VPN Site-to-Site Openswan And ASA Cisco

In this post I show that bringing up a site-to-site IPsec tunnel between a CentOS 7 Linux server running Openswan and a Cisco ASA (Adaptive Security Appliance) is straightforward. As long as the cryptographic proposals and the pre-shared key match on both sides, the connection comes up.

1. Installing Openswan

The installation is very easy because it can be done via yum:

# yum install lsof openswan

After the installation, start the service:

# ipsec setup start

2. Configuring Openswan

Openswan has basically two files that need to be changed: ipsec.conf, with the IP addressing and cryptography settings, and ipsec.secrets, with the peer IPs and the pre-shared key used to authenticate them.

2.1. Configuring ipsec.conf

# vim /etc/ipsec.conf

# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Debug-logging controls: "none" for (almost) none, "all" for lots.
    # klipsdebug=none
    # plutodebug="control parsing"
    # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    #protostack=netkey
    #nat_traversal=yes
    #virtual_private=
    #oe=off
    # Enable this if you see "failed to find any available worker"
    #nhelpers=0

# "cisco" is the name of the VPN connection (the name used with "ipsec auto")
conn cisco
    type=tunnel
    authby=secret
    # Left security gateway (Linux side)
    # public IP of the Linux server
    left=201.30.XXX.XXX
    # network behind the Linux server
    leftsubnet=192.168.199.0/24
    # default gateway of the Linux server
    leftnexthop=201.30.XXX.XXX
    # Right security gateway (ASA side)
    # public IP of the ASA
    right=201.30.XXX.XXX
    # network behind the ASA
    rightsubnet=10.100.0.0/16
    # gateway IP on the ASA side
    rightnexthop=201.30.XXX.XXX
    # Phase 2 (ESP) proposal; must match the ASA transform set
    esp=3des-md5-96
    keyexchange=ike
    pfs=no
    auto=start

# You may put your connection definitions (.conf) in /etc/ipsec.d/ and uncomment this:
#include /etc/ipsec.d/*.conf

Save and exit

Note: indentation in ipsec.conf matters. Section headers (config setup, conn cisco) start in column one and every parameter line under them must be indented with whitespace. The esp= proposal, and the Phase 1 proposal (Openswan's defaults when no ike= line is given), must match the ASA's transform set and ISAKMP policy exactly, otherwise negotiation fails with a NO_PROPOSAL_CHOSEN notification. 3DES and MD5 are legacy algorithms, kept here only because the ASA side uses them; if you control both ends, prefer AES and SHA-2.

2.2. Configuring ipsec.secrets

# vim /etc/ipsec.secrets

# peer addresses (ASA side, Linux side; the order does not matter) followed by the pre-shared key
201.30.XXX.XXX 201.30.XXX.XXX: PSK "jfn*7@vP3987X#zl0&jsbc63aQe3"

The same PSK is configured on the ASA for the Linux peer. Keep the file readable by root only (chmod 600 /etc/ipsec.secrets): anyone who can read it can impersonate either end of the tunnel.
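Before running "ipsec setup start", it is worth checking the two files from sections 2.1 and 2.2 for the mistakes that most often stop a tunnel from coming up: a typo in the interfaces= line, proposals that the ASA will not accept, a missing ike= line, pfs=no that the ASA side must mirror, and an ipsec.secrets file that is world-readable. The script below is an added example written for this page, not Openswan's or the article's own tooling. The weak-algorithm list, the mode-600 rule, the 20-character PSK minimum and the sample files (with RFC 5737 addresses and a placeholder PSK) are all this script's own assumptions; the modern algorithm names in the corrected sample are assumed to be supported by the installed Openswan version.

```shell
#!/bin/sh
# Added pre-flight audit for an Openswan ipsec.conf / ipsec.secrets pair.
# Example code for this page, not Openswan's own tooling. Assumptions: the
# weak-algorithm list, the mode-600 rule, the 20-char PSK minimum and the
# constructed sample files below (RFC 5737 addresses, placeholder PSK).

# Normalise an ipsec.conf: drop comments, leading/trailing whitespace and blank
# lines, and remove spaces around "=" so "esp= 3des-md5-96" reads "esp=3des-md5-96".
normalise_conf() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]]*=[[:space:]]*/=/' "$1" | grep -v '^$'
}

# conf_value FILE KEY: print the value of KEY (last occurrence wins, may be empty).
conf_value() {
    normalise_conf "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2-
}

# note MSG: print one finding and count it in $findings.
note() { echo "$1"; findings=$((findings + 1)); }

# audit_conf FILE: print findings, return their count (0 = clean).
audit_conf() {
    findings=0
    ifaces=$(conf_value "$1" interfaces)
    case "$ifaces" in   # an absent interfaces= means %defaultroute
        ""|%defaultroute|ipsec[0-9]*=*) ;;
        *) note "ERROR: interfaces=$ifaces (expected %defaultroute or ipsecN=dev)" ;;
    esac
    esp=$(conf_value "$1" esp); ike=$(conf_value "$1" ike)
    # Proposal tokens are separated by "-", ";" or ","; flag the weak ones.
    for tok in $(printf '%s %s' "$esp" "$ike" | tr ';,-' '   '); do
        case "$tok" in des|3des|md5|modp768|modp1024)
            note "WEAK: $tok in esp/ike proposal (prefer aes, sha2, modp2048 or stronger)" ;;
        esac
    done
    [ -n "$ike" ] || note "WARN: no ike= line; Phase 1 uses Openswan defaults, the ASA isakmp policy must match one of them"
    [ "$(conf_value "$1" pfs)" != "no" ] || note "WARN: pfs=no; the ASA crypto map must not require PFS either"
    [ "$(conf_value "$1" leftsubnet)" != "$(conf_value "$1" rightsubnet)" ] || note "ERROR: leftsubnet equals rightsubnet"
    return $findings
}

# audit_secrets FILE: mode must be 600, a PSK entry must exist and be >= 20 chars.
audit_secrets() {
    findings=0
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || note "ERROR: $1 has mode $mode, expected -rw------- (chmod 600)"
    psk=$(sed -n 's/.*: *PSK *"\([^"]*\)".*/\1/p' "$1" | head -n 1)
    if [ -z "$psk" ]; then note "ERROR: no PSK entry found in $1"
    elif [ ${#psk} -lt 20 ]; then note "WARN: PSK is only ${#psk} characters; use a long random value"; fi
    return $findings
}

# Constructed sample 1: the article's conn as posted (typo and weak ESP included).
write_sample_conf() {
    cat > "$1" <<'EOF'
config setup
    interfaces=%faultroute
conn cisco
    type= tunnel
    authby= secret
    left= 203.0.113.1 # Linux side (constructed address)
    leftsubnet= 192.168.199.0/24
    right= 203.0.113.2 # ASA side (constructed address)
    rightsubnet= 10.100.0.0/16
    esp= 3des-md5-96
    keyexchange= ike
    pfs= no
    auto= start
EOF
}

# Constructed sample 2: typo fixed, explicit ike= line, AES/SHA-2 proposals, PFS on.
write_fixed_conf() {
    cat > "$1" <<'EOF'
config setup
    interfaces=%defaultroute
conn cisco
    left=203.0.113.1
    leftsubnet=192.168.199.0/24
    right=203.0.113.2
    rightsubnet=10.100.0.0/16
    ike=aes256-sha2_256;modp2048
    esp=aes256-sha2_256
    pfs=yes
EOF
}

# Constructed sample 3: ipsec.secrets with a placeholder PSK, created mode 600.
write_sample_secrets() {
    printf '%s\n' '203.0.113.2 203.0.113.1: PSK "REPLACE-WITH-A-LONG-RANDOM-PSK-1234"' > "$1"
    chmod 600 "$1"
}

# Stand-alone demonstration on the constructed samples.
tmp=$(mktemp -d)
write_sample_conf "$tmp/ipsec.conf"; write_fixed_conf "$tmp/fixed.conf"
write_sample_secrets "$tmp/ipsec.secrets"
echo "== ipsec.conf as posted =="; audit_conf "$tmp/ipsec.conf" || echo "findings: $?"
echo "== corrected ipsec.conf =="; audit_conf "$tmp/fixed.conf" && echo "clean"
echo "== ipsec.secrets =="; audit_secrets "$tmp/ipsec.secrets" && echo "clean"
rm -rf "$tmp"
```

Run it as-is to see the five findings against the configuration as posted (the %faultroute typo, 3DES, MD5, no ike= line, pfs=no) and a clean result for the corrected sample; point audit_conf and audit_secrets at /etc/ipsec.conf and /etc/ipsec.secrets to check a real host. The return value is the number of findings, so the functions can gate a deployment script.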