LinuxQuestions.org
Old 03-28-2008, 06:00 AM   #1
OdinnBurkni
Member
 
Registered: Feb 2007
Location: Iceland
Distribution: Fedora 14, CentOS, FreeNAS
Posts: 127

Rep: Reputation: 20
How to create a site2site with OpenSwan and Cisco ASA 5510


Hi there.
Maybe there are some other threads about this but I haven't found the right one yet. What I'm working on is connecting two sites. One is behind Cisco ASA 5510 and the other is behind Linux (Fedora Core 6) and I thought about using OpenSwan on that side.

The scenario is like this:
Site A - Cisco 5510
subnet 192.168.1.0/24

Site B - Linux
subnet 192.168.2.0/24

The intranet traffic should go through the tunnel. All other traffic should go directly to the internet.

I don't mind spending some time trying to figure this out but I think it is much wiser to ask around here, this is the place where all the experts are :-). I've got answers from you guys before and it really did help me then so I'm counting on you to point me in the right direction.

Regards,
Burkni
 
Old 03-29-2008, 10:23 PM   #2
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 430

Rep: Reputation: 67
do you have the configs already?

http://lists.virus.org/users-openswa.../msg00011.html
http://lists.openswan.org/pipermail/...ch/014174.html

hope this helps
 
Old 04-04-2008, 07:34 AM   #3
OdinnBurkni
Site2Site Cisco and OpenSwan

Hi there and thanks for the reply.
I now have managed to get Phase 1 and Phase 2 established. On the Cisco side I can see that the tunnel is up. However, I can't get access from PCs on the OpenSwan side to servers on the Cisco side. When I ping I don't see the packets arrive at the Cisco side. Therefore I'm guessing it's an iptables solution. I have tried to put some lines there but still no luck. If you have anything you can share with me or point (again) in the right direction I would be very thankful.
Another hint. I tried tcpdump at the same time I pinged a server on the Cisco side from a PC on the OpenSwan side, and the tcpdump showed that the packets were destined for the outside IP on the Cisco. Doesn't that tell us that the traffic isn't going through the tunnel, or that it's NATed when it shouldn't be?

Regards,
Odinn Burkni

 
Old 04-04-2008, 09:08 AM   #4
slimm609
did you set up a static route?


man route
 
Old 04-04-2008, 01:48 PM   #5
OdinnBurkni
Route added

Thank you for a quick reply.
I can see a route to site A on the Linux box:
192.168.1.0 xx.xx.xx.xx 255.255.255.0 UG 0 0 0 eth0
where xx.xx.xx.xx is my next hop, same as leftnexthop. Shouldn't it point to the ipsec tunnel?
 
Old 04-05-2008, 04:15 AM   #6
OdinnBurkni
What I've got so far

Hello.
The connection between Cisco and OpenSwan seems to work, at least I can see that the tunnel is up both on the Linux box and on the Cisco. OK. The tunnel is up but I can't ping from the OpenSwan to the Cisco site.
As I reported last time I can see a route on the Linux box to the Cisco site but it shows that the default GW is my leftnexthop. I guess the GW for that ought to be the ipsec0?
Anyway, every bit of help is great. I'm sure all I need to do is make a route that points the right way. Maybe I'm wrong, that has happened before... ;-) Maybe it's an iptables config. Whatever it is, I need help. If I have to make a route then please tell me how.

Thank you for all the help.
 
Old 04-30-2008, 04:17 AM   #7
OdinnBurkni
Please help me....

This is what I've got:
service ipsec status
IPsec running - pluto pid: 3735
pluto pid 3735
1 tunnels up
So the tunnel seems to be up. When I do ifconfig I only see my physical interfaces, I don't see an ipsec0 interface, which I thought I should see because of the line in ipsec.conf:
version 2.0
config setup
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none
    uniqueids=yes
    nat_traversal=no
include /etc/ipsec.d/*.conf

Here is my config file under /etc/ipsec.d/mytunnel.conf:
conn MyTunnel
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    disablearrivalcheck=no
    #IKE params
    keyexchange=ike
    ikelifetime=240m
    #IPsec Params
    type=tunnel
    auth=esp
    compress=no
    keylife=60m
    # Left security gateway, subnet behind it, next hop toward right.
    left=the ip on eth0
    leftsubnet=192.168.15.0/24
    leftnexthop=My next hop
    # Right security gateway, subnet behind it, next hop toward left.
    right=IP of the other side
    rightsubnet=192.168.25.0/24
    rightnexthop=The other side's next hop
    rightsourceip=192.168.25.3

I changed the IP addresses but the tunnel gets established so that doesn't seem to be the problem. The problem, I think, is that there is no virtual interface named ipsec0. Maybe that doesn't matter???
I really need some help here. I'm sure this is some small and stupid thing I'm missing or overdoing here because I'm a newbie, but I can't figure this one out myself.....
I don't mind reading, have been going through various man pages and wiki's but don't see anything that might help, maybe I'm not looking for the right thing or there's something in the early steps I did wrong?

Please guide me...

Best regards,
Odinn Burkni
 
Old 04-30-2008, 08:41 AM   #8
OdinnBurkni
Update...

Well.
I have connection from Cisco site to Linux site. E.g. when I'm at work I can access my home network from work. However, I cannot at the same time access my work network from home.
Any ideas???

Regards,
Confusious
 
Old 04-30-2008, 09:14 AM   #9
slimm609
sounds like it might be a route issue

are you tunneling all traffic or split-tunnel?
 
Old 04-30-2008, 05:46 PM   #10
OdinnBurkni
Cisco to Linux

Hello Slimm and thank you for a quick reply.
I'm doing split tunneling. What I want is to let only the 192.168.25.0/24 traffic go through the tunnel.
Yes, I would believe it is a routing problem but then how could I get traffic from Cisco site today and at the same time no traffic from Linux site? What I mean is when I was at work I could access my fileserver at home through this tunnel but when I tried to ping from that fileserver to my workplace I got no response... ...strange...

Thanks again for your reply, hope I'll hear more from you.

Regards,
Odinn Burkni
 
Old 05-01-2008, 09:07 AM   #11
slimm609
run the route command on the linux box.

i am guessing that you will have to add a route

route [-v] [-A family] add [-net|-host] target [netmask Nm] [gw Gw] [metric N] [mss M] [window W] [irtt I] [reject] [mod] [dyn] [reinstate] [[dev] If]

so something like

# route add -net <network> netmask <subnet mask> gw <gateway>
route add -net x.x.x.x netmask 255.255.x.x gw x.x.x.x

and when the tunnel is not up

route del -net x.x.x.x netmask 255.255.x.x gw x.x.x.x
 
Old 05-06-2008, 06:57 PM   #12
OdinnBurkni
Finally working

Hi all.
Finally I got this working. Not sure what did the trick but it's working. Here are my ipsec files:
ipsec.conf
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    nat_traversal=yes

include /etc/ipsec.d/*.conf

and my config script located under /etc/ipsec.d/
conn myTunnel
    authby=secret
    pfs=no
    auto=start
    keyingtries=3
    disablearrivalcheck=no
    #IKE params
    keyexchange=ike
    ikelifetime=240m
    #IPsec Params
    type=tunnel
    auth=esp
    compress=no
    keylife=60m
    # Left security gateway, subnet behind it, next hop toward right.
    left=mypublicIP
    leftsubnet=192.168.1.0/24
    leftnexthop=MyNextHop
    # Right security gateway, subnet behind it, next hop toward left.
    right=TheCiscoIP
    rightsubnet=192.168.7.0/24
    rightnexthop=mypublicIP
    rightsourceip=192.168.7.3

Left is my public IP and in rightnexthop I put my public IP also. I saw that in a config I found somewhere.
Then I needed a secrets file:
# PSK
myhomeIP TheCiscoIP: PSK "samekeyathome"
I also put these lines in my iptables.conf file
iptables -t filter -N FORWARDS
# hand forwarded packets to the custom chain (without this jump the chain is never consulted)
iptables -t filter -A FORWARD -j FORWARDS
# LAN -> remote site
iptables -t filter -A FORWARDS -s 192.168.1.0/24 -d 192.168.7.0/24 -i eth1 -o ipsec0 -j ACCEPT
# remote site -> LAN (return direction: the remote subnet is the source)
iptables -t filter -A FORWARDS -s 192.168.7.0/24 -d 192.168.1.0/24 -i ipsec0 -o eth1 -j ACCEPT
iptables -t filter -A OUTPUT -d 192.168.7.0/24 -o ipsec0 -j ACCEPT

and this line before other nat postrouting lines:
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.7.0/24 -j ACCEPT

I made a file where ifcfg-eth files are and named it ifcfg-ipsec0 and here it is:
TYPE=IPsec
ONBOOT=yes
IKE_METHOD=PSK
SRCGW=192.168.1.254
DSTGW=192.168.7.3
SRCNET=192.168.1.0/24
DSTNET=192.168.7.0/24
DST=TheCiscoIP

Then at the Cisco site I made this configuration, I think that's all I did, if not I'll post it later.

access-list Inside_nat0_outbound extended permit ip 192.168.7.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (Inside) 0 access-list Inside_nat0_outbound

access-list MyHomeTunnel extended permit ip 192.168.7.0 255.255.255.0 192.168.1.0 255.255.255.0

crypto map Site2site 10 match address MyHomeTunnel
crypto map Site2site 10 set peer mypublicIP
crypto map Site2site 10 set transform-set ESP-3DES-SHA
crypto map Site2site 10 set security-association lifetime seconds 28800

tunnel-group myhomeIP type ipsec-l2l
tunnel-group myhomeIP ipsec-attributes
 pre-shared-key samekeyathome


Thank you all for your input and tips I've got, that did help me a lot.

Regards,
One very happy

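The symptom in post #3 (tcpdump showing LAN packets leaving for the ASA's outside IP) and the fix in post #12 (the nat POSTROUTING ACCEPT inserted before the masquerade) are two sides of one ordering problem: with NETKEY there is no ipsec0, so a MASQUERADE rule that runs before the exemption rewrites the source address before the kernel's IPsec policy lookup, and the packet no longer matches the tunnel selectors. The checker below is an added example, not code from the thread; it reads the tunnel subnets from a conn section and walks constructed `iptables -t nat -S POSTROUTING` output to verify that the exemption is reached before any SNAT/MASQUERADE rule.

```python
import ipaddress
import re

# Constructed sample: the conn from post #12 (left = Linux gateway, right = the ASA).
CONN = """conn myTunnel
    leftsubnet=192.168.1.0/24
    rightsubnet=192.168.7.0/24
"""
# Constructed `iptables -t nat -S POSTROUTING` output. In NAT_BROKEN the exemption
# sits after the masquerade, so LAN-to-tunnel packets are rewritten to the public
# IP before the kernel's IPsec policy lookup and never match the tunnel selectors
# (the "destined to the outside IP" symptom); NAT_FIXED has it inserted first.
NAT_BROKEN = """-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.7.0/24 -j ACCEPT
"""
NAT_FIXED = """-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.7.0/24 -j ACCEPT
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
"""

def conn_subnets(conn_text):
    """Return (leftsubnet, rightsubnet) of a conn section as ip_network objects."""
    vals = dict(re.findall(r"^\s*(leftsubnet|rightsubnet)=(\S+)", conn_text, re.M))
    return ipaddress.ip_network(vals["leftsubnet"]), ipaddress.ip_network(vals["rightsubnet"])

def nat_exemption_ok(nat_rules, local, remote):
    """Walk POSTROUTING in order: True only if an ACCEPT covering local->remote
    is reached before any SNAT/MASQUERADE rule that could rewrite that traffic."""
    for line in nat_rules.splitlines():
        if not line.startswith("-A POSTROUTING"):
            continue
        src = re.search(r"-s (\S+)", line)
        dst = re.search(r"-d (\S+)", line)
        src = ipaddress.ip_network(src.group(1) if src else "0.0.0.0/0")
        dst = ipaddress.ip_network(dst.group(1) if dst else "0.0.0.0/0")
        target = re.search(r"-j (\S+)", line).group(1)
        if not (src.overlaps(local) and dst.overlaps(remote)):
            continue  # rule can never see tunnel traffic
        if target == "ACCEPT" and local.subnet_of(src) and remote.subnet_of(dst):
            return True  # exemption first: packets keep their LAN source address
        if target in ("MASQUERADE", "SNAT"):
            return False  # NAT first: packet no longer matches the IPsec policy
    return False  # no exemption rule at all

if __name__ == "__main__":
    left, right = conn_subnets(CONN)
    for name, rules in (("broken", NAT_BROKEN), ("fixed", NAT_FIXED)):
        print(name, "nat exemption ok:", nat_exemption_ok(rules, left, right))
```

On a live gateway, feed it the real output of `iptables -t nat -S POSTROUTING` and the conn file; the ASA-side equivalent of the exemption is the `nat (Inside) 0 access-list` line in post #12.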
 
Old 08-13-2008, 06:20 PM   #13
bfrancom
LQ Newbie
 
Registered: Aug 2008
Posts: 3

Rep: Reputation: 0
Quote:
Originally Posted by OdinnBurkni
Then at the Cisco site I made this configuration, I think that's all I did, if not I'll post it later.
Can you verify your Cisco config and post it, please?

Trying to setup an ASA 5505 w/ openswan.
Thanks.
 
Old 08-22-2008, 09:33 AM   #14
OdinnBurkni
Cisco to Linux

Hello.
Are you using ASDM or do you config the ASA box in CLI mode?
I'm making another tunnel now. Having hard time finding out what I did.
I'll try to document what I do this time.

Regards,
Burkni.
 
Old 09-02-2008, 04:55 PM   #15
bfrancom
Re: How to create a site2site with OpenSwan and Cisco ASA 5510

Quote:
Originally Posted by OdinnBurkni
Hello.
Are you using ASDM or do you config the ASA box in CLI mode?
I'm using the ASDM. I actually got it up now, quite easily using ASDM. But, now I'm up against some routing issues. I can not ping to either LAN.
 