Building a VPN Tunnel between Cisco and FreeBSD with Racoon
How we configure a VPN tunnel between FreeBSD 9.0/10.2 with Racoon and a Cisco 2911. Expected result: a working IPsec-protected tunnel between FreeBSD and the Cisco 2911.

1. What about the BSD interface?

Before you read this you can check the FreeBSD handbook chapter on IPsec [http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html], skip the text below and do it all yourself. Most people do not like to read something where somebody explains in detail why we use this or that option. Such specialists prefer code snippets, and after a copy/paste they try to understand why this application or service does not work. So I will not explain how it all works; I will give you only the key points and show you step by step what you should use.

First you should check your kernel config:

    # ALTQ
    options ALTQ
    options ALTQ_CBQ        # Class Based Queuing (CBQ)
    options ALTQ_RED        # Random Early Detection (RED)
    options ALTQ_RIO        # RED In/Out
    options ALTQ_HFSC       # Hierarchical Packet Scheduler (HFSC)
    options ALTQ_PRIQ       # Priority Queuing (PRIQ)

    # pf firewall
    device pf
    device pflog
    device pfsync

    # VPN, IPsec, crypto
    options IPSEC
    device crypto
    options IPSEC_DEBUG
    options IPSEC_NAT_T

I think you know how to rebuild your kernel. If not, please read this and this. Remember: if you want a 32-bit platform use i386; for 64-bit use amd64. Other platforms are not interesting for us now.

Our general scheme is to build the tunnel between BSD and Cisco on a dedicated tunnel interface (gif on the BSD side, an IP-in-IP Tunnel interface on the Cisco side) and to use IPsec to encrypt the traffic between the servers.
So this is what we do:

    > ifconfig gif0 create
    > ifconfig gif0 tunnel X.X.X.X Y.Y.Y.Y
    > ifconfig gif0 inet A.A.A.A B.B.B.B netmask 255.255.255.252
    > ifconfig gif0 mtu 1280

Some explanations:

    X.X.X.X - public IP of the BSD server
    Y.Y.Y.Y - public IP of the Cisco 2911 router
    A.A.A.A - local IP of the VPN interface gif0, BSD side
    B.B.B.B - local IP of the VPN interface (Cisco Tunnel), Cisco side

Your result should look like this:

    > ifconfig gif0
    gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
            tunnel inet X.X.X.X --> Y.Y.Y.Y
            inet A.A.A.A --> B.B.B.B netmask 0xfffffffc
            nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

You will not be able to ping either end until the tunnel is up :)

2. What about the Cisco side?

First of all, we are using a Cisco 2911, and our ISAKMP policy is:

    crypto isakmp policy 10
     encr 3des
     hash md5
     authentication pre-share
     group 2
     lifetime 1800

The next subject is the shared key:

    crypto isakmp key YOUR_PASSWORD address X.X.X.X

Some explanations: the shared key YOUR_PASSWORD is used to authenticate your BSD server, not only for encryption.

The transform set (profile):

    crypto ipsec transform-set YOUR_PROFILE_NAME esp-3des esp-md5-hmac
     mode tunnel

YOUR_PROFILE_NAME is whatever you wish; the name itself does not matter.

Some settings for your profile:

    crypto ipsec profile YOUR_PROFILE_NAME
     set security-association lifetime seconds 86400
     set transform-set YOUR_PROFILE_NAME
     set pfs group2

And now the Cisco tunnel configuration:

    interface Tunnel322
     description VPN_TO_BSD
     ip address B.B.B.B 255.255.255.252
     ip mtu 1280
     ip tcp adjust-mss 1240
     tunnel source GigabitEthernet0/0
     tunnel mode ipip
     tunnel destination X.X.X.X
     tunnel protection ipsec profile YOUR_PROFILE_NAME

As I said before:

    B.B.B.B - local IP on the Cisco side of the VPN tunnel
    X.X.X.X - public IP of your BSD server

GigabitEthernet0/0 is my external interface; you can use another one. The lifetime parameter should be identical on both sides.
The encryption algorithm must be identical: "encr 3des" on the Cisco side and "encryption_algorithm 3des;" in your proposal on the FreeBSD side. The same goes for the hash algorithm: "hash md5" on the Cisco side and "hash_algorithm md5;" in your proposal section on the FreeBSD side.

Firewall rule, if you are using an ACL on the external/VPN interfaces:

    permit ipinip host X.X.X.X host Y.Y.Y.Y

3. Let's configure Racoon

Remember, racoon is part of the ipsec-tools port. Installation from ports:

    > cd /usr/ports
    > make search name='ipsec-tools'
    > cd /usr/ports/security/ipsec-tools
    > make fetch
    > make all
    > make install

You can find your racoon in /usr/local/etc/racoon, and this folder will be empty. First of all you should create the files racoon.conf and psk.txt. The first file is the racoon configuration and the second one stores our keys for the VPN connections.

Our config:

    path pre_shared_key "/usr/local/etc/racoon/psk.txt";   # location of the pre-shared key file
    log debug2;   # log verbosity: set to 'notify' once testing and debugging is complete

    padding   # these options are not to be changed
    {
        maximum_length 20;
        randomize off;
        strict_check off;
        exclusive_tail off;
    }

    timer   # timing options, change as needed
    {
        counter 5;
        interval 20 sec;
        persend 1;
        phase1 30 sec;
        phase2 15 sec;
    }

    listen   # address [port] that racoon will listen on
    {
        isakmp X.X.X.X [500];
    }

    remote Y.Y.Y.Y [500]
    {
        # Cisco may not support aggressive mode, so main mode is the general exchange mode
        exchange_mode main,aggressive;
        doi ipsec_doi;
        situation identity_only;
        my_identifier address X.X.X.X;
        peers_identifier address Y.Y.Y.Y;
        lifetime time 1800 sec;
        passive off;
        proposal_check obey;
        generate_policy off;
        proposal {
            encryption_algorithm 3des;
            hash_algorithm md5;
            authentication_method pre_shared_key;
            lifetime time 1800 sec;
            dh_group 2;
        }
    }

    # we do not need to choose which network is routed to the interface, so anonymous sainfo can be used
    sainfo anonymous
    {
        pfs_group 2;
        lifetime time 86400 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
    }

And here is psk.txt, where we store our shared key. If you got lost while reading, we remind you of the Cisco side:

    crypto isakmp key YOUR_PASSWORD_HERE address X.X.X.X

and in psk.txt YOUR_PASSWORD_HERE must be the same:

    Y.Y.Y.Y YOUR_PASSWORD_HERE

4. What about IPsec?

We use IPsec to encrypt our traffic in the tunnel. What do we need for this in our example? First of all we create the file /etc/ipsec.conf and put in it the specific information about which traffic we will encrypt:

    flush;
    spdflush;
    spdadd X.X.X.X/32 Y.Y.Y.Y/32 ipencap -P out ipsec esp/tunnel/X.X.X.X-Y.Y.Y.Y/require;
    spdadd Y.Y.Y.Y/32 X.X.X.X/32 ipencap -P in ipsec esp/tunnel/Y.Y.Y.Y-X.X.X.X/require;

And that is not all.
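As an added example (not from the original article), a small POSIX shell check that pulls the phase-1 parameters out of a Cisco "crypto isakmp policy" block and out of the racoon "proposal" block above and reports any mismatch, since a mismatched cipher, hash, DH group or lifetime (the "must be identical" rule from section 2) is the usual reason phase 1 never completes. Both config snippets are constructed from the values in this article, and the function names (cisco_get, racoon_get, normalize, check_phase1) are mine.

```shell
# Added example: compare the phase-1 (ISAKMP) parameters of a Cisco policy with
# a racoon "proposal" block and report mismatches. Both snippets are constructed
# from the values used in this article, not captured from a live device.
CISCO_POLICY='crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 1800'

RACOON_PROPOSAL='proposal {
    encryption_algorithm 3des;
    hash_algorithm md5;
    authentication_method pre_shared_key;
    lifetime time 1800 sec;
    dh_group 2;
}'

# cisco_get KEYWORD CONFIG: value after KEYWORD on its line ("encr 3des" -> 3des)
cisco_get() { printf '%s\n' "$2" | awk -v k="$1" '$1==k {print $2; exit}'; }

# racoon_get KEYWORD CONFIG: value after KEYWORD with the ';' stripped;
# "lifetime time 1800 sec;" yields 1800
racoon_get() {
    printf '%s\n' "$2" |
        awk -v k="$1" '$1==k {v=(k=="lifetime")?$3:$2; sub(/;$/,"",v); print v; exit}'
}
# map Cisco spelling onto racoon spelling so the two sides compare directly
normalize() {
    case "$1" in
        pre-share) echo pre_shared_key ;;
        *) echo "$1" ;;
    esac
}
# check_phase1 CISCO_CONFIG RACOON_CONFIG: prints one line per parameter,
# returns 0 when every parameter matches and 1 on any mismatch
check_phase1() {
    rc=0
    for pair in encr:encryption_algorithm hash:hash_algorithm \
                authentication:authentication_method group:dh_group lifetime:lifetime; do
        ck=${pair%%:*}; rk=${pair##*:}
        cv=$(normalize "$(cisco_get "$ck" "$1")"); rv=$(racoon_get "$rk" "$2")
        if [ "$cv" = "$rv" ]; then echo "OK       $ck=$cv  $rk=$rv"
        else echo "MISMATCH $ck=$cv  $rk=$rv"; rc=1; fi
    done
    return $rc
}

check_phase1 "$CISCO_POLICY" "$RACOON_PROPOSAL"
```

Paste the real "show run | section crypto isakmp policy" output and your racoon proposal into the two variables; a non-zero exit means phase 1 cannot agree on a proposal before you even start racoon.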
Now you should add the following to your /etc/rc.conf to autostart racoon and ipsec:

    ipsec_enable="YES"
    ipsec_program="/usr/local/sbin/setkey"
    ipsec_file="/etc/ipsec.conf"   # allows setting up SPD policies on boot
    racoon_enable="YES"
    racoon_flags="-f /usr/local/etc/racoon/racoon.conf -l /var/log/racoon.log"

And this is what you need to put in the same file to autostart the interface:

    cloned_interfaces="gif0"
    ifconfig_gif0="inet A.A.A.A B.B.B.B netmask 255.255.255.252 tunnel X.X.X.X Y.Y.Y.Y mtu 1280"

Now you can reboot your BSD server and check whether it works.