
VPN : FreeSwan to Cisco Pix 5.3(1)

Status
Not open for further replies.

cygnetrower1

IS-IT--Management
Feb 14, 2002
GB
Does anyone have any experience of setting up a VPN between a PIX running 5.3(1) and FreeS/WAN on Linux?

The error occurs at phase 2, after the SA has been authenticated. On the Linux side they receive the message:
ISAKMP Message has an unknown value: 6

We've got several Mandrake machines running FreeS/WAN connected to a PIX firewall running 5.1(5). Our configurations are as follows:

PIX side:
access-list 126 permit ip 192.9.200.0 255.255.252.0 192.168.1.0 255.255.255.0
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
crypto ipsec transform-set myset2 esp-3des esp-sha-hmac
crypto ipsec transform-set myset3 esp-des esp-md5-hmac
isakmp key testtesttesttest address 1.2.3.4 netmask 255.255.255.255
crypto map theMap 24 ipsec-isakmp
crypto map theMap 24 match address 126
crypto map theMap 24 set peer 1.2.3.4
crypto map theMap 24 set transform-set myset1 myset2 myset3 myset

route outside 192.168.1.0 255.255.255.0 9.8.7.6 1

(1.2.3.4 is remote (Linux) outside IP, 9.8.7.6 is local gateway address)

On the Mandrake side, we have ipsec.conf with:
conn dadz-workz
    # parameter lines must be indented under the conn header
    # left = Linux side, right = PIX side
    left=1.2.3.4
    leftsubnet=192.168.1.0/24
    leftnexthop=5.6.7.8
    right=13.12.11.10
    rightsubnet=192.9.200.0/255.255.252.0
    rightnexthop=9.8.7.6
    authby=secret
    pfs=no
    auto=add

where 1.2.3.4 is the Linux outside address, 5.6.7.8 is the Linux gateway, 9.8.7.6 is the PIX gateway and 13.12.11.10 is the PIX outside address.

We also have the following rules added to the iptables firewall on the Linux side:

iptables -A INPUT -s 13.12.11.10 -d 1.2.3.4 -j ACCEPT
iptables -A INPUT -s 192.9.200.0/22 -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -s 192.9.200.0/22 -d 192.168.1.0/24 -j ACCEPT

and modified the MASQUERADE rule to read:

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 ! -d 192.0.0.0/8 -j MASQUERADE

where, once again, 13.12.11.10 is the PIX outside address and 1.2.3.4 is the Linux outside address.

When testing the VPN from the Linux machine with a ping, it is necessary to specify the interface, i.e.
ping -I 192.168.0.1 192.9.200.10
to ping 192.9.200.10 from the Linux machine.

Hope this helps.
Shaodius
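An added example, not part of the reply above: a small Python check that parses the PIX crypto ACL and the FreeS/WAN conn from the post and reports any phase 2 selector or IKE peer that the two sides disagree on, a common reason for a tunnel that authenticates in phase 1 and then fails in phase 2. The config strings are constructed from the fragments in the reply; the function names are mine.

```python
import re
from ipaddress import ip_network

# Constructed sample input: the two fragments from the reply above.
PIX_CONFIG = """
access-list 126 permit ip 192.9.200.0 255.255.252.0 192.168.1.0 255.255.255.0
isakmp key testtesttesttest address 1.2.3.4 netmask 255.255.255.255
crypto map theMap 24 match address 126
crypto map theMap 24 set peer 1.2.3.4
"""

IPSEC_CONF = """
conn dadz-workz
    left=1.2.3.4
    leftsubnet=192.168.1.0/24
    right=13.12.11.10
    rightsubnet=192.9.200.0/255.255.252.0
"""

def parse_pix(text):
    """Pull the crypto ACL selectors and the IKE peer addresses out of a PIX fragment."""
    acl = re.search(r"^access-list \d+ permit ip (\S+) (\S+) (\S+) (\S+)", text, re.M)
    peer = re.search(r"^crypto map \S+ \d+ set peer (\S+)", text, re.M)
    key = re.search(r"^isakmp key \S+ address (\S+)", text, re.M)
    # ACL source is the network behind the PIX, destination the network behind Linux.
    return {"pix_side": ip_network(f"{acl[1]}/{acl[2]}", strict=False),
            "linux_side": ip_network(f"{acl[3]}/{acl[4]}", strict=False),
            "peer": peer[1], "key_peer": key[1]}

def parse_ipsec_conf(text):
    """Read left/leftsubnet/right/rightsubnet from a FreeS/WAN conn section.
    ip_network takes a prefix length or a dotted mask, so both spellings normalise."""
    kv = dict(re.findall(r"^\s*(\w+)=(\S+)", text, re.M))
    return {"left": kv["left"], "right": kv["right"],
            "leftsubnet": ip_network(kv["leftsubnet"], strict=False),
            "rightsubnet": ip_network(kv["rightsubnet"], strict=False)}

def phase2_mismatches(pix, fs):
    """Return every disagreement that would stop the phase 2 selectors or peer from matching."""
    problems = []
    if pix["pix_side"] != fs["rightsubnet"]:
        problems.append(f"PIX-side net {pix['pix_side']} != rightsubnet {fs['rightsubnet']}")
    if pix["linux_side"] != fs["leftsubnet"]:
        problems.append(f"Linux-side net {pix['linux_side']} != leftsubnet {fs['leftsubnet']}")
    if pix["peer"] != fs["left"]:
        problems.append(f"crypto map peer {pix['peer']} != left {fs['left']}")
    if pix["key_peer"] != fs["left"]:
        problems.append(f"isakmp key address {pix['key_peer']} != left {fs['left']}")
    return problems
```

Run `phase2_mismatches(parse_pix(PIX_CONFIG), parse_ipsec_conf(IPSEC_CONF))`; an empty list means both sides describe the same tunnel.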