
ISAKMPD to Cisco PIX, remote client-to-site config



Hi all,

I'm not quite sure if this is the right mailing list for this, but I'll try
it anyway.  It looks like openbsd-tech is not as busy as this one (over
the past week anyway) and I couldn't find an openbsd-vpn mailing list or
equivalent, so I'll post it here.

Anyway, I have an ISAKMPD <--> Cisco PIX configuration question/problem.
Just to preempt: I've read the man page, FAQ, and searched and searched the
internet for about a week for this and actually contacted Cisco for
configuration help (we have a service contract--in short they said that it
was an OpenBSD issue, not a PIX issue), so turning to the mailing list is
kind of a last resort.  It seems that either nobody has had this problem, or
I'm just missing something obvious here.  Hopefully someone here will have
experience with this and can help.

Network layout:
 10.0.0.0/24 (OpenBSD) ----> (internet) -----> (PIX) 10.0.2.0/23

Okay, here's the deal.  I'm trying to connect an OpenBSD 3.3 box to a PIX 515
running 6.3.1.  I've actually successfully got this to work with a
Site-to-Site configuration.  In fact it works perfectly with good
encryption/authentication, IKE is perfect, everything works fine.

The problem lies in the fact that I want to set up a Remote Client-to-Site
configuration instead of site-to-site.  This means that all of the 10.0.0.0
network can see the 10.0.2.0 network, but not vice versa.  I'm also trying
to pull from an IP address pool on the PIX so that all traffic coming across
the VPN can be mapped to one IP address (10.0.3.220 for example).

So ideally the connection will be initiated from the OpenBSD box; it will
connect to the PIX and the PIX will assign it an IP address from a range
(10.0.3.220-10.0.3.224), so that all traffic from my home machine (the BSD
box) will appear as if it's coming from one IP address, 10.0.3.220.

Does that make sense?  I've attached both config files to the bottom in hopes
that someone can take a look at this and help me see where my error is.  I
didn't post the policy file because I didn't think it was relevant.

Thanks in advance,
Jason Schoonover
jason_jks@yahoo.com



ISAKMPD.CONF
-------------------------------------
[General]
Policy-File=            /etc/isakmpd/isakmpd.policy
Retransmits=            2
Exchange-max-time=      10

[Phase 1]
12.34.56.78=          pix-p1

[Phase 2]
Connections=            pix-p2

[my-fqdn]
ID-type=                FQDN
Name=                   mcp.scat.on

[my-ipv4-net]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.0.0
Netmask=                255.255.255.0

### Phase 1
###########

[pix-p1]
Phase=                  1
Address=                12.34.56.78
Configuration=          Default-main-mode
ID=                     my-fqdn
Remote-ID=              pix-fqdn
Authentication=         mysecret

[pix-fqdn]
ID-type=                FQDN
Name=                   pix.something.com

### Phase 2
###########

[pix-p2]
Phase=                  2
ISAKMP-peer=            pix-p1
Configuration=          Default-quick-mode
Local-ID=               my-ipv4-net
Remote-ID=              pix-ipv4-net

[pix-ipv4-net]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.2.0
Netmask=                255.255.254.0


#################
### Crypto suites
#################

## PHASE 1 (isakmp policy equiv on PIX)
#######################################

[Default-main-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-MD5

[3DES-MD5]
ENCRYPTION_ALGORITHM=   3DES_CBC
HASH_ALGORITHM=         MD5
GROUP_DESCRIPTION=      MODP_1536
Life=                   LIFE_IN_SECS,LIFE_IN_KB


## PHASE 2 (crypto map equiv on PIX)
####################################

[Default-quick-mode]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-AES-SHA-PFS-SUITE

[QM-ESP-AES-SHA-PFS-SUITE]
Protocols=              QM-ESP-AES-SHA-PFS

[QM-ESP-AES-SHA-PFS]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-AES-SHA-PFS-XF

[QM-ESP-AES-SHA-PFS-XF]
TRANSFORM_ID=                   AES
ENCAPSULATION_MODE=             TUNNEL
AUTHENTICATION_ALGORITHM=       HMAC_SHA
GROUP_DESCRIPTION=              MODP_1536
Life=                           LIFE_IN_SECS


# Life for all modes
####################

[LIFE_IN_SECS]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          3600,1600:86400

[LIFE_IN_KB]
LIFE_TYPE=              KILOBYTES
LIFE_DURATION=          4608000,200000:5000000




pix.config (relevant)
--------------------------------------
hostname pix
domain-name something.com

nat (inside) 0 access-list nonat
ip local pool PIXVPN 10.0.3.220-10.0.3.224

access-list nonat permit ip 10.0.2.0 255.255.254.0 10.0.0.0 255.255.255.0

crypto ipsec transform-set set1 esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10 set pfs group5
crypto dynamic-map dynmap 10 set transform-set set1
crypto map map1 10 ipsec-isakmp dynamic dynmap
crypto map map1 client configuration address initiate
crypto map map1 client configuration address respond
crypto map map1 interface outside

isakmp enable outside
isakmp key mysecret address 0.0.0.0 netmask 0.0.0.0
isakmp client configuration address-pool local PIXVPN outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 5
isakmp policy 10 lifetime 3600

sysopt connection permit-ipsec

-------------------------------------------------------
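When a two-vendor IKE setup misbehaves, the first thing worth ruling out is a proposal mismatch between the two sides: Phase 1 encryption, hash, DH group and lifetime, and the Phase 2 ESP transform and PFS group. The script below is an added example and is not part of the post or of either product's tooling. It embeds trimmed, constructed copies of the two configs above, follows the section references in the isakmpd.conf down to the actual transforms, pulls the equivalent values from the PIX `isakmp policy`, `transform-set` and `set pfs` lines, and reports every parameter that differs. The PIX-to-isakmpd keyword tables are assumptions made for the comparison and cover only the algorithms used here; the script checks proposals and lifetimes only, not the address-pool (mode-config) side of the client-to-site setup.

```python
# Added example: cross-check IKE Phase 1 / IPsec Phase 2 proposals in an
# isakmpd.conf against the isakmp policy / transform-set / pfs lines of a PIX.
import re
from configparser import ConfigParser

# Constructed sample input: trimmed copies of the two configs in the post.
ISAKMPD_CONF = """
[Phase 1]
12.34.56.78=            pix-p1
[Phase 2]
Connections=            pix-p2
[pix-p1]
Configuration=          Default-main-mode
[pix-p2]
Configuration=          Default-quick-mode
[Default-main-mode]
Transforms=             3DES-MD5
[3DES-MD5]
ENCRYPTION_ALGORITHM=   3DES_CBC
HASH_ALGORITHM=         MD5
GROUP_DESCRIPTION=      MODP_1536
Life=                   LIFE_IN_SECS,LIFE_IN_KB
[Default-quick-mode]
Suites=                 QM-ESP-AES-SHA-PFS-SUITE
[QM-ESP-AES-SHA-PFS-SUITE]
Protocols=              QM-ESP-AES-SHA-PFS
[QM-ESP-AES-SHA-PFS]
Transforms=             QM-ESP-AES-SHA-PFS-XF
[QM-ESP-AES-SHA-PFS-XF]
TRANSFORM_ID=                   AES
AUTHENTICATION_ALGORITHM=       HMAC_SHA
GROUP_DESCRIPTION=              MODP_1536
[LIFE_IN_SECS]
LIFE_DURATION=          3600,1600:86400
"""
PIX_CONF = """
crypto ipsec transform-set set1 esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10 set pfs group5
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 5
isakmp policy 10 lifetime 3600
"""

# PIX keyword -> isakmpd keyword; assumed equivalences used only for comparison.
P1_ENC = {"des": "DES_CBC", "3des": "3DES_CBC", "aes": "AES_CBC"}
P1_HASH = {"md5": "MD5", "sha": "SHA"}
GROUP = {"1": "MODP_768", "2": "MODP_1024", "5": "MODP_1536"}
ESP_ENC = {"esp-des": "DES", "esp-3des": "3DES", "esp-aes": "AES"}
ESP_AUTH = {"esp-md5-hmac": "HMAC_MD5", "esp-sha-hmac": "HMAC_SHA"}

def first(value):
    """isakmpd values are comma-separated lists; only the first entry is compared."""
    return value.split(",")[0].strip()

def isakmpd_params(text):
    """Follow the section references from [Phase 1]/[Phase 2] down to the transforms."""
    cp = ConfigParser(interpolation=None)
    cp.read_string(text)
    peer = cp[next(iter(cp["Phase 1"].values()))]             # e.g. [pix-p1]
    p1 = cp[first(cp[peer["Configuration"]]["Transforms"])]   # e.g. [3DES-MD5]
    conn = cp[first(cp["Phase 2"]["Connections"])]            # e.g. [pix-p2]
    suite = cp[first(cp[conn["Configuration"]]["Suites"])]
    esp = cp[first(cp[first(suite["Protocols"])]["Transforms"])]  # the ESP transform
    return {
        "p1.encryption": p1["ENCRYPTION_ALGORITHM"],
        "p1.hash": p1["HASH_ALGORITHM"],
        "p1.group": p1["GROUP_DESCRIPTION"],
        "p1.lifetime": first(cp[first(p1["Life"])]["LIFE_DURATION"]),
        "p2.esp_encryption": esp["TRANSFORM_ID"],
        "p2.esp_auth": esp["AUTHENTICATION_ALGORITHM"],
        "p2.pfs_group": esp["GROUP_DESCRIPTION"],
    }

def pix_params(text):
    """Pull the same values from the PIX lines, translated into isakmpd vocabulary."""
    out = {}
    for key, val in re.findall(r"^isakmp policy \d+ (\w+) (\S+)", text, re.M):
        out["p1." + key] = val
    for key, table in (("p1.encryption", P1_ENC), ("p1.hash", P1_HASH), ("p1.group", GROUP)):
        if key in out:
            out[key] = table.get(out[key], out[key])
    tset = re.search(r"^crypto ipsec transform-set \S+ (.+)$", text, re.M)
    for tok in (tset.group(1).split() if tset else []):
        if tok in ESP_AUTH:
            out["p2.esp_auth"] = ESP_AUTH[tok]
        elif tok in ESP_ENC:
            out["p2.esp_encryption"] = ESP_ENC[tok]
    pfs = re.search(r"set pfs group(\d+)", text)
    if pfs:
        out["p2.pfs_group"] = GROUP.get(pfs.group(1), "group" + pfs.group(1))
    return out

def compare(isakmpd_text, pix_text):
    """Return {param: (isakmpd_value, pix_value)} for every parameter that differs."""
    a, b = isakmpd_params(isakmpd_text), pix_params(pix_text)
    return {k: (a[k], b.get(k)) for k in a if a[k] != b.get(k)}

if __name__ == "__main__":
    diffs = compare(ISAKMPD_CONF, PIX_CONF)
    print("proposals match" if not diffs else "mismatches: %r" % diffs)
```

Run against the two configs as posted the script reports no differences, which is consistent with the post's statement that IKE already works in the site-to-site setup; changing a single PIX line (for instance `hash md5` to `hash sha`) makes the corresponding parameter show up in the result, which is the kind of discrepancy an `isakmpd -d -DA=90` trace would otherwise only reveal as a rejected proposal.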