Connecting to Cisco VPN device

Hi, folks. I'll probably need to connect our FreeBSD (not a router) to a Cisco device to form a VPN connection between them. Please point me in the right direction as this is a completely new topic for me (simplest software to use, what configuration FreeBSD base/kernel needs, etc):

VPN device Cisco ASA 5510 - 8.2(1)

Peer IP-address their.external.ip.address

Key management (IKE/ISAKMP)

Encryption Schemes Defined IKE
Pre-shared Secret Key preshared key will be transmitted via SMS
Key Negotiation Encryption Method 3DES
Hash Method SHA
Support Aggressive Mode MAIN
Support Key Exchange DH-2
Extended Authentication Yes
NAT-Traversal No
Use Settings Tunnel

Encryption Schemes Defined (IPSec)

Transform ESP
Encryption Algorithm 3DES
Data Integrity MD5
Perfect Forward Secrecy (PFS) No

Timers

Renegotiate IKE SA timer 86400
Renegotiate IPSEC SA timer 28800

Encryption Domain

Subnet IP Address 172.16.2.11/32

Port 8080

What is subnet IP address in this case?
 
rihad said:
What is subnet IP address in this case?

It is their internal IP address that they are exposing over the VPN. Sometimes called encryption domain. There is a nice guide that you can use as a reference.
 
gkontos said:
It is their internal IP address that they are exposing over the VPN. Some times called encryption domain. There is a nice guide that you can use as a reference.
Thanks. Does it cover the same info as The Handbook? Which should I choose to cover my needs? (point-to-point encryption). I'd like to keep changes and downtime to a minimum, as the box is in production.
 
rihad said:
Thanks. Does it cover same info as The Handbook? Which should I choose to cover my needs? (point-to-point encryption). I'd like to keep making changes & downtime to a minimum, as the box is in production.

Basically you compile your KERNEL, install security/ipsec-tools, configure racoon, adjust your firewall and test the tunnel.

You need to understand a bit about VPN technology, that's where the handbook comes in and you can use the guide as a reference. Think of endpoint 2 as their ASA.

Regarding downtime, you will need 1 reboot for your new KERNEL.
 
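As an added illustration of the "configure racoon, adjust your firewall" step above (this is not code from the thread or from the ipsec-tools project), the script below maps each line of the Cisco parameter sheet in the first post onto the racoon.conf, setkey and rc.conf fragments a FreeBSD host would need. The public addresses, the XAUTH login name and the file paths are placeholders (assumptions); the 172.16.2.11/32 encryption domain, port 8080, the algorithms and the timers come from the sheet. Nothing is written to /etc: each function only prints its fragment so it can be reviewed before being installed.

```shell
#!/bin/sh
# Placeholder values (assumptions, not from the thread): replace before use.
MY_EXT_IP="${MY_EXT_IP:-203.0.113.10}"      # our FreeBSD box's public address
MY_INT_IP="${MY_INT_IP:-203.0.113.10}"      # address we present inside the tunnel (same host here)
PEER_EXT_IP="${PEER_EXT_IP:-198.51.100.1}"  # stands in for "their.external.ip.address"
PEER_INT_IP="172.16.2.11"                   # their encryption domain (/32) from the sheet
PEER_PORT="8080"                            # only this port is reachable through the tunnel
XAUTH_USER="${XAUTH_USER:-vpnuser}"         # placeholder XAUTH login name
PSK_FILE="/usr/local/etc/racoon/psk.txt"    # holds "<peer ip> <key from the SMS>", mode 0600

# Kernel side (Handbook): the custom KERNEL needs "options IPSEC" and "device crypto",
# which is the one reboot mentioned in the answer.

# Phase 1 (IKE/ISAKMP): main mode, 3DES, SHA-1, DH group 2, PSK plus XAUTH, NAT-T off, 86400 s.
# Phase 2 (IPsec): ESP, 3DES, HMAC-MD5, 28800 s; "PFS: No" means no pfs_group line at all.
gen_racoon_conf() {
cat <<EOF
path pre_shared_key "$PSK_FILE";
log notify;

remote $PEER_EXT_IP {
    exchange_mode main;            # "Support Aggressive Mode: MAIN"
    nat_traversal off;             # "NAT-Traversal: No"
    lifetime time 86400 sec;       # "Renegotiate IKE SA timer 86400"
    proposal_check obey;
    xauth_login "$XAUTH_USER";     # "Extended Authentication: Yes", racoon is the XAUTH client
    proposal {
        encryption_algorithm 3des; # "Key Negotiation Encryption Method 3DES"
        hash_algorithm sha1;       # "Hash Method SHA"
        authentication_method xauth_psk_client;
        dh_group 2;                # "Support Key Exchange DH-2"
    }
}

sainfo address $MY_INT_IP/32 any address $PEER_INT_IP/32 any {
    lifetime time 28800 sec;       # "Renegotiate IPSEC SA timer 28800"
    encryption_algorithm 3des;     # "Encryption Algorithm 3DES"
    authentication_algorithm hmac_md5; # "Data Integrity MD5"
    compression_algorithm deflate;
}
EOF
}

# Security policy: tunnel-mode ESP is required only for TCP traffic to/from port 8080 on
# the peer's /32, so nothing else on this host is silently sent through the tunnel.
gen_setkey_conf() {
cat <<EOF
flush;
spdflush;
spdadd $MY_INT_IP/32 $PEER_INT_IP/32[$PEER_PORT] tcp -P out ipsec esp/tunnel/$MY_EXT_IP-$PEER_EXT_IP/require;
spdadd $PEER_INT_IP/32[$PEER_PORT] $MY_INT_IP/32 tcp -P in  ipsec esp/tunnel/$PEER_EXT_IP-$MY_EXT_IP/require;
EOF
}

# rc.conf lines: load the SPD at boot and start racoon.
gen_rc_conf() {
cat <<EOF
ipsec_enable="YES"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
EOF
}

# Firewall (pf syntax; \$ext_if is a pf macro, so it is escaped here): with NAT-T off only
# IKE on UDP/500 and ESP (IP protocol 50) from the peer need to be allowed, not UDP/4500.
gen_pf_rules() {
cat <<EOF
pass in quick on \$ext_if proto udp from $PEER_EXT_IP to $MY_EXT_IP port 500
pass in quick on \$ext_if proto esp from $PEER_EXT_IP to $MY_EXT_IP
EOF
}

if [ "${1:-}" = "show" ]; then
    gen_racoon_conf; echo; gen_setkey_conf; echo; gen_rc_conf; echo; gen_pf_rules
fi
```

Run `sh vpn-fragments.sh show` to print all four fragments; after installing them, `setkey -DP` shows the loaded policies and `racoonctl show-sa isakmp` confirms phase 1 came up once traffic to 172.16.2.11:8080 triggers negotiation.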