Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I've been tasked with setting up a VPN connection from CentOS 6.1 (2.6.32-131.21.1.el6.x86_64) & Openswan (Openswan: Linux Openswan U2.6.32/K2.6.32-131.21.1.el6.x86_64 (netkey)) to a Cisco ASA. Unfortunately I don't have any experience with VPNs or Openswan, but after a lot of Googling I have come up with an ipsec.conf file based upon the requirements of the Cisco ASA (below). I still can't get the tunnel to come up after many hours of trying. If anyone can point me in the right direction from the information below it would be very much appreciated; if any further information is required, please let me know what you need & I will supply it.
TIA, Jason
Cisco ASA policy requirements:
IKE Policy
Message Encryption algorithm: AES256
Data Integrity: SHA
DH-Group: Group 2 (1024 bit)
Peer Authentication Method: Pre shared key
IKE Lifetime: 8 hours (28,800 seconds)
IPSec parameters
Mechanism for payload encryption: ESP
ESP Transform: AES256
Data Integrity: SHA
Security Association (SA) Lifetime: 1 hour (3,600 seconds)
Perfect Forward Secrecy (PFS): Enabled (Group 2 Keys)
Also to avoid conflict with the ASA side private LAN, they will only accept IP traffic across a VPN where the source host is presented as a public address. This has been done & the Linux box IP address is a private IP connected directly.
ipsec.conf:

version 2.0 # conforms to second version of ipsec.conf specification

config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    protostack=netkey
    #nat_traversal=yes
    #virtual_private=
    #oe=off
    # Enable this if you see "failed to find any available worker"
    # nhelpers=0
    #interfaces="ipsec0=eth0"

conn connect
    type=tunnel
    authby=secret
    # left= and right= take a bare peer address, not a /32 prefix (addresses redacted in the post)
    left=<Linux public IP>
    leftnexthop=%defaultroute
    right=<ASA public IP>
    rightnexthop=%defaultroute
    keyexchange=ike
    # phase 1 and phase 2 proposals matching the ASA policy above
    ike=aes256-sha1-modp1024
    phase2alg=aes256-sha1
The secrets.conf file is:
<ASA IP address> <Linux IP address> : PSK "<PSK as received>"
Here is an excerpt from the Openswan log file after attempting to bring the tunnel up:
Dec 11 17:30:01 <HOSTNAME> pluto[4123]: shutting down interface lo/lo ::1:500
Dec 11 17:30:01 <HOSTNAME> pluto[4123]: shutting down interface lo/lo 127.0.0.1:500
Dec 11 17:30:01 <HOSTNAME> pluto[4123]: shutting down interface eth0/eth0 <Linux IP>:500
Dec 11 17:30:03 <HOSTNAME> ipsec__plutorun: Starting Pluto subsystem...
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: nss directory plutomain: /etc/ipsec.d
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: NSS Initialized
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:4627
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: LEAK_DETECTIVE support [disabled]
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: OCF support for IKE [disabled]
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: SAref support [disabled]: Protocol not available
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: SAbind support [disabled]: Protocol not available
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: NSS support [enabled]
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: HAVE_STATSD notification support not compiled in
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: Setting NAT-Traversal port-4500 floating to off
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: port floating activation criteria nat_t=0/port_float=1
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: NAT-Traversal support [disabled]
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: starting up 3 cryptographic helpers
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: started helper (thread) pid=140072313808640 (fd:10)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: started helper (thread) pid=140072303318784 (fd:12)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: started helper (thread) pid=140072292828928 (fd:14)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: Using Linux 2.6 IPsec interface code on 2.6.32-131.21.1.el6.x86_64 (experimental code)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_add(): ERROR: Algorithm already exists
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_add(): ERROR: Algorithm already exists
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_add(): ERROR: Algorithm already exists
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_add(): ERROR: Algorithm already exists
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_add(): ERROR: Algorithm already exists
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: Could not change to directory '/etc/ipsec.d/cacerts': /
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: Could not change to directory '/etc/ipsec.d/aacerts': /
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: Could not change to directory '/etc/ipsec.d/crls'
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: | selinux support is enabled.
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: listening for IKE messages
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: adding interface eth0/eth0 <Linux IP>:500
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: adding interface lo/lo 127.0.0.1:500
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: adding interface lo/lo ::1:500
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: loading secrets from "/etc/ipsec.secrets"
It's great that so many of you have taken the time to look at my problem, so thanks for that. I've spent a few hours tonight trying to get the tunnel up & have made a bit more progress. I have changed the config file (as below) & although the tunnel still doesn't come up, after looking at the log file it looks like phase 1 has worked. I've included the log file (as below), so if anyone can help move me to the next step please let me know; any help is really appreciated.
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: adding interface eth0/eth0 <Linux IP>:500
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: adding interface lo/lo 127.0.0.1:500
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: adding interface lo/lo ::1:500
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: loading secrets from "/etc/ipsec.secrets"
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: initiating Main Mode
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: received Vendor ID payload [Cisco-Unity]
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: received Vendor ID payload [XAUTH]
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: ignoring unknown Vendor ID payload [fe6889c39ec2923641caefcf37bd3c7f]
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: received Vendor ID payload [Dead Peer Detection]
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: Main mode peer ID is ID_IPV4_ADDR: '<Cisco IP>'
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:5ffc39d0 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: received and ignored informational message
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: received Delete SA payload: deleting ISAKMP State #1
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: packet from <Cisco IP>:500: received and ignored informational message
Jazsnap,
On the ASA side, in general I disable PFS; it causes problems even with devices that otherwise play well with ASA, like SonicWall. Setting up a tunnel from an ASA to Openswan has always been more difficult for me than having a SonicWall or a PIX or ASA as a peer. Try turning off Perfect Forward Secrecy.
Thanks for the advice agentbuzz. Unfortunately I don't have any control over the Cisco end, but they have confirmed that PFS is definitely being used. I'm thinking that the below line may hold some clues but I'm not too sure how to interpret it; everything seems to be in order but I'm not sure about +UP or +IKEv2ALLOW? Also, could the order of the commands in the config file have any bearing?
Try changing IKE and SA lifetimes to the same values? Can't remember a lot from the CCNA and CCNP courses I had, but I still recall something about key lifetimes needing to be the same. Not sure if that helps because IKE and SA ain't the same, but worth a shot?
Thanks for all the help & I now have this tunnel working. The problem was that I was missing the right subnet from the ipsec.conf file; as soon as that was added the tunnel came up at the first attempt. Apparently, as the Cisco side didn't see the subnet, it couldn't match our incoming connection & finish off phase 2 authentication. Here is the working ipsec.conf file for anyone who is interested:
config setup
    interfaces=%defaultroute
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    #plutodebug=all
    protostack=netkey
    nat_traversal=no
    # Enable this if you see "failed to find any available worker"
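Added example (not from the thread, Openswan or Cisco): a small Python checker that parses an Openswan conn section, compares it with the ASA policy listed at the top of the thread, flags the missing rightsubnet that turned out to be the problem, and classifies pluto log lines of the kind shown in the second post (ISAKMP SA established, then INVALID_ID_INFORMATION). The config and log lines are constructed; the conn name "snt" is taken from the log, and RFC 5737 documentation addresses stand in for the redacted ones.

```python
# Phase 1 / phase 2 parameters the Cisco ASA in the thread insists on.
ASA_POLICY = {"ike": "aes256-sha1-modp1024", "phase2alg": "aes256-sha1", "pfs": "yes"}

def parse_ipsec_conf(text):
    """Flat ipsec.conf -> {section: {key: value}}; section headers start at column 0."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        if not raw[0].isspace():  # 'config setup' / 'conn snt'
            current = line.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            sections[current][key.strip().lower()] = value.strip().strip('"')
    return sections

def check_conn(conn):
    """Findings for a conn that must match ASA_POLICY; an empty list means it looks right."""
    findings = []
    for key, want in ASA_POLICY.items():
        got = conn.get(key, "yes" if key == "pfs" else None)  # Openswan defaults pfs=yes
        if got != want:
            findings.append(f"{key}={got!r} but ASA wants {want!r}")
    if "rightsubnet" not in conn:  # the thread's actual bug: no phase 2 ID for the ASA to match
        findings.append("rightsubnet missing")
    return findings

def diagnose_log(lines):
    """How far the IKE exchange got, judged from pluto log lines."""
    has = lambda needle: any(needle in line for line in lines)
    if has("ISAKMP SA established") and has("INVALID_ID_INFORMATION"):
        return "phase2-id-mismatch"  # peer rejected the Quick Mode IDs: check the subnets
    return "phase1-ok" if has("ISAKMP SA established") else "phase1-failed"

# Constructed sample shaped like the first post's conn, with RFC 5737 documentation
# addresses in place of the redacted ones and rightsubnet deliberately absent.
BROKEN_CONF = """conn snt
    authby=secret
    left=198.51.100.10
    right=203.0.113.1
    ike=aes256-sha1-modp1024
    phase2alg=aes256-sha1
"""
FIXED_CONF = BROKEN_CONF + "    rightsubnet=203.0.113.0/24\n"
# Constructed log lines in the shape of the second post's excerpt.
LOG = ['"snt" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY}',
       '"snt" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {pfsgroup=OAKLEY_GROUP_MODP1024}',
       '"snt" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000']
```

Running check_conn on the broken conn reports only "rightsubnet missing", and diagnose_log on the log lines returns "phase2-id-mismatch", which is exactly the state the second post was stuck in.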