Chapter 14. Example IPSec VPN Configurations

Table of Contents

14.1. Cisco PIX Firewall
14.1.1. PIX Configuration
14.1.2. SmallWall Configuration
14.2. Smoothwall
14.3. FreeS/WAN
14.4. Sonicwall
14.4.1. Sonicwall Configuration
14.4.2. SmallWall Configuration
14.5. Nortel
14.6. Mobile User VPN with IPsec?
14.6.1. SmallWall setup
14.6.2. Client setup

SmallWall can connect to any third-party VPN device that supports standard IPsec site-to-site VPNs, which includes almost any VPN device or firewall with IPsec VPN support.

This chapter will provide instructions on connecting SmallWall with a number of third party IPsec devices.

Below you will find sample configurations for the following devices.

14.1. Cisco PIX Firewall

The following describes how to configure a site to site IPsec VPN tunnel between a PIX Firewall and SmallWall.

Note

This is a very old software version for a very old firewall. The ASA is configured via the web GUI and is much easier to set up.

14.1.1. PIX Configuration

First we need to make sure the PIX has 3DES enabled.

pixfirewall# sh ver

Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 2.0(2)

Compiled on Wed 13-Aug-03 13:55 by morlee

pixfirewall up 157 days 5 hours

Hardware: PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: ethernet0: address is 000b.4605.d319, irq 10
1: ethernet1: address is 000b.4605.d31a, irq 11
2: ethernet2: address is 0002.b3b3.2e54, irq 11
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled

If the "VPN-3DES-AES" line above does not show "Enabled", you need to install the PIX 3DES key. This is now available free from Cisco for all PIX firewalls. Do NOT use DES for a VPN if you want it to be cryptographically secure. DES is only slightly better than transmitting in clear text.

Note

Since the PIX was retired, 3DES has also been found to be broken. But some older hardware only supports 3DES, so it is still provided.

Next we'll see if any VPN configurations are in place on the PIX.

pixfirewall# sh isakmp policy

Default protection suite
encryption algorithm: DES - Data Encryption Standard (56 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Rivest-Shamir-Adleman Signature
Diffie-Hellman group: #1 (768 bit)
lifetime: 86400 seconds, no volume limit

If you only see the default policy, there are no VPNs configured. This document cannot be followed verbatim if you have existing VPNs (though you should be able to figure it out; just be careful not to break your existing VPNs with any duplicate names).

Allow IPSec connections to the PIX

pixfirewall(config)# sysopt connection permit-ipsec

Enable ISAKMP on the outside interface (where "outside" is the name of the internet-facing interface)

pixfirewall(config)# isakmp enable outside

The isakmp policy command syntax on the PIX:

pixfirewall(config)# isakmp policy ?
Usage: isakmp policy <priority> authen <pre-share|rsa-sig>
isakmp policy <priority> encrypt <aes|aes-192|aes-256|des|3des>
isakmp policy <priority> hash <md5|sha>
isakmp policy <priority> group <1|2|5>
isakmp policy <priority> lifetime <seconds>

Now we need to configure the ISAKMP policy on the PIX. Enter the following commands in configure mode:

isakmp policy 10 authen pre-share
isakmp policy 10 encrypt 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

This policy uses pre-shared key authentication, 3DES encryption, MD5 hashing, DH group 2, and an 86400-second lifetime.

Now we need to define the pre-shared key for this connection. (1.1.1.1 is the public IP address of SmallWall and qwertyuiop is the shared key; randomly generate a key to use for your own configuration.)

isakmp key qwertyuiop address 1.1.1.1 netmask 255.255.255.255

Now we need to create an access list defining what traffic can cross this tunnel.

access-list monovpn permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0

Define transform set for this connection called "monovpnset"

crypto ipsec transform-set monovpnset esp-3des esp-md5-hmac

Define security association lifetime

crypto ipsec security-association lifetime seconds 86400 kilobytes 50000

Now to set up the actual connection, the crypto map "monovpnmap". (where 1.1.1.1 is the public IP address of the SmallWall device)

crypto map monovpnmap 10 ipsec-isakmp
crypto map monovpnmap 10 set peer 1.1.1.1
crypto map monovpnmap 10 set transform-set monovpnset
crypto map monovpnmap 10 match address monovpn

These lines specify type of VPN (ipsec-isakmp), peer IP address (1.1.1.1), transform set to be used (monovpnset, defined above), and that packets matching the access list "monovpn" created above should traverse this VPN connection.

Last step is to tell the PIX to not use NAT on the packets using this VPN connection and route them instead.

First we'll see if anything is currently routed.

pixfirewall# sh nat
nat (inside) 0 access-list no-nat

Look for "nat (interface) 0 ..." commands. The above means any traffic matching access list "no-nat" will be routed, not translated. In this instance, we are adding to an existing access list (if you use a DMZ, you likely have something similar to this set up).

access-list no-nat permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list no-nat permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0

If you do not have a "nat (interface) 0 ..." command in your "sh nat" output, you can use the above two lines to create a "no-nat" access list. You then have to apply it with the "nat (interface-name) 0 access-list no-nat" command (replacing "interface-name" with the name of your LAN interface).

14.1.2. SmallWall Configuration

Log into the SmallWall web GUI, and under VPN, click IPSec.

If the "Enable IPSec" box is not checked, check it and click Save.

Click the + button to add a VPN tunnel. On the "Edit tunnel" screen, fill in as follows:

Leave "Disable this tunnel" box unchecked.
Interface "WAN"
Local subnet: Type: "LAN subnet"
Remote subnet: 10.0.0.0 /24 (fill in the subnet of the network behind the PIX here, rather than the made-up 10.0.0.0/24)
Remote gateway: public IP address of PIX
Description: add one to describe the connection (e.g. "PIX VPN")

Phase 1
Negotiation mode: Aggressive
My identifier: "My IP Address"
Encryption algorithm: 3DES
Hash algorithm: MD5
DH key group: 2
Lifetime: 86400
Pre-shared key: qwertyuiop (enter exactly what you defined as your pre-shared key on the PIX earlier)

Phase 2
Protocol: ESP
Encryption algorithms: only 3DES checked
Hash algorithms: only MD5 checked
PFS key group: 2
Lifetime: 86400

Note

You may experience the connection dropping frequently with this configuration. If this happens, set the PFS key group in phase 2 to "off".

Note

If you don't specify a key lifetime in the SmallWall config, the tunnel will work, but appear to go insane after a while. Supposedly Cisco's will negotiate a key lifetime, but I have not seen this work in my experience. This is also true of a Cisco VPN Concentrator. (anonymous wiki contribution)
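Most failures with this kind of tunnel come from the two ends disagreeing on phase 1 parameters, or from the PIX being left on the DES/3DES/MD5 algorithms the chapter warns about. The following is an added example, not part of the handbook or of SmallWall: it parses the PIX commands given above (embedded here as a constructed sample) and compares the phase 1 policy against the values entered on the SmallWall "Edit tunnel" screen, flagging weak algorithms and any peer/key address mismatch. The attribute names used for the SmallWall side are the PIX keywords, an assumption made to keep the comparison simple.

```python
# Constructed sample: the PIX commands from this chapter, as "show run" would print them.
PIX_CONFIG = """\
isakmp policy 10 authen pre-share
isakmp policy 10 encrypt 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key qwertyuiop address 1.1.1.1 netmask 255.255.255.255
crypto ipsec transform-set monovpnset esp-3des esp-md5-hmac
crypto map monovpnmap 10 ipsec-isakmp
crypto map monovpnmap 10 set peer 1.1.1.1
crypto map monovpnmap 10 set transform-set monovpnset
crypto map monovpnmap 10 match address monovpn
"""

# Phase 1 values from the SmallWall "Edit tunnel" screen, keyed by PIX attribute name (assumption).
SMALLWALL_PHASE1 = {"encrypt": "3des", "hash": "md5", "group": "2", "lifetime": "86400"}
# Algorithms the chapter warns about (DES, 3DES, MD5), plus the PIX phase 2 keywords for them.
WEAK = {"des", "3des", "md5", "esp-des", "esp-3des", "esp-md5-hmac"}

def parse_pix(text):
    """Extract the phase 1 policy, phase 2 transform set, crypto map peers and key addresses."""
    cfg = {"policy": {}, "transform": [], "peers": set(), "key_addrs": set()}
    for line in text.splitlines():
        words = line.split()
        if words[:2] == ["isakmp", "policy"] and len(words) == 5:
            cfg["policy"][words[3]] = words[4]          # e.g. encrypt -> 3des
        elif words[:2] == ["isakmp", "key"] and "address" in words:
            cfg["key_addrs"].add(words[words.index("address") + 1])
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform"] = words[4:]                  # e.g. [esp-3des, esp-md5-hmac]
        elif words[:2] == ["crypto", "map"] and words[4:6] == ["set", "peer"]:
            cfg["peers"].add(words[6])
    return cfg

def audit(cfg, smallwall_phase1):
    """Return findings: weak algorithms, phase 1 values differing from SmallWall, peer/key mismatch."""
    findings, p = [], cfg["policy"]
    for attr in ("encrypt", "hash"):
        if p.get(attr) in WEAK:
            findings.append(f"weak phase 1 {attr}: {p[attr]}")
    if p.get("group") == "1":
        findings.append("weak phase 1 DH group 1 (768 bit)")
    findings += [f"weak phase 2 transform: {t}" for t in cfg["transform"] if t in WEAK]
    for attr, val in smallwall_phase1.items():
        if p.get(attr) != val:
            findings.append(f"phase 1 mismatch on {attr}: PIX={p.get(attr)} SmallWall={val}")
    if cfg["peers"] != cfg["key_addrs"]:
        findings.append(f"crypto map peers {cfg['peers']} != isakmp key addresses {cfg['key_addrs']}")
    return findings
```

Run against the chapter's own configuration it reports four weak-algorithm findings and no mismatches; change one SmallWall value (say the hash to SHA) and the mismatch that would stop phase 1 from negotiating is reported.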