IPSec, FreeBSD vs FW1
Yesterday, someone at the office asked me to build a VPN connection to one of our suppliers. Since we already have a working IPsec setup, this shouldn’t be much of a problem. But, of course, the ‘other side’ is using Checkpoint FW1. Always in for a nightmare, I started googling and trying some stuff. After a few hours of bashing, it turned out that ICMP was being filtered by the other side (sigh!). This morning we did some more testing, and eventually it worked ;) Turned out to be quite easy:
ipsec.conf
# outbound: local LAN -> supplier LAN, ESP in tunnel mode between our gateway (213.204.195.23) and theirs (213.204.223.40)
spdadd 172.16.0.0/16 10.20.10.0/24 any -P out ipsec esp/tunnel/213.204.195.23-213.204.223.40/require;
# inbound: the mirror image, with selectors and tunnel endpoints swapped
spdadd 10.20.10.0/24 172.16.0.0/16 any -P in ipsec esp/tunnel/213.204.223.40-213.204.195.23/require;
racoon.conf
(relevant stuff)
# phase 1 (IKE) settings for the supplier's gateway
remote 213.204.223.40
{
    exchange_mode main;           # main mode (identity protection), not aggressive
    nonce_size 16;
    lifetime time 10 min;         # phase 1 SA lifetime; units: sec, min, hour
    initial_contact on;           # send INITIAL-CONTACT so the peer drops stale SAs
    proposal_check obey;          # how to handle proposal mismatches: obey, strict or claim
    proposal {
        encryption_algorithm 3des;
        hash_algorithm md5;
        authentication_method pre_shared_key;
        dh_group 2;               # 1024-bit MODP group
    }
}

# phase 2 (IPsec SA) settings; selectors must match the SPD entries above
sainfo address 172.16.0.0/16 any address 10.20.10.0/24 any
{
    pfs_group 1;                  # perfect forward secrecy with the 768-bit MODP group
    lifetime time 10 min;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
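A common reason a setup like this fails silently is that the SPD selectors, the racoon `remote` peer and the `sainfo` selectors do not agree with each other. The following is an added consistency check (my own code, not part of the original post or of racoon/setkey) that parses the two fragments above and reports any mismatch; the embedded config strings are constructed from the values on this page.

```python
import re
from dataclasses import dataclass

# The two setkey(8) SPD entries and the relevant racoon.conf lines from the
# post, embedded here as constructed input so the check runs offline.
IPSEC_CONF = """
spdadd 172.16.0.0/16 10.20.10.0/24 any -P out ipsec esp/tunnel/213.204.195.23-213.204.223.40/require;
spdadd 10.20.10.0/24 172.16.0.0/16 any -P in ipsec esp/tunnel/213.204.223.40-213.204.195.23/require;
"""
RACOON_CONF = """
remote 213.204.223.40 { exchange_mode main; }
sainfo address 172.16.0.0/16 any address 10.20.10.0/24 any { pfs_group 1; }
"""

SPD_RE = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+ipsec\s+"
                    r"esp/tunnel/(\S+)-(\S+)/\w+;")
REMOTE_RE = re.compile(r"^\s*remote\s+(\S+)", re.M)
SAINFO_RE = re.compile(r"^\s*sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)", re.M)

@dataclass
class Policy:
    src: str        # selector: traffic source network
    dst: str        # selector: traffic destination network
    direction: str  # "in" or "out"
    ep1: str        # tunnel endpoints in the order written: "out" = local-remote,
    ep2: str        # "in" = remote-local

def parse_spd(text: str) -> dict:
    """Map direction -> Policy for every spdadd line in an ipsec.conf."""
    return {m[2]: Policy(*m) for m in SPD_RE.findall(text)}

def check_consistency(ipsec_conf: str, racoon_conf: str) -> list:
    """Return the mismatches between the SPD and racoon's phase 1 / phase 2 config."""
    problems = []
    policies = parse_spd(ipsec_conf)
    out, inb = policies.get("out"), policies.get("in")
    if out is None or inb is None:
        return ["need both a '-P out' and a '-P in' spdadd entry"]
    # 1. the inbound policy must be the exact mirror of the outbound one
    if (inb.src, inb.dst) != (out.dst, out.src):
        problems.append("in/out selectors are not mirror images")
    if (inb.ep1, inb.ep2) != (out.ep2, out.ep1):
        problems.append("in/out tunnel endpoints are not swapped")
    # 2. racoon needs a 'remote' block for the peer gateway named in the outbound tunnel
    if out.ep2 not in REMOTE_RE.findall(racoon_conf):
        problems.append(f"no 'remote {out.ep2}' block in racoon.conf")
    # 3. the sainfo selectors must equal the outbound selectors, or phase 2 will not match
    if (out.src, out.dst) not in SAINFO_RE.findall(racoon_conf):
        problems.append(f"no sainfo for {out.src} -> {out.dst} in racoon.conf")
    return problems

if __name__ == "__main__":
    print(check_consistency(IPSEC_CONF, RACOON_CONF) or "SPD and racoon.conf agree")
```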