VPN Site-to-Site Openswan x ASA (Cisco)
Ladies and gentlemen, today I am going to demonstrate how to integrate technologies from different platforms. It is possible to integrate Cisco with Windows and Linux using protocols such as LDAP. In this case the communication between Linux and the ASA (Adaptive Security Appliance) is straightforward: we only need to make sure the cryptography configuration matches on both sides and that is it, the connection is established.
This procedure uses the CentOS 5.3 Linux distribution.
1. Installing Openswan.
The installation process is very easy because it can be done via yum:
# yum install openswan
After the installation we start the service:
# ipsec setup start
2. Configuring Openswan
Openswan has basically two configuration files that need to be changed: ipsec.conf, with the IP and cryptography configuration, and ipsec.secrets, with the source and destination IPs and the authentication password (pre-shared key).
2.1. Configuring ipsec.conf
# vi /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls: "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        #protostack=netkey
        #nat_traversal=yes
        #virtual_private=
        #oe=off
        # Enable this if you see "failed to find any available worker"
        #nhelpers=0

# "cisco" is the name of the VPN connection.
conn cisco
        type=tunnel
        authby=secret
        # Left security gateway (Linux side)
        left=201.30.XXX.XXX             # real IP of the Linux server
        leftsubnet=192.168.199.0/24     # network behind the Linux side
        leftnexthop=201.30.XXX.XXX      # real IP of the Linux-side gateway
        # Right security gateway (ASA side)
        right=201.30.XXX.XXX            # ASA IP
        rightsubnet=10.100.0.0/16       # network behind the ASA side
        rightnexthop=201.30.XXX.XXX     # real IP of the ASA-side gateway
        # Cryptography used on the VPN tunnel (must match the ASA exactly;
        # 3DES/MD5 is legacy, prefer AES/SHA when both peers support it)
        esp=3des-md5-96
        keyexchange=ike
        pfs=no
        auto=start

# You may put your configuration (.conf) files in /etc/ipsec.d/ and uncomment this.
#include /etc/ipsec.d/*.conf
:x
Save and exit
PS: indentation in ipsec.conf matters: the parameters of the "config setup" and "conn" sections must be indented, and each section header must start at the beginning of the line.
2.2. Configuring ipsec.secrets
# vi /etc/ipsec.secrets
# <ASA IP> <Linux IP> : PSK "<pre-shared key>"
201.30.XXX.XXX 201.30.XXX.XXX : PSK "jfn*7@vP3987X#zl0&jsbc63aQe3"
:x
Save and exit
Note that this file holds the pre-shared key in clear text, so keep it readable by root only.
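As an added check that is not part of the original article: this Python script parses the conn section from ipsec.conf and the PSK lines from ipsec.secrets and flags the mismatches that most often keep a tunnel like this one from coming up (peer IPs without a matching PSK entry, overlapping subnets, a short key), plus the legacy 3DES/MD5 and pfs=no settings used above. The sample config, the documentation IPs and the secrets line are constructed; only their structure mirrors the article.

```python
import ipaddress
import re

# Constructed sample mirroring the article's conn (documentation IPs, not real ones).
IPSEC_CONF = """\
conn cisco
    authby=secret
    left=203.0.113.10
    leftsubnet=192.168.199.0/24
    right=198.51.100.20
    rightsubnet=10.100.0.0/16
    esp=3des-md5-96
    pfs=no
"""
IPSEC_SECRETS = '198.51.100.20 203.0.113.10 : PSK "jfn*7@vP3987X#zl0&jsbc63aQe3"\n'
LEGACY_ALGS = {"3des", "md5"}
def parse_conn(text, name):
    """Return the key=value parameters of one conn section, comments stripped."""
    params, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():  # unindented line = new section header
            inside = line.split() == ["conn", name]
        elif inside and "=" in line:
            key, val = line.strip().split("=", 1)
            params[key.strip()] = val.strip()
    return params
def parse_psk_peers(text):
    """Map frozenset(peer IDs) -> key for every PSK line in ipsec.secrets."""
    pat = re.compile(r'^\s*([^:#]+?)\s*:\s*PSK\s+"([^"]*)"')
    return {frozenset(m.group(1).split()): m.group(2)
            for m in map(pat.match, text.splitlines()) if m}
def check_conn(conf_text, secrets_text, name):
    """Return a list of findings; an empty list means the conn looks consistent."""
    c, findings = parse_conn(conf_text, name), []
    peers = frozenset((c.get("left", ""), c.get("right", "")))
    key = parse_psk_peers(secrets_text).get(peers)  # order of the IDs does not matter
    if c.get("authby") == "secret" and key is None:
        findings.append("no PSK line in ipsec.secrets matches left/right")
    elif key is not None and len(key) < 20:
        findings.append("pre-shared key shorter than 20 characters")
    left, right = (ipaddress.ip_network(c[k]) for k in ("leftsubnet", "rightsubnet"))
    if left.overlaps(right):
        findings.append("leftsubnet and rightsubnet overlap")
    legacy = set(c.get("esp", "").split("-")) & LEGACY_ALGS  # e.g. 3des-md5-96
    if legacy:
        findings.append("esp uses legacy algorithms: " + ", ".join(sorted(legacy)))
    if c.get("pfs", "yes") == "no":  # Openswan defaults to pfs=yes
        findings.append("pfs=no must match the ASA phase-2 PFS setting")
    return findings
```

Run it against the real files with `check_conn(open("/etc/ipsec.conf").read(), open("/etc/ipsec.secrets").read(), "cisco")` before starting the tunnel.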
Configuring Cisco ASA VPN
In this case I used the VPN wizard in the ASDM interface of the ASA.
1. Opening the ASA VPN configuration wizard.
2. Choosing the VPN type.
3. Configuring the IP and Pre-Shared Key:
- Peer IP Address = Linux server IP
- Pre-Shared Key = the same one we set on the Linux server (it needs to be identical, otherwise it is not going to work)
- Tunnel Group Name = VPN tunnel name
4. Type of cryptography: the same one we set on the Linux server (it needs to be identical, otherwise it is not going to work).
5. Configuring the IPsec rule: the same configuration as the step before.
6. The networks that will be accessed from the two sides:
- Local Networks = network on the ASA side
- Remote Networks = network on the Linux side
7. Reviewing the configuration.
8. Now we need to access the firewall to set the access rules (ACLs).
9. Configuring the ACLs.
After the Cisco ASA configuration we need to go back to the Linux server and start the VPN tunnel:
# ipsec setup start
All right!! Our VPN Site-to-Site Linux and Cisco ASA is ready to go!
Last Updated (Sunday, 16 January 2011 02:24)
Comments
You are right! Thanks for the notice! It is fixed now.