
Strongswan ipsec tunnel to Cisco ASA (Was Need a ASA for testing purposes)

2018-12-22 by: David White
From: David White 
I've been tasked with setting up a new tunnel between a Linux server and a
Cisco ASA. I manage the server. I do *not* manage, nor have any visibility
into, the ASA. It is located at a hospital.

We're migrating a website that is currently connected to the hospital's VPN
through a pfSense firewall. The goal with the migration is to do away with
pfSense entirely, and configure the VPN tunnel on the Linux server itself,
using Strongswan (https://strongswan.org/projects/strongswan).

After a few weeks of comparing configs and testing, we still haven't been
able to successfully establish the connection. We're able to get past Phase
1, but Phase 2 of the ipsec tunnel continues to fail.

The guys at the hospital don't really have detailed log information, nor do
I. We both agree that it is some obscure config mismatch that we haven't
been able to identify. No amount of reviewing the following URL has helped:

So.... that's what I'm dealing with. I finally got to the point where I
decided I need local Cisco hardware to test with, get things working, and
then contact the hospital to let them know what changes they need to make
on their end, if any.

On Fri, Dec 21, 2018 at 6:58 PM Dave Brockman wrote:

> On 12/21/2018 2:27 PM, David White wrote:
> > What's the cheapest option you've got that will allow me to run some
> > tests with an ikev1 ipsec tunnel, and while I'm at it, refresh my Cisco
> > kung-fu skills?
> What do you want to test?  I can probably answer the questions that are
> prodding you to conduct tests.  Also, move onto IKEv2, it's much more
> secure, especially on those old platforms, IKEv1 on those old things are
> totally busted.  That was before Equation Group drop.  Now they are
> swiss cheese.
> Happy Holidays!
> -Dave

===============================================================
From: David White
------------------------------------------------------

... and in this case, I'm not calling the shots. The hospital has dictated all of the encryption settings and type of ipsec. But I'm indeed surprised they are going with ikev1, especially because they shared with me that this particular connection is being built into a *new* VPN gateway / Cisco ASA. The website that we are migrating is currently connected (again, through pfSense) to an older Cisco ASA that they are retiring.

===============================================================
From: Stephen Kraus
------------------------------------------------------

Why migrate away from pfsense? It's generally more capable than the ASA and comes cheaper and easier to config.

===============================================================
From: David White
------------------------------------------------------

Long story. I don't manage the old server, nor do I have any visibility into the pfSense config. I'm the "new web hosting vendor" for my client, which is a marketing company up in Virginia, which in turn has the hospital as their client.

I gave them the option of deploying pfSense and using hardware, but that would have been quite a bit more expensive for them than to go with StrongSwan, as it would have required I deploy my own local hardware into a datacenter here in Chattanooga -- and all of the liabilities, complexities, etc... that come with that.

The VPS providers like Digital Ocean and Linode don't let you run your own custom kernels / deployments. You're only limited to what they support (CentOS, Ubuntu, etc....)

On Fri, Dec 21, 2018 at 8:41 PM Stephen Kraus wrote:

===============================================================
From: Stephen Kraus
------------------------------------------------------

It doesn't have to be hardware. I use pfsense as a virtual router/VPN/gateway in my sandbox at the office.

===============================================================
From: David White
------------------------------------------------------

Right. But as I said, the VPS providers like Digital Ocean and Linode don't let you run your own custom kernels / deployments. You're only limited to what they support (CentOS, Ubuntu, etc....) So we can't actually run pfSense in the VPS provider's environment.

On Fri, Dec 21, 2018 at 8:47 PM Stephen Kraus wrote:

===============================================================
From: David White
------------------------------------------------------

... that said, after how much work I've put into this, I'm really kicking myself, because I've spent far more time building and troubleshooting this VPN connection for it to still not work. And I'll agree 100% -- pfSense is certainly easier and more flexible to use. Based on the research and documentation I reviewed prior to this project, though, I felt fairly confident that I could do it pretty easily with StrongSwan.

===============================================================
From: Stephen Kraus
------------------------------------------------------

Just because I'm bored, and didn't know if you read this through yet (I'm sure you did):
https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html

===============================================================
From: Dave Brockman
------------------------------------------------------

Give me: Right side protected network, left side protected network. Phase I encryption, Phase I HMAC, PFS Group (if any), Phase II encryption, Phase II HMAC, PFS Group (if any), and I'll give you the config.

This is 100% bullshit. IPSEC is a standard, and almost all vendors can get a working IKEv1 interop configuration working. I will bet $100 there is nothing obscure about your configuration. Hopefully AES128/SHA1-HMAC, PFS Group 5. My guess is 3DES/MD5/no PFS, or group 2 on IPSEC only, nothing on IKE.

What you need from the remote side is this:

(ASA 8.25) IKEv1 Policy

crypto isakmp policy XX
 authentication pre-share
 encryption XX
 hash XXX
 group X
 lifetime 86400

or (ASA 8.3+)

crypto ikev1 policy xx
 authentication pre-share
 encryption xxx
 hash xxx
 group x
 lifetime 86400

crypto ipsec transform-set [VAR] [encryption-algo] [hmac-algo]

or

crypto ipsec ikev1 transform-set [VAR] [encryption-algo] [hmac-algo]

I need to know if you have a static or dynamic IP address on the StrongSwan side to give you the rest of the ASA config. My guess is that you are missing the NAT BYPASS config on the StrongSwan side.

Cheers,
-Dave

===============================================================
From: David White
------------------------------------------------------

I'll research the NAT Bypass suggestion. Thank you.

I did try the "forceencaps" option several times over the past few days (see https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection), but that didn't make a difference.

I believe that DH group 5 is used in both phase 1 and phase 2.

*Here's the hospital's config (I'm going to sanitize IP addresses, although in the below config, I don't see their public IP anywhere):*

!
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
!
object network host_developCENTS-server_10.255.x.x
 host
 description This address is used by developCENTS on their server located on their side of a site-to-site vpn tunnel.
object-group network nog_developCENTS_ext
 description developCENTS manages EPIC Training website which uses LDAP for users to login
 network-object object host_developCENTS-server_10.255.x.x
object-group network nog_developCENTS_int
 description developCENTS manages Training website which uses LDAP for users to login
 network-object object host_dc-wmc-nat_192.77.x.x
!
access-list outside_cryptomap_24 line 1 extended permit ip object-group nog_developCENTS_int object-group nog_developCENTS_ext
group-policy GroupPolicy_developCENTS internal
group-policy GroupPolicy_developCENTS attributes
 vpn-tunnel-protocol ikev1
exit
tunnel-group 138.197.x.x type ipsec-l2l
tunnel-group 138.197.x.x general-attributes
 default-group-policy GroupPolicy_developCENTS
tunnel-group 138.197.x.x ipsec-attributes
 ikev1 pre-shared-key **********
 isakmp keepalive threshold 10 retry 2
crypto map outside_map1 22 match address outside_cryptomap_24
crypto map outside_map1 22 set peer 138.197.x.x
crypto map outside_map1 22 set pfs group5
crypto map outside_map1 22 set ikev1 transform-set ESP-AES-256-SHA

*And here's my config:*

conn %default
    # P1 Lifetime is 86400 seconds
    ikelifetime=1440m
    # P2 Lifetime is 28800 seconds
    keylife=480m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret

conn vh
    keyexchange=ikev1
    authby=secret
    # P1 Lifetime is 86400 seconds
    ikelifetime=1440m
    # P2 Lifetime is 28800 seconds
    keylife=480m
    type=tunnel
    left=138.197.x.x
    leftsubnet=10.255.x.x/32
    leftid=138.197.x.x
    right=192.77.x.x
    rightsubnet=192.177.x.x/32
    rightid=192.77.x.x
    auto=start
    ike=aes256-sha1-modp1536
    esp=aes256-sha1
    keyexchange=ikev1
    # forceencaps=yes
    leftfirewall=yes
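Dave's point above is that an IKEv1 interop failure is almost always a parameter mismatch between the two sides, and the two configs just posted give both sides' proposals side by side. The script below is an added example, not code from the thread or from strongSwan or Cisco: it parses the IKE/ESP proposal strings of one ipsec.conf conn and the corresponding ASA lines (ikev1 policy, transform-set, crypto-map PFS), translates the ASA keywords into strongSwan tokens, and lists every Phase 1 / Phase 2 difference. The ASA "crypto ikev1 policy" block in the sample is an assumption (the hospital did not post one); the rest of the sample is constructed from the fragments above. On those fragments the only difference it reports is PFS: the crypto map says "set pfs group5", while strongSwan only proposes PFS when the esp= line carries a DH group.

```python
"""Compare IKEv1 Phase 1 / Phase 2 proposals of a strongSwan conn with an ASA
crypto config and report mismatches. Added example, not from the thread."""
import re

# ASA keyword -> strongSwan proposal token
ASA_DH = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048",
          "19": "ecp256", "20": "ecp384", "21": "ecp521"}
ASA_IKE_ENC = {"des": "des", "3des": "3des", "aes": "aes128",
               "aes-192": "aes192", "aes-256": "aes256"}
ASA_IKE_HASH = {"md5": "md5", "sha": "sha1", "sha256": "sha256"}
ASA_ESP_ENC = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes128",
               "esp-aes-192": "aes192", "esp-aes-256": "aes256"}
ASA_ESP_INTEG = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1",
                 "esp-sha-256-hmac": "sha256"}
DH_TOKENS = set(ASA_DH.values())

# Constructed sample: the policy block is an ASSUMPTION (not posted in the
# thread); the remaining lines are taken from the hospital config above.
ASA_SAMPLE = """
! assumed Phase 1 policy
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map1 22 match address outside_cryptomap_24
crypto map outside_map1 22 set peer 138.197.x.x
crypto map outside_map1 22 set pfs group5
crypto map outside_map1 22 set ikev1 transform-set ESP-AES-256-SHA
"""
SWAN_SAMPLE = """
conn %default
    keyexchange=ikev1
conn vh
    keyexchange=ikev1
    ike=aes256-sha1-modp1536
    esp=aes256-sha1   # no DH group, so no PFS is proposed
"""
SWAN_FIXED = SWAN_SAMPLE.replace("esp=aes256-sha1 ", "esp=aes256-sha1-modp1536 ")


def parse_swan_proposal(prop):
    """'aes256-sha1-modp1536' -> {'enc', 'integ', 'dh'}; dh is None if absent."""
    tokens = prop.split(",")[0].rstrip("!").split("-")
    out = {"enc": tokens[0], "integ": None, "dh": None}
    for tok in tokens[1:]:
        out["dh" if tok in DH_TOKENS else "integ"] = tok
    return out


def parse_swan_conn(text, conn):
    """Collect key=value settings of one 'conn <name>' section (comments stripped)."""
    settings, current = {}, None
    for line in text.splitlines():
        s = line.split("#", 1)[0].strip()
        if s.startswith("conn "):
            current = s.split(None, 1)[1]
        elif current == conn and "=" in s:
            key, value = s.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def parse_asa(text):
    """Pull the ikev1/isakmp policy, transform-sets and crypto-map PFS/transform-set."""
    asa = {"policy": {}, "transform_sets": {}, "pfs": None, "transform_set": None}
    in_policy = False
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("!"):
            continue
        if s.startswith("crypto "):
            in_policy = re.match(r"crypto (?:ikev1|isakmp) policy \d+$", s) is not None
            m = re.match(r"crypto ipsec (?:ikev1 )?transform-set (\S+) (\S+) (\S+)$", s)
            if m:
                asa["transform_sets"][m.group(1)] = (m.group(2), m.group(3))
            m = re.match(r"crypto map \S+ \d+ set pfs group(\d+)$", s)
            if m:
                asa["pfs"] = m.group(1)
            m = re.match(r"crypto map \S+ \d+ set (?:ikev1 )?transform-set (\S+)$", s)
            if m:
                asa["transform_set"] = m.group(1)
        elif in_policy:
            words = s.split()
            if len(words) == 2 and words[0] in ("encryption", "hash", "group"):
                asa["policy"][words[0]] = words[1]
    return asa


def compare(swan_text, conn, asa_text):
    """Return human-readable mismatches; an empty list means both phases line up."""
    swan, asa, problems = parse_swan_conn(swan_text, conn), parse_asa(asa_text), []
    ike = parse_swan_proposal(swan.get("ike", ""))
    pol = asa["policy"]
    if pol:
        want = (ASA_IKE_ENC.get(pol.get("encryption")), ASA_IKE_HASH.get(pol.get("hash")),
                ASA_DH.get(pol.get("group")))
        got = (ike["enc"], ike["integ"], ike["dh"])
        if want != got:
            problems.append("Phase 1: ASA policy %s vs strongSwan ike= %s" % (want, got))
    esp = parse_swan_proposal(swan.get("esp", ""))
    ts = asa["transform_sets"].get(asa["transform_set"])
    if ts:
        want, got = (ASA_ESP_ENC.get(ts[0]), ASA_ESP_INTEG.get(ts[1])), (esp["enc"], esp["integ"])
        if want != got:
            problems.append("Phase 2: ASA transform-set %s vs strongSwan esp= %s" % (want, got))
    # 'set pfs groupN' makes the ASA require PFS with that group; strongSwan
    # proposes PFS only when esp= carries a DH group, so both must agree.
    want_pfs = ASA_DH.get(asa["pfs"])
    if want_pfs != esp["dh"]:
        problems.append("Phase 2 PFS: ASA requires %s but strongSwan esp= carries %s"
                        % (want_pfs or "no PFS", esp["dh"] or "no DH group"))
    return problems


if __name__ == "__main__":
    for label, text in (("as posted", SWAN_SAMPLE), ("with DH group on esp=", SWAN_FIXED)):
        print(label + ":", compare(text, "vh", ASA_SAMPLE) or ["no mismatches"])
```

The check covers algorithms and groups only; traffic selectors (leftsubnet/rightsubnet against the crypto-map ACL), lifetimes and the NAT traversal point Dave raises still have to be compared by hand.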

===============================================================
From: David White
------------------------------------------------------

Well this is interesting:

(Not the interesting part, but an FYI for context: This webserver is running cPanel (Yuck -- client insists they need it though, and they're paying for it, so whatever).)

One of my troubleshooting steps I was going to do today was to build out an ipsec tunnel between this server and a 2nd StrongSwan instance on a different server somewhere. As I'm in the original StrongSwan server (again, running cpanel - Yuck), I noticed that although I had built the virtual network (in the above config, the 10.255.x.x/32 address) inside of cPanel, that IP is nowhere to be found in /etc/sysconfig/network-scripts/ifcfg-eth0. That may be the issue. Need to research that further...

===============================================================
From: David White
------------------------------------------------------

That IP address shows up when I run "ip addr", but it isn't in the /etc/sysconfig/network-scripts/ifcfg-eth0 file. Never seen that before... But the fact the IP address exists when I run "ip addr" leads me to believe that Strongswan can in fact know about that IP address and use it.

===============================================================
From: David White
------------------------------------------------------

I successfully established a VPN tunnel between two Strongswan instances, so that's encouraging, anyway -- and it rules out the possibility that I've missed something dumb in my own firewall. :)