FreeBSD to Cisco PIX
Had been trying to somehow build a site-to-site VPN tunnel with something on the remote end and a Cisco PIX on the main end. Didn't quite work out with Linux -- and it's a little unclear why, my guess being that Openswan or FreeS/WAN didn't really take to single DES, and even though they COULD have supported it, they had moral objections to trying to do a lot with a bit of weak hardware ;-)
At any rate, with a Pentium I-233 Compaq Presario, I threw in a Realtek 8139A NIC -- you don't need much, as it was just a T1, and 10 Mbps should be more than adequate for that purpose.
Installing FreeBSD was a matter of downloading the .iso from their website, and booting from the CD generated thereby. As I recall, the installation was fairly straightforward, and I just had the installer auto-generate the partitions, and didn't have it install a graphical user interface.
Now, as I progressed on my path, I noticed several obstacles in the way, most notably the kernel: FreeBSD doesn't come standard with IPsec (not without reason, I suppose, but frustrating for my goal). You have to build a new kernel to include it; here are the steps I took:
(1) The directions here (http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-building.html) tell you how to recompile the kernel. It's very straightforward.
(2) When you make your kernel configuration file, add these options:
options IPSEC # IPsec support
options IPSEC_ESP # ESP (the encrypted payload)
options IPSEC_DEBUG # debugging, because you know it ain't gonna work right the first time
(3) Build and install the new kernel, and reboot.
***Update***
When you go to install racoon from /usr/ports/security/racoon and run make install clean, the port will complain that a newer version exists and refuse to build. To tell it to knock it off, edit the Makefile (I use nano) and comment out the BROKEN check like so:
#.if ...
#BROKEN= ...
#.endif
Once you've got your new kernel up, it's time to start making some tunnels. Take a look at these two websites:
http://www.bsdguides.org/guides/freebsd/networking/vpn_pix.php
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html
Of note in those pages is the need to chmod 600 your psk.txt file -- racoon won't work otherwise.
The general idea is this:
(1) Install racoon. Racoon is the daemon that handles the key exchange (IKE) between the PIX and your FreeBSD box.
(2) Set up the virtual interface (gif0) that will carry the traffic between the two sites (taken from that FreeBSD page):
gifconfig gif0 A.B.C.D W.X.Y.Z [where A.B.C.D and W.X.Y.Z are the external interfaces]
ifconfig gif0 inet 192.168.1.1 192.168.2.1 netmask 0xffffffff
(3) Set up racoon. Several steps are needed:
(3a) Edit the racoon.conf file. The bsdguides link above is a perfect example of how to set up racoon.conf.
(3b) Edit the psk.txt file. This holds the pre-shared key, which is what keeps the whole world from tunnelling into your box. The format is simple: one line with the peer's IP address and the pre-shared key.
(3c) Set up an /etc/ipsec.conf file. Generically, this is how it's done:
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;
spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P in ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;
(3d) Add these key lines to your /etc/rc.conf file:
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
racoon_enable="YES"
(4) You should be all set, at least with regards to setting up the PIX / BSD connection. You can toy around with the firewalling, and maybe even NAT, although I haven't been having quite the same amount of success with the NAT (to allow people from behind the BSD to get out) -- since it always seems to NAT out to the world but not allow anyone to route beyond the PIX -- but that's for another post.
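As an added example (my own script, not code from the original post or from the FreeBSD handbook), here is a small sh script that generates the (3c) policy pair from the two endpoint addresses, checks psk.txt the way (3b) and the chmod 600 note require, and, when run as root with `up` on the FreeBSD box, brings gif0 up and loads the SPD with setkey. It goes slightly beyond the text: it uses the `ifconfig gif0 tunnel` form, which is what newer FreeBSD releases have in place of gifconfig. The addresses are constructed placeholders from the documentation ranges, and the psk.txt path is assumed to be the racoon port's default.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the two spdadd
# policies for the gif/ESP tunnel, checks psk.txt, and (with "up") brings
# gif0 up and loads the SPD. Addresses are constructed placeholders.
LOCAL_EXT="${LOCAL_EXT:-203.0.113.10}"     # A.B.C.D, this box's external IP
REMOTE_EXT="${REMOTE_EXT:-198.51.100.20}"  # W.X.Y.Z, the PIX outside IP
PSK_FILE="${PSK_FILE:-/usr/local/etc/racoon/psk.txt}"  # assumed port default

# Print the /etc/ipsec.conf policy pair from step (3c): gif (ipencap) traffic
# between the two external addresses must go through ESP in tunnel mode.
gen_ipsec_conf() {
    printf 'spdadd %s/32 %s/32 ipencap -P out ipsec esp/tunnel/%s-%s/require;\n' \
        "$1" "$2" "$1" "$2"
    printf 'spdadd %s/32 %s/32 ipencap -P in ipsec esp/tunnel/%s-%s/require;\n' \
        "$2" "$1" "$2" "$1"
}

# Check a psk.txt before racoon sees it: mode must be 0600 (racoon won't use
# it otherwise) and there must be exactly one "<peer-ip> <key>" line for the
# PIX. Returns 0 when both hold; prints the reason to stderr otherwise.
check_psk() {
    f="$1"; peer="$2"
    [ -f "$f" ] || { echo "psk: $f missing" >&2; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "psk: $f is $mode, want -rw------- (0600)" >&2; return 1; }
    n=$(awk -v p="$peer" '$1 !~ /^#/ && $1 == p { c++ } END { print c + 0 }' "$f")
    [ "$n" = "1" ] || { echo "psk: want one entry for $peer, found $n" >&2; return 1; }
}

# Steps (2) and (3c) as commands, for a root shell on the FreeBSD box with the
# IPSEC kernel. Newer releases have no gifconfig; "ifconfig gif0 tunnel" is
# the equivalent of "gifconfig gif0 A.B.C.D W.X.Y.Z".
bring_up() {
    check_psk "$PSK_FILE" "$REMOTE_EXT" || return 1
    ifconfig gif0 create 2>/dev/null || true   # no-op where gif0 already exists
    ifconfig gif0 tunnel "$LOCAL_EXT" "$REMOTE_EXT"
    ifconfig gif0 inet 192.168.1.1 192.168.2.1 netmask 0xffffffff
    gen_ipsec_conf "$LOCAL_EXT" "$REMOTE_EXT" | setkey -c   # load the SPD
    setkey -DP    # show the policies; "setkey -D" shows SAs once racoon negotiates
}

case "${1:-}" in
    up)   bring_up ;;
    conf) gen_ipsec_conf "$LOCAL_EXT" "$REMOTE_EXT" ;;
    *)    echo "usage: $0 up|conf" >&2 ;;
esac
```

Run `sh tunnel.sh conf > /etc/ipsec.conf` once to write the policy file for rc.conf to load, and `sh tunnel.sh up` to bring the tunnel up by hand while debugging.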
Other notes to myself:
I found that in the racoon.conf file, it's best to leave out just about everything you don't need -- especially the "listen" directive, which seemed to ALWAYS screw up when I tried to limit it to just the one NIC that I needed...
And let's not forget kooky network losses; you can use this doc to help configure the network: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/config-network-setup.html or use the sysinstall program to help out with it. It doesn't always retain the settings, but it's alright.