Mattias Lindgren shares his experience setting up a VPN connection with a Cisco device:
This evening's contestants consist of a Soekris Net4801 running OpenBSD 4.3 and a Cisco 2621 router running 12.4 code.
OpenBSD already has a great framework for working with IPSec, called ipsecctl(8), which we used to simplify the configuration. It reads /etc/ipsec.conf to generate reasonable IPSec flows. The networks are denoted as follows:
- OpenBSD private subnet: a.a.a.a/24
- Cisco private subnet: b.b.b.b/24
- OpenBSD public address: A.A.A.A
- Cisco public address: B.B.B.B
I started out by editing my ipsec.conf file on the OpenBSD box and entered the following:
ike esp from a.a.a.a/24 to b.b.b.b/24 \
peer B.B.B.B \
main auth hmac-sha1 enc aes-128 group modp1536 \
quick auth hmac-sha1 enc aes-128 \
srcid A.A.A.A psk "mekmitasdigoat"
This denotes that we will be using a combination of aes-128 and hmac-sha
for our encryption and authentication. Group modp1536 corresponds with
Cisco's Group 5 statement, which is needed on the Cisco when using AES.
The next step is to allow the appropriate traffic through the PF
firewall. The following lines were entered:
pass in on $ext_if inet proto udp from B.B.B.B to A.A.A.A port 500
pass in on $ext_if inet proto esp from B.B.B.B to A.A.A.A
set skip on enc0
All that remains on OpenBSD is to start up the VPN subsystems with the following commands:
ipsecctl -f /etc/ipsec.conf
Now, moving over to the Cisco side. The relevant configuration sections look something like this:
crypto isakmp policy 10
 ! proposal lines filled in from the text above (AES-128, SHA-1, pre-shared key, group 5)
 encr aes
 hash sha
 authentication pre-share
 group 5
crypto isakmp key mekmitasdigoat address A.A.A.A
crypto isakmp keepalive 30 5
crypto ipsec transform-set aes-set esp-aes esp-sha-hmac
crypto map VPN 15 ipsec-isakmp
 set peer A.A.A.A
 set transform-set aes-set
 match address VPN-to-OpenBSD
! the public-facing interface; its name is not given in the article
interface <outside-interface>
 ip address B.B.B.B
 ip access-group INET in
 crypto map VPN
ip access-list extended INET
 permit esp any any
 permit udp any any eq isakmp
ip access-list extended VPN-to-OpenBSD
 permit ip b.b.b.b 0.0.0.255 a.a.a.a 0.0.0.255
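The usual reason an interop tunnel like this one does not come up on the first try is a phase 1 or phase 2 proposal that differs between the two ends (most often the DH group). The following is an added example, not code from the article or from OpenBSD or Cisco: it parses the ipsec.conf ike rule above, derives the IOS isakmp policy and transform-set lines it implies, and reports anything missing from a Cisco config excerpt. The keyword maps, the sample rule and the sample configs are constructed here.

```python
# Added example, not from the article: check that an ipsec.conf 'ike' rule and a Cisco IOS
# isakmp policy / transform-set carry the same proposals. Keyword maps are constructed here.
PHASE1_MAP = {"enc": {"aes-128": "encr aes", "3des": "encr 3des"},
              "auth": {"hmac-sha1": "hash sha", "hmac-md5": "hash md5"},
              "group": {"modp1024": "group 2", "modp1536": "group 5", "modp2048": "group 14"}}
PHASE2_MAP = {"enc": {"aes-128": "esp-aes", "3des": "esp-3des"},
              "auth": {"hmac-sha1": "esp-sha-hmac", "hmac-md5": "esp-md5-hmac"}}

def parse_ike(rule):
    """Return {'main': {...}, 'quick': {...}} from an ipsec.conf 'ike' rule."""
    tokens = [t for t in rule.split() if t != "\\"]   # drop backslash line continuations
    phases, current = {}, None
    for i, tok in enumerate(tokens):
        if tok in ("main", "quick"):                  # start of a phase 1 / phase 2 proposal
            current = phases.setdefault(tok, {})
        elif current is not None and tok in ("auth", "enc", "group"):
            current[tok] = tokens[i + 1]
    return phases

def expected_cisco(phases):
    """IOS lines the Cisco side must carry for the proposals to match."""
    p1, p2 = phases["main"], phases["quick"]
    policy = [PHASE1_MAP["enc"][p1["enc"]], PHASE1_MAP["auth"][p1["auth"]],
              "authentication pre-share", PHASE1_MAP["group"][p1["group"]]]
    transform = "%s %s" % (PHASE2_MAP["enc"][p2["enc"]], PHASE2_MAP["auth"][p2["auth"]])
    return policy, transform

def check_cisco(cisco_cfg, phases):
    """List every expected IOS line missing from a running-config excerpt."""
    policy, transform = expected_cisco(phases)
    lines = [l.strip() for l in cisco_cfg.splitlines()]
    missing = ["isakmp policy missing: " + p for p in policy if p not in lines]
    if not any(l.startswith("crypto ipsec transform-set ") and l.endswith(" " + transform)
               for l in lines):
        missing.append("no transform-set for: " + transform)
    return missing

# Constructed sample input mirroring the article's ike rule and Cisco policy.
IKE_RULE = r"""ike esp from a.a.a.a/24 to b.b.b.b/24 \
    peer B.B.B.B \
    main auth hmac-sha1 enc aes-128 group modp1536 \
    quick auth hmac-sha1 enc aes-128 \
    srcid A.A.A.A psk "mekmitasdigoat" """
CISCO_OK = """crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 5
crypto ipsec transform-set aes-set esp-aes esp-sha-hmac"""
CISCO_BAD = CISCO_OK.replace("group 5", "group 2")   # the classic DH-group mismatch
```

Running `check_cisco(CISCO_BAD, parse_ike(IKE_RULE))` points straight at the missing `group 5` line, which is exactly what the article's modp1536 remark is about.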
That was all there was to it. The VPN came up on the first try. Time spent:
4 minutes 1 second, d'oh!
Thank you, Mattias, for sharing your IPSec experiences with us.