Contributed by merdely on from the vroooooom dept.
Mattias Lindgren shares his experience setting up a VPN connection with a Cisco device:
A friend of mine and I wanted to see how easy it would be to set up a reasonably secure IPSec tunnel between OpenBSD and a Cisco router. Inspired by the SecurityFocus article "Zero to IPSec in 4 minutes", we wanted to see if we could repeat the same feat.
Mattias continues below.
Edit (2008/07/16): Cisco configuration fixed as pointed out in the comments. (merdely)
This evening's contestants consist of a Soekris Net4801 running OpenBSD 4.3 and a Cisco 2621 router running 12.4 code. OpenBSD already has a great framework for working with IPSec, called ipsecctl(8), which we used to simplify the configuration. It reads from ipsec.conf(5) to generate reasonable IPSec flows. The networks are denoted as follows:
- OpenBSD private subnet: a.a.a.a/24
- Cisco private subnet: b.b.b.b/24
- OpenBSD public address: A.A.A.A
- Cisco public address: B.B.B.B
I started out by editing my ipsec.conf file on the OpenBSD box and entered the following:
ike esp from a.a.a.a/24 to b.b.b.b/24 \
    peer B.B.B.B \
    main auth hmac-sha1 enc aes-128 group modp1536 \
    quick auth hmac-sha1 enc aes-128 \
    srcid A.A.A.A psk "mekmitasdigoat"
This denotes that we will be using a combination of aes-128 and hmac-sha1 for our encryption and authentication. Group modp1536 corresponds with Cisco's Group 5 statement, which is needed on the Cisco when using AES. The next step is to allow the appropriate traffic through the PF firewall. The following lines were entered:
pass in on $ext_if inet proto udp from B.B.B.B to A.A.A.A port 500
pass in on $ext_if inet proto esp from B.B.B.B to A.A.A.A
set skip on enc0
All that remains on OpenBSD is to start up the VPN subsystems with the following commands:
isakmpd -K
ipsecctl -f /etc/ipsec.conf
Now, moving over to the Cisco side. The relevant configuration sections look something like this:
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key mekmitasdigoat address A.A.A.A
crypto isakmp keepalive 30 5
crypto ipsec transform-set aes-set esp-aes esp-sha-hmac
!
crypto map VPN 15 ipsec-isakmp
 set peer A.A.A.A
 set transform-set aes-set
 set pfs group2
 match address VPN-to-OpenBSD
!
interface FastEthernet0/0
 crypto map VPN
 ip address B.B.B.B
 ip access-group INET in
!
ip access-list extended INET
 permit esp any any
 permit udp any any eq isakmp
!
ip access-list extended VPN-to-OpenBSD
 permit ip b.b.b.b 0.0.0.255 a.a.a.a 0.0.0.255
That was all there was to it. The VPN came up on the first try. Time spent: 4 minutes 1 second, d'oh!
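As an added example (not part of Mattias's write-up, nor OpenBSD's or Cisco's own tooling), a small Python checker that reads an ipsec.conf ike rule and an IOS crypto configuration and reports the proposals that do not line up on the two sides, including the PFS group the comments found missing from the crypto map. It assumes that ipsec.conf defaults quick-mode PFS to modp1024 when no group is named, that IOS "encr aes" means AES-128, and the sample configurations are constructed from the ones above.

```python
import re

# ipsec.conf(5) DH group names and the IOS "group N" / "set pfs groupN" numbers
DH_GROUPS = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14}
AUTH_TO_IOS = {"hmac-sha1": "sha", "hmac-md5": "md5"}
QUICK_PFS_DEFAULT = "modp1024"  # assumed ipsec.conf default when quick mode names no group

def parse_ike(rule):
    """Split one backslash-continued ike rule into its main and quick transforms."""
    text = " ".join(line.strip().rstrip("\\") for line in rule.splitlines())
    stop = r"(?=\bmain\b|\bquick\b|\bsrcid\b|\bdstid\b|\bpsk\b|$)"
    ike = {}
    for phase in ("main", "quick"):
        seg = re.search(r"\b%s\b(.*?)%s" % (phase, stop), text)
        ike[phase] = dict(re.findall(r"\b(auth|enc|group)\s+(\S+)", seg.group(1))) if seg else {}
    ike["quick"].setdefault("group", QUICK_PFS_DEFAULT)  # PFS stays on unless "group none"
    return ike

def parse_cisco(conf):
    """Pick the ISAKMP policy, transform set and crypto-map PFS out of an IOS config."""
    patterns = {"encr": r"^\s*encr\s+(\S+)", "group": r"^\s*group\s+(\d+)",
                "pfs": r"^\s*set pfs group(\d+)",
                "esp": r"^\s*crypto ipsec transform-set \S+\s+(.+)$"}
    hits = {key: re.search(pat, conf, re.M) for key, pat in patterns.items()}
    return {key: m.group(1) for key, m in hits.items() if m}

def check_interop(ike, cisco):
    """Return the proposal mismatches that would keep the tunnel from coming up."""
    main, quick, bad, esp = ike["main"], ike["quick"], [], cisco.get("esp", "")
    if main.get("enc", "").split("-")[0] != cisco.get("encr"):
        bad.append("phase 1 encryption differs")
    if DH_GROUPS.get(main.get("group")) != int(cisco.get("group", 0)):
        bad.append("phase 1 DH group differs (modp name vs IOS group number)")
    if ("esp-" + quick.get("enc", "").split("-")[0] not in esp
            or "esp-%s-hmac" % AUTH_TO_IOS.get(quick.get("auth")) not in esp):
        bad.append("transform set does not match quick mode")
    want = None if quick["group"] == "none" else DH_GROUPS.get(quick["group"])
    have = int(cisco["pfs"]) if "pfs" in cisco else None
    if want != have:
        bad.append("PFS mismatch: OpenBSD group %s, Cisco group %s" % (want, have))
    return bad

# Constructed sample input: the write-up's ike rule and a trimmed IOS crypto config
IKE_RULE = ('ike esp from a.a.a.a/24 to b.b.b.b/24 peer B.B.B.B \\\n'
            '  main auth hmac-sha1 enc aes-128 group modp1536 \\\n'
            '  quick auth hmac-sha1 enc aes-128 srcid A.A.A.A psk "mekmitasdigoat"')
CISCO_NO_PFS = ("crypto isakmp policy 10\n encr aes\n authentication pre-share\n group 5\n"
                "crypto ipsec transform-set aes-set esp-aes esp-sha-hmac\n"
                "crypto map VPN 15 ipsec-isakmp\n set peer A.A.A.A\n set transform-set aes-set\n")
CISCO_FIXED = CISCO_NO_PFS + " set pfs group2\n"  # the line the comments say was missing
```

Run `check_interop(parse_ike(IKE_RULE), parse_cisco(CISCO_NO_PFS))` to see the PFS mismatch the comments describe; with CISCO_FIXED the list is empty.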
Thank you, Mattias, for sharing your IPSec experiences with us.
By Terrell Prude' Jr. (151.188.18.44) tprude@cmosnetworks.com (this is a spamtrap address) on http://www.cmosnetworks.com/
An easy way to do IPSec interoperability with them makes it easier for me to convince folks to consider OpenBSD ("oh, you've got existing Ciscos? No problem!"). It's like FOSS platforms in Microsoft shops. You've got to interoperate with the existing Windows structure *easily*, or else you get shot down.
This is good news. Will give it a shot at my earliest opportunity.
--TP
By jason (jason) jason@dixongroup.net on http://www.dixongroup.net/
By Name (86.91.41.86) on
By Anonymous Coward (70.51.19.72) on
What if either the Cisco or OpenBSD side is a roadwarrior?
What about the possibility of connecting multiple clients to one, or the other? (Multiple Cisco clients connecting to OpenBSD in a roadwarrior fashion, or multiple OpenBSD clients connecting to a Cisco in a roadwarrior fashion?)
By Anonymous Coward (81.26.133.206) on
really this cisco conf is work?
By Anonymous Coward (212.0.160.18) on
> really this cisco conf is work?
hehe, good catch. I guess it doesn't :)
By Brad (2001:470:8802:3:216:41ff:fe17:6933) brad at comstyle dot com on
> > really this cisco conf is work?
>
> hehe, good catch. I guess it doesn't :)
The crypto map section should have the command "set pfs group2".
By Mattias Lindgren (mlindgren) on
> really this cisco conf is work?
Thanks for pointing that out, forgot to add that in the original config :(
Luckily we have editors that can fix these sorts of things!