[vpn] BSD vpn problem
Dan McGinn-Combs
Dan.McGinn-Combs at geac.com
Fri Apr 19 12:53:16 EDT 2002
I've gotten OpenBSD and Checkpoint FW-1 to work together. Actually it was a
piece of cake (at least compared to CP FW-1 and Raptor!). Here are my
parameters (with obscured IP addresses):
Firewall-1 Configuration:
1) A rule permitting IPSec and IKE is not necessary
2) The rule permitting traffic should look like this:
Source           Destination      Service  Action
Encryption_Zone  Encryption_Zone  ANY      Encrypt
3) Encrypt should be:
IKE
ESP
DES
MD5
Any
Use Perfect Forward Frequency = YES
4) The Gateway Host should be configured:
IP Address
External
Gateway
VPN-1
Version 4.1
Domain: Other - Encryption Zone
IKE with DES, MD5, Preshared Secret, Aggressive Mode and Supports Subnets
On the OpenBSD machine the following changes need to be made:
1) Enable isakmpd_flags="" in /etc/rc.conf (so isakmpd will automatically
start).
2) enable net.inet.esp.enable=1 in /etc/sysctl.conf
3) enable net.inet.ip.forwarding=1 in /etc/sysctl.conf
4) Load the following file into /etc/isakmpd/isakmpd.policy and chmod 600
KeyNote-Version: 2
Comment: This policy accepts anything (i.e. no authentication or configuration)
Authorizer: "POLICY"
5) Load the following file into /etc/isakmpd/isakmpd.conf and chmod 600
# A configuration sample for the isakmpd ISAKMP/Oakley (aka IKE) daemon.
# The network topology of the net is like this:
# 192.168.200.0/24 <-> 208.148.140.245 <-> 208.148.140.101 <-> xxx.yyy.1.0/24
#
# "fwatl" and "fwbsd" are the respective security gateways (aka VPN-nodes).
[General]
Policy-file= /etc/isakmpd/isakmpd.policy
Listen-on= aaa.bbb.140.245
[Phase 1]
aaa.bbb.140.101= ISAKMP-peer-fwatl
[Phase 2]
Connections= IPSec-ATL1,IPSec-ATL7
[ISAKMP-peer-fwatl]
Phase= 1
Transport= udp
Local-address= aaa.bbb.140.245
Address= aaa.bbb.140.101
Configuration= Default-main-mode
Authentication= TOP.secret
[IPSec-ATL1]
Phase= 2
ISAKMP-peer= ISAKMP-peer-fwatl
Configuration= Default-quick-mode
Local-ID= Net-BSD
Remote-ID= Net-ATL1
[IPSec-ATL7]
Phase= 2
ISAKMP-peer= ISAKMP-peer-fwatl
Configuration= Default-quick-mode
Local-ID= Net-BSD
Remote-ID= Net-ATL7
[Net-BSD]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.200.0
Netmask= 255.255.255.0
[Net-ATL1]
ID-type= IPV4_ADDR_SUBNET
Network= xxx.yyy.1.0
Netmask= 255.255.255.0
[Net-ATL7]
ID-type= IPV4_ADDR_SUBNET
Network= xxx.yyy.7.0
Netmask= 255.255.255.0
[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= AGGRESSIVE
Transforms= DES-MD5
[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-DES-MD5-PFS-SUITE,QM-ESP-3DES-MD5-PFS-SUITE
6) Make sure your firewall (ipf) is out of the way.
Dan
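As an added check for the isakmpd.conf layout posted above (example code written for this archive page, not code from Dan, from Checkpoint or from OpenBSD): a small linter that parses the `[Section]` / `Tag= Value` syntax, verifies that every Phase 1 and Phase 2 cross-reference resolves to a section of the right phase, and flags the settings a reviewer would want to reconsider: single DES, MD5, a pre-shared key stored in cleartext (the reason for the chmod 600 step), and aggressive mode combined with a pre-shared key. The sample configuration is constructed with placeholder addresses and a dummy secret, and deliberately leaves out `[Net-ATL7]` so the dangling-reference check has something to find; matching names case-insensitively is an assumption about isakmpd, not something the post states.

```python
# Lint an isakmpd.conf for dangling section references and weak IKE settings.
# Added example for this thread, not code from the post or from OpenBSD. It assumes
# the syntax the post shows ([Section] headers, Tag= Value lines, # comments,
# comma-separated lists) and compares names case-insensitively (an assumption).

# Constructed sample modelled on the posted file: placeholder addresses, a dummy
# pre-shared key, and [Net-ATL7] deliberately left out.
SAMPLE_CONF = """\
[Phase 1]
aaa.bbb.140.101= ISAKMP-peer-fwatl
[Phase 2]
Connections= IPSec-ATL7
[ISAKMP-peer-fwatl]
Phase= 1
Address= aaa.bbb.140.101
Configuration= Default-main-mode
Authentication= example-psk-not-real
[IPSec-ATL7]
Phase= 2
ISAKMP-peer= ISAKMP-peer-fwatl
Configuration= Default-quick-mode
Local-ID= Net-BSD
Remote-ID= Net-ATL7
[Net-BSD]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.200.0
[Default-main-mode]
EXCHANGE_TYPE= AGGRESSIVE
Transforms= DES-MD5
[Default-quick-mode]
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-DES-MD5-PFS-SUITE,QM-ESP-3DES-MD5-PFS-SUITE
"""


def parse_conf(text):
    """Return {section: {tag: value}} in file order; blank and # lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            t, _, v = line.partition("=")
            sections[current][t.strip()] = v.strip()
    return sections


def lookup(table, name):
    """Case-insensitive key lookup, usable on the sections dict or on one section."""
    return next((v for k, v in table.items() if k.lower() == (name or "").lower()), None)


def split_list(value):
    return [x.strip() for x in (value or "").split(",") if x.strip()]


def find_dangling(sections):
    """Every cross-reference must name an existing section of the right phase."""
    problems = []

    def require(referrer, tagname, name, phase=None):
        sec = lookup(sections, name)
        if sec is None:
            problems.append(f"{referrer}: {tagname} refers to missing section [{name or '(unset)'}]")
        elif phase and lookup(sec, "Phase") != phase:
            problems.append(f"{referrer}: [{name}] is not a Phase {phase} section")
        return sec

    # [Phase 1] maps each peer address to its ISAKMP-peer section.
    for addr, peer_name in (lookup(sections, "Phase 1") or {}).items():
        if addr.lower() != "default":
            require("Phase 1", addr, peer_name, "1")
    # [Phase 2] Connections name Phase 2 sections, each carrying its own references.
    for conn_name in split_list(lookup(lookup(sections, "Phase 2") or {}, "Connections")):
        conn = require("Phase 2", "Connections", conn_name, "2")
        if conn is None:
            continue
        require(conn_name, "ISAKMP-peer", lookup(conn, "ISAKMP-peer"), "1")
        for t in ("Configuration", "Local-ID", "Remote-ID"):
            require(conn_name, t, lookup(conn, t))
    return problems


def find_weak(sections):
    """Flag single DES, MD5, a cleartext pre-shared key, and aggressive mode with a PSK."""
    warnings = []
    for name, sec in sections.items():
        for tagname in ("Transforms", "Suites"):
            for item in split_list(lookup(sec, tagname)):
                parts = set(item.split("-"))  # "3DES" is not "DES": only single DES matches
                if "DES" in parts:
                    warnings.append(f"{name}: {item} uses single DES (56-bit key)")
                if "MD5" in parts:
                    warnings.append(f"{name}: {item} uses MD5 for integrity")
        if lookup(sec, "Authentication") is not None:
            warnings.append(f"{name}: pre-shared key is stored in cleartext; keep the file mode 0600")
            conf = lookup(sections, lookup(sec, "Configuration")) or {}
            if (lookup(conf, "EXCHANGE_TYPE") or "").upper() == "AGGRESSIVE":
                warnings.append(f"{name}: aggressive mode with a pre-shared key sends a hash keyed by the secret in the clear, so a guessable secret can be recovered offline")
    return warnings


if __name__ == "__main__":
    secs = parse_conf(SAMPLE_CONF)
    print("\n".join(find_dangling(secs) + find_weak(secs)))
```

To run it against a real file, replace `SAMPLE_CONF` with the contents of `/etc/isakmpd/isakmpd.conf`; the missing-section messages point at typos between `Connections=`, `ISAKMP-peer=`, `Local-ID=` and `Remote-ID=` and the section headers they name, which is the first thing to rule out before blaming the peer.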
> -----Original Message-----
> From: Mattias Eriksson [mailto:me at gotanet.se]
> Sent: Friday, April 19, 2002 5:12 AM
> To: vpn at securityfocus.com
> Subject: [vpn] BSD vpn problem
>
>
> Has anyone managed to establish a vpn tunnel between any BSD box (I'm using
> FreeBSD) and a Cisco PIX? Or any other firewall for that matter.
>
> I have spent several days trying to figure it out but for some reason it
> doesn't work.
>
> I'm looking for example configurations for the racoon/KAME configuration.
>
> Any points/links/suggestions are more than welcome. :)
>
> Thanks!
>
> Mattias E.
>
> VPN is sponsored by SecurityFocus.com