Recently, I came across a scenario in which someone wanted to configure a site-to-site VPN between a Cisco ASA (or Cisco router, etc.) and an Ubuntu server. A remote-access VPN is ideal between a single host and a router/firewall, but where the host has other hosts behind it (e.g. it acts as a router/default gateway), you will want to configure a site-to-site VPN between that host and the router/firewall.

In this article, I will show you how to configure a VPN for such a scenario using the lab setup shown below:

In my case, the Cisco ASA and client PCs (VPCS) are running in GNS3 while the system I’m using for Ubuntu 14.04 is a virtual machine running in VirtualBox. The virtual machine is configured with 2 network adapters: one connects to the ASA and the other connects to a test PC. The GNS3 topology is as shown below:

To enable routing on the Ubuntu system, I have used the following command: echo 1 > /proc/sys/net/ipv4/ip_forward. This command enables routing on the fly and is not permanent. For a permanent solution, refer to this article.

Note: If you need to run that command as a super user, use the following command instead: sudo bash -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

I will also add a route for the 10.0.0.0/24 subnet pointing to the ASA:

 route add -net 10.0.0.0 netmask 255.255.255.0 gw 192.0.2.2

What we want to achieve in this lab is to create a VPN tunnel between the Cisco ASA and the Ubuntu system to protect traffic between the 10.0.0.0/24 and 192.168.56.0/24 subnets.

The configuration on the Cisco ASA is pretty straightforward, as shown below. You can refer to this article to learn more about configuring VPN on the Cisco ASA.

interface GigabitEthernet0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
!
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
access-list VPN_ACL extended permit ip 10.0.0.0 255.255.255.0 192.168.56.0 255.255.255.0
route outside 192.168.56.0 255.255.255.0 192.0.2.1 1
!
crypto ipsec ikev1 transform-set MYSET esp-aes-256 esp-sha-hmac
!
crypto map MYMAP 10 match address VPN_ACL
crypto map MYMAP 10 set peer 192.0.2.1
crypto map MYMAP 10 set ikev1 transform-set MYSET
crypto map MYMAP interface outside
!
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 ikev1 pre-shared-key cisco123

To enable IPsec on the Ubuntu system, we will install Openswan using the following command: apt-get install openswan. Depending on your user permission, you may have to use the sudo command, i.e. sudo apt-get install openswan.

Note: While installing Openswan, you will be asked if you want to create a digital certificate that can be used for authentication. For this article, we will be using pre-shared keys but you may go ahead and create a digital certificate for your own practice.

With Openswan installed, there are two files that are important to us:

  • /etc/ipsec.conf: This is where we configure our VPN settings such as IKE phase 1 and 2 settings, local and remote subnets, etc. We can also create sub-configuration files in /etc/ipsec.d/ instead of using this main configuration file.
  • /etc/ipsec.secrets: This is where we specify pre-shared keys, RSA signatures and pointers to digital certificates.

Let’s take a look at the /etc/ipsec.conf file (yours may look different):

# /etc/ipsec.conf - Openswan IPsec configuration file
# This file: /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup
    # Do not set debug options to debug configuration issues!
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
    # eg:
    # plutodebug="control parsing"
    # Again: only enable plutodebug or klipsdebug when asked by a developer
    #
    # enable to get logs per-peer
    # plutoopts="--perpeerlog"
    #
    # Enable core dumps (might require system changes, like ulimit -C)
    # This is required for abrtd to work properly
    # Note: incorrect SElinux policies might prevent pluto writing the core
    dumpdir=/var/run/pluto/
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their 3G network.
    # This range has not been announced via BGP (at least upto 2010-12-21)
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    protostack=auto
    # Use this to log to a file, or disable logging on embedded systems (like openwrt)
    #plutostderrlog=/dev/null

# Add connections here

# sample VPN connection
# for more examples, see /etc/ipsec.d/examples/
#conn sample
#    # Left security gateway, subnet behind it, nexthop toward right.
#    left=10.0.0.1
#    leftsubnet=172.16.0.0/24
#    leftnexthop=10.22.33.44
#    # Right security gateway, subnet behind it, nexthop toward left.
#    right=10.12.12.1
#    rightsubnet=192.168.0.0/24
#    rightnexthop=10.101.102.103
#    # To authorize this connection, but not actually start it,
#    # at startup, uncomment this.
#    #auto=add

For a complete description of the different items, please refer to the man page for ipsec.conf. The only thing I will do in this file is to add the following line:

 include /etc/ipsec.d/*.conf

This line may already be present in your own configuration file so all you have to do is uncomment it, i.e. remove the “#”. The purpose of this line is so that we can create separate configuration files in the /etc/ipsec.d/ folder.

Now I will create and edit a file for our VPN connection to the Cisco ASA using the following command: gedit /etc/ipsec.d/L2L_with_ASA.conf

Note: I prefer using gedit to edit text files because it’s similar to Notepad. You can use any text editor of your choice.

Let me briefly highlight the options we will be using in the configuration file:

  • conn: An arbitrary name that identifies the connection profile.
  • authby: Authentication between the two VPN peers. It could either be secret (for PSK) or rsasig (for RSA digital signatures).
  • left: The public/outside IP address of the local VPN peer.
  • leftsubnet: The local subnet to be protected. If multiple subnets need to be protected, use leftsubnets instead.
  • right: The public/outside IP address of the remote VPN peer.
  • rightsubnet: The remote subnet to be protected. If multiple subnets need to be protected, use rightsubnets instead.
  • ike: IKE phase 1 (ISAKMP) policy. The format is “cipher-hash;modpgroup, cipher-hash;modpgroup, …”, meaning you can specify multiple policies separated by commas. The “modpgroup” is the Diffie-Hellman group specified in its modular exponential (MODP) format, e.g. DH group 2 is modp1024. You can refer to this link for the different DH groups and the number of bits used by each group.
  • phase2alg: IKE phase 2 algorithms to be accepted. For ESP, the format is similar to the one for ike (“cipher-hash;modpgroup, cipher-hash;modpgroup, …”) but for AH, it’s just “hash;modpgroup, hash;modpgroup, …”. The “modpgroup” in this case is for Perfect Forward Secrecy (PFS) so you don’t have to specify it. Keep in mind that PFS is enabled by default so you can turn it off using “pfs=no” on its own line in the configuration file.

Note that I have left out some options because they have default values. For example, the default connection type is tunnel mode. Also, the default IKE phase 2 protocol is ESP.

My /etc/ipsec.d/L2L_with_ASA.conf file looks like this:

conn L2L_with_ASA
    authby=secret
    auto=start
    left=192.0.2.1
    leftsubnet=192.168.56.0/24
    right=192.0.2.2
    rightsubnet=10.0.0.0/24
    ike=aes192-sha1;modp1024
    phase2alg=aes256-sha1
    pfs=no
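
Both peers must propose the same phase 1 and phase 2 parameters and mirror each other's protected subnets, otherwise negotiation fails. The following check is an added example (not part of the original article or of Openswan): it translates the ASA lines from this article into Openswan notation and lists any conn option that disagrees. The function names and the DH group/hash mapping tables are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed inputs: the relevant lines of the two configurations in this article.
ASA_CFG = """\
access-list VPN_ACL extended permit ip 10.0.0.0 255.255.255.0 192.168.56.0 255.255.255.0
crypto ipsec ikev1 transform-set MYSET esp-aes-256 esp-sha-hmac
crypto map MYMAP 10 set peer 192.0.2.1
crypto ikev1 policy 10
 encryption aes-192
 hash sha
 group 2
"""
SWAN_CFG = """\
conn L2L_with_ASA
    left=192.0.2.1
    leftsubnet=192.168.56.0/24
    right=192.0.2.2
    rightsubnet=10.0.0.0/24
    ike=aes192-sha1;modp1024
    phase2alg=aes256-sha1
"""
DH_GROUPS = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}
HASHES = {"sha": "sha1", "md5": "md5"}  # ASA keyword -> Openswan keyword

def asa_view(cfg):
    """Translate the ASA settings into the Openswan values the Ubuntu peer must use."""
    def find(pattern):
        return re.search(pattern, cfg, re.M).groups()
    src, smask, dst, dmask = find(r"permit ip (\S+) (\S+) (\S+) (\S+)")
    p2_enc, p2_hash = find(r"transform-set \S+ esp-(\S+) esp-(\S+)-hmac")
    enc, hsh, grp = (find(rf"^ {k} (\S+)")[0] for k in ("encryption", "hash", "group"))
    return {
        "left": find(r"set peer (\S+)")[0],  # the ASA's peer is the Ubuntu side
        "leftsubnet": str(ipaddress.ip_network(f"{dst}/{dmask}")),
        "rightsubnet": str(ipaddress.ip_network(f"{src}/{smask}")),
        "ike": f"{enc.replace('-', '')}-{HASHES[hsh]};{DH_GROUPS[grp]}",
        "phase2alg": f"{p2_enc.replace('-', '')}-{HASHES[p2_hash]}",
    }

def swan_view(cfg):
    """Read key=value options from an Openswan conn section."""
    return dict(line.strip().split("=", 1) for line in cfg.splitlines() if "=" in line)

def mismatches(asa_cfg, swan_cfg):
    """Return the Openswan options whose values disagree with the ASA configuration."""
    want, have = asa_view(asa_cfg), swan_view(swan_cfg)
    return sorted(k for k in want if have.get(k) != want[k])
```

Calling mismatches(ASA_CFG, SWAN_CFG) returns an empty list for the settings used here; a non-empty list names the options to correct before restarting IPsec.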

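Next, we will configure our PSK by adding it to the /etc/ipsec.secrets file. Each entry names the two peers, followed by a colon, the keyword PSK and the passphrase in double quotes, i.e. left-IP right-IP: PSK "passphrase". Therefore, my own configuration will be: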

192.0.2.1 192.0.2.2: PSK "cisco123"

Having made and saved our changes, we can restart the IPsec service on the Ubuntu system:

service ipsec stop
service ipsec start

Since we specified “auto=start”, the Ubuntu system will try to initiate the VPN connection automatically. We can check the IKE SAs on the Cisco ASA to confirm that the tunnel is up:

Since the PCs have their respective VPN servers as their default gateway, we can ping between the two PCs:

We can confirm that these packets went through the tunnel by looking at the IPsec SAs on the Cisco ASA:

Summary

There you have it: IPsec site-to-site VPN between a Cisco ASA and a system running Ubuntu 14.04 using pre-shared keys. I hope you have found this article insightful.
