SmallWall can connect to any third party VPN device that supports standard IPsec site to site VPNs, which includes almost any VPN device or firewall with IPsec VPN support.
This chapter will provide instructions on connecting SmallWall with a number of third party IPsec devices.
Below you will find sample configurations for the following devices.
Cisco PIX Firewall
The following describes how to configure a site to site IPsec VPN tunnel between a PIX Firewall and SmallWall.
This is a very old software version for a very old firewall. The ASA, by contrast, is configured via its web GUI and is much easier.
First we need to make sure the PIX has 3DES enabled.
pixfirewall# sh ver
Cisco PIX Firewall Version 6.3(3)
Cisco PIX Device Manager Version 2.0(2)
Compiled on Wed 13-Aug-03 13:55 by morlee
pixfirewall up 157 days 5 hours
Hardware: PIX-515E, 32 MB RAM, CPU Pentium II 433 MHz
Flash E28F128J3 @ 0x300, 16MB
BIOS Flash AM29F400B @ 0xfffd8000, 32KB
0: ethernet0: address is 000b.4605.d319, irq 10
1: ethernet1: address is 000b.4605.d31a, irq 11
2: ethernet2: address is 0002.b3b3.2e54, irq 11
Licensed Features:
Failover: Disabled
VPN-DES: Enabled
VPN-3DES-AES: Enabled
If the "VPN-3DES-AES" line above does not show "Enabled", you need to install the PIX 3DES key. This is now available free from Cisco for all PIX firewalls. Do NOT use DES for a VPN if you want it to be cryptographically secure. DES is only slightly better than transmitting in clear text.
Since the PIX was retired, 3DES has also been found to be broken. But some older hardware only supports 3DES, so it is still provided.
Next we'll see if any VPN configurations are in place on the PIX.
pixfirewall# sh isakmp policy
Default protection suite
        encryption algorithm:   DES - Data Encryption Standard (56 bit keys).
        hash algorithm:         Secure Hash Standard
        authentication method:  Rivest-Shamir-Adleman Signature
        Diffie-Hellman group:   #1 (768 bit)
        lifetime:               86400 seconds, no volume limit
If you only see the default policy, there are no VPNs configured. This document cannot be followed verbatim if you have existing VPNs (though you should be able to figure it out; just be careful not to break your existing VPNs with any duplicate names).
Allow IPSec connections to the PIX
pixfirewall(config)# sysopt connection permit-ipsec
Enable ISAKMP on the outside interface (where "outside" is the name of the internet-facing interface)
pixfirewall(config)# isakmp enable outside
The isakmp policy command on the PIX:
pixfirewall(config)# isakmp policy ?
Usage: isakmp policy <priority> authen <pre-share|rsa-sig>
       isakmp policy <priority> encrypt <aes|aes-192|aes-256|des|3des>
       isakmp policy <priority> hash <md5|sha>
       isakmp policy <priority> group <1|2|5>
       isakmp policy <priority> lifetime <seconds>
Now we need to configure the ISAKMP policy on the PIX. Enter the following commands in configure mode:
isakmp policy 10 authen pre-share
isakmp policy 10 encrypt 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
This policy uses a pre-shared key for authentication, 3DES encryption, MD5 hashing, DH group 2 and an 86400 second lifetime.
Now we need to define the pre-shared key for this connection. (220.127.116.11 is the public IP address of SmallWall and qwertyuiop is the shared key; generate a long random string to use for your own configuration.)
isakmp key qwertyuiop address 18.104.22.168 netmask 255.255.255.255
Now we need to create an access list defining what traffic can cross this tunnel.
access-list monovpn permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
Define transform set for this connection called "monovpnset"
crypto ipsec transform-set monovpnset esp-3des esp-md5-hmac
Define security association lifetime
crypto ipsec security-association lifetime seconds 86400 kilobytes 50000
Now to set up the actual connection, the crypto map "monovpnmap". (where 22.214.171.124 is the public IP address of the SmallWall device)
crypto map monovpnmap 10 ipsec-isakmp
crypto map monovpnmap 10 set peer 126.96.36.199
crypto map monovpnmap 10 set transform-set monovpnset
crypto map monovpnmap 10 match address monovpn
These lines specify type of VPN (ipsec-isakmp), peer IP address (188.8.131.52), transform set to be used (monovpnset, defined above), and that packets matching the access list "monovpn" created above should traverse this VPN connection.
The last step is to tell the PIX not to NAT the packets using this VPN connection, but to route them instead.
First we'll see if anything is currently routed.
pixfirewall# sh nat
nat (inside) 0 access-list no-nat
Look for "nat (interface) 0 ..." commands. The above means any traffic matching access list "no-nat" will be routed, not translated. In this instance, we are adding to an existing access list (if you use a DMZ, you likely have something similar to this set up).
access-list no-nat permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list no-nat permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
If you do not have a "nat (interface) 0 ..." command in your "sh nat" output, you can use the above two lines to create a "no-nat" access list. You then have to apply it with the "nat (interface-name) 0 access-list no-nat" command (replacing "interface-name" with the name of your LAN interface).
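To see what the NAT exemption above actually does, here is an added Python example (not from the SmallWall handbook and not anything shipped with the PIX): it parses the "no-nat" access list and the "nat (inside) 0 access-list no-nat" statement and decides, for a few constructed flows, whether a packet entering a given interface is routed untranslated or handed to NAT. The config excerpt, the interface names, the sample flows and the function names are all constructed for this example, and parse_acls understands only the "access-list ... permit/deny ip" form the chapter uses.

```python
import ipaddress
import re

# Constructed PIX excerpt: the NAT-exemption access list and the "nat 0" statement from the chapter.
PIX_NAT_CONFIG = """
access-list no-nat permit ip 10.0.0.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list no-nat permit ip 10.0.1.0 255.255.255.0 10.0.0.0 255.255.255.0
nat (inside) 0 access-list no-nat
"""


def parse_acls(config):
    """Return ({acl_name: [(action, src_net, dst_net), ...]}, {interface: acl bound with 'nat (if) 0'})."""
    acls, nat0 = {}, {}
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"access-list (\S+) (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$", line):
            name, action, src, smask, dst, dmask = m.groups()
            # strict=False tolerates a host address with a network mask (e.g. 10.0.0.1 255.255.255.0)
            acls.setdefault(name, []).append((action,
                                              ipaddress.ip_network((src, smask), strict=False),
                                              ipaddress.ip_network((dst, dmask), strict=False)))
        elif m := re.match(r"nat \((\S+)\) 0 access-list (\S+)$", line):
            nat0[m.group(1)] = m.group(2)
    return acls, nat0


def nat_disposition(acls, nat0, interface, src, dst):
    """'exempt' when the nat 0 ACL bound to the ingress interface permits the flow (first match wins);
    otherwise 'translate', meaning the flow falls through to the ordinary nat/global rules."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acls.get(nat0.get(interface), []):
        if src in src_net and dst in dst_net:
            return "exempt" if action == "permit" else "translate"
    return "translate"


if __name__ == "__main__":
    acls, nat0 = parse_acls(PIX_NAT_CONFIG)
    # Constructed flows: LAN host to the remote VPN subnet, LAN host to the internet, and a DMZ-side packet.
    for iface, s, d in (("inside", "10.0.0.5", "10.0.1.7"),
                        ("inside", "10.0.0.5", "203.0.113.9"),
                        ("dmz", "10.0.0.5", "10.0.1.7")):
        print(iface, s, "->", d, nat_disposition(acls, nat0, iface, s, d))
```

Only traffic that both enters the interface named in the "nat (interface) 0" statement and matches the bound access list is exempted; the same subnet pair arriving on another interface is still translated, which is why the statement must name your LAN interface.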
Log into the SmallWall web GUI, and under VPN, click IPSec.
If the "Enable IPSec" box is not checked, check it and click Save.
Click the + button to add a VPN tunnel. On the "Edit tunnel" screen, fill in as follows:
Leave "Disable this tunnel" box unchecked.
Local subnet: Type: "LAN subnet"
Remote subnet: 10.0.0.0/24 (fill in the subnet of the network behind the PIX here, rather than the made-up 10.0.0.0/24)
Remote gateway: public IP address of PIX
Description: add one to describe the connection (e.g. "PIX VPN")
Phase 1 proposal:
Negotiation mode: Aggressive
My identifier: "My IP Address"
Encryption algorithm: 3DES
Hash algorithm: MD5
DH key group: 2
Pre-shared key: qwertyuiop (enter exactly what you defined as your pre-shared key on the PIX earlier)
Phase 2 proposal:
Encryption algorithms: only 3DES checked
Hash algorithms: only MD5 checked
PFS key group: 2
You may experience the connection dropping frequently with this configuration. If this happens, set the PFS key group in phase 2 to "off".
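The PIX side and the SmallWall side must offer matching phase 1 and phase 2 proposals, and the chapter's own choices (3DES, MD5, DH group 2) are ones a current deployment should not accept. The following Python script is an added example, not part of the SmallWall handbook or the PIX software: it parses the PIX isakmp and crypto commands used in this chapter, compares them with the settings entered on the SmallWall "Edit tunnel" screen, and reports proposal mismatches (including a PFS group set on only one side) and weak algorithms. It also runs the same check on a hardened pair built from options the PIX's own "isakmp policy ?" usage lists (AES-256, SHA, group 5). The config text, the 192.0.2.10 address standing in for SmallWall's public IP, the dictionaries and every function name are constructed for this example.

```python
import re

# Algorithms a defender should refuse today: DES is brute-forceable, 3DES and MD5 are deprecated,
# and MODP groups 1 (768-bit) and 2 (1024-bit) are below current minimum sizes.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {1, 2}

# PIX transform-set keywords -> ("enc" | "hash", algorithm name as the SmallWall GUI names it)
TRANSFORMS = {
    "esp-des": ("enc", "des"), "esp-3des": ("enc", "3des"), "esp-aes": ("enc", "aes"),
    "esp-aes-192": ("enc", "aes-192"), "esp-aes-256": ("enc", "aes-256"),
    "esp-md5-hmac": ("hash", "md5"), "esp-sha-hmac": ("hash", "sha"),
}

# Constructed PIX excerpt mirroring the chapter's commands; 192.0.2.10 stands in for SmallWall's public IP.
PIX_CONFIG = """
isakmp policy 10 authen pre-share
isakmp policy 10 encrypt 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key qwertyuiop address 192.0.2.10 netmask 255.255.255.255
crypto ipsec transform-set monovpnset esp-3des esp-md5-hmac
crypto map monovpnmap 10 ipsec-isakmp
crypto map monovpnmap 10 set peer 192.0.2.10
crypto map monovpnmap 10 set transform-set monovpnset
crypto map monovpnmap 10 match address monovpn
"""

# The chapter's SmallWall "Edit tunnel" settings, as a constructed dictionary.
SMALLWALL_TUNNEL = {
    "local_gateway": "192.0.2.10",
    "phase1": {"encryption": "3des", "hash": "md5", "dh_group": 2, "lifetime": 86400},
    "phase2": {"encryption": {"3des"}, "hash": {"md5"}, "pfs_group": 2, "lifetime": 86400},
}

# Hardened pair: AES-256, SHA and group 5 from the PIX usage text, plus PFS on the crypto map entry.
PIX_CONFIG_HARDENED = (PIX_CONFIG.replace("encrypt 3des", "encrypt aes-256").replace("hash md5", "hash sha")
                       .replace("group 2", "group 5").replace("esp-3des esp-md5-hmac", "esp-aes-256 esp-sha-hmac")
                       + "crypto map monovpnmap 10 set pfs group5\n")
SMALLWALL_TUNNEL_HARDENED = {
    "local_gateway": "192.0.2.10",
    "phase1": {"encryption": "aes-256", "hash": "sha", "dh_group": 5, "lifetime": 86400},
    "phase2": {"encryption": {"aes-256"}, "hash": {"sha"}, "pfs_group": 5, "lifetime": 86400},
}


def parse_pix_crypto(config):
    """Collect isakmp policies, transform sets and crypto map entries from PIX config text."""
    pix = {"phase1": {}, "transform_sets": {}, "crypto_maps": {}}
    for line in (l.strip() for l in config.splitlines()):
        if m := re.match(r"isakmp policy (\d+) (authen|encrypt|hash|group|lifetime) (\S+)$", line):
            prio, attr, value = m.groups()
            pix["phase1"].setdefault(int(prio), {})[attr] = int(value) if attr in ("group", "lifetime") else value
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", line):
            pix["transform_sets"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto map (\S+) (\d+) (.+)$", line):
            entry = pix["crypto_maps"].setdefault((m.group(1), int(m.group(2))), {})
            w = m.group(3).split()
            if w[:2] == ["set", "peer"]:
                entry["peer"] = w[2]
            elif w[:2] == ["set", "transform-set"]:
                entry["transform_set"] = w[2]
            elif w[:2] == ["set", "pfs"]:  # a bare "set pfs" means group1 on the PIX
                entry["pfs"] = int(w[2].replace("group", "")) if len(w) > 2 else 1
            elif w[:2] == ["match", "address"]:
                entry["acl"] = w[2]
    return pix


def check_tunnel(pix, sw):
    """Compare the PIX with the SmallWall tunnel; returns 'MISMATCH ...', 'WEAK ...' and 'WARN ...' strings."""
    out, p1, p2 = [], sw["phase1"], sw["phase2"]
    # Phase 1: the PIX walks its policies by priority and uses the first one the peer also proposes.
    matched = next((n for n, pol in sorted(pix["phase1"].items())
                    if pol.get("authen") == "pre-share" and pol.get("encrypt") == p1["encryption"]
                    and pol.get("hash") == p1["hash"] and pol.get("group") == p1["dh_group"]), None)
    if matched is None:
        out.append("MISMATCH phase1: no PIX isakmp policy matches the SmallWall proposal")
    elif p1.get("lifetime") is None:  # the chapter's note: leave no lifetime unset on the SmallWall side
        out.append("WARN phase1: set an explicit lifetime on SmallWall (PIX policy %d uses %s s)"
                   % (matched, pix["phase1"][matched].get("lifetime", 86400)))
    for kind, value, weak in (("encryption", p1["encryption"], WEAK_ENCRYPTION),
                              ("hash", p1["hash"], WEAK_HASH), ("DH group", p1["dh_group"], WEAK_DH_GROUPS)):
        if value in weak:
            out.append("WEAK phase1: %s %s" % (kind, value))
    # Phase 2: each crypto map entry peering with SmallWall must share a cipher, a hash and the PFS setting.
    entries = [e for e in pix["crypto_maps"].values() if e.get("peer") == sw["local_gateway"]]
    if not entries:
        out.append("MISMATCH phase2: no crypto map entry has SmallWall (%s) as peer" % sw["local_gateway"])
    for e in entries:
        ts = pix["transform_sets"].get(e.get("transform_set"), [])
        enc = {TRANSFORMS[t][1] for t in ts if t in TRANSFORMS and TRANSFORMS[t][0] == "enc"}
        hsh = {TRANSFORMS[t][1] for t in ts if t in TRANSFORMS and TRANSFORMS[t][0] == "hash"}
        if not (enc & p2["encryption"]) or not (hsh & p2["hash"]):
            out.append("MISMATCH phase2: transform set %s shares no cipher/hash with SmallWall" % e.get("transform_set"))
        if e.get("pfs") != p2["pfs_group"]:
            out.append("MISMATCH phase2: PFS group is %s on the PIX but %s on SmallWall" % (e.get("pfs"), p2["pfs_group"]))
        if "acl" not in e:
            out.append("MISMATCH phase2: crypto map entry has no 'match address' access list")
        out += ["WEAK phase2: encryption %s" % a for a in sorted(enc & p2["encryption"] & WEAK_ENCRYPTION)]
        out += ["WEAK phase2: hash %s" % a for a in sorted(hsh & p2["hash"] & WEAK_HASH)]
    return out


def audit(config, sw):
    """Parse a PIX config excerpt and check it against a SmallWall tunnel definition."""
    return check_tunnel(parse_pix_crypto(config), sw)


if __name__ == "__main__":
    print(audit(PIX_CONFIG, SMALLWALL_TUNNEL))
    print(audit(PIX_CONFIG_HARDENED, SMALLWALL_TUNNEL_HARDENED))
```

With the chapter's settings the only mismatch reported is the PFS group (the crypto map above has no "set pfs" while SmallWall proposes group 2), which is exactly the setting the chapter tells you to turn off when the tunnel keeps dropping; the WEAK findings disappear only when both sides move to the hardened values.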
If you don't specify a key lifetime in the SmallWall config, the tunnel will work, but appear to go insane after a while. Supposedly Cisco devices will negotiate a key lifetime, but I have not seen this work in my experience. This is also true of a Cisco VPN Concentrator. (anonymous wiki contribution)