Contributed by merdely on 2008-07-11 from the vroooooom dept.

Mattias Lindgren shares his experience setting up a VPN connection with a Cisco device:

A friend of mine and I wanted to see how easy it would be to set up a reasonably secure IPSec tunnel between OpenBSD and a Cisco router. Inspired by the SecurityFocus article "Zero to IPSec in 4 minutes", we wanted to see if we could repeat the same feat.

Mattias continues below.

Edit (2008/07/16): Cisco configuration fixed as pointed out in the comments. (merdely)

This evening's contestants consist of a Soekris Net4801 running OpenBSD 4.3 and a Cisco 2621 router running 12.4 code. OpenBSD already has a great framework for working with IPSec, ipsecctl(8), which we used to simplify the configuration. It reads ipsec.conf(5), installs the resulting flows and, for ike rules, hands the phase 1 and phase 2 proposals to isakmpd(8), so there is no isakmpd.conf to write by hand. The networks are denoted as follows:

OpenBSD private subnet: a.a.a.a/24

Cisco private subnet: b.b.b.b/24

OpenBSD public address: A.A.A.A

Cisco public address: B.B.B.B

I started out by editing my ipsec.conf file on the OpenBSD box and entered the following:

ike esp from a.a.a.a/24 to b.b.b.b/24 \
    peer B.B.B.B \
    main auth hmac-sha1 enc aes-128 group modp1536 \
    quick auth hmac-sha1 enc aes-128 \
    srcid A.A.A.A psk "mekmitasdigoat"

The main keyword introduces the phase 1 (ISAKMP) proposal and quick the phase 2 (ESP) proposal; both have to be matched exactly by the router's isakmp policy and transform set. Note that "mekmitasdigoat" is the sample key from the isakmpd examples shipped with OpenBSD, so replace it with a long random secret of your own (the same one on both ends) before using this anywhere real. ipsecctl -n -f /etc/ipsec.conf parses the file without loading it, which is a cheap way to catch typos first.

The next step is to allow the appropriate traffic through the PF firewall. The following lines were entered:

set skip on enc0
pass in on $ext_if inet proto udp from B.B.B.B to A.A.A.A port 500
pass in on $ext_if inet proto esp from B.B.B.B to A.A.A.A

set skip is an option and has to come before the filter rules in pf.conf(5), otherwise pfctl rejects the ruleset. Skipping enc0 also means the decrypted traffic is not filtered at all, which is fine for a test but not for production, where you would filter on enc0 instead. Both ends here sit on public addresses, so no NAT traversal is involved; if either end were behind NAT you would also need to pass UDP port 4500.

All that remains on OpenBSD is to start up the VPN subsystems with the following commands:

isakmpd -K
ipsecctl -f /etc/ipsec.conf

The -K flag disables isakmpd's KeyNote policy check, which is what lets the flows loaded by ipsecctl be used without writing a policy file. ipsecctl -s all then shows the installed flows and, once the router has negotiated, the SAs. To have this survive a reboot, set isakmpd_flags="-K" and ipsec=YES in /etc/rc.conf.local.

Now, moving over to the Cisco side. The relevant configuration sections look something like this:

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key mekmitasdigoat address A.A.A.A
crypto isakmp keepalive 30 5
crypto ipsec transform-set aes-set esp-aes esp-sha-hmac
!
crypto map VPN 15 ipsec-isakmp
 set peer A.A.A.A
 set transform-set aes-set
 match address VPN-to-OpenBSD
!
interface FastEthernet0/0
 crypto map VPN
 ip address B.B.B.B
 ip access-group INET in
!
ip access-list extended INET
 permit esp any any
 permit udp any any eq isakmp
!
ip access-list extended VPN-to-OpenBSD
 permit ip b.b.b.b 0.0.0.255 a.a.a.a 0.0.0.255

The isakmp policy is the mirror of the OpenBSD main line: encr aes without a key length is AES-128, the hash is not set and so defaults to sha (hmac-sha1 on the OpenBSD side), and group 5 is modp1536. The transform set esp-aes esp-sha-hmac corresponds to the quick line, and since the crypto map has no set pfs, quick mode runs without PFS, which matches the OpenBSD quick line naming no group. crypto isakmp keepalive turns on dead peer detection, which isakmpd answers. The ip address line needs the interface's netmask as well; it is left out here along with the real addresses. Also note that the crypto ACL lists the Cisco subnet first, the reverse of the from/to order in ipsec.conf.
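Since a phase 1 or phase 2 mismatch between the two configurations above shows up only as a negotiation that quietly never completes, it is worth checking mechanically, before starting isakmpd, that the ipsec.conf ike rule and the router's IKE configuration describe the same thing. The Python script below is an added example, not part of Mattias's write-up and not tooling from OpenBSD or Cisco: it parses an ipsec.conf ike rule and the IKE-related pieces of an IOS configuration, translates the Cisco names into ipsecctl's (group 5 is modp1536, esp-aes is aes-128, esp-sha-hmac is hmac-sha1, an isakmp policy with no hash line defaults to sha) and reports any mismatch in phase 1 proposal, pre-shared key, transform set, PFS or selectors. The embedded configurations are constructed from the two on this page using documentation addresses in place of a.a.a.a/24, b.b.b.b/24, A.A.A.A and B.B.B.B. The parser understands only the keywords these two configurations use, expects transform sets of the form "esp-enc esp-auth", and assumes, as in the article, that srcid is the OpenBSD public address and that a quick line naming no group means no PFS.

```python
"""Cross-check an OpenBSD ipsec.conf 'ike' rule against the Cisco IOS IKEv1 config on the far end.
Added example, not from the article; only the keywords used there are handled, addresses are constructed."""
import ipaddress
DH_GROUPS = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}  # IOS -> ipsecctl
IOS_HASH = {"sha": "hmac-sha1", "md5": "hmac-md5"}
IOS_ESP = {"esp-aes": "aes-128", "esp-3des": "3des", "esp-sha-hmac": "hmac-sha1", "esp-md5-hmac": "hmac-md5"}

OPENBSD_IPSEC_CONF = """\
ike esp from 10.1.1.0/24 to 10.2.2.0/24 peer 198.51.100.1 \\
    main auth hmac-sha1 enc aes-128 group modp1536 quick auth hmac-sha1 enc aes-128 \\
    srcid 192.0.2.1 psk "mekmitasdigoat"
"""
CISCO_CONFIG = """\
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 5
crypto isakmp key mekmitasdigoat address 192.0.2.1
crypto ipsec transform-set aes-set esp-aes esp-sha-hmac
crypto map VPN 15 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set aes-set
 match address VPN-to-OpenBSD
ip access-list extended VPN-to-OpenBSD
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
"""

def net(addr, wildcard="0.0.0.0"):
    """IOS 'addr wildcard' pair or a CIDR string -> canonical 'x.x.x.x/len'."""
    host_bits = sum(bin(int(o)).count("1") for o in wildcard.split("."))
    return str(ipaddress.ip_network(addr if "/" in addr else f"{addr}/{32 - host_bits}", strict=False))

def parse_ipsec_conf(text):
    """Keywords of a single 'ike' rule (backslash continuations joined) as a dict."""
    tok = text.replace("\\\n", " ").split()
    rule, phase = {"main": {}, "quick": {}}, None
    for key, val in zip(tok, tok[1:]):
        if key in ("main", "quick"):                 # phase 1 / phase 2 transforms follow
            phase = key
        elif key in ("auth", "enc", "group") and phase:
            rule[phase][key] = val
        elif key in ("from", "to", "peer", "srcid", "psk"):
            rule[key] = val.strip('"')
    rule["from"], rule["to"] = net(rule["from"]), net(rule["to"])
    return rule

def parse_ios(text):
    """IKE policies, PSKs, transform sets, crypto maps and extended ACLs from an IOS config."""
    cfg, ctx = {"policies": [], "keys": {}, "tsets": {}, "maps": [], "acls": {}}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            ctx = None
        elif raw[0] != " ":                          # top-level line; some open a block
            ctx = None
            if tok[:3] == ["crypto", "isakmp", "policy"]:   # pre-filled with the IOS defaults
                cfg["policies"].append(ctx := {"enc": "des", "hash": "sha", "group": "1", "authentication": "rsa-sig"})
            elif tok[:3] == ["crypto", "isakmp", "key"] and "address" in tok:
                cfg["keys"][tok[tok.index("address") + 1]] = tok[tok.index("address") - 1]
            elif tok[:3] == ["crypto", "ipsec", "transform-set"]:
                cfg["tsets"][tok[3]] = tok[4:]
            elif tok[:2] == ["crypto", "map"] and tok[-1] == "ipsec-isakmp":
                cfg["maps"].append(ctx := {})
            elif tok[:3] == ["ip", "access-list", "extended"]:
                ctx = cfg["acls"].setdefault(tok[3], [])
        elif isinstance(ctx, list):                  # ACL body: only 'permit ip net wc net wc' lines
            if tok[:2] == ["permit", "ip"] and len(tok) == 6 and "host" not in tok:
                ctx.append((net(tok[2], tok[3]), net(tok[4], tok[5])))
        elif isinstance(ctx, dict):                  # isakmp policy or crypto map body
            key, val = tok[0], tok[-1]
            if key in ("set", "match"):              # set peer X / set pfs [groupN] / match address X
                key, val = tok[1], tok[2] if len(tok) > 2 else "group1"
            elif key in ("encr", "encryption"):      # bare 'encr aes' is AES-128 on IOS
                key, val = "enc", (f"aes-{tok[2]}" if len(tok) > 2 else "aes-128") if tok[1] == "aes" else tok[1]
            ctx[key] = val
    return cfg

def check_compat(obsd, ios):
    """Mismatches between the two sides; an empty list means the proposals should negotiate."""
    me, m, q, out = obsd["srcid"], obsd["main"], obsd["quick"], []   # assumes srcid is the OpenBSD public IP
    p1 = [(p["enc"], IOS_HASH.get(p["hash"]), DH_GROUPS.get(p["group"]), p["authentication"]) for p in ios["policies"]]
    if (m.get("enc"), m.get("auth"), m.get("group"), "pre-share") not in p1:
        out.append(f"no isakmp policy matches main mode {m}; IOS offers {p1}")
    if ios["keys"].get(me) != obsd.get("psk"):
        out.append(f"pre-shared key for {me} missing or different")
    cmap = next((c for c in ios["maps"] if c.get("peer") == me), {})   # {} makes the checks below fail
    ts = tuple(IOS_ESP.get(t, t) for t in ios["tsets"].get(cmap.get("transform-set"), []))
    if (q.get("enc"), q.get("auth")) != ts:
        out.append(f"quick mode {q} != transform-set {ts}")
    # PFS: ipsecctl requests it only when quick mode names a group (assumed: none when absent), IOS only via 'set pfs'.
    want = q.get("group") if q.get("group", "none") != "none" else None
    have = DH_GROUPS.get(cmap["pfs"].replace("group", "")) if "pfs" in cmap else None
    if want != have:
        out.append(f"PFS mismatch: OpenBSD {want}, IOS {have}")
    if (obsd["to"], obsd["from"]) not in ios["acls"].get(cmap.get("address"), []):
        out.append(f"crypto ACL must permit {obsd['to']} -> {obsd['from']}, the mirror of the OpenBSD flow")
    return out

PROBLEMS = check_compat(parse_ipsec_conf(OPENBSD_IPSEC_CONF), parse_ios(CISCO_CONFIG))  # [] for the pair above
```

Drop your own two configurations into the two strings and look at PROBLEMS; the constructed pair agrees and yields an empty list. Changing group 5 to group 2 on the router, adding set pfs to the crypto map, or altering the key on one side each produces one line naming the phase and the values both sides offer, which is the information isakmpd's debug output makes you dig for.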

That was all there was to it. The VPN came up on the first try. Time spent: 4 minutes 1 second, d'oh!