Talking to a Cisco PIX Firewall

The original guide is found at http://thoughtstorm.net/howto/bsdtopix.

General Information

Okay, I wrestled with this for a few days; there is no real documentation that I could find on making an xBSD-based firewall talk VPN to a Cisco PIX. This setup is based on racoon, with ipfilter doing the firewalling. gif interface support should already be compiled into the kernel unless you specifically removed it.


Requirements

  1. A working xBSD installation
  2. racoon (from ports)
  3. ipfilter (other firewalling should be fine, just change the syntax for the rules)

Installation

To start, install racoon.

    # cd /usr/ports/security/racoon
    # make install clean

This builds and installs racoon, the IKE daemon we need to do the key exchange and set up the permanent connection.

It creates a directory called racoon in /usr/local/etc, along with a startup script at /usr/local/etc/rc.d/racoon.sh.

Configuration

Racoon

Open /usr/local/etc/racoon/racoon.conf in your text editor of choice.

Mine looks like this. It may vary slightly depending on which authentication method the PIX is using. I believe this configuration is standard for the Cisco site-to-site setup.

    path include "/usr/local/etc/racoon" ;
    path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
    log debug;

    padding
    {
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
    }

    timer
    {
        counter 5;              # maximum trying count to send.
        interval 30 sec;        # maximum interval to resend.
        persend 1;
        phase1 15 sec;
        phase2 15 sec;
    }

    remote anonymous
    {
        exchange_mode main;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address;
        nonce_size 16;
        lifetime time 23 hour;
        initial_contact on;
        support_mip6 on;
        proposal_check obey;    # obey, strict or claim
        proposal {
            encryption_algorithm 3des;
            hash_algorithm md5;
            authentication_method pre_shared_key ;
            dh_group 2 ;
        }
    }

    sainfo anonymous
    {
        pfs_group 1;
        lifetime time 3600 sec;
        encryption_algorithm 3des,des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate ;
    }

Notice the entry:

    path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

This tells racoon where to read the pre-shared key from. The file holds one peer per line, the peer's address followed by the key:

    PIXIPADDRESS SHAREDKEY
    BSDIPADDRESS SHAREDKEY

Example:

    66.94.234.13 somep@ssw0rd
    207.68.172.246 somep@ssw0rd
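Since psk.txt carries the secrets for the whole tunnel, it is worth checking it before racoon is started: it should be readable by its owner only, and every entry should have the two-field layout shown above. The following check is an added example, not part of the original guide; the function name check_psk_file and the sample file it builds are my own, and the key in the sample is a placeholder.

```sh
#!/bin/sh
# check_psk_file FILE
# Sanity-checks a racoon psk.txt before the daemon is started:
#   1. the file is readable by its owner only (it holds the pre-shared keys)
#   2. every non-blank, non-comment line is exactly "<peer IPv4 address> <key>"
# Returns 0 when both checks pass, 1 otherwise (the reason goes to stderr).
check_psk_file() {
    f=$1
    [ -f "$f" ] || { echo "$f: no such file" >&2; return 1; }
    # Columns 5-10 of 'ls -ld' are the group/other permission bits; ls is used
    # because stat(1) takes different flags on BSD and Linux.
    mode=$(ls -ld "$f" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "$f: readable by group/other, run chmod 600 on it" >&2
        return 1
    fi
    # Skip blank and '#' comment lines; anything else must be two fields with
    # a dotted-quad IPv4 address in the first one.
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        NF != 2 || $1 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { bad = NR }
        END { if (bad) { print FILENAME ": malformed entry on line " bad; exit 1 } }
    ' "$f" >&2
}

# Constructed sample in the layout the guide uses (placeholder key, not a real one)
sample=$(mktemp)
printf '66.94.234.13 somep@ssw0rd\n207.68.172.246 somep@ssw0rd\n' > "$sample"
chmod 600 "$sample"
check_psk_file "$sample" && echo "$sample: ok"
rm -f "$sample"
```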

Interfaces

Now we need to set up the interfaces. I created a script that does the setup for us. Because we are tunneling between two NAT'd networks, we need to set up the routes between the two. We start racoon, destroy gif0 in case it is still hanging around from a stale startup, create it, and set up the tunnel.

    #!/bin/sh

    LOCAL_NETWORK=10.0.0.0/8
    LOCAL_INSIDE=10.0.0.1
    LOCAL_OUTSIDE=X.X.X.X
    REMOTE_NETWORK=192.168.252.0/24
    REMOTE_INSIDE=192.168.252.2
    REMOTE_OUTSIDE=X.X.X.X

    # start the IKE daemon
    /usr/local/etc/rc.d/racoon.sh start

    # recreate the tunnel interface from scratch
    /sbin/ifconfig gif0 destroy
    /sbin/ifconfig gif0 create
    /sbin/ifconfig gif0 tunnel ${LOCAL_OUTSIDE} ${REMOTE_OUTSIDE}
    /sbin/ifconfig gif0 inet ${LOCAL_INSIDE} ${REMOTE_INSIDE} netmask 255.255.255.255

    # route the remote private network through the tunnel
    /sbin/route add -net ${REMOTE_NETWORK} ${REMOTE_INSIDE}

    # install the IPsec security policies: ESP tunnel mode, required in both directions
    /usr/sbin/setkey -c << EOF
    flush;
    spdflush;
    spdadd ${LOCAL_NETWORK} ${REMOTE_NETWORK} any -P out ipsec esp/tunnel/${LOCAL_OUTSIDE}-${REMOTE_OUTSIDE}/require;
    spdadd ${REMOTE_NETWORK} ${LOCAL_NETWORK} any -P in ipsec esp/tunnel/${REMOTE_OUTSIDE}-${LOCAL_OUTSIDE}/require;
    EOF

IPF Firewall

Now, to make sure the correct packets get through to the tunnel, add the following to ipf.rules:

    pass in on gif0 all
    pass out on gif0 all

and even though these don't make sense, it was the only way I could get packets to move; the IP is the remote PIX:

    pass in quick from IP to any
    pass out quick from any to IP
    pass in quick proto 17 from IP to any     # UDP (IKE)
    pass in quick proto 50 from IP to any     # ESP
    pass in quick proto 51 from IP to any     # AH
    pass in quick proto tcp from IP to any
    pass in quick proto icmp from IP to any

Add the following to /etc/rc.conf:

    ipsec_enable="YES"
    ipsec_file="/etc/ipsec.conf"
    gif_interfaces="gif0 inet"
    racoon_enable="YES"

Edit /etc/ipsec.conf to suit your needs.
