Building And Integrating Virtual Private Networks With Openswan (2006).pdf

Interoperating with Other Vendors

Here is the corresponding PIX configuration:

! normal pix configuration
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password YourEnablePassWord
passwd YourPassword
hostname pix
domain-name pix.openswan.org
!
ip address outside CiscoIP 255.255.255.0
ip address inside 10.0.2.254 255.255.255.0
global (outside) 1 interface
!
access-list NO-NAT permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list OPENSWAN-VPN permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
! NAT everything except the traffic matched by the NO-NAT access list,
! i.e. the LAN-to-LAN traffic that goes into the IPsec tunnel
nat (inside) 0 access-list NO-NAT
nat (inside) 1 10.0.2.0 255.255.255.0 0 0
! our default gateway
route outside 0.0.0.0 0.0.0.0 DefaultGatewayIP 1
! Permit IPsec connections (decrypted tunnel traffic bypasses the interface access lists)
sysopt connection permit-ipsec
! Create a transform set called 'myset'
crypto ipsec transform-set myset esp-3des esp-sha-hmac
! Create a crypto map called 'mymap' that matches the access list OPENSWAN-VPN,
! peer it with the public IP of the Openswan machine, and use transform set 'myset'
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address OPENSWAN-VPN
crypto map mymap 10 set peer OpenswanIP
crypto map mymap 10 set pfs group2
crypto map mymap 10 set transform-set myset
crypto map mymap interface outside
! Enable ISAKMP/IKE without XAUTH and ModeConfig
isakmp enable outside
isakmp key YourSecret address OpenswanIP netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp nat-traversal 20
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400

The PIX 501 has only one outside interface, and a PIX binds at most one crypto map to an interface. If you need several IPsec connections on the same interface, add them to the same crypto map as entries with different sequence numbers (priorities), each with its own match address, set peer and set transform-set lines.

Nortel Contivity

The Nortel Contivity is a popular VPN product for managing large numbers of end users on the MS Windows platform. It supports various authentication options, including X.509 Digital Certificates (for example, Entrust), as well as the XAUTH IKE extension (and the IETF Draft that has since expired). Openswan is known to work using X.509 Digital Certificates, but as this requires the Nortel Contivity administrator to purchase and set up an Entrust Certificate Authority, many Contivity administrators do not do this.


Chapter 9

The Contivity supports XAUTH, but since Openswan has only recently included XAUTH support, this has not seen much testing yet. It is very likely that some proprietary extensions to the IKE protocol have been made by Nortel that would cause XAUTH interop to fail.

Most interoperability setups between the Nortel Contivity and Openswan therefore use pre-shared keys (PSK, sometimes written PSS). The ipsec.conf is straightforward. Enable PFS with pfs=yes. Compression has been known to cause problems, so the safe choice is to disable it with compress=no. Since we are using pre-shared keys, use authby=secret. If both ends have static public IPs, you can leave out leftid= and rightid= and key the ipsec.secrets entry on the two IP addresses.

Nortel Contivity firmware older than 4.06_120 does not support DH group 2, and some versions do not support 3DES either. Verify that your firmware supports these modes, and upgrade it if it does not.
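The PIX configuration shown earlier in this chapter and the Contivity settings above both end up as one conn in Openswan's ipsec.conf, and most interop failures come down to one side never having offered the Phase 1 or Phase 2 parameters the other expects. The following Python script, added here as an example and not taken from the book or from the Openswan project, parses the PIX statements that decide what is negotiated (a constructed copy of the listing above, with the placeholders CiscoIP and OpenswanIP replaced by the assumed documentation addresses 192.0.2.1 and 198.51.100.1) and renders the matching conn and ipsec.secrets entry; a second function builds the Contivity conn from the parameters given in this section. The keyword tables, function names and conn names are mine; the PIX and ipsec.conf keywords they translate between are the real ones.

```python
"""Build the Openswan conn that matches a Cisco PIX 6.x crypto configuration.
Added example, not from the book or the Openswan project: tables and helpers are
mine; the book's CiscoIP/OpenswanIP placeholders are the assumed 192.0.2.1/198.51.100.1."""
import ipaddress
from typing import Dict, Optional

# Constructed copy of the chapter's PIX statements that decide what gets negotiated.
PIX_CONFIG = """\
access-list OPENSWAN-VPN permit ip 10.0.2.0 255.255.255.0 10.0.1.0 255.255.255.0
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 10 match address OPENSWAN-VPN
crypto map mymap 10 set peer 198.51.100.1
crypto map mymap 10 set pfs group2
crypto map mymap 10 set transform-set myset
isakmp key YourSecret address 198.51.100.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp policy 5 authentication pre-share
isakmp policy 5 encryption 3des
isakmp policy 5 hash sha
isakmp policy 5 group 2
isakmp policy 5 lifetime 86400
"""
PIX_OUTSIDE_IP = "192.0.2.1"  # assumed value of the book's CiscoIP placeholder
# PIX keyword -> ipsec.conf keyword; unlisted keywords raise KeyError rather than a silent default.
IKE_ENC = {"des": "des", "3des": "3des", "aes": "aes"}
IKE_HASH = {"md5": "md5", "sha": "sha1"}
DH_GROUP = {"1": "modp768", "2": "modp1024", "5": "modp1536"}
ESP_ENC = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes"}
ESP_AUTH = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}

def parse_pix(text: str) -> Dict:
    """Collect the VPN-relevant statements from PIX 6.x configuration text."""
    cfg = {"acl": {}, "transform": {}, "policy": {}, "map": {}, "psk": {}}
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "access-list" and t[2:4] == ["permit", "ip"]:  # (PIX side, remote side)
            cfg["acl"][t[1]] = tuple(str(ipaddress.ip_network(f"{n}/{m}"))  # dotted masks accepted
                                     for n, m in ((t[4], t[5]), (t[6], t[7])))
        elif t[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transform"][t[3]] = t[4:]
        elif t[:2] == ["crypto", "map"] and len(t) >= 6:
            # crypto map NAME SEQ {match address ACL | set peer IP | set pfs groupN | set transform-set TS}
            cfg["map"].setdefault(t[3], {})[" ".join(t[4:-1])] = t[-1]
        elif t[:2] == ["isakmp", "policy"]:
            cfg["policy"].setdefault(int(t[2]), {})[t[3]] = t[4]
        elif t[:2] == ["isakmp", "key"]:
            cfg["psk"][t[4]] = t[2]  # peer address -> pre-shared key
    return cfg

def pix_to_conns(text: str, pix_outside_ip: str) -> Dict[str, Dict[str, str]]:
    """One conn per crypto map sequence number; the Openswan gateway is 'left'."""
    cfg = parse_pix(text)
    pol = cfg["policy"][min(cfg["policy"])]  # lowest number = highest priority
    if pol.get("authentication") != "pre-share":
        raise ValueError("only pre-shared-key policies are mapped (authby=secret)")
    ike_group = DH_GROUP[pol["group"]]
    conns = {}
    for seq, entry in sorted(cfg["map"].items(), key=lambda kv: int(kv[0])):
        pix_net, far_net = cfg["acl"][entry["match address"]]
        ts = cfg["transform"][entry["set transform-set"]]
        pfs_group = DH_GROUP[entry["set pfs"][len("group"):]] if "set pfs" in entry else None
        conn = {"left": entry["set peer"], "leftsubnet": far_net,
                "right": pix_outside_ip, "rightsubnet": pix_net, "authby": "secret",
                "ike": f"{IKE_ENC[pol['encryption']]}-{IKE_HASH[pol['hash']]}-{ike_group}",
                "esp": f"{next(ESP_ENC[x] for x in ts if x in ESP_ENC)}-"
                       f"{next(ESP_AUTH[x] for x in ts if x in ESP_AUTH)}",
                "pfs": "yes" if pfs_group else "no"}
        if pfs_group and pfs_group != ike_group:  # Openswan defaults pfsgroup to the Phase 1 group
            conn["pfsgroup"] = pfs_group
        conn.update(ikelifetime=pol.get("lifetime", "86400") + "s",  # 86400 is the PIX default
                    compress="no", auto="start")
        conns[f"pix-{seq}"] = conn
    return conns

def contivity_conn(openswan_ip: str, local_subnet: Optional[str], contivity_ip: str,
                   remote_subnet: str, dh_group: str = "modp1024") -> Dict[str, str]:
    """Openswan side of the Contivity tunnel as the text describes it (3DES/SHA1, PFS on,
    compression off, PSK). Use dh_group="modp768" on firmware older than 4.06_120; local_subnet=None
    mirrors the walkthrough, where the Contivity's Remote entry is the Openswan gateway /32."""
    conn = {"left": openswan_ip}
    if local_subnet:
        conn["leftsubnet"] = local_subnet
    conn.update(right=contivity_ip, rightsubnet=remote_subnet, authby="secret",
                ike=f"3des-sha1-{dh_group}", esp="3des-sha1", pfs="yes", compress="no", auto="start")
    return conn

def render_conn(name: str, opts: Dict[str, str]) -> str:
    """One ipsec.conf conn section; keyword lines must be indented."""
    return f"conn {name}\n" + "".join(f"\t{k}={v}\n" for k, v in opts.items())

def render_secrets(left: str, right: str, psk: str) -> str:
    """ipsec.secrets entry keyed on both static IPs, so no leftid/rightid is needed."""
    return f'{left} {right} : PSK "{psk}"'

if __name__ == "__main__":
    for name, conn in pix_to_conns(PIX_CONFIG, PIX_OUTSIDE_IP).items():
        print(render_conn(name, conn))
    print(render_conn("contivity", contivity_conn("198.51.100.1", None, "192.0.2.2", "10.0.2.0/24")))
```

Running it prints one conn per sequence number in the PIX crypto map (which is how several tunnels share the single map a PIX interface allows) plus the Contivity conn, ready to paste into /etc/ipsec.conf. Openswan only proposes what ike= and esp= list, so a mismatch fails in Phase 1 with Pluto logging "no acceptable Oakley Transform" or in Phase 2 with "no acceptable Proposal in IPsec SA"; generating the conn from the peer's own configuration removes the usual hand-copying errors. A PIX pfs group that differs from its ISAKMP group needs an explicit pfsgroup=, since Openswan otherwise reuses the Phase 1 group.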

Before you can define the remote subnet to connect to, you will need to add a definition for the local network.

In the Contivity's web interface, select Profiles | Networks, then enter a name for your local LAN, CorporateLAN for example.

Fill in the network number (the lowest IP address in your range) and the netmask. Click Add and then Close. To configure the parameters for the remote end, we need to configure a branch office. Select Profiles | Branch Office | Edit Group.


Disable the Nailed Up feature until you have a working configuration. Set the Idle Timeout to 00:00:00 so that the Contivity does not tear down an idle IPsec connection. Disable the 40-bit and 56-bit DES options (both are too weak to rely on) and enable 3DES.

You can disable the AH options as well, if you are not using any L2TP with the Contivity. Make sure to enable Perfect Forward Secrecy, and to disable RIP, unless you already deploy RIP on your routers.


Go back to Profiles | Branch Office and select Define New Branch Office. Name the connection, select the Group Name, and choose Peer-to-Peer as the Connection Type. Click OK. The connection type governs which side may bring the tunnel up: Peer-to-Peer means this side can both initiate and respond to IPsec connections.

Click on Define Branch Office Connection. Fill out the Endpoint Addresses by selecting your external IP from the drop-down menu for Local. Enter the IP address of the Openswan Gateway for Remote. Enter your pre-shared key in the Text Pre-Shared Key box. Scroll down to the bottom of the page and click Continue.

Now pick the network you just defined from the drop-down menu for the Local Accessible Networks, and click Add under Remote.

Fill in the IP address of your Openswan gateway and set the subnet mask to 255.255.255.255. Whatever you enter here must match what the Openswan side offers as leftsubnet= (or, with no leftsubnet=, the gateway address itself); if there is a LAN behind the Openswan gateway, enter that network and its mask instead. Click Ok and you will return to the previous page. Scroll down to the bottom and click Ok again.

If everything is filled out correctly, you should be back at the Branch Office page and you should see the new connection. If you click Profiles | Branch Office, and then click on the Test button next to your tunnel, the Contivity will attempt to establish the tunnel.
