[Openswan Users] again with pix

lean piccololean at yahoo.it
Thu Oct 6 20:18:08 CEST 2005


I've done it... but the problem persists. Maybe I have to restart the PIX
too...?

Agent Smith wrote:

>add this to pix
>
>isakmp identity address
>
>then restart the tunnel
>
>--- lean <piccololean at yahoo.it> wrote:
>
>  
>
>>The scenario is: my PC with Openswan with a public IP xxx.xxx.xxx (over
>>ppp0) and a subnet 192.168.0.0 on my eth0 interface; the PIX on another
>>site with a private IP NATted to public IP yyy.yyy.yyy.yyy and a subnet
>>10.0.0.0 on its inside interface.
>>
>>ipsec.conf:
>>
>>version 2.0
>>
>>config setup
>>        interfaces="ipsec0=ppp0"
>>        klipsdebug=none
>>        #plutodebug=none
>>        #plutoload=%search
>>        #plutostart=%search
>>        uniqueids=yes
>>        nat_traversal=yes
>>
>>conn %default
>>        keyingtries=0
>>        disablearrivalcheck=no
>>        authby=secret
>>
>>conn pix
>>        #type = tunnel
>>        left=xxx.xxx.xxx.xxx
>>        leftsubnet=192.168.0.0/24
>>        leftprotoport=17/0
>>        #leftnexthop=%defaultroute
>>        right=yyy.yyy.yyy.yyy
>>        rightsubnet=10.0.0.0/24
>>        rightid="@this.is.false.com"
>>        rightprotoport=17/0
>>        authby=secret
>>        #esp=3des-md5-hmac
>>        #keyexchange = ike
>>        pfs=no
>>        auto=add
>>
>>the pix conf:
>>pixfirewall(config)# sh conf
>>: Saved
>>: Written by enable_15 at 09:51:42.159 UTC Wed Oct 5 2005
>>PIX Version 6.3(1)
>>interface ethernet0 100full
>>interface ethernet1 100full
>>interface ethernet2 auto shutdown
>>nameif ethernet0 outside security0
>>nameif ethernet1 inside security100
>>nameif ethernet2 intf2 security4
>>enable password kd4q8INnfTMGlrxA encrypted
>>passwd 2KFQnbNIdI.2KYOU encrypted
>>hostname pixfirewall
>>domain-name ciscopix.com
>>fixup protocol ftp 21
>>fixup protocol h323 h225 1720
>>fixup protocol h323 ras 1718-1719
>>fixup protocol http 80
>>fixup protocol ils 389
>>fixup protocol rsh 514
>>fixup protocol rtsp 554
>>fixup protocol sip 5060
>>fixup protocol sip udp 5060
>>fixup protocol skinny 2000
>>fixup protocol smtp 25
>>fixup protocol sqlnet 1521
>>names
>>access-list 100 permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
>>access-list openswan permit ip 10.0.0.0 255.255.255.0 192.168.0.0 255.255.255.0
>>pager lines 24
>>mtu outside 1500
>>mtu inside 1500
>>mtu intf2 1500
>>ip address outside 172.17.32.13 255.255.128.0
>>ip address inside 10.0.0.1 255.255.255.0
>>no ip address intf2
>>ip audit info action alarm
>>ip audit attack action alarm
>>pdm logging informational 100
>>pdm history enable
>>arp timeout 14400
>>global (outside) 1 interface
>>nat (inside) 0 access-list 100
>>nat (inside) 1 10.0.0.0 255.255.255.0 0 0
>>route outside 0.0.0.0 0.0.0.0 172.17.0.1 1
>>timeout xlate 3:00:00
>>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
>>timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
>>timeout uauth 0:05:00 absolute
>>aaa-server TACACS+ protocol tacacs+
>>aaa-server RADIUS protocol radius
>>aaa-server LOCAL protocol local
>>http server enable
>>http 0.0.0.0 0.0.0.0 outside
>>http 0.0.0.0 0.0.0.0 inside
>>no snmp-server location
>>no snmp-server contact
>>snmp-server community public
>>no snmp-server enable traps
>>floodguard enable
>>sysopt connection permit-ipsec
>>service resetinbound
>>crypto ipsec transform-set myset esp-3des esp-md5-hmac
>>crypto map mymap 10 ipsec-isakmp
>>crypto map mymap 10 match address openswan
>>crypto map mymap 10 set peer xxx.xxx.xxx
>>crypto map mymap 10 set transform-set myset
>>crypto map mymap interface outside
>>isakmp enable outside
>>isakmp key ******** address xxx.xxx.xxx netmask 255.255.255.255 no-xauth no-config-mode
>>isakmp nat-traversal 10
>>isakmp policy 10 authentication pre-share
>>isakmp policy 10 encryption 3des
>>isakmp policy 10 hash sha
>>isakmp policy 10 group 2
>>isakmp policy 10 lifetime 28800
>>telnet timeout 5
>>ssh 0.0.0.0 0.0.0.0 outside
>>ssh 0.0.0.0 0.0.0.0 inside
>>ssh timeout 60
>>console timeout 0
>>dhcpd address 10.0.0.2-10.0.0.30 inside
>>dhcpd lease 3600
>>dhcpd ping_timeout 750
>>dhcpd enable inside
>>username lelio password 130yZZ3y12bbgj6d encrypted privilege 2
>>terminal width 80
>>Cryptochecksum:6418d0ad0f58ae55469cf13168b83785
>>

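Added example (editor's note, not the poster's or the Openswan project's own configuration): the two mismatches visible between the pasted ipsec.conf and the pasted PIX config, and a conn stanza that aligns with the PIX side. It assumes the PIX's real outside address is 172.17.32.13 as shown in its `sh conf`, that the PIX identifies itself by address (`isakmp identity address`, as advised in the reply), and that the tunnel should carry all IP traffic between the two subnets, as the PIX access-list `openswan` (`permit ip`) says.

```ini
# Openswan 2.x ipsec.conf - corrected "pix" conn (added example, assumptions noted inline)

conn pix
        left=xxx.xxx.xxx.xxx
        leftsubnet=192.168.0.0/24
        # right= is the address the IKE packets actually arrive from
        # (the NATted public address of the PIX).
        right=yyy.yyy.yyy.yyy
        # The PIX sits behind NAT. With "isakmp identity address" it sends
        # ID_IPV4_ADDR carrying its real outside-interface address
        # (172.17.32.13 in the pasted config, assumed here), not the NATted
        # yyy address and not an FQDN, so that is the ID Openswan must expect.
        # rightid="@this.is.false.com" can never match it.
        rightid=172.17.32.13
        rightsubnet=10.0.0.0/24
        # No leftprotoport/rightprotoport lines: 17/0 narrows the phase 2
        # selectors to UDP only, while the PIX ACL "openswan" is "permit ip"
        # (protocol any). Quick mode fails when the two selector sets differ.
        authby=secret
        # Matches the PIX crypto map, which sets no PFS group.
        pfs=no
        auto=add
```

With the conn replaced, reload and re-initiate from the Openswan side (`ipsec auto --replace pix` then `ipsec auto --up pix`) rather than restarting the whole PIX; `ipsec auto --status` shows which ID the peer presented if phase 1 still fails. The PSK in ipsec.secrets is looked up by the addresses on the wire, so its entry should be indexed by xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy, not by 172.17.32.13. Unrelated to the tunnel but worth noting from the same `sh conf`: `http 0.0.0.0 0.0.0.0 outside` and `ssh 0.0.0.0 0.0.0.0 outside` open PDM and SSH management to any address on the Internet-facing interface, and `snmp-server community public` is the default community string; both should be restricted.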

