Old 12-11-2011, 10:40 AM   #1
Jazsnap
LQ Newbie
 
Registered: Dec 2011
Posts: 4

Rep: Reputation: Disabled
Help connecting to Cisco ASA with Openswan?


Hi,

I've been tasked with setting up a VPN connection from CentOS 6.1 (2.6.32-131.21.1.el6.x86_64) & Openswan (Openswan: Linux Openswan U2.6.32/K2.6.32-131.21.1.el6.x86_64 (netkey)) to a Cisco ASA. Unfortunately I don't have any experience with VPNs or Openswan, but after a lot of Googling I have come up with an ipsec.conf file based upon the requirements of the Cisco ASA (below). I still can't get the tunnel to come up after many hours of trying. If anyone can point me in the right direction from the below information it would be very much appreciated; if any further information is required please let me know what you need & I will supply it.

TIA, Jason


Cisco ASA policy requirements:

IKE Policy
Message Encryption algorithm: AES256
Data Integrity: SHA
DH-Group: Group 2 (1024 bit)
Peer Authentication Method: Pre shared key
IKE Lifetime: 8 hours (28,800 seconds)

IPSec parameters
Mechanism for payload encryption: ESP
ESP Transform: AES256
Data Integrity: SHA
Security Association (SA) Lifetime: 1 hour (3,600 seconds)
Perfect Forward Secrecy (PFS): Enabled (Group 2 Keys)

Also to avoid conflict with the ASA side private LAN, they will only accept IP traffic across a VPN where the source host is presented as a public address. This has been done & the Linux box IP address is a private IP connected directly.

Ipsec.conf

version 2.0 # conforms to second version of ipsec.conf specification

config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
# plutodebug="control parsing"
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
protostack=netkey
#nat_traversal=yes
#virtual_private=
#oe=off
# Enable this if you see "failed to find any available worker"
# nhelpers=0

#interfaces="ipsec0=eth0"

conn connect
type=tunnel
authby=secret
left=<Linux public IP>/32
leftnexthop=%defaultroute
right=<ASA public IP>/32
rightnexthop=%defaultroute
Keyexchange=ike
ike=aes256-sha1-modp1024
phase2alg=aes256-sha1


The secrets.conf file is:

<ASA IP address> <Linux IP address> : PSK "<PSK as received>"


Also I have added firewall rules:

iptables -I INPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -I OUTPUT -p udp --sport 500 --dport 500 -j ACCEPT
iptables -I INPUT -p udp --sport 4500 --dport 4500 -j ACCEPT
iptables -I OUTPUT -p udp --sport 4500 --dport 4500 -j ACCEPT
iptables -I INPUT -p 50 -j ACCEPT
iptables -I OUTPUT -p 50 -j ACCEPT


Here is an excerpt from the Openswan log file after attempting to bring the tunnel up:

Dec 11 17:30:01 <HOSTNAME> pluto[4123]: shutting down interface lo/lo ::1:500
Dec 11 17:30:01 <HOSTNAME> pluto[4123]: shutting down interface lo/lo 127.0.0.1:500
Dec 11 17:30:01 <HOSTNAME> pluto[4123]: shutting down interface eth0/eth0 <Linux IP>:500
Dec 11 17:30:03 <HOSTNAME> ipsec__plutorun: Starting Pluto subsystem...
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: nss directory plutomain: /etc/ipsec.d
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: NSS Initialized
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:4627
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: LEAK_DETECTIVE support [disabled]
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: OCF support for IKE [disabled]
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: SAref support [disabled]: Protocol not available
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: SAbind support [disabled]: Protocol not available
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: NSS support [enabled]
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: HAVE_STATSD notification support not compiled in
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: Setting NAT-Traversal port-4500 floating to off
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: port floating activation criteria nat_t=0/port_float=1
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: NAT-Traversal support [disabled]
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: starting up 3 cryptographic helpers
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: started helper (thread) pid=140072313808640 (fd:10)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: started helper (thread) pid=140072303318784 (fd:12)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: started helper (thread) pid=140072292828928 (fd:14)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: Using Linux 2.6 IPsec interface code on 2.6.32-131.21.1.el6.x86_64 (experimental code)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_add(): ERROR: Algorithm already exists
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_add(): ERROR: Algorithm already exists
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_add(): ERROR: Algorithm already exists
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_add(): ERROR: Algorithm already exists
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_add(): ERROR: Algorithm already exists
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: Could not change to directory '/etc/ipsec.d/cacerts': /
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: Could not change to directory '/etc/ipsec.d/aacerts': /
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: Could not change to directory '/etc/ipsec.d/crls'
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: | selinux support is enabled.
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: listening for IKE messages
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: adding interface eth0/eth0 <Linux IP>:500
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: adding interface lo/lo 127.0.0.1:500
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: adding interface lo/lo ::1:500
Dec 11 17:30:03 <HOSTNAME> pluto[4627]: loading secrets from "/etc/ipsec.secrets"
 
Old 12-12-2011, 04:59 PM   #2
Jazsnap
LQ Newbie
 
Registered: Dec 2011
Posts: 4

Original Poster
Rep: Reputation: Disabled
Hi again,

It's great that so many of you have taken the time to look at my problem, so thanks for that. I've spent a few hours tonight trying to get the tunnel up & have made a bit more progress. I have changed the config file (as below) &, although the tunnel still doesn't come up, after looking at the log file it looks like phase 1 has worked. I've included the log file (as below), so if anyone can help move me to the next step please let me know; any help is really appreciated.

TIA, Jase
------------------------------------------
ipsec.conf

# basic configuration
config setup
protostack=netkey
nat_traversal=no

conn snt
pfs=yes
auto=start
keyingtries=1
#ikeparams
Keyexchange=ike
ikelifetime=480m
type=tunnel
auth=esp
authby=secret
keylife=60m
#Left security gateway, subnet behind it, next hop
left=<Linux IP>
right=<Cisco IP>
rightnexthop=<Linux IP>
ike=aes256-sha1-modp1024
phase2alg=aes256-sha1
------------------------------------------
Log file:

Dec 12 23:47:31 <HOSTNAME> pluto[20985]: adding interface eth0/eth0 <Linux IP>:500
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: adding interface lo/lo 127.0.0.1:500
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: adding interface lo/lo ::1:500
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: loading secrets from "/etc/ipsec.secrets"
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: initiating Main Mode
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: received Vendor ID payload [Cisco-Unity]
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: received Vendor ID payload [XAUTH]
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: ignoring unknown Vendor ID payload [fe6889c39ec2923641caefcf37bd3c7f]
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: received Vendor ID payload [Dead Peer Detection]
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: Main mode peer ID is ID_IPV4_ADDR: '<Cisco IP>'
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1024}
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:5ffc39d0 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: received and ignored informational message
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: "snt" #1: received Delete SA payload: deleting ISAKMP State #1
Dec 12 23:47:31 <HOSTNAME> pluto[20985]: packet from <Cisco IP>:500: received and ignored informational message
 
Old 12-13-2011, 09:11 AM   #3
agentbuzz
Member
 
Registered: Oct 2010
Location: Texas
Distribution: Debian, Ubuntu, CentOS, RHEL
Posts: 131

Rep: Reputation: 25
Setting up IPSEC VPN tunnel between ASA and Linux

Jazsnap,
On the ASA side, in general I disable PFS; it causes problems even with devices that otherwise play well with ASA, like SonicWall. Setting up a tunnel from an ASA to Openswan has always been more difficult for me than having a SonicWall or a PIX or ASA as a peer. Try turning off Perfect Forward Secrecy.
 
Old 12-14-2011, 03:43 AM   #4
Jazsnap
LQ Newbie
 
Registered: Dec 2011
Posts: 4

Original Poster
Rep: Reputation: Disabled
Thanks for the advice agentbuzz; unfortunately I don't have any control over the Cisco end, but they have confirmed that PFS is definitely being used. I'm thinking that the below line may hold some clues but I'm not too sure how to interpret it; everything seems to be in order, but I'm not sure about +UP or +IKEv2ALLOW? Also, could the order of the commands in the config file have any bearing?

initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:5ffc39d0 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}

Regards,
Jason
 
Old 12-14-2011, 07:14 PM   #5
tva
Member
 
Registered: Jul 2010
Location: Finland
Distribution: Open SUSE 13.1
Posts: 83

Rep: Reputation: 8
Try changing the IKE and SA lifetimes to the same values? I can't remember a lot from the CCNA and CCNP courses I had, but I still recall something about key lifetimes needing to be the same. Not sure if that helps because IKE and SA ain't the same, but worth a shot?
 
Old 12-18-2011, 02:31 PM   #6
Jazsnap
LQ Newbie
 
Registered: Dec 2011
Posts: 4

Original Poster
Rep: Reputation: Disabled
[Solved]

Thanks for all the help & I now have this tunnel working. The problem was that I was missing the right subnet from the ipsec.conf file; as soon as that was added the tunnel came up at the first attempt. Apparently, as the Cisco side didn't see the subnet, it couldn't match our incoming connection & finish off phase 2 authentication. Here is the working ipsec.conf file for anyone who is interested:


config setup
interfaces=%defaultroute
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
#plutodebug=all
protostack=netkey
nat_traversal=no
# Enable this if you see "failed to find any available worker"

conn test
type=tunnel
#Left security gateway, subnet behind it, next hop
left=<Linux IP>
leftsubnet=<Linux subnet>/24
right=<Cisco IP>
rightsubnet=<Cisco subnet>/24
keyingtries=1
pfs=yes
#ikeparams
keyexchange=ike
ikelifetime=480m
#ipsecparams
phase2=esp
authby=secret
keylife=60m
auto=start
ike=aes256-sha1-modp1024
phase2alg=aes256-sha1
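The checks this thread ended up turning on, as an added example that is not code from the thread or from Openswan: a small Python lint that parses the conn sections of an ipsec.conf, converts Openswan lifetimes to seconds, compares them with the ASA policy listed in the first post, and flags a conn with no leftsubnet/rightsubnet (the gap that left phase 2 unmatched here, giving the INVALID_ID_INFORMATION seen in the second post's log). The policy-to-keyword mapping, the sample config and the addresses in it are constructed assumptions.

```python
import re
# Added example, not from the thread: lint an Openswan ipsec.conf conn against
# the ASA policy from post #1 and the phase 2 selectors post #6 found missing.
ASA_POLICY = {"ike": "aes256-sha1-modp1024", "phase2alg": "aes256-sha1",
              "pfs": "yes", "authby": "secret",
              "ikelifetime": 28800, "keylife": 3600}   # lifetimes in seconds
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}
# Constructed sample modelled on the thread's second, non-working config.
SAMPLE_CONF = """\
conn snt
    pfs=yes
    ikelifetime=480m     # 8 hours
    authby=secret
    keylife=60m          # 1 hour
    left=192.0.2.10
    right=198.51.100.1
    ike=aes256-sha1-modp1024
    phase2alg=aes256-sha1
"""

def lifetime_seconds(value):
    """Convert an Openswan lifetime ('480m', '8h', '3600') to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError("bad lifetime: %r" % value)
    return int(m.group(1)) * UNITS[m.group(2)]

def parse_conns(text):
    """Return {conn name: {key: value}} for each conn section."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def lint_conn(params):
    """List mismatches against ASA_POLICY; an empty list means the conn matches."""
    problems = ["missing %s: phase 2 selectors cannot match the peer" % side
                for side in ("leftsubnet", "rightsubnet") if side not in params]
    for key, want in ASA_POLICY.items():
        got = params.get(key)
        norm = lifetime_seconds(got) if got and isinstance(want, int) else got
        if norm != want:
            problems.append("%s=%s, ASA expects %s" % (key, got, want))
    return problems
```

Running `lint_conn(parse_conns(SAMPLE_CONF)["snt"])` reports only the two missing subnet selectors; adding them returns an empty list, matching the working config in the last post.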