August 4, 2005

Cisco PIX to Strongswan

I say Strongswan, but really FreeS/WAN, OpenSwan, no difference I suspect.

I’ve had this problem with Cisco people telling me “well, just put hosts X, Y, and Z in your access list,” when *S/WAN just gives me a single left/rightsubnet parameter. My fears were realized: this means they want a separate connection description in ipsec.conf for each access list entry.

I’m thinking the PIX configuration looks something like (excerpt):

access-list 100 permit ip 10.0.0.1 255.255.255.255 192.168.0.100 255.255.255.255
access-list 100 permit ip 10.0.0.1 255.255.255.255 192.168.0.101 255.255.255.255
access-list 100 permit ip 10.0.0.2 255.255.255.255 192.168.0.100 255.255.255.255
access-list 100 permit ip 10.0.0.2 255.255.255.255 192.168.0.101 255.255.255.255
crypto map mymap 10 match address 100

Which, to me, says “10.0.0.1 and 10.0.0.2 can access 192.168.0.100 and 192.168.0.101.” So your ipsec.conf might look something like:

conn pix-1-1
    also=pix-1
    also=you-1
    auto=start

conn pix-1-2
    also=pix-1
    also=you-2
    auto=start

conn pix-2-1
    also=pix-2
    also=you-1
    auto=start

conn pix-2-2
    also=pix-2
    also=you-2
    auto=start

conn pix-1
    also=pix
    rightsubnet=192.168.0.100/32

conn pix-2
    also=pix
    rightsubnet=192.168.0.101/32

conn you-1
    leftsubnet=10.0.0.1/32

conn you-2
    leftsubnet=10.0.0.2/32

conn pix
    authby=secret
    left=1.2.3.4
    leftnexthop=%defaultroute
    right=5.6.7.8
    rightid=@the.pix.id
    rightnexthop=%defaultroute
    keylife=86400
    pfs=no

Needless to say, this is not a fun-looking configuration. It is long, and can’t possibly scale well.
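Writing out that cross product by hand is exactly what does not scale, so here is a small generator, added here and not part of the original post: it parses the PIX crypto access-list and emits the conn sections in the layout above (one leaf conn per entry, subnets factored into pix-N and you-N sections). It takes the first ACL column as the *S/WAN (left) side, the way the post reads it, so confirm which column is the PIX's own side on a real box; the hand-written gateway section (`pix`) is assumed to be placed after the generated output.

```python
import re
from ipaddress import IPv4Network
# Constructed sample, modelled on the post's excerpt but with host masks
# so that each entry really is one /32 <-> /32 pair.
SAMPLE_ACL = """
access-list 100 permit ip 10.0.0.1 255.255.255.255 192.168.0.100 255.255.255.255
access-list 100 permit ip 10.0.0.1 255.255.255.255 192.168.0.101 255.255.255.255
access-list 100 permit ip 10.0.0.2 255.255.255.255 192.168.0.100 255.255.255.255
access-list 100 permit ip 10.0.0.2 255.255.255.255 192.168.0.101 255.255.255.255
crypto map mymap 10 match address 100
"""
ACL_LINE = re.compile(r"^access-list\s+(\S+)\s+permit\s+ip\s+(.+)$")

def _endpoint(tokens):
    """Consume one ACL endpoint, 'host A' or 'A MASK'; return (network, rest)."""
    if tokens[0] == "host":
        return IPv4Network(tokens[1] + "/32"), tokens[2:]
    # strict=False drops host bits: a /24 mask on a host address selects the /24
    return IPv4Network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(text, acl_id="100"):
    """Ordered, de-duplicated (left, right) subnet pairs of one crypto ACL; the
    first column is taken as the *S/WAN (left) side, as the post reads it."""
    pairs = []
    for line in text.splitlines():
        m = ACL_LINE.match(line.strip())
        if not m or m.group(1) != acl_id:
            continue
        left, rest = _endpoint(m.group(2).split())
        right, _ = _endpoint(rest)
        if (left, right) not in pairs:
            pairs.append((left, right))
    return pairs

def ipsec_conf(pairs, base="pix"):
    """Emit the post's layout: a leaf conn per pair, subnets factored into pix-N
    and you-N sections, each also= target defined after the section naming it.
    The hand-written gateway section `base` is expected to follow this output."""
    lefts = sorted({l for l, _ in pairs})
    rights = sorted({r for _, r in pairs})
    out = []
    for l, r in pairs:
        li, ri = lefts.index(l) + 1, rights.index(r) + 1
        out.append(f"conn {base}-{ri}-{li}\n    also={base}-{ri}\n"
                   f"    also=you-{li}\n    auto=start\n")
    for i, r in enumerate(rights, 1):
        out.append(f"conn {base}-{i}\n    also={base}\n    rightsubnet={r}\n")
    for i, l in enumerate(lefts, 1):
        out.append(f"conn you-{i}\n    leftsubnet={l}\n")
    return "\n".join(out)
```

If the entries carry 255.255.255.0 masks on host addresses instead, parse_acl collapses all four into a single 10.0.0.0/24 to 192.168.0.0/24 pair, which is what the PIX would actually propose and a quick way to spot a mask that disagrees with the /32 subnets in ipsec.conf.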

Some notes:

  • *S/WAN is the left, PIX is the right. This might need to be the case anytime you want to talk to a PIX.
  • At least you only have to have the actual IP addresses listed once. I’m thinking I can make this go better with policies.
  • authby=secret because I’ve never had a PIX admin give me anything other than a PSK.
  • rightid is apparently in some “RSA key”? Per the PIX admin I was talking to. I doubt this, in retrospect, but it is important to use the right ID when talking to the PIX. Don’t forget to list this ID in /etc/ipsec.secrets for the key you’ll be using.
  • Around the same time I started seeing messages about the wrong ID being sent by the PIX (not the IP, as is the default without something like rightid), I also started getting key lifetime errors. The person I was working with said his was explicitly set to one day (86400 seconds). Don’t know if this is a default or not.
  • No PFS on PIX, at least not by default.
