Hi All,
I've put in a few hours of effort, and I've been unable to get my Linksys
WAG54G DSL router/wireless/VPN thinger (running Linux & FreeS/WAN apparently)
to talk to my OpenBSD 3.5 system via IPSec. I've tried both automatic and
manual keying, to no avail. I believe there are several models of this
device that have approximately the same interface.
I've looked around, but haven't found any nice instructions for doing this.
I've also checked the mailing list. I see hints that it is possible, but no
good step-by-step guides, and getting it to work is non-trivial. There are
no useful hints in the Linksys log.
Has anyone done this, and if so, could you please clue me in?
On the Linksys side I used:
IPSec PassThrough: (Tried both)
Local Secure Group: Subnet ..
Remote Secure Group: Subnet ..
Encryption: 3DES
Authentication: SHA
Key Management: Manual
Encryption Key: 123456789012345678901234
Authentication Key: 12345678901234567890
So then on the OpenBSD end, those correspond to:
Encryption Key: 3132333435363738393a3132333435363738393a31323334
Authentication Key: 3132333435363738393a3132333435363738393a
Right? Because on the Linksys web interface, each character is a byte, and
on the OpenBSD side, each pair of hex characters is a byte.
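The conversion rule stated above (one ASCII character per byte on the router, two hex digits per byte on OpenBSD), applied mechanically, plus the two sanity checks a practitioner would want before loading manual keys: that each key has the length its algorithm needs (24 bytes for 3DES, 20 bytes for HMAC-SHA1) and that the three 8-byte 3DES subkeys are distinct, since 3DES-EDE with two equal adjacent subkeys degrades to single DES. This is an added example, not part of the original post or of any Linksys or OpenBSD tool; the sample key strings are the ones quoted in the post, and the assumption that the `-keyfile` files hold the key as a hex string follows the post's own usage.

```python
"""Convert Linksys-style ASCII IPsec keys to the hex form used on the OpenBSD side,
and check them before they are loaded with ipsecadm."""

# Sample keys constructed for this example (the strings quoted in the post).
ENC_KEY_ASCII = "123456789012345678901234"   # 3DES: 24 characters = 24 bytes
AUTH_KEY_ASCII = "12345678901234567890"      # HMAC-SHA1: 20 characters = 20 bytes

# Key length in bytes required by each algorithm.
KEY_LENGTHS = {"3des": 24, "sha1": 20}


def ascii_key_to_hex(key: str) -> str:
    """Each ASCII character becomes one byte, written as two lowercase hex digits.

    Note that the digit '0' is 0x30, '1' is 0x31, ..., '9' is 0x39."""
    if not key.isascii():
        raise ValueError("key must be plain ASCII; each character is exactly one byte")
    return key.encode("ascii").hex()


def hex_to_ascii_key(key_hex: str) -> str:
    """Inverse direction: decode a hex key back to the string the router UI shows."""
    return bytes.fromhex(key_hex).decode("ascii")


def check_key_length(key_hex: str, algorithm: str) -> int:
    """Return the key length in bytes, raising if it does not fit the algorithm."""
    expected = KEY_LENGTHS[algorithm]
    actual = len(bytes.fromhex(key_hex))
    if actual != expected:
        raise ValueError(f"{algorithm} key is {actual} bytes, expected {expected}")
    return actual


def check_3des_subkeys(key_hex: str) -> bool:
    """Split a 24-byte 3DES key into K1, K2, K3 and require them to be distinct.

    With K1 == K2 or K2 == K3 the EDE construction collapses to single DES."""
    raw = bytes.fromhex(key_hex)
    check_key_length(key_hex, "3des")
    k1, k2, k3 = raw[0:8], raw[8:16], raw[16:24]
    if k1 == k2 or k2 == k3 or k1 == k3:
        raise ValueError("3DES subkeys are not all distinct; effective strength is single DES")
    return True


def prepare_keys(enc_ascii: str, auth_ascii: str) -> dict:
    """Convert both keys, run the checks, and return the hex strings to write to
    the enc_key and auth_key files (assumed here to hold one hex string each)."""
    enc_hex = ascii_key_to_hex(enc_ascii)
    auth_hex = ascii_key_to_hex(auth_ascii)
    check_3des_subkeys(enc_hex)
    check_key_length(auth_hex, "sha1")
    return {"enc_key": enc_hex, "auth_key": auth_hex}


if __name__ == "__main__":
    keys = prepare_keys(ENC_KEY_ASCII, AUTH_KEY_ASCII)
    for name, value in keys.items():
        print(f"{name}: {value}")
```

Running it prints the two hex strings that correspond to the router's ASCII keys; writing each to its keyfile is then a matter of redirecting the output. The subkey check is deliberately strict: a 24-character key typed as the same 8 characters three times passes the length check but gives no more security than DES.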
Inbound SPI: 0x 101
Outbound SPI: 0x 100
I tried swapping the SPIs. Didn't help.
The OpenBSD side comes directly from the vpn(8) man page:
/sbin/ipsecadm new esp -src $GATEWAY_B -dst $GATEWAY_A \
-forcetunnel -spi 100 -enc 3des -auth sha1 \
-keyfile enc_key -authkeyfile auth_key
/sbin/ipsecadm new esp -src $GATEWAY_A -dst $GATEWAY_B \
-forcetunnel -spi 101 -enc 3des -auth sha1 \
-keyfile enc_key -authkeyfile auth_key
ipsecadm flow -out -require -proto esp \
-src $GATEWAY_A -dst $GATEWAY_B \
-addr $NETWORK_A $NETWORK_B
ipsecadm flow -in -require -proto esp \
-src $GATEWAY_A -dst $GATEWAY_B \
-addr $NETWORK_B $NETWORK_A
# want to talk straight from one router to the other, so..
ipsecadm flow -out -require -proto esp \
-src $GATEWAY_A -dst $GATEWAY_B \
-addr ${GATEWAY_A}/32 $NETWORK_B
ipsecadm flow -in -require -proto esp \
-src $GATEWAY_A -dst $GATEWAY_B \
-addr $NETWORK_B ${GATEWAY_A}/32
ipsecadm flow -out -require -proto esp \
-src $GATEWAY_A -dst $GATEWAY_B \
-addr ${GATEWAY_A}/32 ${GATEWAY_B}/32
ipsecadm flow -in -require -proto esp \
-src $GATEWAY_A -dst $GATEWAY_B \
-addr ${GATEWAY_B}/32 ${GATEWAY_A}/32
Thanks,
Jack