IPSec
Matthias Apitz
guru at unixarea.de
Sat Feb 22 08:41:33 UTC 2014
El día Saturday, February 22, 2014 a las 11:51:23AM +0330, Farzin Falahati escribió:
> hello all,
>
> i wanna create an ipsec tunnel between my FreeBSD and a Cisco router. i
> have FreeBSD 9.2 with ipsec-tools 0.8.0. is it possible? you know i
> struggle to do it in FreeBSD 8.2 but unfortunately i can't do that. now i
> migrate to FreeBSD 9.2 and i heard that ipsec is changed to be more
> standard in it. so is it possible to create an ipsec tunnel between
> freebsd9.2 and a Cisco router or not?
Hello,
I've checked my old files from around 2007/2008 and I was using
something like:
# vpnc --no-detach --gateway xxx.xxx.xxx.xxx --id ipsec --username xxxxxx
and some configuration file like (see attached notes).
the 'secret' must have been extracted from the a crypted value which your Cisco
admin generated for the access; there was/is some C-written tool to do
the extraction.
I'm attaching my notes from how to configure this;
I do not use it anymore, so I can't help with tests.
HIH
matthias
--
Sent from my FreeBSD netbook
Matthias Apitz, <guru at unixarea.de>, http://www.unixarea.de/ f: +49-170-4527211
UNIX since V7 on PDP-11, UNIX on mainframe since ESER 1055 (IBM /370)
UNIX on x86 since SVR4.2 UnixWare 2.1.2, FreeBSD since 2.2.5
-------------- next part --------------
$Id: vpnc.txt,v 1.5 2007/06/11 14:07:41 guru Exp $
messages from "make install":
===> Installing for vpnc-0.3.3_1
/bin/mkdir -p /usr/local/share/doc/vpnc
...
This port has installed the following files which may act as network
servers and may therefore pose a remote security risk to the system.
/usr/local/sbin/vpnc
This port has installed the following startup scripts which may cause
these network services to be started at boot time.
/usr/local/etc/rc.d/vpnc.sh.sample
If there are vulnerabilities in these programs there may be a security
risk to the system. FreeBSD makes no guarantee about the security of
ports included in the Ports Collection. Please type 'make deinstall'
to deinstall the port if this is a concern.
For more information, and contact details about the security
status of this software, see the following webpage:
http://www.unix-ag.uni-kl.de/~massar/vpnc/
to config:
/usr/local/etc/vpnc.conf:
IPSec gateway xxx.xxx.xxx.xxx
IPSec ID aaaaaaaaaa
IPSec secret bbbbbbbbbb
Xauth username xxxxxxxx
Xauth password xxxxxxxx
some comments about how it works:
- the gateway is contacted first on UDP 500 and later on 4500 as
proposed by the server;
- the 'aaaaaaaaaa' (IPSec ID) is Cisco's 'GroupName' value;
- the 'bbbbbbbbbb' (IPSec secret) is Cisco's 'enc_GroupPwd' but in
clear text; there is a tool to recalculate the clear text GroupPwd
which is written in C in may be fetched from:
http://www.unix-ag.uni-kl.de/~massar/soft/cisco-decrypt.c
(local copy is in ~guru/sysSrc/cisco-decrypt.c) and may be compiled
with:
$ gcc -o cisco-decrypt -I/usr/local/include cisco-decrypt.c -L/usr/local/lib -lgcrypt
you lauch it just as root with:
# vpnc --no-detach
# vpnc --no-detach --debug 3 --udp(?)
routings, /etc/resolv.conf are set/reset on up and down via a call
to a script /usr/local/sbin/vpnc-script
in our case /etc/resolv.conf gets changed to:
#@VPNC_GENERATED@ -- this file is generated by vpnc
# and will be overwritten by vpnc
# as long as the above mark is intact
domain blabla.de
nameserver xxx.xxx.xxx.xxx
the routings to the various networks the Concentrator knows
are also set and unset by the above script if the Concentrator
provided 'split-network settings'; they are passed as environment
variables to /usr/local/sbin/vpnc-script
that's all
More information about the freebsd-questions
mailing list