Re: OpenBSD - Cisco IPSEC

2006-03-10 Thread Diana Eichert
On Fri, 10 Mar 2006, Paolo Supino wrote:

 Hi

   I need to set up an IPSEC VPN between 2 locations. 1 location runs
 Cisco gear (out of my control) and the other runs OpenBSD (my decision).
 I've never set up a VPN between Cisco and OpenBSD before (I did between
 Cisco to Cisco and OpenBSD to OpenBSD) and I was wondering if there are
 any pitfalls or incompatibilities between Cisco and OpenBSD
 implementations of IPSEC that will cause problems?


 TIA
 Paolo

Ehlo

More info is required.  Cisco is a company that grows via acquisition,
therefore they have several different VPN solutions.  Also, I did a quick
search on Google for Cisco and OpenBSD ipsec and there are over 95k
English hits.  The very first response is OpenBSD IPSEC with cisco -
HOWTO.

diana



Re: OpenBSD - Cisco IPSEC

2006-03-10 Thread jared r r spiegel
On Fri, Mar 10, 2006 at 08:12:59AM -0500, Paolo Supino wrote:
 Hi
 
  I need to set up an IPSEC VPN between 2 locations. 1 location runs
 Cisco gear (out of my control) and the other runs OpenBSD (my decision).

  depending on whether this is relevant to your needs or not, vpnc
  from ports(/security) works well for me.  the 0.3.3 one does
  some cute xauth stuff (i guess?) and pulls down routes automagically.

  seems like work went into the vpnc-script.

  i am using vpnc just to access work-vpn, tho, and not for something
  such as setting up a permanent tunnel between two gateways.

-- 

  jared

[ openbsd 3.9-beta GENERIC ( jan 30 ) // i386 ]



Re: OpenBSD - Cisco IPSEC

2006-03-10 Thread Denis Doroshenko
On 3/10/06, jared r r spiegel wrote:
   i am using vpnc just to access work-vpn, tho, and not for something
   such as setting up a permanent tunnel between two gateways.

AFAIK vpnc does not support rekeying yet, and that sucks :-)



Re: OpenBSD - Cisco IPSEC

2006-03-10 Thread Matthew Closson

On Fri, 10 Mar 2006, Paolo Supino wrote:


Hi

I need to set up an IPSEC VPN between 2 locations. 1 location runs Cisco gear
(out of my control) and the other runs OpenBSD (my decision). I've never
set up a VPN between Cisco and OpenBSD before (I did between Cisco to Cisco
and OpenBSD to OpenBSD) and I was wondering if there are any pitfalls or
incompatibilities between Cisco and OpenBSD implementations of IPSEC that
will cause problems?


TIA
Paolo


Paolo,

As others have said we need more details.  I have set up isakmpd and IPSEC
in tunnel mode with Cisco PIXes, as well as Cisco 3000 series VPN
concentrators (which are really from Altiga Networks).  Getting the tunnel
established between these devices is never a problem, especially if you
define out every section in isakmpd.conf and only offer a single
encryption/hash algorithm in your proposals.  The biggest problem I have
had is rekeying.  I have had a lot of issues with tunnels getting out of
sync, where my side keeps using XXX SA/SPI, while the other side moves on
to another one or the reverse of that.


Cisco devices I have seen default their lifetimes to 86400 seconds for
IKE and 28800 seconds for IPSEC.  This is of course different from isakmpd
so you will want to keep that in mind.


I would highly recommend you read all the info listed here.

https://www.icsalabs.com/icsa/main.php?pid=fggfgd

ICSA does interoperability testing between various IPSEC implementations
and they cover several Cisco products.  As well, in their paper
IPSEC VPN Advanced Troubleshooting they state that an excellent tool
for debugging interoperability problems in the field is OpenBSD's isakmpd.


A lot of information on the specific cisco device you want to talk to may 
be available at http://www.cisco.com/univercd


I am also curious as to the successes and failures other people have had 
with cisco devices and rekeying, especially cisco 3005, cisco 3030 
concentrators.


-Matt-



Re: OpenBSD - Cisco IPSEC

2006-03-10 Thread Paolo Supino

Hi Diana

  I did a different search in google and received a lot of irrelevant
hits :-( I looked up the mailing list archives but didn't find anything
concrete on the subject. I agree that more information is needed but I
kept it to the 2nd round of the emails on this subject because 1: I
didn't have it at the time. 2: I didn't know exactly what kind of
information others would be interested in (and overloading emails with
numbers makes others less likely to respond to the email).
Now to the subject at hand: The OpenBSD side is simple: OpenBSD 
3.8-stable (and 3.9 when it comes out). Since I didn't have time to 
develop a policy I'm following the other location's policy. The Cisco 
they have is a 3745 concentrator. The encryption algorithm is 3DES. Hash 
algorithm is SHA1. DH group 2 (for phase 1) and phase 2 is esp-3des 
esp-sha-hmac.
TIA
Paolo



Re: OpenBSD - Cisco IPSEC

2006-03-10 Thread Paolo Supino

Hi Matthew

 Thanx for a great reply (even though I didn't supply information). 
Here is some more information:
The OpenBSD side is simple: OpenBSD 3.8-stable (and 3.9 when it comes 
out). Since I didn't have time to develop a policy I'm following the 
other location's policy. The Cisco they have is a 3745 concentrator. The 
encryption algorithm is 3DES. Hash algorithm is SHA1. DH group 2 (for 
phase 1) and phase 2 is esp-3des esp-sha-hmac.




TIA
Paolo


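The proposal Paolo describes (3DES, SHA1, DH group 2 for phase 1; esp-3des esp-sha-hmac in tunnel mode for phase 2), written out as an isakmpd.conf the way Matthew suggests: every section defined, a single proposal per phase, and the lifetimes pinned to the Cisco defaults he quotes (86400 s IKE, 28800 s IPSEC) rather than isakmpd's own. This is an added example, not a file from the thread; the peer address, the two protected networks and the pre-shared key are placeholders, and pre-shared-key authentication is assumed.

```ini
# Added example (not from the thread): peer address, networks and the PSK are placeholders.
[Phase 2]
Connections=            IPsec-openbsd-cisco
[cisco-peer]
Phase=                  1
Address=                203.0.113.1
Configuration=          main-mode-3des-sha-psk
Authentication=         PLACEHOLDER-PRE-SHARED-KEY
[IPsec-openbsd-cisco]
Phase=                  2
ISAKMP-peer=            cisco-peer
Configuration=          quick-mode-esp-3des-sha
Local-ID=               net-openbsd-side
Remote-ID=              net-cisco-side
[net-openbsd-side]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.1.0
Netmask=                255.255.255.0
[net-cisco-side]
ID-type=                IPV4_ADDR_SUBNET
Network=                192.168.2.0
Netmask=                255.255.255.0
[main-mode-3des-sha-psk]
EXCHANGE_TYPE=          ID_PROT
Transforms=             xf-3des-sha-psk-group2
[xf-3des-sha-psk-group2]
ENCRYPTION_ALGORITHM=   3DES_CBC
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=      MODP_1024
Life=                   life-ike-86400
[life-ike-86400]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          86400
[quick-mode-esp-3des-sha]
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 suite-esp-3des-sha
[suite-esp-3des-sha]
Protocols=              proto-esp-3des-sha
[proto-esp-3des-sha]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             xf-esp-3des-sha-tunnel
[xf-esp-3des-sha-tunnel]
TRANSFORM_ID=           3DES
ENCAPSULATION_MODE=     TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_SHA
Life=                   life-ipsec-28800
[life-ipsec-28800]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          28800
```

If the Cisco side may initiate (including phase 1 rekeys), also add a [Phase 1] section mapping its address to cisco-peer so isakmpd finds this configuration for inbound negotiations; the single suite keeps the quick mode offer to exactly one transform, which is the point of Matthew's advice.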


Re: OpenBSD - Cisco IPSEC

2006-03-10 Thread Melameth, Daniel D.
Paolo Supino wrote:
   I need to set up an IPSEC VPN between 2 locations. 1 location runs
 Cisco gear (out of my control) and the other runs OpenBSD (my
 decision). I've never set up a VPN between Cisco and OpenBSD before (I
 did between Cisco to Cisco and OpenBSD to OpenBSD) and I was
 wondering if there are any pitfalls or incompatibilities between
 Cisco and OpenBSD implementations of IPSEC that will cause problems?

In one scenario, I have an OpenBSD box in a remote office doing IPSEC
with isakmpd with a Cisco router in a headquarters office.  This has been
running flawlessly for years.