Hi Matthew
Thanks for a great reply (even though I didn't supply information).
Here is some more information:
The OpenBSD side is simple: OpenBSD 3.8-stable (and 3.9 when it comes
out). Since I didn't have time to develop a policy I'm following the
other location's policy. The Cisco they have is a 3745 concentrator. The
encryption algorithm is 3DES. Hash algorithm is SHA1. DH group 2 (for
phase 1) and phase 2 is esp-3des esp-sha-hmac.
TIA
Paolo
Matthew Closson wrote:
On Fri, 10 Mar 2006, Paolo Supino wrote:
Hi
I need to set up an IPSEC VPN between 2 locations. 1 location runs
Cisco gear (out of my control) and the other runs OpenBSD (my
decision). I've never set up a VPN between Cisco and OpenBSD before (I
did between Cisco and Cisco and OpenBSD and OpenBSD) and I was
wondering if there are any pitfalls or incompatibilities between
Cisco and OpenBSD implementations of IPSEC that will cause problems?
TIA
Paolo
Paolo,
As others have said we need more details. I have set up isakmpd and
IPSEC in tunnel mode with Cisco PIXes, as well as Cisco 3000 series
VPN concentrators (which is really from Altiga Networks). Getting the
tunnel established between these devices is never a problem,
especially if you define out every section in isakmpd.conf and only
offer a single encryption/hash algorithm in your proposals. The
biggest problem I have had is rekeying. I have had a lot of issues
with tunnels getting out of sync, where my side keeps using XXX
SA/SPI, while the other side moves on to another one, or the reverse of
that.
Cisco devices I have seen default their lifetimes to 86400 seconds
for IKE and 28800 seconds for IPSEC. This is of course different from
isakmpd, so you will want to keep that in mind.
I would highly recommend you read all the info listed here.
https://www.icsalabs.com/icsa/main.php?pid=fggfgd
ICSA does interoperability testing between various IPSEC
implementations and they cover several Cisco products. As well, in
their paper
"IPSEC VPN Advanced Troubleshooting" they state that an excellent
tool for debugging interoperability problems in the field is
OpenBSD's isakmpd.
A lot of information on the specific Cisco device you want to talk to
may be available at http://www.cisco.com/univercd
I am also curious as to the successes and failures other people have
had with Cisco devices and rekeying, especially Cisco 3005 and Cisco 3030
concentrators.
-Matt-
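Added example (not posted by either Paolo or Matthew): an isakmpd.conf for the OpenBSD side that follows the two points of advice in the thread, namely spell out every section and offer exactly one proposal, and pin the SA lifetimes to the Cisco defaults Matthew cites (86400 s for IKE, 28800 s for IPsec) instead of relying on isakmpd's own defaults, so both peers agree on when to rekey. The proposal matches the parameters Paolo gave: 3DES, SHA1, DH group 2 (MODP_1024) for phase 1, and esp-3des esp-sha-hmac in tunnel mode for phase 2. The addresses (192.0.2.1 / 203.0.113.2, networks 192.168.1.0/24 and 10.0.0.0/24), the section names and the pre-shared key are placeholders assumed for the example and must be replaced; it has not been tested against a 3745.

```ini
# /etc/isakmpd/isakmpd.conf -- added example for an OpenBSD 3.8 <-> Cisco tunnel.
# All addresses, names and the pre-shared key below are assumed placeholders.

[General]
Listen-on=              192.0.2.1               # assumed: OpenBSD external address
Retransmits=            5
Exchange-max-time=      120
Policy-file=            /etc/isakmpd/isakmpd.policy

[Phase 1]
203.0.113.2=            cisco-peer              # assumed: Cisco external address

[Phase 2]
Connections=            lan-to-lan

# Phase 1 (IKE / main mode) peer definition
[cisco-peer]
Phase=                  1
Transport=              udp
Local-address=          192.0.2.1
Address=                203.0.113.2
Configuration=          main-mode-3des-sha
Authentication=         replace-with-the-real-psk   # assumed: pre-shared key

# Phase 2 (IPsec / quick mode) connection between the two LANs
[lan-to-lan]
Phase=                  2
ISAKMP-peer=            cisco-peer
Configuration=          quick-mode-esp-3des-sha
Local-ID=               net-local
Remote-ID=              net-remote

[net-local]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.1.0             # assumed: OpenBSD-side LAN
Netmask=                255.255.255.0

[net-remote]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.0.0.0                # assumed: Cisco-side LAN
Netmask=                255.255.255.0

# Main mode: exactly one transform, so the Cisco has only one thing to match.
[main-mode-3des-sha]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA-GRP2

[3DES-SHA-GRP2]
ENCRYPTION_ALGORITHM=   3DES_CBC
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=      MODP_1024               # DH group 2
Life=                   life-ike

# IKE SA lifetime pinned to the Cisco default of 86400 seconds.
[life-ike]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          86400

# Quick mode: one suite, one protocol, one transform (esp-3des esp-sha-hmac).
[quick-mode-esp-3des-sha]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 suite-esp-3des-sha

[suite-esp-3des-sha]
Protocols=              proto-esp-3des-sha

[proto-esp-3des-sha]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             xf-esp-3des-sha

[xf-esp-3des-sha]
TRANSFORM_ID=           3DES
ENCAPSULATION_MODE=     TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_SHA
# No GROUP_DESCRIPTION here: that would request PFS, which the Cisco side
# does not do unless it was explicitly configured for it.
Life=                   life-ipsec

# IPsec SA lifetime pinned to the Cisco default of 28800 seconds.
[life-ipsec]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          28800
```

If the Cisco side was given non-default lifetimes (or a kilobyte-based lifetime), change the two LIFE_DURATION values to match, since a mismatch there is exactly what produces the out-of-sync SA/SPI rekeying Matthew describes.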