IPSEC site-to-site Openswan to Cisco ASA

Posted by Jim on Server Fault See other posts from Server Fault or by Jim
Published on 2012-10-19T16:59:21Z Indexed on 2012/10/19 17:03 UTC
Read the original article Hit count: 537

Filed under:
|
|
|
|

I recieved a list of commands that were run on the right side of the VPN tunnel which is where the Cisco ASA resides. On my side, I have a linux based firewall running debian with openswan installed. I am having an issue with getting to Phase 2 of the VPN negotiation.

Here is the Cisco Information I was sent: {my_public_ip} = left side of connection

tunnel-group  {my_public_ip} type ipsec-l2l
tunnel-group  {my_public_ip} ipsec-attributes
 pre-shared-key fakefake

crypto map vpn1 1 match add customer-ipsec
crypto map vpn1 1 set peer  {my_public_ip}
crypto map vpn1 1 set transform-set aes-256-sha
crypto map vpn1 interface outside

static (outside,inside) 10.2.1.200  {my_public_ip} netmask 255.255.255.255 

crypto ipsec transform-set aes-256-sha esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto map vpn1 1 match address customer-ipsec
crypto map vpn1 1 set peer {my_public_ip}
crypto map vpn1 1 set transform-set aes-256-sha
crypto map vpn1 interface outside

crypto isakmp enable outside

crypto isakmp policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400 

Myside ipsec.conf config setup klipsdebug=none plutodebug=none protostack=netkey #nat_traversal=yes

conn cisco #name of VPN connection
        type=tunnel
        authby=secret
        #left side (myside)
        left={myPublicIP}
        leftsubnet=172.16.250.0/24 #net subnet on left sdie to assign to right side
        leftnexthop=%defaultroute

        #right security gateway (ASA side)
        right={CiscoASA_publicIP} #cisco ASA
        rightsubnet=10.2.1.0/24
        rightnexthop=%defaultroute

        #crypo stuff
        keyexchange=ike
        ikelifetime=86400s
        auth=esp
        pfs=no

        compress=no
        auto=start      

ipsec.secrets file

{CiscoASA_publicIP} {myPublicIP}: PSK "fakefake"

When I start ipsec from the left side/my side I don't recieve any errors, however when I run the ipsec auto --status command:

000 "cisco": 172.16.250.0/24==={left_public_ip}<{left_public_ip}>[+S=C]---{left_public_ip_gateway}...{left_public_ip_gateway}--{right_public_ip}<{right_public_ip}>[+S=C]===10.2.1.0/24; prospective erouted; eroute owner: #0
000 "cisco":     myip=unset; hisip=unset;
000 "cisco":   ike_life: 86400s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "cisco":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth0; 
000 "cisco":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
000  
000 #2: "cisco":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 10s; nodpd; idle; import:admin initiate
000 #2: pending Phase 2 for "cisco" replacing #0

Now I'm new to setting up an site-to-site IPSEC tunnel so the status informatino I am unsure what it means. All I know is it sits at this "pending Phase 2" and I can't ping the other side,

Another question I have is, if I do a route -n, should I see anything relating to this connection?

Also, I read a few artilcle where configs contained the interface="ipsec0=eth0", is this an interface that I have to create on the linux debian firewall on my side?

Appreciate your time to look at this.

© Server Fault or respective owner

Related posts about iptables

Related posts about cisco