Howto Cisco Pix
Contents
Introduction
This guide provides information that can be used to configure a Cisco PIX device running firmware version 6.x to support IPsec VPN client connectivity. If you have a PIX device running firmware version 7.x, please consult the HowtoCiscoAsa. The Shrew Soft VPN Client has been tested with Cisco products to ensure interoperability.
Overview
The configuration example described below will allow an IPsec VPN client to communicate with a single remote private network. The client uses the pull configuration method to acquire the following parameters automatically from the gateway.
- IP Address
- IP Netmask
- DNS Servers
- DNS Default Domain Suffix
- DNS Split Network Domain List
- Remote Network Topology
Gateway Configuration
This example assumes you have knowledge of the Cisco PIX gateway command line configuration interface. For more information, please consult your Cisco product documentation.
Interfaces
Two network interfaces are configured. The outside interface has a static public IP address of 1.1.1.2 which faces the internet. The inside interface has a static private IP address that faces the internal private network. The default gateway is configured as 1.1.1.2 via the outside interface.
nameif ethernet0 outside security0 nameif ethernet1 inside security100 ip address outside 1.1.1.2 255.255.255.224 ip address inside 172.17.0.6 255.255.0.0 route outside 0.0.0.0 0.0.0.0 1.1.1.1 1
Access List
An access lists must be configured to define the IPSec policies. This is expressed with the source matching the local private network(s) and the destination matching the remote client network address pool. A single single local network of 172.17.0.0/16 and an address pool of 172.18.0.0/24 is defined.
access-list in2out permit ip 172.17.0.0 255.255.0.0 172.18.0.0 255.255.255.0
Address Pool
The IP address pool must be configured. Clients will be assigned private network addresses from a class C pool of 172.18.0.0/24.
ip local pool clientpool 172.18.0.2-172.18.0.11 mask 255.255.255.0
User Authentication
User authentication must be configured to support IKE extended authentication ( XAuth ). In this example, we use define user accounts locally on the PIX. It is possible to pass this authentication to a radius or an LDAP account server using the Cisco AAA authentication mechanism. For more information, please consult your cisco product documentation.
aaa-server LOCAL protocol local username bill password XXX encrypted privilege 2 username bob password XXX encrypted privilege 2
ISAKMP Parameters
The ISAKMP protocol must be enabled on the outside ( public ) interface and an ISAKMP policy must be configured. NAT Traversal is also enabled to allow clients to communicate effectively when their peer address is being translated. The keep alive packet rate is set to 20 seconds.
isakmp enable outside isakmp identity address isakmp nat-traversal 20 isakmp log 25 isakmp policy 1 authentication pre-share isakmp policy 1 encryption aes-256 isakmp policy 1 hash md5 isakmp policy 1 group 2 isakmp policy 1 lifetime 86400
IPsec Parameters
A transform set and dynamic IPsec crypto map must be configured to support client VPN connections. The dynamic crypto map is then assigned to a standard crypto map and bound to the outside ( public ) interface. Local user authentication is also enabled.
crypto ipsec transform-set trset2 esp-aes-256 esp-md5-hmac crypto dynamic-map ipsec_map 1 set transform-set trset2 crypto map outside_map 65535 ipsec-isakmp dynamic ipsec_map crypto map outside_map client authentication LOCAL crypto map outside_map interface outside
VPN Group
A VPN group must be defined to provide the client with dynamic configuration information. The client uses the VPN group name as its FQDN identity value and the VPN group password as its pre-shared key value.
vpngroup remoteClient address-pool clientpool vpngroup remoteClient dns-server 172.17.0.2 vpngroup remoteClient default-domain abc.com vpngroup remoteClient split-tunnel in2out vpngroup remoteClient split-dns abc.com vpngroup remoteClient idle-time 1800 vpngroup remoteClient password mypresharedkey
Client Configuration
The client configuration in this example is straight forward. Open the Access Manager application and create a new site configuration. Configure the settings listed below in the following tabs.
General Tab
The Remote Host section must be configured. This Host Name or IP Address is defined as 10.1.1.2 to match the PIX outside ( public ) interface address. The Auto Configuration mode should be set to ike config pull.
Phase 1 Tab
The Proposal section must be configured. The Exchange Type is set to aggressive and the DH Exchange is set to group 2 to match the PIX ISAKMP policy definition.
Authentication Tab
The client authentication settings must be configured. The Authentication Method is defined as Mutual PSK + XAuth.
Local Identity Tab
The Local Identity parameters are defined as Key Identifier with a Key ID String of "remoteClient" to match the PIX VPN group name.
Remote Identity Tab
The Remote Identity parameters are set to IP Address with the Use a discovered remote host address option checked to match the PIX ISAKMP identity parameter.
Credentials Tab
The Credentials Pre Shared Key is defined as "mypresharedkey" to match the PIX VPN group password.
Known Issues
Cisco gateways support a proprietary form of hybrid authentication which does not conform to RFC draft standards. At this time the Shrew Soft VPN Client does not support this authentication mode. We hope to add support for this in the future.
Resources
Example PIX configuration Example Client configuration
Credits
Most of the information in this guide was submitted by Marc Goldburg.