got to interoperate with Cisco, and everyone knows Cisco." Yes, I know--don't bother saying it--and I agree. :-)

    An easy way to do IPSec interoperability with them makes it easier for me to convince folks to consider OpenBSD ("oh, you've got existing Ciscos? No problem!"). It's like FOSS platforms in Microsoft shops. You've got to interoperate with the existing Windows structure *easily*, or else you get shot down.

    This is good news. Will give it a shot at my earliest opportunity.

    --TP

  2. By jason (jason) jason@dixongroup.net on http://www.dixongroup.net/

    Good read. Thorough, yet brief and to the point. Thanks for the story!

  3. By Name (86.91.41.86) on

    Thanks, very useful. I have around 25 VPN tunnels across the globe, fully OpenBSD based, works like a charm, but adding locations with a Cisco will be possible too now...(without the need to place a BSD (what WILL happen at the end anyways :-)) But I will use it for sure...! thx for the effort !

  4. By Anonymous Coward (70.51.19.72) on

    Two scenarios come to mind...

    What if either the Cisco or OpenBSD side is a roadwarrior?
    What about the possibility of connecting multiple clients to one, or the other? (multiple Cisco clients connecting to OpenBSD in a roadwarrior fashion or multiple OpenBSD clients connecting to a Cisco in a roadwarrior fashion?)

  5. By Anonymous Coward (81.26.133.206) on

    Where is the crypto map on the Cisco interface?
    Does this Cisco config really work?

    1. By Anonymous Coward (212.0.160.18) on

      > Where is the crypto map on the Cisco interface?
      > Does this Cisco config really work?

      hehe, good catch. I guess it doesn't :)

      1. By Brad (2001:470:8802:3:216:41ff:fe17:6933) brad at comstyle dot com on

        > > Where is the crypto map on the Cisco interface?
        > > Does this Cisco config really work?
        >
        > hehe, good catch. I guess it doesn't :)

        The crypto map section should have the command "set pfs group2".

    2. By Mattias Lindgren (mlindgren) on

      > Where is the crypto map on the Cisco interface?
      > Does this Cisco config really work?

      Thanks for pointing that out, forgot to add that in the original config :(

      Luckily we have editors that can fix these sorts of things!

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]