
Cisco 1600 IPSEC 56 to Freeswan 1.99 Single DES (1DES Patch) IPSec Tunnel

Disclaimer

This information is provided as is with no warranty. If you burn your kitchen sink don't blame me. Copyright (c) 2002 vt100.at

Introduction

This is a small howto on setting up a VPN between a Cisco 1600 running IOS 11.3 with the IPSEC 56 feature set (single DES only) and FreeS/WAN 1.99 with the single DES (1DES) patch.

Prerequisites

You need the 1DES patch for FreeS/WAN 1.99, since a stock FreeS/WAN refuses single DES; get it from the FreeS/WAN homepage. The patch also applies together with the X.509 modifications; the hunks apply with a small offset.

Sample Network

			Cisco			Freeswan
192.168.14.0/24 === 192.168.14.1/1.1.1.1 ---- 2.2.2.2/10.1.1.1 === 10.0.0.0/8

Cisco Config

boring things cut out...

ip nat inside source list 104 interface Ethernet1 overload
!
crypto isakmp policy 1
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key our_shared_key address 2.2.2.2
!
!
crypto ipsec transform-set t1 esp-des esp-md5-hmac 
crypto ipsec transform-set t2 esp-des 
crypto ipsec transform-set t3 esp-des esp-sha-hmac 
!
!
crypto map peer 1 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set t1 t2 t3 
 set pfs group2
 match address 102
!
interface Ethernet1
 ip nat outside
 crypto map peer
!
access-list 102 permit ip 192.168.14.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 104 deny   ip 192.168.14.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 104 permit ip 192.168.14.0 0.0.0.255 any

Freeswan Config


# basic configuration
config setup
	interfaces=%defaultroute
	plutodebug=all
	klipsdebug=none
	plutoload="rw"

conn rw
	right=1.1.1.1
	rightsubnet=192.168.14.0/24
	type=tunnel
	left=2.2.2.2
	leftsubnet=10.0.0.0/8
	auth=esp
	esp=des-sha1-96
	keyexchange=ike
	keylife=8h
	pfs=yes	
	auto=add
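
The transform-set list on the Cisco and the esp= line on the FreeS/WAN side have to agree, and the negotiation takes the first proposal both ends accept. As an added example, not code from the original page, here is a small Python check that parses the transform-set and crypto map lines of the Cisco config above, maps the Cisco keywords to the FreeS/WAN algorithm names, and reports which set matches esp=des-sha1-96 and which sets carry no HMAC at all. The config text is embedded as constructed input, and the function names (parse_transform_sets, negotiate, ...) are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: the transform-set and crypto map lines of the
# Cisco 1600 config above (not read from a live router).
CISCO_CONFIG = """\
crypto ipsec transform-set t1 esp-des esp-md5-hmac
crypto ipsec transform-set t2 esp-des
crypto ipsec transform-set t3 esp-des esp-sha-hmac
crypto map peer 1 ipsec-isakmp
 set peer 2.2.2.2
 set transform-set t1 t2 t3
 set pfs group2
 match address 102
"""

# The esp= line of the FreeS/WAN conn above.
FREESWAN_ESP = "des-sha1-96"

# Cisco ESP transform keyword -> (role, FreeS/WAN algorithm name).
# Only the keywords relevant to a DES-only IOS image plus 3DES are listed.
CISCO_TRANSFORMS = {
    "esp-des": ("cipher", "des"),
    "esp-3des": ("cipher", "3des"),
    "esp-null": ("cipher", "null"),
    "esp-md5-hmac": ("auth", "md5"),
    "esp-sha-hmac": ("auth", "sha1"),
}

Proposal = Tuple[Optional[str], Optional[str]]  # (cipher, auth)


def parse_transform_sets(config: str) -> Dict[str, Proposal]:
    """Map each 'crypto ipsec transform-set NAME ...' line to (cipher, auth)."""
    sets: Dict[str, Proposal] = {}
    for line in config.splitlines():
        m = re.match(r"\s*crypto ipsec transform-set (\S+)\s+(.*)$", line)
        if not m:
            continue
        cipher = auth = None
        for token in m.group(2).split():
            role, alg = CISCO_TRANSFORMS.get(token, (None, None))
            if role == "cipher":
                cipher = alg
            elif role == "auth":
                auth = alg
        sets[m.group(1)] = (cipher, auth)
    return sets


def crypto_map_order(config: str) -> List[str]:
    """Transform-set names in the order the crypto map offers them."""
    for line in config.splitlines():
        m = re.match(r"\s*set transform-set\s+(.*)$", line)
        if m:
            return m.group(1).split()
    return []


def parse_freeswan_esp(esp: str) -> Proposal:
    """'des-sha1-96' -> ('des', 'sha1'); the trailing 96 is the HMAC truncation."""
    parts = esp.split("-")
    return parts[0], parts[1]


def negotiate(config: str, esp: str) -> Tuple[Optional[str], List[str]]:
    """Return (first transform-set matching esp=, names of sets without an HMAC)."""
    sets = parse_transform_sets(config)
    wanted = parse_freeswan_esp(esp)
    # ESP without an authentication transform gives confidentiality only:
    # anyone on the path can modify the ciphertext undetected.
    unauthenticated = [name for name, (_, auth) in sets.items() if auth is None]
    chosen = next((n for n in crypto_map_order(config) if sets.get(n) == wanted), None)
    return chosen, unauthenticated


if __name__ == "__main__":
    chosen, bad = negotiate(CISCO_CONFIG, FREESWAN_ESP)
    print("agreed transform-set:", chosen)       # t3 (esp-des esp-sha-hmac)
    print("sets with no integrity check:", bad)  # ['t2']
```

Run as a script it reports t3 as the agreed set and t2 as the one without an integrity algorithm. Change FREESWAN_ESP to 3des-md5-96 and it reports no match, which is what you see when an unpatched, 3DES-only FreeS/WAN talks to an IPSEC 56 image.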

Links

These links were helpful:

http://www.freeswan.ca
http://wrightnet.dhs.org/Public/docs/FreeSWan%20and%20PIX%20506%20IPSEC%20tunnel.htm

Conclusions

Make sure you don't NAT packets destined for the other private network. See the Cisco access-list 104: the deny entry does the magic. ACL 104 is evaluated first-match, and IOS applies inside-to-outside NAT before it checks the crypto map, so without the deny a packet for 10.0.0.0/8 would get source 1.1.1.1, no longer match access-list 102, and leave the router unencrypted.
On the FreeS/WAN box the same exemption goes into the nat table's POSTROUTING chain with the RETURN target, inserted at position 1 so it is hit before the SNAT rule. Note the -t nat (POSTROUTING only exists in the nat and mangle tables) and the direction: seen from this box the tunnel traffic comes from 10.0.0.0/8 and goes to 192.168.14.0/24.

linux# iptables -t nat -I POSTROUTING 1 -s 10.0.0.0/8 -d 192.168.14.0/24 -j RETURN
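
To see why the deny entry and the RETURN rule matter, here is an added Python model, not code from the original page, of the two first-match decisions: it expands the Cisco wildcard masks of access-lists 102 and 104 into networks, applies NAT before the crypto map check the way IOS does for inside-to-outside traffic, and walks a nat/POSTROUTING chain in rule order on the FreeS/WAN side. The access-list entries and the chain are constructed from the config above; the host addresses (192.168.14.5, 10.2.3.4, 8.8.8.8) and the function names are mine.

```python
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network


def cisco_wildcard(addr: str, wildcard: str) -> Net:
    """Cisco ACLs use wildcard masks, the bitwise inverse of a netmask
    (0.0.0.255 is a /24, 0.255.255.255 a /8)."""
    netmask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return Net((addr, str(ipaddress.IPv4Address(netmask))), strict=False)


def acl_net(spec: str) -> Net:
    """'any' or 'ADDR WILDCARD' as written in an extended ACL."""
    if spec == "any":
        return Net("0.0.0.0/0")
    addr, wildcard = spec.split()
    return cisco_wildcard(addr, wildcard)


def parse_acl(entries: List[Tuple[str, str, str]]) -> List[Tuple[str, Net, Net]]:
    return [(action, acl_net(src), acl_net(dst)) for action, src, dst in entries]


# Constructed from the access-lists in the Cisco config above.
ACL_102 = parse_acl([  # crypto map "match address 102"
    ("permit", "192.168.14.0 0.0.0.255", "10.0.0.0 0.255.255.255"),
])
ACL_104 = parse_acl([  # "ip nat inside source list 104 ... overload"
    ("deny", "192.168.14.0 0.0.0.255", "10.0.0.0 0.255.255.255"),
    ("permit", "192.168.14.0 0.0.0.255", "any"),
])


def acl_match(rules, src: str, dst: str) -> str:
    """First matching entry wins; every Cisco ACL ends in an implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, src_net, dst_net in rules:
        if s in src_net and d in dst_net:
            return action
    return "deny"


def cisco_outbound(src: str, dst: str, nat_acl, crypto_acl, outside_ip="1.1.1.1"):
    """IOS inside-to-outside order of operations: NAT runs before the crypto
    map is checked, so the crypto ACL sees the translated source address."""
    if acl_match(nat_acl, src, dst) == "permit":
        src = outside_ip
    encrypted = acl_match(crypto_acl, src, dst) == "permit"
    return src, encrypted


# Constructed nat/POSTROUTING chain on the FreeS/WAN box after the
# 'iptables -t nat -I POSTROUTING 1 ... -j RETURN' above; order matters.
LINUX_POSTROUTING = [
    ("RETURN", Net("10.0.0.0/8"), Net("192.168.14.0/24")),
    ("SNAT", Net("10.0.0.0/8"), Net("0.0.0.0/0")),
]


def linux_postrouting(src: str, dst: str, chain, snat_ip="2.2.2.2") -> str:
    """Walk the chain in order: RETURN leaves the source alone, SNAT rewrites it."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for target, src_net, dst_net in chain:
        if s in src_net and d in dst_net:
            return src if target == "RETURN" else snat_ip
    return src


if __name__ == "__main__":
    print(cisco_outbound("192.168.14.5", "10.2.3.4", ACL_104, ACL_102))  # ('192.168.14.5', True)
    print(cisco_outbound("192.168.14.5", "8.8.8.8", ACL_104, ACL_102))   # ('1.1.1.1', False)
    # Without the deny entry the tunnel traffic is translated first and then
    # misses access-list 102, so it would leave the router unencrypted.
    no_deny = parse_acl([("permit", "192.168.14.0 0.0.0.255", "any")])
    print(cisco_outbound("192.168.14.5", "10.2.3.4", no_deny, ACL_102))  # ('1.1.1.1', False)
    print(linux_postrouting("10.2.3.4", "192.168.14.5", LINUX_POSTROUTING))  # 10.2.3.4
    print(linux_postrouting("10.2.3.4", "8.8.8.8", LINUX_POSTROUTING))       # 2.2.2.2
```

The third print is the failure mode the deny entry prevents: the packet is still forwarded, just not through the tunnel. The same model with the RETURN rule removed from LINUX_POSTROUTING shows the FreeS/WAN side sending 2.2.2.2 as the source, which the Cisco's access-list 102 would not match either.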

Single DES is not secure: its 56-bit key can be brute-forced. But it should keep away kiddies, it is better than null ESP, and the 1600 series is not capable of 3DES encryption. Two more things worth tidying once the tunnel is up: drop transform-set t2 from the crypto map, because esp-des without esp-md5-hmac or esp-sha-hmac is ESP with no integrity check at all (and it is not what esp=des-sha1-96 asks for anyway), and set plutodebug back to none, since plutodebug=all logs every step of the negotiation.


Copyright © 2013 vt100.at. All rights reserved.
