VPN Site-to-Site Openswan x ASA (Cisco)

Ladies and gentlemen, today I am going to demonstrate how to integrate technologies from different platforms. It is possible to integrate Cisco with Windows and Linux using protocols such as LDAP. In this case the communication between Linux and the ASA (Adaptive Security Appliance) is straightforward: we only need to check that the cryptography configuration matches on both sides and that's it, the connection is established.

For this procedure the CentOS 5.3 Linux distribution is used.
1. Installing Openswan

The installation process is very easy because it can be done via yum:
# yum install openswan

After the installation we start the service:
# ipsec setup start

2. Configuring Openswan

Openswan has basically two configuration files that need to be changed: ipsec.conf, with the IP addresses and the cryptography settings, and ipsec.secrets, with the source and destination IPs and the authentication password (pre-shared key).
2.1. Configuring ipsec.conf

# vi /etc/ipsec.conf

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    #protostack=netkey
    #nat_traversal=yes
    #virtual_private=
    #oe=off
    # Enable this if you see "failed to find any available worker"
    #nhelpers=0

conn cisco # name of the VPN connection
    type=tunnel
    authby=secret
    # Left security gateway (Linux side)
    left=201.30.XXX.XXX # real IP of the Linux server
    leftsubnet=192.168.199.0/24 # network behind the Linux server
    leftnexthop=201.30.XXX.XXX # real IP of the Linux side gateway
    # Right security gateway (ASA side)
    right=201.30.XXX.XXX # ASA IP
    rightsubnet=10.100.0.0/16 # network behind the ASA
    rightnexthop=201.30.XXX.XXX # real IP of the ASA side gateway
    # Cryptography used on the VPN tunnel
    esp=3des-md5-96
    keyexchange=ike
    pfs=no
    auto=start

# You may put your configuration (.conf) file in /etc/ipsec.d/ and uncomment this.
#include /etc/ipsec.d/*.conf

:x

Save and exit

PS: the parameters in ipsec.conf must be properly indented under their section headers (config setup and conn cisco); Openswan uses the leading whitespace to tell a parameter line from the start of a new section.

2.2. Configuring ipsec.secrets

# vi /etc/ipsec.secrets

# ASA side address, then Linux side address, then the pre-shared key
201.30.XXX.XXX 201.30.XXX.XXX: PSK "jfn*7@vP3987X#zl0&jsbc63aQe3"

:x

Save and exit
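
Before bringing the tunnel up it is worth checking both files for the mistakes that most often keep a site-to-site tunnel from establishing, and for the legacy choices in this configuration. The script below is an added example, not part of the original post and not Openswan's own tooling: it reads a conn's parameters out of ipsec.conf, confirms that ipsec.secrets carries a PSK line for exactly that left/right pair and is readable only by root, and flags esp=3des-md5-96 and pfs=no as legacy settings. The function names, the RFC 5737 sample addresses and the placeholder PSK are this example's own assumptions; it runs against constructed copies of the two files so it can be tried without touching /etc.

```bash
#!/bin/sh
# Added example, not from the original post: a lint for the two Openswan files
# described above. Function names, the RFC 5737 sample addresses and the
# placeholder PSK are this example's own; the conn layout follows the post.

# conn_param CONF CONN KEY: print KEY's value from section "conn CONN"
# (comment lines, inline "# ..." comments and surrounding blanks are stripped)
conn_param() {
    awk -v conn="$2" -v key="$3" '
        /^[ \t]*#/ { next }
        /^conn[ \t]+/ { inconn = ($2 == conn); next }
        /^config/ { inconn = 0 }
        inconn {
            sub(/#.*/, "")
            if (match($0, "^[ \t]*" key "[ \t]*=")) {
                v = substr($0, RLENGTH + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_crypto CONF CONN: returns 1 when the tunnel uses DES/3DES or MD5, or
# has pfs=no (each tunnel key is then only as strong as the IKE exchange)
check_crypto() {
    esp=$(conn_param "$1" "$2" esp)
    pfs=$(conn_param "$1" "$2" pfs)
    rc=0
    case "$esp" in
        *des*|*md5*) echo "WARN: legacy ESP proposal '$esp' in conn $2"; rc=1 ;;
    esac
    if [ "$pfs" = "no" ]; then
        echo "WARN: conn $2 disables perfect forward secrecy (pfs=no)"; rc=1
    fi
    return $rc
}

# check_secrets CONF CONN SECRETS: returns 1 unless SECRETS has a PSK line
# naming this conn's left and right addresses and is readable by root only
check_secrets() {
    left=$(conn_param "$1" "$2" left)
    right=$(conn_param "$1" "$2" right)
    rc=0
    if ! awk -v l="$left" -v r="$right" '
            /^[ \t]*#/ { next }
            $0 ~ /:[ \t]*PSK/ && index($0, l) && index($0, r) { found = 1 }
            END { exit !found }' "$3"; then
        echo "FAIL: no PSK line for $left and $right in $3"; rc=1
    fi
    mode=$(stat -c %a "$3" 2>/dev/null || stat -f %Lp "$3")
    if [ "$mode" != "600" ]; then
        echo "FAIL: $3 is mode $mode, expected 600 (pre-shared key is readable)"; rc=1
    fi
    return $rc
}

# write_samples DIR: constructed copies of the post's two files for the demo
write_samples() {
    cat > "$1/ipsec.conf" <<'EOF'
version 2.0

config setup
    interfaces=%defaultroute

conn cisco # name of the VPN connection
    type=tunnel
    authby=secret
    left=203.0.113.10 # Linux server (constructed documentation address)
    leftsubnet=192.168.199.0/24
    right=198.51.100.1 # ASA (constructed documentation address)
    rightsubnet=10.100.0.0/16
    esp=3des-md5-96
    keyexchange=ike
    pfs=no
    auto=start
EOF
    cat > "$1/ipsec.secrets" <<'EOF'
# ASA address, Linux address, then the pre-shared key (placeholder, not a real PSK)
198.51.100.1 203.0.113.10: PSK "CHANGE-ME-example-psk"
EOF
    chmod 600 "$1/ipsec.secrets"
}

# demo run against the constructed files
demo=$(mktemp -d)
write_samples "$demo"
check_crypto "$demo/ipsec.conf" cisco || true
check_secrets "$demo/ipsec.conf" cisco "$demo/ipsec.secrets" && echo "secrets OK"
rm -rf "$demo"
```

Run it as root against the live files with check_crypto /etc/ipsec.conf cisco and check_secrets /etc/ipsec.conf cisco /etc/ipsec.secrets. The lint only looks at the Linux side: whatever ESP proposal replaces 3des-md5-96, the ASA's transform set must be changed to match, and the IKE proposal must agree on both sides as well, otherwise phase 1 or phase 2 negotiation fails and the tunnel never comes up.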

 
