Configure a Site-to-Site VPN Tunnel with ASA and Strongswan


Introduction

This document describes how to configure a Site-to-Site (LAN-to-LAN) IPsec Internet Key Exchange Version 1 (IKEv1) tunnel via the CLI between a Cisco Adaptive Security Appliance (ASA) and a strongSwan server.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • Cisco ASA
  • Linux basic commands
  • IPSec General Concepts

Components Used

The information in this document is based on these software versions:

  • Cisco ASAv 9.12(3)9
  • Ubuntu 20.04 with strongSwan U5.8.2

The information in this document was generated from devices in a specific laboratory environment. All devices used in this document started with a cleared (default) configuration. If your network is active, make sure you understand the potential impact of any command.

Configure

This section describes how to complete the ASA and strongSwan configurations.

Scenario

In this setup, PC1 in LAN-A wants to communicate with PC2 in LAN-B. This traffic must be encrypted and sent through an IKEv1 tunnel between the ASA and the strongSwan server. Both peers authenticate each other with a pre-shared key (PSK).

Network Diagram

Note: Ensure that there is connectivity to both the internal and external networks, and especially to the remote peer that is used in order to establish a site-to-site VPN tunnel. You can use a ping in order to verify basic connectivity.

ASA Configuration

! Configure the ASA interfaces
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 192.168.1.211 255.255.255.0
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 50.50.50.50 255.255.255.0
!
! Configure the Access Control List (ACL) for the VPN traffic of interest
!
object-group network local-network
 network-object 192.168.1.0 255.255.255.0
!
object-group network remote-network
 network-object 192.168.2.0 255.255.255.0
!
access-list asa-strongswan-vpn extended permit ip object-group local-network object-group remote-network
!
! Enable IKEv1 on the 'outside' interface
!
crypto ikev1 enable outside
!
! Configure how the ASA identifies itself to the peer
!
crypto isakmp identity address
!
! Configure the IKEv1 policy
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 3600
!
! Configure the IKEv1 transform set
!
crypto ipsec ikev1 transform-set tset esp-aes-256 esp-sha-hmac
!
! Configure a crypto map and apply it to the outside interface
!
crypto map outside_map 10 match address asa-strongswan-vpn
crypto map outside_map 10 set peer 12.12.12.12
crypto map outside_map 10 set ikev1 transform-set tset
crypto map outside_map 10 set security-association lifetime seconds 28800
crypto map outside_map interface outside
!
! Configure the tunnel group (LAN-to-LAN connection profile)
!
tunnel-group 12.12.12.12 type ipsec-l2l
tunnel-group 12.12.12.12 ipsec-attributes
 ikev1 pre-shared-key cisco
!

Note: An IKEv1 policy match exists when both of the policies from the two peers contain the same values for the authentication, encryption, hash, and Diffie-Hellman parameters. For IKEv1, the remote peer policy must also specify a lifetime less than or equal to the lifetime in the policy that the initiator sends. If the lifetimes do not match, the ASA uses the shorter lifetime. Also, if you do not specify a value for a particular policy parameter, the default value is applied.
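As an added example (not part of the Cisco document), the following Python applies the IKEv1 matching rule of this note to the two configurations on this page: it maps the ASA policy keywords (aes-256, sha, group 5) onto strongSwan's ike= tokens (aes256-sha1-modp1536), checks the authentication method, and works out which Phase 1 lifetime takes effect. The keyword map, the default lifetimes and the single-proposal assumption are mine, not from the page.

```python
import re
# ASA IKEv1 policy keywords -> strongSwan ike= tokens (values used on this page plus a few neighbours).
ASA_TO_SWAN = {
    "encryption": {"aes-256": "aes256", "aes-192": "aes192", "aes": "aes128", "3des": "3des"},
    "hash": {"sha": "sha1", "sha256": "sha256", "md5": "md5"},
    "group": {"2": "modp1024", "5": "modp1536", "14": "modp2048"},
}
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}
# Constructed inputs, copied from the two configurations shown on this page.
ASA_POLICY = """crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 3600"""
SWAN_CONN = """conn vpn-to-asa
 authby=secret
 ike=aes256-sha1-modp1536
 ikelifetime=1h"""

def parse_asa_policy(text):
    """Keep the 'keyword value' lines of a 'crypto ikev1 policy' block."""
    pairs = (line.split() for line in text.splitlines())
    return {p[0]: p[1] for p in pairs if len(p) == 2}
def parse_swan_conn(text):
    """Keep the key=value lines of an ipsec.conf conn section."""
    pairs = (line.partition("=") for line in text.splitlines() if "=" in line)
    return {k.strip(): v.strip() for k, _, v in pairs}
def to_seconds(value):
    """strongSwan time value: bare seconds, or a number with an s/m/h/d suffix."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    return int(m.group(1)) * UNITS[m.group(2)]
def ikev1_match(asa, swan):
    """Rule from the note: auth, encryption, hash and DH group must be identical;
    lifetimes may differ and the shorter one is used. Returns (ok, mismatches, lifetime_s)."""
    problems = []
    enc, integ, group = swan["ike"].split("-")  # assumes one three-part ike= proposal
    for key, want in (("encryption", enc), ("hash", integ), ("group", group)):
        if ASA_TO_SWAN[key].get(asa.get(key)) != want:
            problems.append(f"{key}: ASA '{asa.get(key)}' vs strongSwan '{want}'")
    psk = swan.get("authby") == "secret" or swan.get("leftauth") == "psk"
    if (asa.get("authentication") == "pre-share") != psk:
        problems.append("authentication: pre-shared key configured on one side only")
    # Defaults when omitted (assumption): ASA lifetime 86400 s, strongSwan ikelifetime 3h.
    asa_life = int(asa.get("lifetime", "86400"))
    swan_life = to_seconds(swan.get("ikelifetime", "3h"))
    return not problems, problems, min(asa_life, swan_life)

def check_page_config():
    return ikev1_match(parse_asa_policy(ASA_POLICY), parse_swan_conn(SWAN_CONN))
```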

Note: The ACL for VPN traffic uses the source and destination IP addresses after Network Address Translation (NAT).

NAT Exemption (optional):

Normally, NAT must not be performed on VPN traffic. In order to exempt this traffic, you must create an identity NAT rule. The identity NAT rule translates an address to the same address.

nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup

strongSwan Configuration

On Ubuntu, you modify these two files with the configuration parameters to be used in the IPsec tunnel. You can use your favorite editor to edit them.

/etc/ipsec.conf

/etc/ipsec.secrets

# /etc/ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        strictcrlpolicy=no
        uniqueids=yes
        charondebug="all"

# VPN to ASA

conn vpn-to-asa
        authby=secret
        left=%defaultroute
        leftid=12.12.12.12
        leftsubnet=192.168.2.0/24
        right=50.50.50.50
        rightid=50.50.50.50
        rightsubnet=192.168.1.0/24
        ike=aes256-sha1-modp1536
        esp=aes256-sha1
        keyingtries=%forever
        leftauth=psk
        rightauth=psk
        keyexchange=ikev1
        ikelifetime=1h
        lifetime=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        auto=start

# config setup - Defines general configuration parameters.
# strictcrlpolicy - Defines whether a fresh CRL must be available in order for peer authentication based on RSA signatures to succeed.
# uniqueids - Defines whether a particular participant ID must be kept unique, with any new IKE_SA that uses an ID deemed to replace all old ones that use that ID.
# charondebug - Defines how much charon debugging output must be logged.
# conn - Defines a connection.
# authby - Defines how the peers must authenticate; acceptable values are secret, psk, pubkey, rsasig, or ecdsasig.
# left - Defines the IP address of the strongSwan interface that participates in the tunnel.
# leftid - Defines the identity payload for the strongSwan.
# leftsubnet - Defines the private subnet behind the strongSwan, expressed as network/netmask.
# right - Defines the public IP address of the VPN peer.
# rightid - Defines the identity payload for the VPN peer.
# rightsubnet - Defines the private subnet behind the VPN peer, expressed as network/netmask.
# ike - Defines the IKE/ISAKMP SA encryption/authentication algorithms. You can add a comma-separated list.
# esp - Defines the ESP encryption/authentication algorithms. You can add a comma-separated list.
# keyingtries - Defines the number of attempts that must be made to negotiate a connection.
# keyexchange - Defines the method of key exchange, either IKEv1 or IKEv2.
# ikelifetime - Defines the duration of an established Phase 1 connection.
# lifetime - Defines the duration of an established Phase 2 connection.
# dpddelay - Defines the time interval with which R_U_THERE messages/INFORMATIONAL exchanges are sent to the peer. These are only sent if no other traffic is received.
# dpdtimeout - Defines the timeout interval after which all connections to a peer are deleted in case of inactivity.
# dpdaction - Defines the action to take on DPD timeout. It takes three values as parameters: clear, hold, and restart. With clear the connection is closed with no further action taken; hold installs a trap policy, which catches matching traffic and tries to re-negotiate the connection on demand; and restart immediately triggers an attempt to re-negotiate the connection. The default is none, which disables the active sending of DPD messages.
# auto - Defines what operation, if any, must be done automatically at IPsec startup (start loads a connection and brings it up immediately).

/etc/ipsec.secrets - This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host which knows the public part.

12.12.12.12 50.50.50.50 : PSK "cisco"

Useful Commands (strongSwan)

Start/stop/status:

$ sudo ipsec up vpn-to-asa

generating QUICK_MODE request 656867907 [ HASH SA No ID ID ]
sending packet: from 12.12.12.12[500] to 50.50.50.50[500] (204 bytes)
received packet: from 50.50.50.50[500] to 12.12.12.12[500] (188 bytes)
parsed QUICK_MODE response 656867907 [ HASH SA No ID ID N((24576)) ]
selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
detected rekeying of CHILD_SA vpn-to-asa{2}
CHILD_SA vpn-to-asa{3} established with SPIs c9080c93_i 3f570a23_o and TS 192.168.2.0/24 === 192.168.1.0/24
connection 'vpn-to-asa' established successfully

$ sudo ipsec down vpn-to-asa

closing CHILD_SA vpn-to-asa{3} with SPIs c9080c93_i (0 bytes) 3f570a23_o (0 bytes) and TS 192.168.2.0/24 === 192.168.1.0/24
sending DELETE for ESP CHILD_SA with SPI c9080c93
generating INFORMATIONAL_V1 request 3465984663 [ HASH D ]
sending packet: from 12.12.12.12[500] to 50.50.50.50[500] (76 bytes)
deleting IKE_SA vpn-to-asa[2] between 12.12.12.12[12.12.12.12]...50.50.50.50[50.50.50.50]
sending DELETE for IKE_SA vpn-to-asa[2]
generating INFORMATIONAL_V1 request 2614622058 [ HASH D ]
sending packet: from 12.12.12.12[500] to 50.50.50.50[500] (92 bytes)
IKE_SA [2] closed successfully

$ sudo ipsec restart

Stopping strongSwan IPsec...
Starting strongSwan 5.8.2 IPsec [starter]...

$ sudo ipsec status

Security Associations (1 up, 0 connecting):
  vpn-to-asa[1]: ESTABLISHED 35 seconds ago, 12.12.12.12[12.12.12.12]...50.50.50.50[50.50.50.50]
  vpn-to-asa{1}:  REKEYED, TUNNEL, reqid 1, expires in 7 hours
  vpn-to-asa{1}:   192.168.2.0/24 === 192.168.1.0/24
  vpn-to-asa{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0d93265_i 599b4d60_o
  vpn-to-asa{2}:   192.168.2.0/24 === 192.168.1.0/24

$ sudo ipsec statusall

Status of IKE charon daemon (strongSwan 5.8.2, Linux 5.4.0-37-generic, x86_64):
  uptime: 2 minutes, since Jun 27 07:15:14 2020
  malloc: sbrk 2703360, mmap 0, used 694432, free 2008928
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default
Listening IP addresses:
  12.12.12.12
  192.168.2.122
Connections:
  vpn-to-asa:  %any...50.50.50.50  IKEv1, dpddelay=30s
  vpn-to-asa:   local:  [12.12.12.12] uses pre-shared key authentication
  vpn-to-asa:   remote: [50.50.50.50] uses pre-shared key authentication
  vpn-to-asa:   child:  192.168.2.0/24 === 192.168.1.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
  vpn-to-asa[1]: ESTABLISHED 2 minutes ago, 12.12.12.12[12.12.12.12]...50.50.50.50[50.50.50.50]
  vpn-to-asa[1]: IKEv1 SPIs: 57e24d839bf05f95_i* 6a4824492f289747_r, pre-shared key reauthentication in 40 minutes
  vpn-to-asa[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
  vpn-to-asa{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0d93265_i 599b4d60_o
  vpn-to-asa{2}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
  vpn-to-asa{2}:   192.168.2.0/24 === 192.168.1.0/24
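Added example, not part of the Cisco document: a small parser for the Security Associations block of the ipsec statusall output above, which a monitoring job can use to confirm that the tunnel is up with the intended traffic selectors and ESP algorithms rather than only grepping for ESTABLISHED. The regular expressions assume the strongSwan 5.8 line layout shown on this page; the sample text is constructed from that output.

```python
import re

# Constructed sample: the Security Associations part of the 'ipsec statusall'
# output shown on this page, as a monitoring script would read it from stdout.
STATUSALL = """\
Security Associations (1 up, 0 connecting):
  vpn-to-asa[1]: ESTABLISHED 2 minutes ago, 12.12.12.12[12.12.12.12]...50.50.50.50[50.50.50.50]
  vpn-to-asa[1]: IKEv1 SPIs: 57e24d839bf05f95_i* 6a4824492f289747_r, pre-shared key reauthentication in 40 minutes
  vpn-to-asa[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
  vpn-to-asa{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0d93265_i 599b4d60_o
  vpn-to-asa{2}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 7 hours
  vpn-to-asa{2}:   192.168.2.0/24 === 192.168.1.0/24
"""

# One pattern per line type: IKE SA header, IKE proposal, CHILD SA header, CHILD algorithms, CHILD selectors.
IKE_SA = re.compile(r"^\s*(\S+)\[(\d+)\]: ([A-Z]+) .*?, (\S+)\[[^\]]+\]\.\.\.(\S+)\[[^\]]+\]$")
IKE_PROP = re.compile(r"^\s*(\S+)\[(\d+)\]: IKE proposal: (\S+)$")
CHILD_SA = re.compile(r"^\s*(\S+)\{(\d+)\}:\s+([A-Z]+), (\w+), reqid (\d+), ESP SPIs: (\w+)_i (\w+)_o$")
CHILD_ALG = re.compile(r"^\s*(\S+)\{(\d+)\}:\s+([A-Z0-9_/]+), (\d+) bytes_i, (\d+) bytes_o")
CHILD_TS = re.compile(r"^\s*(\S+)\{(\d+)\}:\s+(\S+) === (\S+)$")

def parse_statusall(text):
    """Return ({ike_sa_id: fields}, {child_sa_id: fields}) from statusall output."""
    ike, child = {}, {}
    for line in text.splitlines():
        if m := IKE_SA.match(line):
            ike[m[2]] = {"conn": m[1], "state": m[3], "local": m[4], "remote": m[5]}
        elif m := IKE_PROP.match(line):
            ike.setdefault(m[2], {})["proposal"] = m[3]
        elif m := CHILD_SA.match(line):
            child[m[2]] = {"conn": m[1], "state": m[3], "mode": m[4], "spi_in": m[6], "spi_out": m[7]}
        elif m := CHILD_ALG.match(line):
            child.setdefault(m[2], {}).update(alg=m[3], bytes_in=int(m[4]), bytes_out=int(m[5]))
        elif m := CHILD_TS.match(line):
            child.setdefault(m[2], {}).update(local_ts=m[3], remote_ts=m[4])
    return ike, child

def tunnel_healthy(text, conn, local_ts, remote_ts, esp_alg):
    """True only if 'conn' has an ESTABLISHED IKE SA and an INSTALLED tunnel-mode
    CHILD SA whose traffic selectors and ESP algorithms are exactly the expected ones."""
    ike, child = parse_statusall(text)
    ike_ok = any(s.get("conn") == conn and s.get("state") == "ESTABLISHED" for s in ike.values())
    child_ok = any(c.get("conn") == conn and c.get("state") == "INSTALLED" and c.get("mode") == "TUNNEL"
                   and (c.get("local_ts"), c.get("remote_ts"), c.get("alg")) == (local_ts, remote_ts, esp_alg)
                   for c in child.values())
    return ike_ok and child_ok
```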

Get the IPsec tunnel policies and state:

$ sudo ip xfrm state

src 12.12.12.12 dst 50.50.50.50
    proto esp spi 0x599b4d60 reqid 1 mode tunnel
    replay-window 0 flag af-unspec
    auth-trunc hmac(sha1) 0x52c84359280868491a37e966384e4c6db05384c8 96
    enc cbc(aes) 0x99e00f0989fec6baa7bd4ea1c7fbefdf37f04153e721a060568629e603e23e7a
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 50.50.50.50 dst 12.12.12.12
    proto esp spi 0xc0d93265 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha1) 0x374d9654436a4c4fe973a54da044d8814184861e 96
    enc cbc(aes) …