[Openswan Users] again with pix
Agent Smith
news8080 at yahoo.com
Thu Oct 6 11:04:44 CEST 2005
add this to pix
isakmp identity address
then restart the tunnel
--- lean <piccololean at yahoo.it> wrote:
> The scenario is: my pc with openswan with a public IP xxx.xxx.xxx (over ppp0)
> and a subnet 192.168.0.0 on my eth0 interface; the pix on another site with a
> private ip natted to public ip yyy.yyy.yyy.yyy and a subnet 10.0.0.0 on its
> inside interface.
>
> ipsec.conf:
>
> version 2.0
>
> config setup
> interfaces="ipsec0=ppp0"
> klipsdebug=none
> #plutodebug=none
> #plutoload=%search
> #plutostart=%search
> uniqueids=yes
> nat_traversal=yes
>
> conn %default
> keyingtries=0
> disablearrivalcheck=no
> authby=secret
>
> conn pix
> #type = tunnel
> left=xxx.xxx.xxx.xxx
> leftsubnet=192.168.0.0/24
> leftprotoport=17/0
> #leftnexthop=%defaultroute
> right=yyy.yyy.yyy.yyy
> rightsubnet=10.0.0.0/24
> rightid="@this.is.false.com"
> rightprotoport=17/0
> authby=secret
> #esp=3des-md5-hmac
> #keyexchange = ike
> pfs=no
> auto=add
>
> the pix conf:
> pixfirewall(config)# sh conf
> : Saved
> : Written by enable_15 at 09:51:42.159 UTC Wed Oct 5 2005
> PIX Version 6.3(1)
> interface ethernet0 100full
> interface ethernet1 100full
> interface ethernet2 auto shutdown
> nameif ethernet0 outside security0
> nameif ethernet1 inside security100
> nameif ethernet2 intf2 security4
> enable password kd4q8INnfTMGlrxA encrypted
> passwd 2KFQnbNIdI.2KYOU encrypted
> hostname pixfirewall
> domain-name ciscopix.com
> fixup protocol ftp 21
> fixup protocol h323 h225 1720
> fixup protocol h323 ras 1718-1719
> fixup protocol http 80
> fixup protocol ils 389
> fixup protocol rsh 514
> fixup protocol rtsp 554
> fixup protocol sip 5060
> fixup protocol sip udp 5060
> fixup protocol skinny 2000
> fixup protocol smtp 25
> fixup protocol sqlnet 1521
> names
> access-list 100 permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
> access-list openswan permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
> pager lines 24
> mtu outside 1500
> mtu inside 1500
> mtu intf2 1500
> ip address outside 172.17.32.13 255.255.128.0
> ip address inside 10.0.0.1 255.255.255.0
> no ip address intf2
> ip audit info action alarm
> ip audit attack action alarm
> pdm logging informational 100
> pdm history enable
> arp timeout 14400
> global (outside) 1 interface
> nat (inside) 0 access-list 100
> nat (inside) 1 10.0.0.0 255.255.255.0 0 0
> route outside 0.0.0.0 0.0.0.0 172.17.0.1 1
> timeout xlate 3:00:00
> timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
> timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
> timeout uauth 0:05:00 absolute
> aaa-server TACACS+ protocol tacacs+
> aaa-server RADIUS protocol radius
> aaa-server LOCAL protocol local
> http server enable
> http 0.0.0.0 0.0.0.0 outside
> http 0.0.0.0 0.0.0.0 inside
> no snmp-server location
> no snmp-server contact
> snmp-server community public
> no snmp-server enable traps
> floodguard enable
> sysopt connection permit-ipsec
> service resetinbound
> crypto ipsec transform-set myset esp-3des esp-md5-hmac
> crypto map mymap 10 ipsec-isakmp
> crypto map mymap 10 match address openswan
> crypto map mymap 10 set peer xxx.xxx.xxx
> crypto map mymap 10 set transform-set myset
> crypto map mymap interface outside
> isakmp enable outside
> isakmp key ******** address xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
> isakmp nat-traversal 10
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption 3des
> isakmp policy 10 hash sha
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 28800
> telnet timeout 5
> ssh 0.0.0.0 0.0.0.0 outside
> ssh 0.0.0.0 0.0.0.0 inside
> ssh timeout 60
> console timeout 0
> dhcpd address 10.0.0.2-10.0.0.30 inside
> dhcpd lease 3600
> dhcpd ping_timeout 750
> dhcpd enable inside
> username lelio password 130yZZ3y12bbgj6d encrypted privilege 2
> terminal width 80
> Cryptochecksum:6418d0ad0f58ae55469cf13168b83785
>
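An added check (not from the thread) that makes the reply's point concrete: openswan only accepts the PIX if the configured rightid (or, without one, the right= address) equals the ID the PIX places in its IKE identity payload, and that payload depends on the PIX `isakmp identity` setting. The sample configs are constructed from the posted ones with placeholder addresses; it is an assumption that the PIX uses hostname identity (hostname.domain-name) when no `isakmp identity` line is present.

```python
import re

# Constructed samples modelled on the thread; the addresses are documentation
# placeholders, not real hosts.
IPSEC_CONF = """\
conn pix
    left=203.0.113.10
    leftsubnet=192.168.0.0/24
    right=198.51.100.20
    rightsubnet=10.0.0.0/24
    rightid="@this.is.false.com"
    authby=secret
"""
PIX_CONF = """\
hostname pixfirewall
domain-name ciscopix.com
ip address outside 172.17.32.13 255.255.128.0
isakmp enable outside
"""

def parse_conn(text, name):
    """Return the key=value options of one openswan conn section."""
    opts, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            inside = line.split()[1] == name
        elif inside and "=" in line and not line.startswith("#"):
            key, val = line.split("=", 1)
            opts[key.strip()] = val.strip().strip('"')
    return opts

def pix_ike_identity(pix_text):
    """Predict the IKE ID the PIX presents. Assumption: hostname identity
    (ID_FQDN hostname.domain-name) applies unless 'isakmp identity address'
    is configured, which selects the outside interface's own address."""
    if re.search(r"^isakmp identity address\s*$", pix_text, re.M):
        return re.search(r"^ip address outside (\S+)", pix_text, re.M).group(1)
    host = re.search(r"^hostname (\S+)", pix_text, re.M).group(1)
    dom = re.search(r"^domain-name (\S+)", pix_text, re.M)
    return "@" + host + ("." + dom.group(1) if dom else "")

def check_peer_id(ipsec_conf, pix_conf, conn="pix"):
    """Compare what openswan expects (rightid, else the right= address)
    with what the PIX will send; a mismatch fails IKE phase 1."""
    opts = parse_conn(ipsec_conf, conn)
    expected = opts.get("rightid", opts["right"])
    presented = pix_ike_identity(pix_conf)
    return expected == presented, expected, presented
```

Run against the posted conn, the check flags a mismatch both before and after adding `isakmp identity address`: the rightid on the openswan side must be changed to whatever the PIX actually presents.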