Re: VPN
On Sun, 2003-05-04 at 06:08, Ron Johnson wrote:
> On Sat, 2003-05-03 at 20:58, Mark Roach wrote:
> > On Sat, 2003-05-03 at 07:49, Håvard Stranden wrote:
> > > On Sat, May 03, 2003 at 10:39:39AM +0200, Christian Schoenebeck wrote:
> > > > Hi!
> > > >
> > > > I'm still wondering how far VPN is a standard, because I need a Linux
> > > > replacement for a Cisco VPN client, which is AFAIK only available for
> > > > Windows anyway. So, is there a compatible client I can use?
> > > >
> > > No, the Cisco VPN client is also available for Linux. As far as I know,
> > > unfortunately there's no client you can use to replace it. You have to
> > > use the Cisco VPN client on a Cisco VPN.
> >
> > Nope, I have several debian/freeswan systems acting as LAN-to-LAN IPsec
> > gateways with a Cisco VPN Concentrator. I have given some info on the
> > subject on this list in the past, but if it is useful, and someone is
> > willing to host it somewhere, I can make a mini-howto on the subject.
>
> How about giving it to tldp.org? They'll host it for free...
I guess I can ask them; my thinking was that the howto will likely be
pretty Debian-centric, and I'm not sure if that is a problem for the
tldp.org folks.
I will get started on this and let you all take a look probably in the
first half of this week. In the meantime, here is some info on the
subject that I sent to someone else a while back...
ipsec.conf:
------------------------------------------------------
config setup
        # THIS SETTING MUST BE CORRECT or almost nothing will work;
        # %defaultroute is okay for most simple cases.
        interfaces=%defaultroute
        #interfaces="ipsec0=ppp0"
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        klipsdebug=none
        plutodebug=none
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search
        plutostart=%search
        # Close down old connection when new one using same ID shows up.
        uniqueids=yes

conn UHG-Cisco
        keyingtries=0
        authby=secret
        # Left security gateway, subnet behind it, next hop toward right.
        left=66.237.226.250
        leftsubnet=10.13.0.0/16
        leftnexthop=66.237.226.241
        # Right security gateway, subnet behind it, next hop toward left.
        right=68.17.114.243
        rightsubnet=10.13.7.64/27
        rightnexthop=66.20.107.1
        keylife=8h
        lifetime=8h
        auto=start
ipsec.secrets:
----------------------------------------------
hah, just kidding ;-)
Then on the Cisco side, on the concentrator, I set up a LAN-to-LAN
connection like so:
Name                      [MyConnection]                          Enter the name for this LAN-to-LAN connection.
Interface                 [Ethernet 2 (Public) (66.237.226.250)]  Select the interface for this LAN-to-LAN connection.
Peer                      [68.17.114.243]                         Enter the IP address of the remote peer for this LAN-to-LAN connection.
Digital Certificate       [None (Use Preshared Keys)]             Select the digital certificate to use.
Certificate Transmission  (*) Entire certificate chain            Choose how to send the digital certificate to the IKE peer.
                          ( ) Identity certificate only
Preshared Key             [my little secret]                      Enter the preshared key for this LAN-to-LAN connection.
Authentication            [ESP/MD5/HMAC-128]                      Specify the packet authentication mechanism to use.
Encryption                [3DES-168]                              Specify the encryption mechanism to use.
IKE Proposal              [FreeSwan]                              Select the IKE Proposal to use for this LAN-to-LAN connection.
Filter                    [--None--]                              Choose the filter to apply to the traffic that is tunneled through this LAN-to-LAN connection.
IPSec NAT-T               [checkbox]                              Check to let NAT-T compatible IPSec peers establish this LAN-to-LAN connection through a NAT device. You must also enable IPSec over NAT-T under NAT Transparency.
Bandwidth Policy          [---None---]                            Choose the bandwidth policy to apply to this LAN-to-LAN connection.
Routing                   [None]                                  Choose the routing mechanism to use. Parameters below are ignored if Network Autodiscovery is chosen.
===============================================================================
Local Network: If a LAN-to-LAN NAT rule is used, this is the Translated Network address.
Network List              [Use IP Address/Wildcard-mask below]    Specify the local network address list or the IP address and wildcard mask for this LAN-to-LAN connection.
IP Address                [10.13.0.0]
Wildcard Mask             [0.0.255.255]                           Note: Enter a wildcard mask, which is the reverse of a subnet mask. A wildcard mask has 1s in bit positions to ignore, 0s in bit positions to match. For example, 10.10.1.0/0.0.0.255 = all 10.10.1.nnn addresses.
===============================================================================
Remote Network: If a LAN-to-LAN NAT rule is used, this is the Remote Network address.
Network List              [Use IP Address/Wildcard-mask below]    Specify the remote network address list or the IP address and wildcard mask for this LAN-to-LAN connection.
IP Address                [10.13.7.64]
Wildcard Mask             [0.0.0.31]                              (Same wildcard-mask convention as for the local network above.)

Then the FreeSwan IKE Proposal:
Modify a configured IKE Proposal.
Proposal Name             FreeSwan                                Specify the name of this IKE Proposal.
Authentication Mode       [Preshared Keys]                        Select the authentication mode to use.
Authentication Algorithm  [MD5/HMAC-128]                          Select the packet authentication algorithm to use.
Encryption Algorithm      [3DES-168]                              Select the encryption algorithm to use.
Diffie-Hellman Group      [Group 2 (1024-bits)]                   Select the Diffie-Hellman Group to use.
Lifetime Measurement      [Time]                                  Select the lifetime measurement of the IKE keys.
Data Lifetime             10000                                   Specify the data lifetime in kilobytes (KB).
Time Lifetime             28800                                   Specify the time lifetime in seconds.

And, finally, the L2L: MyConnection Security Association:
Modify a configured Security Association.
SA Name                   L2L: MyConnection                       Specify the name of this Security Association (SA).
Inheritance               [From Rule]                             Select the granularity of this SA.
________________________________________________________________________________________________
IPSec Parameters
Authentication Algorithm  [ESP/MD5/HMAC-128]                      Select the packet authentication algorithm to use.
Encryption Algorithm      [3DES-168]                              Select the ESP encryption algorithm to use.
Encapsulation Mode        [Tunnel]                                Select the Encapsulation Mode for this SA.
Perfect Forward Secrecy   [Group 2 (1024-bits)]                   Select the use of Perfect Forward Secrecy.
Lifetime Measurement      [Time]                                  Select the lifetime measurement of the IPSec keys.
Data Lifetime             10000                                   Specify the data lifetime in kilobytes (KB).
Time Lifetime             28800                                   Specify the time lifetime in seconds.
________________________________________________________________________________________________
IKE Parameters
IKE Peer                  68.17.114.243                           Specify the IKE Peer for a LAN-to-LAN IPSec connection.
Negotiation Mode          [Main]                                  Select the IKE Negotiation mode to use.
Digital Certificate       [None (Use Preshared Keys)]             Select the Digital Certificate to use.
Certificate Transmission  (*) Entire certificate chain            Choose how to send the digital certificate to the IKE peer.
                          ( ) Identity certificate only
IKE Proposal              [FreeSwan]                              Select the IKE Proposal to use as IKE initiator.
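The two halves of the setup above have to agree exactly or the tunnel silently fails to come up: the concentrator's Local/Remote networks (given as address plus wildcard mask) must equal the FreeS/WAN leftsubnet/rightsubnet, its Peer must be the FreeS/WAN gateway, and the SA time lifetime (28800 s) must match keylife (8h). In this thread the concentrator is the "left" side (its public interface is 66.237.226.250), so its Local Network corresponds to leftsubnet and its Remote Network to rightsubnet. The script below is an added example, not code from the post or from FreeS/WAN or Cisco; it parses a copy of the conn stanza, converts the Cisco wildcard masks to CIDR (rejecting non-contiguous masks), and reports every mismatch. The CONCENTRATOR dict is a constructed summary of the screens shown above, and the assumption that a missing keylife means FreeS/WAN's documented 8h default is noted in a comment. It does not touch ipsec.secrets, which the post leaves out on purpose. Note also that 3DES, HMAC-MD5 and DH group 2 were the interoperable choices in 2003; they are legacy settings today.

```python
import ipaddress
import re

# Constructed copy of the conn stanza from the post (indentation restored).
IPSEC_CONF = """\
conn UHG-Cisco
        keyingtries=0
        authby=secret
        left=66.237.226.250
        leftsubnet=10.13.0.0/16
        leftnexthop=66.237.226.241
        right=68.17.114.243
        rightsubnet=10.13.7.64/27
        rightnexthop=66.20.107.1
        keylife=8h
        auto=start
"""

# Constructed summary of the concentrator's LAN-to-LAN and SA screens in the post.
CONCENTRATOR = {
    "interface": "66.237.226.250",              # public interface = FreeS/WAN "left"
    "peer": "68.17.114.243",                    # IKE peer = FreeS/WAN "right"
    "auth": "None (Use Preshared Keys)",
    "local_net": ("10.13.0.0", "0.0.255.255"),  # IP address, wildcard mask
    "remote_net": ("10.13.7.64", "0.0.0.31"),
    "ipsec_time_lifetime": 28800,               # SA time lifetime, seconds
}

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_conn(text, name):
    """Return the key=value parameters of conn NAME from an ipsec.conf body.

    Parameter lines are the indented lines following 'conn NAME'; the section
    ends at the next non-indented line.
    """
    params, inside = {}, False
    for line in text.splitlines():
        head = re.match(r"^conn\s+(\S+)\s*$", line)
        if head:
            inside = head.group(1) == name
            continue
        if not line[:1].isspace():
            inside = False
            continue
        kv = re.match(r"^\s+(\w+)\s*=\s*(\S+)", line)
        if inside and kv:
            params[kv.group(1)] = kv.group(2)
    return params


def duration_seconds(value):
    """FreeS/WAN time values: an integer with an optional s/m/h/d suffix."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    if not m:
        raise ValueError(f"bad duration {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2) or "s"]


def wildcard_to_network(addr, wildcard):
    """Convert a Cisco wildcard mask (1 bits = ignore) to an ip_network.

    Inverting the wildcard gives a netmask; ip_network(strict=True) raises
    ValueError for a non-contiguous mask or for host bits set in the address.
    """
    netmask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=True)


def cross_check(conn, cisco):
    """Return a list of mismatch descriptions; an empty list means both sides agree."""
    problems = []

    def expect(label, ours, theirs):
        if ours != theirs:
            problems.append(f"{label}: FreeS/WAN {ours} vs concentrator {theirs}")

    expect("gateway", conn["left"], cisco["interface"])
    expect("peer", conn["right"], cisco["peer"])
    expect("local subnet", ipaddress.ip_network(conn["leftsubnet"]),
           wildcard_to_network(*cisco["local_net"]))
    expect("remote subnet", ipaddress.ip_network(conn["rightsubnet"]),
           wildcard_to_network(*cisco["remote_net"]))
    # Assumption: an absent keylife means FreeS/WAN's documented default of 8h.
    expect("IPsec SA lifetime (s)", duration_seconds(conn.get("keylife", "8h")),
           cisco["ipsec_time_lifetime"])
    ours = "PSK" if conn.get("authby") == "secret" else conn.get("authby")
    theirs = "PSK" if "Preshared" in cisco["auth"] else cisco["auth"]
    expect("authentication", ours, theirs)
    return problems


if __name__ == "__main__":
    issues = cross_check(parse_conn(IPSEC_CONF, "UHG-Cisco"), CONCENTRATOR)
    print("OK: both sides agree" if not issues else "\n".join(issues))
```

Run it before bringing the tunnel up; a non-empty report names the field to fix on one side. It checks addresses, subnets, lifetimes and authentication type only; cipher, hash and DH-group agreement still has to be confirmed against the FreeS/WAN proposal (the post's conn relies on FreeS/WAN's defaults for those).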
References:
- VPN, from Christian Schoenebeck <christian.schoenebeck@epost.de>
- Re: VPN, from Håvard Stranden <havarden@cloudchaser.net>
- Re: VPN, from Mark Roach <mrroach@okmaybe.com>
- Re: VPN, from Ron Johnson <ron.l.johnson@cox.net>