Talking to a Cisco PIX Firewall

The original guide is found at http://thoughtstorm.net/howto/bsdtopix.

General Information

Okay, I wrestled with this for a few days; there is no real documentation that I could find on making an xBSD-based firewall talk VPN to a Cisco PIX. This setup is based on racoon, with ipfilter doing the firewalling. gif interface support should already be compiled into the kernel unless you specifically removed it.

Requirements

  1. A working xBSD installation
  2. racoon (from ports)
  3. ipfilter (other firewalling should be fine, just change the syntax for the rules)

Installation

To start, install racoon.

# cd /usr/ports/security/racoon
# make install clean

This builds and installs racoon, the utility we need to do the key exchange and set up the permanent connection.

It creates a directory /usr/local/etc/racoon, along with a startup script at /usr/local/etc/rc.d/racoon.sh.

Configuration

Racoon

Open /usr/local/etc/racoon/racoon.conf in your text editor of choice.

Mine looks like this. It may vary slightly based on what authentication methods the PIX is using. I believe this configuration is standard for the Cisco site-to-site setup.

path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
log debug;
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}
timer
{
        counter 5;              # maximum trying count to send.
        interval 30 sec;        # maximum interval to resend.
        persend 1;
        phase1 15 sec;
        phase2 15 sec;
}

remote anonymous
{
        exchange_mode main;
        doi ipsec_doi;
        situation identity_only;

        my_identifier address;

        nonce_size 16;
        lifetime time 23 hour;
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}
sainfo anonymous
{
        pfs_group 1;
        lifetime time 3600 sec;
        encryption_algorithm 3des,des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate ;
}

Notice the entry:

path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

This tells racoon where to get the shared key from. The format is one peer per line:

PIXIPADDRESS SHAREDKEY
BSDIPADDRESS SHAREDKEY

For example:

66.94.234.13 somep@ssw0rd
207.68.172.246 somep@ssw0rd
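The racoon.conf proposals above and the psk.txt format both deserve a look before the tunnel goes live. The following Python script is an added example, not part of the original guide: it parses a racoon.conf excerpt and a psk.txt in the formats shown and flags the algorithm choices that are weak by today's standards (des, 3des, md5, hmac_md5, DH groups 1 and 2) as well as short shared keys. The sample inputs are constructed, and the 20-character minimum key length is an assumption.

```python
"""Audit racoon.conf proposals and a psk.txt file for weak settings (added example)."""
import re

# Algorithm choices from the guide's racoon.conf that are weak by today's standards.
WEAK = {
    "encryption_algorithm": {"des", "3des"}, "hash_algorithm": {"md5"},
    "authentication_algorithm": {"hmac_md5"}, "dh_group": {"1", "2"}, "pfs_group": {"1", "2"},
}

def audit_racoon_conf(text):
    """Return (keyword, value) pairs for every weak algorithm in racoon.conf text."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()  # drop comments and ';'
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in WEAK:
            continue  # braces, block names and unrelated keywords
        # Values may be comma-separated lists, e.g. "encryption_algorithm 3des,des".
        for value in re.split(r"[,\s]+", parts[1]):
            if value.lower() in WEAK[parts[0]]:
                findings.append((parts[0], value.lower()))
    return findings

def parse_psk(text):
    """Parse psk.txt ('PEERADDRESS SHAREDKEY' per line) into {address: key}."""
    keys = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            addr, key = line.split(None, 1)  # the key runs to the end of the line
            keys[addr] = key
    return keys

def weak_psks(keys, min_len=20):
    """Return peers whose shared key is shorter than min_len (an assumed threshold)."""
    return sorted(addr for addr, key in keys.items() if len(key) < min_len)

# Constructed sample inputs in the formats the guide shows (RFC 5737 test addresses).
SAMPLE_CONF = """\
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;      # trailing comment, as in the guide's file
                dh_group 2 ;
        }
sainfo anonymous {
        pfs_group 1;
        encryption_algorithm 3des,des;
        authentication_algorithm hmac_md5;
}
"""
SAMPLE_PSK = "198.51.100.13 somep@ssw0rd\n203.0.113.246 somep@ssw0rd\n"
```

Run against the real files with `audit_racoon_conf(open("/usr/local/etc/racoon/racoon.conf").read())` and `weak_psks(parse_psk(open("/usr/local/etc/racoon/psk.txt").read()))`; an empty result from both is the goal.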

Interfaces

Now we need to set up the interfaces. I created a script that does the setup for us. Because we are tunneling between two NAT'd networks, we need to set up the routes between the two. We start racoon, destroy gif0 in case it is still hanging around from a stale startup, create it and set up the tunnel.

#!/bin/sh

# Inside network, tunnel endpoint and public address of the local (BSD) side
LOCAL_NETWORK=10.0.0.0/8
LOCAL_INSIDE=10.0.0.1
LOCAL_OUTSIDE=X.X.X.X

# Inside network, tunnel endpoint and public address of the remote (PIX) side
REMOTE_NETWORK=192.168.252.0/24
REMOTE_INSIDE=192.168.252.2
REMOTE_OUTSIDE=X.X.X.X

# Start the IKE daemon
/usr/local/etc/rc.d/racoon.sh start

# Recreate gif0 from scratch and bind it to the two public endpoints
/sbin/ifconfig gif0 destroy
/sbin/ifconfig gif0 create
/sbin/ifconfig gif0 tunnel ${LOCAL_OUTSIDE} ${REMOTE_OUTSIDE}
/sbin/ifconfig gif0 inet ${LOCAL_INSIDE} ${REMOTE_INSIDE} netmask 255.255.255.255

# Send traffic for the remote inside network over the tunnel
/sbin/route add -net ${REMOTE_NETWORK} ${REMOTE_INSIDE}

# Install the security policies: require ESP in tunnel mode in both directions
/usr/sbin/setkey -c << EOF
flush;
spdflush;
spdadd ${LOCAL_NETWORK} ${REMOTE_NETWORK} any -P out ipsec esp/tunnel/${LOCAL_OUTSIDE}-${REMOTE_OUTSIDE}/require;
spdadd ${REMOTE_NETWORK} ${LOCAL_NETWORK} any -P in  ipsec esp/tunnel/${REMOTE_OUTSIDE}-${LOCAL_OUTSIDE}/require;
EOF

IPF Firewall

Now, to make sure the correct packets get through to the tunnel, add the following to ipf.rules:

pass in on gif0 all
pass out on gif0 all

And even though these don't make sense, it was the only way I could get packets to move; IP is the address of the remote PIX:

pass in quick from IP to any
pass out quick from any to IP
pass in quick proto 17 from IP to any
pass in quick proto 50 from IP to any
pass in quick proto 51 from IP to any
pass in quick proto tcp from IP to any
pass in quick proto icmp from IP to any

Add the following to /etc/rc.conf

ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"

gif_interfaces="gif0 inet"
racoon_enable="YES"

Edit /etc/ipsec.conf to suit your needs. Here is an example:

flush;
spdflush;
spdadd BSDIP/32 PIXIP/32 ipencap -P out ipsec esp/tunnel/BSDIP-PIXIP/require;
spdadd PIXIP/32 BSDIP/32 ipencap -P in ipsec esp/tunnel/PIXIP-BSDIP/require;

Reboot, and you should have a working static VPN to those pesky PIX devices.
