We've got several Mandrake machines running FreeS/WAN connected to a PIX firewall running 5.1(5). Our configurations are as follows:
PIX side:
access-list 126 permit ip 192.9.200.0 255.255.252.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
crypto ipsec transform-set myset2 esp-3des esp-sha-hmac
crypto ipsec transform-set myset3 esp-des esp-md5-hmac
isakmp key testtesttesttest address 1.2.3.4 netmask 255.255.255.255
crypto map theMap 24 ipsec-isakmp
crypto map theMap 24 match address 126
crypto map theMap 24 set peer 1.2.3.4
crypto map theMap 24 set transform-set myset1 myset2 myset3 myset
route outside 192.168.1.0 255.255.255.0 9.8.7.6 1
(1.2.3.4 is the remote (Linux) outside IP, 9.8.7.6 is the local gateway address)
On the Mandrake side, we have ipsec.conf with:
conn dadz-workz
left=1.2.3.4
leftsubnet=192.168.1.0/24
leftnexthop=5.6.7.8
right=13.12.11.10
rightsubnet=192.9.200.0/255.255.252.0
rightnexthop=9.8.7.6
authby=secret
pfs=no
auto=add
where 1.2.3.4 is the Linux outside address, 5.6.7.8 is the Linux gateway, 9.8.7.6 is the PIX gateway and 13.12.11.10 is the PIX outside address.
We also have the following rules added to the iptables firewall on the Linux side:
iptables -A INPUT -s 13.12.11.10 -d 1.2.3.4 -j ACCEPT
iptables -A INPUT -s 192.9.200.0/22 -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -s 192.9.200.0/22 -d 192.168.1.0/24 -j ACCEPT
and modified the MASQUERADE rule to read:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d ! 192.0.0.0/8 -j MASQUERADE
where once again 13.12.11.10 is the PIX outside address and 1.2.3.4 is the Linux outside address.
When testing the VPN from the Linux machine with a ping, it is necessary to specify the interface, i.e.
ping -I 192.168.0.1 192.9.200.10
to ping 192.9.200.10 from the Linux machine.
Hope this helps.
Shaodius
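A common reason a PIX-to-FreeS/WAN tunnel fails in Phase 2 is that the crypto ACL on the PIX is not the exact mirror image of the leftsubnet/rightsubnet selectors in ipsec.conf (the PIX's netmask notation makes this easy to get wrong). The following is an added example, not code from the post above: it parses constructed copies of the two fragments shown above and checks that the ACL source equals rightsubnet and the ACL destination equals leftsubnet, since the PIX is "right" in this conn.

```python
import ipaddress
import re

# Constructed copies of the relevant lines from the post: the PIX's local
# network is 192.9.200.0/22 and the Linux side's network is 192.168.1.0/24.
PIX_CONFIG = """
access-list 126 permit ip 192.9.200.0 255.255.252.0 192.168.1.0 255.255.255.0
crypto map theMap 24 match address 126
"""
IPSEC_CONF = """
conn dadz-workz
    left=1.2.3.4
    leftsubnet=192.168.1.0/24
    right=13.12.11.10
    rightsubnet=192.9.200.0/255.255.252.0
"""

def parse_pix_acl(text, acl_id):
    """Return (src, dst) network pairs from 'access-list <id> permit ip' lines.
    ipaddress accepts PIX-style 'address/netmask' directly."""
    pat = re.compile(rf"^access-list {acl_id} permit ip (\S+) (\S+) (\S+) (\S+)$", re.M)
    return [(ipaddress.ip_network(f"{s}/{sm}"), ipaddress.ip_network(f"{d}/{dm}"))
            for s, sm, d, dm in pat.findall(text)]

def parse_ipsec_conn(text, name):
    """Return the key=value settings of one FreeS/WAN conn block."""
    settings, inside = {}, False
    for line in text.splitlines():
        if line.startswith("conn "):
            inside = line.split()[1] == name
        elif inside and "=" in line:
            key, value = line.strip().split("=", 1)
            settings[key] = value
    return settings

def check_selectors(pix_text, acl_id, ipsec_text, conn):
    """List every crypto-ACL entry that is not the mirror of the conn's selectors.
    The PIX is 'right', so ACL src must be rightsubnet and ACL dst leftsubnet."""
    conf = parse_ipsec_conn(ipsec_text, conn)
    left = ipaddress.ip_network(conf["leftsubnet"])
    right = ipaddress.ip_network(conf["rightsubnet"])
    problems = []
    for src, dst in parse_pix_acl(pix_text, acl_id):
        if src != right:
            problems.append(f"ACL src {src} != rightsubnet {right}")
        if dst != left:
            problems.append(f"ACL dst {dst} != leftsubnet {left}")
    return problems

if __name__ == "__main__":
    print(check_selectors(PIX_CONFIG, "126", IPSEC_CONF, "dadz-workz") or "selectors match")
```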