FreeS/WAN or OpenSwan and Cisco PIX VPN

Config guide for FreeS/WAN and OpenSwan to Cisco PIX VPN

I've noticed some search engine activity hitting my resume looking for FreeS/WAN to PIX information, since I happen to mention both on there. I am currently running such a VPN, and decided I should tell people how I did it. It's easy.

First, let me say that I don't know how to make the PIX work with DHCP peers by default. I've seen it mentioned, but I've never bothered to deal with it since my IP changes so rarely anyway. When my IP changes, I log in via the Nortel Contivity (with the Win32 client from my wife's machine) to add my new IP to the PIX. Aside from that unpleasantness, it works great, is stable, and provides bi-directional access to my whole home network, which is a plus.

For the sake of argument, and since I'm sanitizing here, I've decided to make The Internet, my home internal LAN is going to be and the office is going to be, just because I can.

Here's the FreeS/WAN side:

conn office
        left=                   # this is the home machine, "outside" interface
        leftnexthop=            # this is the outside interface default gateway.
                                # Do a "route" and look for where traffic for
                                # "" goes and use that; alternatively,
                                # do a traceroute to anywhere and use the first hop.
        right=                  # outside (internet facing) interface of my target PIX
        rightnexthop=           # again, the default gateway of the PIX
        rightid=@pixname.domainname   # (for instance ). This threw me for
                                # a minute. But yeah, it's whatever the name of the
                                # PIX is and whatever you define as the domain on the

Now the ipsec.secrets entry:

@pixname.domainname : PSK "passwordhere"
# again, "@pixname.domainname" is defined in your PIX config; it's whatever you tell it.

Now the PIX side; the same rules apply. Note that it's very important to have the access-list in FIRST. When you add the crypto map, the first line is "match address aclname", and if the PIX does not find an ACL of that name, you might end up having to drive to wherever your PIX is and physically turn it off and back on. Not that I speak from experience or anything.

access-list ChrisHome permit ip

crypto ipsec transform-set FreeSwan esp-3des esp-md5-hmac

crypto map Company-VPN 50 match address ChrisHome
crypto map Company-VPN 50 set pfs group2
crypto map Company-VPN 50 set peer
crypto map Company-VPN 50 set transform-set FreeSwan

isakmp enable outside
isakmp key passwordhere address netmask

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 28000
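As an added example (not the post's own config), here is a complete Openswan conn that matches the PIX lines above parameter for parameter, with the ipsec.secrets entry that goes with it. It assumes Openswan's ike=/esp= keywords, /24 masks on both LANs, and uses the capitalised placeholders HOME_OUTSIDE_IP, HOME_DEFAULT_GW, HOME_LAN, PIX_OUTSIDE_IP, PIX_DEFAULT_GW and OFFICE_LAN for the addresses sanitised out of the post.

```conf
# /etc/ipsec.conf (added example; placeholders in CAPITALS, masks assumed /24)
conn office
        # Phase 1: must match "isakmp policy 10" on the PIX
        # (3des / md5 / group 2 = modp1024 / lifetime 28000 s / pre-shared key)
        ike=3des-md5-modp1024
        ikelifetime=28000s
        authby=secret
        keyexchange=ike
        # Phase 2: must match "transform-set FreeSwan esp-3des esp-md5-hmac".
        # "set pfs group2" -> pfs=yes; Openswan reuses the modp1024 group from ike=.
        esp=3des-md5
        pfs=yes
        keylife=8h              # PIX default IPsec SA lifetime is 28800 s
        # Home side. leftid defaults to left's address, which is what the
        # PIX's "isakmp key ... address" entry is keyed on.
        left=HOME_OUTSIDE_IP
        leftnexthop=HOME_DEFAULT_GW
        leftsubnet=HOME_LAN/24
        leftid=HOME_OUTSIDE_IP
        # PIX side. leftsubnet/rightsubnet must mirror the hosts in
        # "access-list ChrisHome permit ip ..." or Phase 2 fails on a
        # proxy-ID mismatch even though Phase 1 comes up fine.
        right=PIX_OUTSIDE_IP
        rightnexthop=PIX_DEFAULT_GW
        rightsubnet=OFFICE_LAN/24
        rightid=@pixname.domainname   # the PIX's hostname @ domain-name
        auto=start

# --- /etc/ipsec.secrets (mode 0600, root-owned) ---
# Both IDs listed so this PSK is selected only for this peer pair.
HOME_OUTSIDE_IP @pixname.domainname : PSK "passwordhere"
```

3DES, MD5 and group 2 are kept only because that is what the PIX policy in the post negotiates; a current deployment would pick AES and SHA on both sides and the same one-to-one mapping applies.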