Talking to a Cisco PIX Firewall
Updated: 08/11/2005
General Information
Okay, I wrestled with this for a few days; there is no real documentation on making an xBSD-based firewall talk the

gif interface support should already be compiled into the kernel unless you specifically removed it.

Requirements
Installation
To start, install racoon from the ports tree:

# cd /usr/ports/security/racoon
# make install clean

The port installs its configuration directory under /usr/local/etc, called racoon, along with a startup script at /usr/local/etc/rc.d/racoon.sh.
Configuration
Racoon

Open /usr/local/etc/racoon/racoon.conf in your text editor of choice and set it up as follows:

path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
log debug;

padding {
    maximum_length 20;      # maximum padding length.
    randomize off;          # enable randomize length.
    strict_check off;       # enable strict check.
    exclusive_tail off;     # extract last one octet.
}

timer {
    counter 5;              # maximum trying count to send.
    interval 30 sec;        # maximum interval to resend.
    persend 1;
    phase1 15 sec;
    phase2 15 sec;
}

remote anonymous {
    exchange_mode main;
    doi ipsec_doi;
    situation identity_only;
    my_identifier address;
    nonce_size 16;
    lifetime time 23 hour;
    initial_contact on;
    support_mip6 on;
    proposal_check obey;    # obey, strict or claim
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}

sainfo anonymous {
    pfs_group 1;
    lifetime time 3600 sec;
    encryption_algorithm 3des,des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}

The pre-shared key file is named by this line:

path pre_shared_key "/usr/local/etc/racoon/psk.txt";

psk.txt holds one peer per line, the peer's address followed by the shared key (it holds secrets, so make it readable only by root). The format is:

PIXIPADDRESS SHAREDKEY
BSDIPADDRESS SHAREDKEY

For example:

66.94.234.13 somep@ssw0rd
207.68.172.246 somep@ssw0rd
Interfaces
Now we need to set up the interfaces. I created a script that does the setup for us. Because we are tunneling between two NAT'd networks, we need to set up the routes between the two. We start racoon, destroy gif0 in case it is still hanging around from a stale startup, create it and set up the tunnel.

#!/bin/sh
# Inside and outside addresses of both ends; X.X.X.X are the public endpoints.
LOCAL_NETWORK=10.0.0.0/8
LOCAL_INSIDE=10.0.0.1
LOCAL_OUTSIDE=X.X.X.X
REMOTE_NETWORK=192.168.252.0/24
REMOTE_INSIDE=192.168.252.2
REMOTE_OUTSIDE=X.X.X.X

/usr/local/etc/rc.d/racoon.sh start

# Recreate gif0 from scratch so a stale tunnel from an earlier run cannot linger.
/sbin/ifconfig gif0 destroy
/sbin/ifconfig gif0 create
/sbin/ifconfig gif0 tunnel ${LOCAL_OUTSIDE} ${REMOTE_OUTSIDE}
/sbin/ifconfig gif0 inet ${LOCAL_INSIDE} ${REMOTE_INSIDE} netmask 255.255.255.255

# Route the remote private network through the tunnel.
/sbin/route add -net ${REMOTE_NETWORK} ${REMOTE_INSIDE}

# Security policy: traffic between the two private networks must be ESP-tunneled
# between the outside addresses, in both directions.
/usr/sbin/setkey -c << EOF
flush;
spdflush;
spdadd ${LOCAL_NETWORK} ${REMOTE_NETWORK} any -P out ipsec esp/tunnel/${LOCAL_OUTSIDE}-${REMOTE_OUTSIDE}/require;
spdadd ${REMOTE_NETWORK} ${LOCAL_NETWORK} any -P in ipsec esp/tunnel/${REMOTE_OUTSIDE}-${LOCAL_OUTSIDE}/require;
EOF
IPF Firewall
Now, to make sure the correct packets get through to the tunnel, add the following to ipf.rules:

pass in on gif0 all
pass out on gif0 all

and, with IP replaced by the PIX's outside address, allow the IKE and IPsec traffic itself:

pass in quick from IP to any
pass out quick from any to IP
# proto 17 is UDP (IKE on port 500), 50 is ESP, 51 is AH
pass in quick proto 17 from IP to any
pass in quick proto 50 from IP to any
pass in quick proto 51 from IP to any
pass in quick proto tcp from IP to any
pass in quick proto icmp from IP to any
/etc/rc.conf
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
gif_interfaces="gif0 inet"
racoon_enable="YES"

Then edit /etc/ipsec.conf to suit your needs. Here is an example, where BSDIP and PIXIP are the two outside addresses:

flush;
spdflush;
spdadd BSDIP/32 PIXIP/32 ipencap -P out ipsec esp/tunnel/BSDIP-PIXIP/require;
# inbound direction: the mirror of the policy above
spdadd PIXIP/32 BSDIP/32 ipencap -P in ipsec esp/tunnel/PIXIP-BSDIP/require;
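Both setkey policy sets on this page (the one in the interface script and the one in /etc/ipsec.conf) only protect the tunnel when each outbound "-P out ... require" policy has an inbound mirror with the hosts and tunnel endpoints swapped; if the "-P in" policy is missing, the kernel has no rule requiring ESP on inbound packets for that flow. The following is an added example, not code from the original page: a small Python checker that parses spdadd lines of the esp/tunnel form used here and reports unpaired or non-mandatory policies. Its sample inputs are constructed from the page's ipsec.conf, with BSDIP and PIXIP standing in for the real addresses; policies in other forms (transport mode, AH) are not parsed.

```python
import re

# setkey(8) spdadd lines in the form this page uses; other policy forms are skipped:
#   spdadd SRC DST UPPERSPEC -P DIR ipsec esp/tunnel/TSRC-TDST/LEVEL;
SPDADD_RE = re.compile(
    r"spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+(?P<dir>in|out)\s+"
    r"ipsec\s+esp/tunnel/(?P<tsrc>[^\s-]+)-(?P<tdst>[^\s/]+)/(?P<level>\w+)\s*;"
)

# Constructed sample: the page's /etc/ipsec.conf with both lines saying "-P out".
AS_PUBLISHED = """flush;
spdflush;
spdadd BSDIP/32 PIXIP/32 ipencap -P out ipsec esp/tunnel/BSDIP-PIXIP/require;
spdadd PIXIP/32 BSDIP/32 ipencap -P out ipsec esp/tunnel/PIXIP-BSDIP/require;
"""

# Constructed sample: the same file with the second policy made the inbound mirror of the first.
CORRECTED = AS_PUBLISHED.replace(
    "spdadd PIXIP/32 BSDIP/32 ipencap -P out", "spdadd PIXIP/32 BSDIP/32 ipencap -P in"
)

def parse_policies(text):
    """One dict per matching spdadd line; flush and spdflush lines are ignored."""
    return [m.groupdict() for m in SPDADD_RE.finditer(text)]

def mirror_of(policy):
    """The counterpart a policy needs: opposite direction, hosts and tunnel endpoints swapped."""
    return {
        "src": policy["dst"], "dst": policy["src"], "proto": policy["proto"],
        "dir": "in" if policy["dir"] == "out" else "out",
        "tsrc": policy["tdst"], "tdst": policy["tsrc"], "level": policy["level"],
    }

def check_policies(text):
    """Return a list of problems; an empty list means every policy is mandatory and paired."""
    policies = parse_policies(text)
    problems = []
    for p in policies:
        desc = f"{p['dir']} {p['src']} -> {p['dst']} ({p['proto']})"
        if p["level"] != "require":
            problems.append(f"{desc}: level '{p['level']}' does not force ESP; use 'require'")
        if mirror_of(p) not in policies:
            problems.append(f"{desc}: no matching {mirror_of(p)['dir']} policy for the reverse flow")
    return problems

if __name__ == "__main__":
    for name, conf in (("as published", AS_PUBLISHED), ("corrected", CORRECTED)):
        print(name + ":", check_policies(conf) or ["ok"])
```

Run against the published file it reports two unpaired policies; against the corrected file it reports nothing.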
Author: Donald Talton
donald at thoughtstorm dot net