FreeBSD to Cisco ASA 5505 VPN Connection

Bill Tillman btillman99 at yahoo.com
Wed Feb 17 23:06:49 UTC 2010 

I have a small dilemma. The boss finally relented and is allowing me to work from home. This is a good deal for him too I just have to convince him. They have a Cisco ASA 5505 VPN router at the office. I have a wonderfully working LAN that uses a FreeBSD-7.2-STABLE server running NATD+IPFW. This in turn connects to a cable modem to my ISP and I couldn't be happier with it. All is well.

Now my employer wants me to use a VPN server on my end to connect to his VPN. Okay cool I think Open VPN would do the trick. WRONG...Open VPN does not work with Cisco ASA 5505 routers. In fact, Open VPN doesn't work with alot of Cisco equipment. So much for trying to connect my router directly to their router. But I do have a small Cisco/Linksys RV042 VPN router which does talk to their Cisco router. So we tried hooking this up. First behind my router because I felt it would be safer there and I only need it for a VOIP phone they gave me. That's all this exercise was about was to allow the phone to work securely for their Asterisk system. I know there are other ways to do this but the techs don't want to mess with the Asterisk server because it will void the support contract and warranty.
Through trial and error I finally got this small router to work but I had to put in on the outside of my FreeBSD router. No big deal really, seems to be safe as it has a firewall and the only thing connected to it besides my other FreeBSD router which is tight as a drum, is the VOIP phone which works quite well.
The tech told me that I need to forward ports 500 and 4500 with my FreeBSD router to the small VPN router inside my LAN. That's simple enought but then he tells me I need to redirect all EPS and all AH traffic as well. I guess this is where FreeBSD+NATD+IPFW hits the wall when working with Cisco or is it? I gotta believe this can work but I don't know how the heck to do it and the tech at our IT consultant is totally lost when it comes to anything besides Cisco equipment.
Has anyone got a suggestion on how to do a port redirect with natd to pickup these EPS and AH packets. I added some new lines to my /etc/natd.conf file and the AH part seemed ok but the console screen immediately said what the heck is EPS. And worse it did not work. Only when I put the VPN router outside of my existing router does this setup work. I really want to keep this thing inside my LAN or even better would be how do I get my existing router to work as a VPN on it's own?

More information about the freebsd-questions mailing list