Setting up a VPN between OpenBSD 4.5 and Cisco PIX

The original of this HOWTO was here: OpenBSD – PIX ISAKMP VPN

Setting up an ISAKMP VPN tunnel between OpenBSD 4.5 and Cisco Pix

Configuration:

  Site A:

    OpenBSD 4.5
    Internal Network: 192.168.0.0/24
    External IP: 1.1.1.1

  Site B:

    Cisco Pix 6.1
    Internal Network: 10.0.0.0/8
    External IP: 2.2.2.2

  VPN parameters:

    Shared Secret: theSecret
    Encryption Algorithm: 3DES
    Hash Algorithm: SHA
    Diffie-Hellman Group: 2 (1024-bit)

========================================================================

Pix Configuration:

access-list to_siteA permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0

access-list no_nat   permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0

sysopt connection permit-ipsec

crypto ipsec transform-set myset esp-3des esp-sha-hmac

crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address to_siteA
crypto map newmap 10 set peer 1.1.1.1
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside

isakmp enable outside
isakmp key theSecret address 1.1.1.1 netmask 255.255.255.255
isakmp identity address

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000

========================================================================

OpenBSD config:

/etc/ipf.rules

# Adjust for your particular packet filtering setup and NIC
pass   in  quick on ep0 proto esp from any to 1.1.1.1
pass   in  quick on ep0 proto udp from any to 1.1.1.1 port = 500

/etc/isakmpd/isakmpd.conf

[General]
Retransmits=			5
Exchange-max-time=		120
Listen-on=			1.1.1.1
Default-Phase2-Lifetime=        3600,80:86400

[Phase 1]
2.2.2.2=			SiteBPix

[Phase 2]
Connections=			SiteA-SiteB-10

[SiteBPix]
Phase=				1
Transport=			udp
Local-address=			1.1.1.1
Address=			2.2.2.2
Configuration=			Default-main-mode
Authentication=			theSecret

[SiteA-SiteB-10]
Phase=				2
ISAKMP-peer=			SiteBPix
Configuration=			Default-quick-mode
Local-ID=			Net-SiteA
Remote-ID=			Net-SiteB-10

[Net-SiteA]
ID-type=			IPV4_ADDR_SUBNET
Network=			192.168.0.0
Netmask=			255.255.255.0

[Net-SiteB-10]
ID-type=			IPV4_ADDR_SUBNET
Network=			10.0.0.0
Netmask=			255.0.0.0

[Default-main-mode]
DOI=				IPSEC
EXCHANGE_TYPE=			ID_PROT
Transforms=			3DES-SHA

[Default-quick-mode]
DOI=				IPSEC
EXCHANGE_TYPE=			QUICK_MODE
Suites=				QM-ESP-3DES-SHA-PFS-SUITE

[3DES-SHA]
GROUP_DESCRIPTION=		MODP_1024

[QM-ESP-3DES-SHA-PFS-SUITE]
GROUP_DESCRIPTION=		MODP_1024

/etc/isakmpd/isakmpd.policy

KeyNote-Version: 2
Authorizer: "POLICY"
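As an added example (not part of the original HOWTO), here is a small Python checker that reads both sides' configuration and reports the mismatches this kind of setup most often fails on: an isakmpd.conf section that is referenced but never defined in the file (or defined but never referenced), a [Phase 1] peer map that does not point at the peer section, PIX "set peer" and pre-shared-key addresses that differ from the OpenBSD Local-address, and a PIX access-list that is not the mirror image of the isakmpd Local-ID/Remote-ID networks. The inline config strings are constructed from the values on this page; the [DES-SHA] section name is deliberately mis-typed in the sample so the reference check has something to report. All function names are mine, not isakmpd's or the PIX's.

```python
import ipaddress
import re

# Constructed sample inputs (values from the HOWTO above). [DES-SHA] is
# mis-named on purpose so the reference check has something to report.
PIX_CONF = """\
access-list to_siteA permit ip 10.0.0.0 255.0.0.0 192.168.0.0 255.255.255.0
crypto map newmap 10 set peer 1.1.1.1
isakmp key theSecret address 1.1.1.1 netmask 255.255.255.255
"""
ISAKMPD_CONF = """\
[Phase 1]
2.2.2.2=SiteBPix
[Phase 2]
Connections=SiteA-SiteB-10
[SiteBPix]
Local-address=1.1.1.1
Address=2.2.2.2
Configuration=Default-main-mode
[SiteA-SiteB-10]
ISAKMP-peer=SiteBPix
Configuration=Default-quick-mode
Local-ID=Net-SiteA
Remote-ID=Net-SiteB-10
[Net-SiteA]
Network=192.168.0.0
Netmask=255.255.255.0
[Net-SiteB-10]
Network=10.0.0.0
Netmask=255.0.0.0
[Default-main-mode]
Transforms=3DES-SHA
[Default-quick-mode]
Suites=QM-ESP-3DES-SHA-PFS-SUITE
[DES-SHA]
GROUP_DESCRIPTION=MODP_1024
[QM-ESP-3DES-SHA-PFS-SUITE]
GROUP_DESCRIPTION=MODP_1024
"""
# isakmpd.conf keys whose values name other sections (comma-separated lists allowed).
REF_KEYS = {"Connections", "ISAKMP-peer", "Configuration", "Local-ID", "Remote-ID", "Transforms", "Suites"}

def parse_isakmpd(text):
    """isakmpd.conf -> {section: {key: value}}; tabs/spaces around '=' are ignored."""
    sections, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            sections[cur] = {}
        elif "=" in line and cur is not None and not line.startswith("#"):
            key, val = line.split("=", 1)
            sections[cur][key.strip()] = val.strip()
    return sections

def check_references(sections):
    """Return (names referenced but not defined in this file, sections defined but never used)."""
    # isakmpd has built-in defaults for common transform/suite names, so the first list
    # needs a human eye; a near-duplicate of it in the second list usually means a typo.
    referenced = set()
    for body in sections.values():
        for key, val in body.items():
            if key in REF_KEYS:
                referenced.update(x.strip() for x in val.split(","))
    defined = set(sections) - {"General", "Phase 1", "Phase 2"}
    return sorted(referenced - defined), sorted(defined - referenced)

def parse_pix(text):
    """Pull out the PIX settings that must agree with the OpenBSD side."""
    pix = {"acl": [], "peer": None, "key_addr": None}
    for line in text.splitlines():
        if m := re.match(r"access-list \S+ permit ip (\S+) (\S+) (\S+) (\S+)", line):
            pix["acl"].append((ipaddress.ip_network(f"{m[1]}/{m[2]}"), ipaddress.ip_network(f"{m[3]}/{m[4]}")))
        elif m := re.match(r"crypto map \S+ \d+ set peer (\S+)", line):
            pix["peer"] = m[1]
        elif m := re.match(r"isakmp key \S+ address (\S+)", line):
            pix["key_addr"] = m[1]
    return pix

def check_peering(sections, pix):
    """Compare peer addresses and traffic selectors across the two configs."""
    problems = []
    conn = sections["Phase 2"]["Connections"].split(",")[0].strip()
    peer_name = sections[conn]["ISAKMP-peer"]
    peer = sections[peer_name]
    loc, rem = sections[sections[conn]["Local-ID"]], sections[sections[conn]["Remote-ID"]]
    bsd_local = ipaddress.ip_network(f"{loc['Network']}/{loc['Netmask']}")
    bsd_remote = ipaddress.ip_network(f"{rem['Network']}/{rem['Netmask']}")
    if sections["Phase 1"].get(peer["Address"]) != peer_name:
        problems.append(f"[Phase 1] does not map {peer['Address']} to {peer_name}")
    for what, addr in (("'set peer'", pix["peer"]), ("isakmp key address", pix["key_addr"])):
        if addr != peer["Local-address"]:
            problems.append(f"PIX {what} {addr} != OpenBSD Local-address {peer['Local-address']}")
    # The PIX ACL is written from the PIX's side, so it must be the mirror image.
    if (bsd_remote, bsd_local) not in pix["acl"]:
        problems.append(f"no PIX ACL line mirrors the selector {bsd_local} <-> {bsd_remote}")
    return problems

def run_checks(isakmpd_text=ISAKMPD_CONF, pix_text=PIX_CONF):
    """Run every check; an empty list means that check passed."""
    sections = parse_isakmpd(isakmpd_text)
    not_defined_here, unreferenced = check_references(sections)
    return {"not_defined_here": not_defined_here, "unreferenced": unreferenced,
            "peering": check_peering(sections, parse_pix(pix_text))}

if __name__ == "__main__":
    for check, result in run_checks().items():
        print(f"{check}: {result or 'ok'}")
```

Run against the sample it reports `3DES-SHA` as referenced but not defined here and `DES-SHA` as defined but unused, which together point straight at the mis-typed section name; renaming the section clears both lists. The peering check passes for the page's values and starts reporting as soon as the PIX peer address or the access-list direction is changed, which is the quickest way to see that the PIX access-list is written from the PIX's point of view while the isakmpd Local-ID/Remote-ID pair is written from the OpenBSD side.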
