# VPN: Connecting Gentoo to Cisco PIX Firewall

## OdinsDream

My company uses a Cisco PIX 506E Firewall, which includes a VPN server of some kind.

Is there a way to connect Gentoo to this VPN, using Open-Source (or at least, free) software? The windows users are given a Cisco client to install that allows them to connect remotely.

Any tips are greatly appreciated.

----------

## Toke

What you're looking for is FreeSwan, which is in portage.  You'll need a kernel with IPSEC patches installed first.  I'm using pfeifer-sources.  Under the kernel config go to Networking Options and scroll down.  You'll see a bunch of options to add under IPSEC, depending on the setup of your Cisco VPN. Once you have your new kernel in place, you can emerge freeswan.  Then edit /etc/ipsec/ipsec.conf and /etc/ipsec/ipsec.secrets (this is where you'd add a preshared key, if you're using one) to add the particulars of your VPN.  

There are a lot of possible configurations; you'll need to either have access to the Cisco or have access to someone who does.  First to find out exactly how it's configured, and second the log files can come in very handy if it doesn't work right off.  There's some good info in your local log file as well.  I just got my VPN running through a Sonicwall.  Try googling "freeswan Cisco PIX 506E Firewall" and you should be able to find some helpful configs.  I found one for my setup that was almost exactly the same.  Just had to change the IPs.

Once you're set type:

```
ipsec setup start
```

and see if it works.  One thing I had to do was issue

```
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
```

before it would work.  Also note that freeswan doesn't support DES, only 3DES.  And I believe that the connection in ipsec.conf needs to be named the same as it is on the cisco, but I'm not positive about that.  If it would help, I'll post my ipsec.conf.

   -John

----------

## kashani

Cisco VPN software supports Windows, Mac X, Solaris, and Linux. You just need someone with a CCO account to download it from Cisco's site for you. We've got a few of our clients using it, haven't heard of any problems though I think all of them are using Redhat.

kashani

----------

## OdinsDream

 *kashani wrote:*   

> Cisco VPN software supports Windows, Mac X, Solaris, and Linux. You just need someone with a CCO account to download it from Cisco's site for you. We've got a few of our clients using it, haven't heard of any problems though I think all of them are using Redhat.
> 
> kashani

 

The software I did find was freely downloadable. It came with very sparse directions, and seemed to be made for redhat (what with rc.d scripts, and such)

I'll check on the CCO account here. Surely we have one...

----------

## kashani

Here's the link for the one we use.

http://www.cisco.com/kobayashi/sw-center/vpn/client/

and the software itself is named vpnclient-linux-4.0.1.A-k9.tar.gz

kashani

----------

## fergus

The Cisco VPN client 4.0 works fine with Gentoo.  I currently use it to connect to work and have no issues.  It does use Red Hat style init scripts but they seem to work fine with the Gentoo init system.

----------

## OdinsDream

 *kashani wrote:*   

> Here's the link for the one we use.
> 
> http://www.cisco.com/kobayashi/sw-center/vpn/client/
> 
> and the software itself is named vpnclient-linux-4.0.1.A-k9.tar.gz
> ...

 

Do you have the file available? I attempted to register, and continue to get the Authorization Required message. I'm not sure why.

----------

## OdinsDream

 *Toke wrote:*   

> ...
> If it would help, I'll post my ipsec.conf.
> ...

 

Please do, I'd appreciate it!

----------

## Toke

Sure, here it is (Live IP's masked)

```
config setup
   # THIS SETTING MUST BE CORRECT or almost nothing will work;
   # %defaultroute is okay for most simple cases.
   interfaces=%defaultroute
   # Debug-logging controls:  "none" for (almost) none, "all" for lots.
   klipsdebug=all
   plutodebug=all
   # Use auto= parameters in conn descriptions to control startup actions.
   plutoload=%search
   plutostart=%search
   # Close down old connection when new one using same ID shows up.
   uniqueids=yes

conn FreeSwan
   type=tunnel
   auto=start
   auth=esp
   authby=secret
   pfs=yes
   keyingtries=1
   left=192.168.9.100
   leftnexthop=192.168.9.1
   leftsubnet=192.168.9.100/32
   right=a.b.c.d               # the address of the firewall
   rightnexthop=a.b.c.e        # the address of the firewall's default gateway
   rightsubnet=192.168.1.0/24
   rightid=a.b.c.d             # the address of the firewall
   esp=3des-hmac-md5
   keyexchange=ike
```

and here's the route

```
My gentoo box (192.168.9.100)
         |
My router (192.168.9.1)
         |
Internet
         |
firewall (a.b.c.d)
         |
Work subnet (192.168.1.0)
```

Note that the subnets need to be different!  Since I have access to the firewall, I set up my own connection on that side.  I haven't used the Cisco client, but I'd think that if you can get it, it would probably be a little easier to configure.  Sonicwalls have a Windows client, but no Linux one yet.  All you have to do is export a config file from the Sonicwall, import it into the client, and it works.  Can't be much easier.

  I hope this helps you.  Good Luck!

     -John
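A small checker for the pitfalls raised in this thread (the left and right subnets must not overlap, FreeS/WAN only supports 3DES not single DES, and the masked a.b.c.d values must be replaced with real addresses before the config is used). This is an added example, not code from the original post or from FreeS/WAN; the sample conn block is constructed to mirror the one posted above, with the masked addresses replaced by RFC 5737 documentation addresses.

```python
import ipaddress
# Constructed sample mirroring the conn block posted above (masked addresses replaced).
SAMPLE_CONF = """\
conn FreeSwan
   left=192.168.9.100
   leftnexthop=192.168.9.1
   leftsubnet=192.168.9.100/32
   right=203.0.113.10
   rightsubnet=192.168.1.0/24
   esp=3des-hmac-md5
"""

def parse_ipsec_conf(text):
    """Return {section: {key: value}}; headers start in column 0, settings are indented."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # strip comments and trailing space
        if line and not line[0].isspace():          # "conn X" / "config setup" header
            current = line
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def _network(conn, side):
    """Subnet behind one end; FreeS/WAN defaults it to the endpoint's own /32."""
    value = conn.get(side + "subnet") or conn.get(side, "") + "/32"
    try:
        return ipaddress.ip_network(value, strict=False)
    except ValueError:                              # e.g. left=%defaultroute
        return None

def check_conn(conn):
    """List the thread's pitfalls: overlapping subnets, single DES, unfilled placeholders."""
    problems = []
    ls, rs = _network(conn, "left"), _network(conn, "right")
    if ls and rs and ls.overlaps(rs):
        problems.append("leftsubnet %s overlaps rightsubnet %s" % (ls, rs))
    if conn.get("esp", "").lower().split("-")[0] == "des":
        problems.append("esp=%s is single DES; FreeS/WAN only supports 3DES" % conn["esp"])
    for key in ("left", "right", "leftnexthop", "rightnexthop"):
        value = conn.get(key, "%defaultroute")      # %defaultroute etc. are legal
        try:
            if not value.startswith("%"):
                ipaddress.ip_address(value)
        except ValueError:
            problems.append("%s=%s is a placeholder, not an address" % (key, value))
    return problems
```

Run `check_conn(parse_ipsec_conf(open("/etc/ipsec/ipsec.conf").read())["conn FreeSwan"])` against your own file; an empty list means none of the three pitfalls were found.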

----------

