Contributed by merdely on from the vroooooom dept.
Mattias Lindgren shares his experience setting up a VPN connection with a Cisco device:
A friend of mine and I wanted to see how easy it would be to set up a reasonably secure IPSec tunnel between OpenBSD and a Cisco router. Inspired by the SecurityFocus article "Zero to IPSec in 4 minutes", we wanted to see if we could repeat the same feat.
Mattias continues below.
Edit (2008/07/16): Cisco configuration fixed as pointed out in the comments. (merdely)
This evening's contestants consist of a Soekris Net4801 running OpenBSD 4.3 and a Cisco 2621 router running 12.4 code. OpenBSD already has a great framework for working with IPSec, called ipsecctl(8), which we used to simplify the configuration. It reads from ipsec.conf(5) to generate reasonable IPSec flows. The networks are denoted as follows:
- OpenBSD private subnet: a.a.a.a/24
- Cisco private subnet: b.b.b.b/24
- OpenBSD public address: A.A.A.A
- Cisco public address: B.B.B.B
I started out by editing my ipsec.conf file on the OpenBSD box and entered the following:

    ike esp from a.a.a.a/24 to b.b.b.b/24 \
        peer B.B.B.B \
        main auth hmac-sha1 enc aes-128 group modp1536 \
        quick auth hmac-sha1 enc aes-128 \
        srcid A.A.A.A psk "mekmitasdigoat"

This denotes that we will be using a combination of aes-128 and hmac-sha for our encryption and authentication. Group modp1536 corresponds with Cisco's Group 5 statement, which is needed on the Cisco when using AES.
The next step is to allow the appropriate traffic through the PF firewall. The following lines were entered:

    # options such as "set skip" must precede the filter rules in pf.conf
    set skip on enc0
    pass in on $ext_if inet proto udp from B.B.B.B to A.A.A.A port 500
    pass in on $ext_if inet proto esp from B.B.B.B to A.A.A.A
All that remains on OpenBSD is to start up the VPN subsystems with the following commands:

    isakmpd -K
    ipsecctl -f /etc/ipsec.conf
Now, moving over to the Cisco side. The relevant configuration sections look something like this:

    crypto isakmp policy 10
     encr aes
     authentication pre-share
     group 5
    crypto isakmp key mekmitasdigoat address A.A.A.A
    crypto isakmp keepalive 30 5
    !
    crypto ipsec transform-set aes-set esp-aes esp-sha-hmac
    !
    crypto map VPN 15 ipsec-isakmp
     set peer A.A.A.A
     set transform-set aes-set
     match address VPN-to-OpenBSD
    !
    interface FastEthernet0/0
     crypto map VPN
     ip address B.B.B.B
     ip access-group INET in
    !
    ip access-list extended INET
     permit esp any any
     permit udp any any eq isakmp
    !
    ip access-list extended VPN-to-OpenBSD
     permit ip b.b.b.b 0.0.0.255 a.a.a.a 0.0.0.255
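The whole exercise hinges on the two sides proposing the same phase 1 and phase 2 parameters under different names (modp1536 versus group 5, hmac-sha1 versus esp-sha-hmac), and a mismatch is the usual reason a tunnel never comes up. The following checker is an added example, not part of Mattias's write-up or of ipsecctl or IOS: it parses the ipsec.conf rule and the Cisco policy/transform-set above, translates the OpenBSD keywords through a constructed lookup table, and reports every parameter the peers would disagree on. The IOS defaults it assumes when a policy line is omitted (DES, SHA, group 1) are standard IOS behaviour.

```python
import re

# Constructed lookup: ipsec.conf(5) proposal keywords and the Cisco IOS keywords
# they must line up with (modp1536 <-> "group 5" is the pairing the article relies on).
ENC   = {"aes-128": "aes", "aes-256": "aes 256", "3des": "3des"}
AUTH  = {"hmac-sha1": "sha", "hmac-md5": "md5"}
GROUP = {"modp1024": "2", "modp1536": "5", "modp2048": "14"}

def parse_ipsec_conf(text):
    """Phase 1 ('main') and phase 2 ('quick') proposals from an ipsec.conf ike rule."""
    line = " ".join(l.strip().rstrip("\\") for l in text.splitlines())  # join \ continuations
    def section(kw):
        m = re.search(r"\b" + kw + r"((?:\s+(?:auth|enc|group)\s+\S+)+)", line)
        return dict(re.findall(r"(auth|enc|group)\s+(\S+)", m.group(1))) if m else {}
    return {"phase1": section("main"), "phase2": section("quick")}

def parse_ios(text):
    """Phase 1 from 'crypto isakmp policy', phase 2 from 'crypto ipsec transform-set'."""
    p1, p2 = {"enc": "des", "auth": "sha", "group": "1"}, {}  # IOS defaults when omitted
    for l in (x.strip() for x in text.splitlines()):
        if l.startswith("encr "):    p1["enc"] = l[5:]
        elif l.startswith("hash "):  p1["auth"] = l[5:]
        elif l.startswith("group "): p1["group"] = l[6:]
        elif l.startswith("crypto ipsec transform-set"):
            for t in l.split()[4:]:                 # transforms follow the set name
                if t.endswith("-hmac"):     p2["auth"] = t[4:-5]   # esp-sha-hmac -> sha
                elif t.startswith("esp-"):  p2["enc"] = t[4:]      # esp-aes -> aes
    return {"phase1": p1, "phase2": p2}

def mismatches(obsd, ios):
    """(phase, parameter, openbsd value, cisco value) for every disagreement."""
    out = []
    for phase in ("phase1", "phase2"):
        o, c = obsd[phase], ios[phase]
        want = {"enc": ENC.get(o.get("enc")), "auth": AUTH.get(o.get("auth"))}
        if phase == "phase1":                       # DH group is negotiated in phase 1 only
            want["group"] = GROUP.get(o.get("group"))
        out += [(phase, k, o.get(k), c.get(k)) for k, v in want.items() if v != c.get(k)]
    return out

# Constructed sample input: the two configurations from this article.
OBSD_CONF = '''ike esp from a.a.a.a/24 to b.b.b.b/24 \\
    peer B.B.B.B \\
    main auth hmac-sha1 enc aes-128 group modp1536 \\
    quick auth hmac-sha1 enc aes-128 \\
    srcid A.A.A.A psk "mekmitasdigoat"'''
IOS_CONF = '''crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto ipsec transform-set aes-set esp-aes esp-sha-hmac'''
```

Running `mismatches(parse_ipsec_conf(OBSD_CONF), parse_ios(IOS_CONF))` returns an empty list for the article's configuration; dropping the `group 5` line from the Cisco policy makes it report the phase 1 group disagreement.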
That was all there is to it. The VPN came up on the first try. Time spent: 4 minutes 1 second, d'oh!
Thank you, Mattias, for sharing your IPSec experiences with us.