I have a similar setup from my home (FreeBSD) to my work (PIX-515).
10/8 is my work, 192.168.X.0/24 is my home. This setup will give you a 3DES encrypted tunnel with a pre-shared key.
Your PIX will need these config lines (adjust to match your networks):

access-list ipsec-ok-list permit ip 10.0.0.0 255.0.0.0 192.168.X.0 255.255.255.0 # This defines what traffic will apply to the ipsec tunnel (PIX-side network first, remote network second)
access-list nat-bypass-list permit ip 10.0.0.0 255.0.0.0 192.168.X.0 255.255.255.0 # You will need this along with the nat (inside) 0 line
access-list nat-bypass-list permit ip # Don't know if I need this line
global (outside) 1 (PIX Outside Hide IP)
nat (inside) 0 access-list nat-bypass-list # I think I had to add this to not nat connections from inside the PIX to my Home LAN - other direction works fine (the ACL name must match the access-list above)
nat (inside) 1 0 0 # Don't forget to move the default of what gets hidden to after what doesn't get hidden
# below is the ipsec setup
# trans-set is the definition of what kind of encryption we will be doing
# ipsec-map is the ipsec tunnel definition
# ipsec-ok-list is the traffic ok over the tunnel
crypto ipsec transform-set trans-set esp-3des
crypto map ipsec-map 20 ipsec-isakmp
crypto map ipsec-map 20 match address ipsec-ok-list
crypto map ipsec-map 20 set pfs group2
crypto map ipsec-map 20 set peer (BSD Outside IP)
crypto map ipsec-map 20 set transform-set trans-set
crypto map ipsec-map interface outside
isakmp enable outside
# keys are 10 alphanums long
isakmp key putkeyhere address (BSD Outside IP) netmask 255.255.255.255
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600

IPsec SPDs using setkey (source first, destination second; the BSD box is at home, so outbound is home to work):
spdadd 192.168.X.0/24 10.0.0.0/8 any -P out ipsec esp/tunnel/(BSD Outside IP)-(PIX Outside IP - not hide IP)/require;
spdadd 10.0.0.0/8 192.168.X.0/24 any -P in ipsec esp/tunnel/(PIX Outside IP - not hide IP)-(BSD Outside IP)/require;

Racoon's configs:
# begin racoon.conf
path include "/usr/local/etc/racoon";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";
path certificate "/etc/ssh";

padding {
       maximum_length 20;      # maximum padding length.
       randomize off;          # enable randomize length.
       strict_check off;       # enable strict check.
       exclusive_tail off;     # extract last one octet.
}

listen {
       isakmp (Outside BSD IP Goes Here);
}

timer {
       # These values can be changed per remote node.
       counter 5;              # maximum trying count to send.
       interval 20 sec;        # maximum interval to resend.
       persend 1;              # the number of packets per send.

       # timer for waiting to complete each phase.
       phase1 30 sec;
       phase2 15 sec;
}

remote (PIX Outside IP Goes Here - not Hide IP) {
       exchange_mode main;
       proposal {
               encryption_algorithm 3des;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group 2;
       }
}

sainfo anonymous {
       pfs_group 2;
       encryption_algorithm 3des;
       authentication_algorithm hmac_sha1,non_auth; # don't think you will need hmac_sha1
       compression_algorithm deflate;
}
# End racoon.conf

# begin psk.txt
(PIX Outside IP Goes Here - not Hide IP)    putkeyhere
# end psk.txt

IPFW: Put these above any natd diverts - adjust as needed:
allow ip from 192.168.X.0/24 to 10.0.0.0/8
allow ip from 10.0.0.0/8 to 192.168.X.0/24

Well - Good luck
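The usual reason a PIX-to-racoon tunnel never comes up is that the two sides propose different phase 1 or phase 2 parameters (cipher, hash, DH group, PFS group) or hold different pre-shared keys, and each vendor spells the same setting differently ("sha" vs "sha1", "group2" vs "2", "pre-share" vs "pre_shared_key"). The following Python script is an added example, not part of the post above or of any Cisco or racoon tooling: it parses the relevant lines of a PIX config, a racoon.conf and a psk.txt, normalises the vocabularies, and reports every mismatch. The three excerpts it checks are constructed from the settings in the post, with RFC 5737 documentation addresses (203.0.113.10 for the BSD side, 198.51.100.1 for the PIX) standing in for the real endpoints.

```python
# Added example (not from the post): check that a PIX and a racoon configuration
# propose compatible IKE phase 1 / IPsec phase 2 parameters and the same pre-shared key.
# The three excerpts below are constructed from the settings in the post, with
# RFC 5737 documentation addresses standing in for the real endpoint IPs.
PIX_CONFIG = """\
crypto ipsec transform-set trans-set esp-3des
crypto map ipsec-map 20 ipsec-isakmp
crypto map ipsec-map 20 match address ipsec-ok-list
crypto map ipsec-map 20 set pfs group2
crypto map ipsec-map 20 set peer 203.0.113.10
crypto map ipsec-map 20 set transform-set trans-set
isakmp key putkeyhere address 203.0.113.10 netmask 255.255.255.255
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 3600
"""

RACOON_CONF = """\
remote 198.51.100.1 {
    exchange_mode main;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo anonymous {
    pfs_group 2;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1,non_auth;  # non_auth is what matches a transform set without esp-*-hmac
    compression_algorithm deflate;
}
"""

PSK_TXT = "198.51.100.1    putkeyhere\n"

# Map both vendors' spellings onto one vocabulary so values can be compared directly.
NORMALISE = {
    "sha": "sha1", "esp-3des": "3des", "esp-des": "des",
    "esp-sha-hmac": "hmac_sha1", "esp-md5-hmac": "hmac_md5",
    "pre-share": "pre_shared_key", "non_auth": "none",
    "group1": "1", "group2": "2", "group5": "5",
}

def norm(token):
    return NORMALISE.get(token, token)

def parse_pix(text):
    """Return (phase1 policy, phase2 settings, {peer: psk}) from PIX 'isakmp' / 'crypto' lines."""
    p1, p2, keys, tsets = {}, {}, {}, {}
    for line in text.splitlines():
        t = line.split()
        if t[:2] == ["isakmp", "policy"] and len(t) >= 5:
            p1[t[3]] = norm(t[4])                 # authentication, encryption, hash, group, lifetime
        elif t[:2] == ["isakmp", "key"] and len(t) >= 5:
            keys[t[4]] = t[2]                     # 'isakmp key <psk> address <peer> ...'
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            tsets[t[3]] = [norm(x) for x in t[4:]]
        elif t[:2] == ["crypto", "map"] and "set" in t:
            what, value = t[t.index("set") + 1], t[-1]
            if what in ("pfs", "peer", "transform-set"):
                p2[what] = norm(value)
    transforms = tsets.get(p2.pop("transform-set", ""), [])
    p2["encryption"] = next((x for x in transforms if not x.startswith("hmac_")), None)
    # A transform set with no esp-*-hmac entry means ESP without integrity protection.
    p2["auth"] = {x for x in transforms if x.startswith("hmac_")} or {"none"}
    return p1, p2, keys

def parse_racoon(text):
    """Return (remote{} proposal plus 'peer', sainfo{} settings); every value is a set of alternatives."""
    p1, p2, stack = {}, {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";")
        if not line:
            continue
        if line.endswith("{"):                    # section opener: remote <peer> {, proposal {, sainfo ... {
            words = line[:-1].split()
            stack.append(words[0])
            if words[0] == "remote":
                p1["peer"] = {words[1]}
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition(" ")
        target = p1 if stack and stack[0] == "remote" else p2
        target[key] = {norm(v.strip()) for v in value.split(",")}
    return p1, p2

def parse_psk(text):
    """psk.txt holds one 'identifier key' pair per line."""
    return dict(l.split(None, 1) for l in text.splitlines() if l.strip() and not l.startswith("#"))

PHASE1 = [("encryption", "encryption_algorithm"), ("hash", "hash_algorithm"),
          ("authentication", "authentication_method"), ("group", "dh_group")]

def compare(pix_text, racoon_text, psk_text):
    """Return the list of mismatches; an empty list means both peers can agree on phase 1, phase 2 and the PSK."""
    pix1, pix2, pix_keys = parse_pix(pix_text)
    rac1, rac2 = parse_racoon(racoon_text)
    psk = parse_psk(psk_text)
    problems = []
    for pix_attr, rac_attr in PHASE1:             # every PIX isakmp policy value must be in racoon's proposal
        if pix1.get(pix_attr) not in rac1.get(rac_attr, set()):
            problems.append(f"phase1 {pix_attr}: PIX {pix1.get(pix_attr)} vs racoon {sorted(rac1.get(rac_attr, []))}")
    if pix2.get("encryption") not in rac2.get("encryption_algorithm", set()):
        problems.append(f"phase2 encryption: PIX {pix2.get('encryption')} vs racoon {sorted(rac2.get('encryption_algorithm', []))}")
    if not pix2["auth"] & rac2.get("authentication_algorithm", set()):
        problems.append(f"phase2 auth: PIX {sorted(pix2['auth'])} vs racoon {sorted(rac2.get('authentication_algorithm', []))}")
    if pix2.get("pfs") not in rac2.get("pfs_group", set()):
        problems.append(f"phase2 pfs: PIX {pix2.get('pfs')} vs racoon {sorted(rac2.get('pfs_group', []))}")
    # The key the PIX holds for the BSD peer must be the one psk.txt holds for the PIX peer.
    bsd_ip = pix2.get("peer")
    pix_ip = next(iter(rac1.get("peer", [])), None)
    if pix_keys.get(bsd_ip) is None or pix_keys.get(bsd_ip) != psk.get(pix_ip):
        problems.append("pre-shared key: 'isakmp key' on the PIX and psk.txt on the BSD side differ")
    return problems

if __name__ == "__main__":
    for p in compare(PIX_CONFIG, RACOON_CONF, PSK_TXT) or ["tunnel parameters agree"]:
        print(p)
```

Run it against the two real files after substituting the placeholders; an empty result means the proposals line up. One detail the checker makes visible: with a transform set of only esp-3des the PIX proposes ESP with encryption but no integrity algorithm, so it is racoon's non_auth alternative, not hmac_sha1, that matches it; adding esp-sha-hmac to the PIX transform set is what would make hmac_sha1 the matching choice and give the tunnel integrity protection.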

Jamie Heckford wrote:

Hi All,

I am wondering if it is possible to setup a Cisco PIX 501 (3DES) to talk
to a FreeBSD VPN Gateway.

The VPN gateway currently runs MPD-Netgraph and Poptop to provide access
to all Win XX series clients.

What I am wondering is whether it is possible to set up an IPSec / racoon combo on the
FreeBSD system so the PIX 501 can connect to it ok.

The role of the PIX 501 at the remote end will be to send all non-local
traffic out to the internet and VPN-destined routes over the VPN.

Has anyone had any experience with this? Any comments or suggestions?
Google did not seem to yield too many useful results.

Any help greatly appreciated as usual :)


Jamie Heckford
Network Manager
Trident Microsystems Ltd.

t: +44(0)1737-780790
f: +44(0)1737-771908
w: http://www.tridentmicrosystems.co.uk/

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-net" in the body of the message
