Re: FreeBSD IPSEC connection to a Cisco Router using ESP (FAQ submission)

From: Scott M. Nolde (scott@smnolde.com)
Date: 09/11/02


Date: Tue, 10 Sep 2002 22:20:50 -0400
From: "Scott M. Nolde" <scott@smnolde.com>
To: Mike Tancsa <mike@sentex.net>

Mike Tancsa(mike@sentex.net)@2002.09.03 10:50:02 +0000:
>
>
> Question: How do I setup an IPSEC ESP Tunnel between a Cisco router and
> FreeBSD
>
> AN Answer:
>
> OK, I have seen a few people ask this question, but I had not found via the
> search engines a sample config on how to setup an IPSEC tunnel between a
> FreeBSD box and Cisco router. We had a customer over the weekend wanting to
> do just this, so I figured I would post the setup here in case anyone else
> wanted to do something like this.
>

<snippage>

Mike,

I appreciate your efforts in documenting this. I have verified 3DES
encryption using a Cisco 1720 router with IOS c1700-k2sy-mz.121-5.T8.bin.
Other IOSs that support 3DES should work similarly.

From racoon's log:
2002-09-10 22:13:16: DEBUG: algorithm.c:509:alg_ipsec_encdef():
encription(3des)
2002-09-10 22:13:16: DEBUG: algorithm.c:552:alg_ipsec_hmacdef():
hmac(hmac_md5)

From the Cisco 1720 log:
04:10:19: IPSEC(initialize_sas): ,
  (key eng. msg.) src= 192.168.10.20, dest= 192.168.10.7,
    src_proxy= 192.168.10.20/255.255.255.255/0/0 (type=1),
    dest_proxy= 192.168.10.7/255.255.255.255/0/0 (type=1),
    protocol= ESP, transform= esp-3des esp-md5-hmac ,
    lifedur= 300s and 4608000kb,
    spi= 0xA7471E6(175403494), conn_id= 2001, keysize= 0, flags= 0x25

04:10:19: IPSEC(create_sa): sa created,
  (sa) sa_dest= 192.168.10.7, sa_prot= 50,
    sa_spi= 0xA7471E6(175403494),
    sa_trans= esp-3des esp-md5-hmac , sa_conn_id= 2001

The changes to the router configuration are minor, as you change esp-des to
esp-3des. racoon.conf is changed by using 3des instead of des in the
sainfo section.

-- 
Scott Nolde
GPG Key 0xD869AB48
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
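The sainfo change Scott describes, written out as an added example (this is not from the original FAQ or from Scott's message; Mike's configuration was snipped above). The section below is a racoon.conf sainfo block that negotiates the ESP proposal seen in both logs, esp-3des with hmac-md5 and a 300-second lifetime. The pfs_group line is an assumption: it has to match `set pfs group2` in the Cisco crypto map, or be left out on both sides, otherwise phase 2 fails with a proposal mismatch.

```conf
# racoon.conf, phase 2 (IPsec SA) parameters for the Cisco peer.
# "anonymous" matches any peer; a specific address pair could be given instead.
sainfo anonymous
{
	# Assumption: PFS enabled with DH group 2, so the Cisco crypto map
	# must carry "set pfs group2". Remove here and there to run without PFS.
	pfs_group 2;

	# Matches "lifedur= 300s" in the Cisco IPSEC(initialize_sas) log line.
	lifetime time 300 sec;

	# Original FAQ used single DES (esp-des on the router):
	#encryption_algorithm des;
	# 3DES, paired with "esp-3des" in the router's transform-set:
	encryption_algorithm 3des;

	# "esp-md5-hmac" on the router, "hmac(hmac_md5)" in racoon's log.
	authentication_algorithm hmac_md5;

	compression_algorithm deflate;
}
```

On the router side the matching line is `crypto ipsec transform-set <name> esp-3des esp-md5-hmac` in place of `esp-des esp-md5-hmac`. After the tunnel comes up, `setkey -D` on the FreeBSD box should show the SA with `E: 3des-cbc` and `A: hmac-md5`, and the SPI in that output should equal the `sa_spi` value the router logs. Note that 3DES and HMAC-MD5 are long-deprecated choices; on any IOS and racoon new enough to offer them, AES and SHA-based integrity should be used instead.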

