Wednesday, February 20, 2013

How to establish site to site vpn - Linux machine and cisco asa

Hi,

I am trying to establish vpn between my linux server and cisco asa at client side.


I installed openswan on my cent os.


Linux Server:

eth0 - 182.2.29.10 [ I have public IP]
Gateway - 182.2.29.1 [ and gw]
eth1 - 192.9.200.75 [ Internal Lan i/f]


I have simple iptables rules like:

WAN="eth0"
LAN="eth1"
iptables -t nat -A POSTROUTING -o $WAN -j SNAT --to 182.2.29.10
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $LAN -j ACCEPT
iptables -A INPUT -i $WAN -j ACCEPT

iptables -A FORWARD -i lo -j ACCEPT
iptables -A FORWARD -i $LAN -j ACCEPT
iptables -A FORWARD -i $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -s 192.9.200.0/255.255.255.0 -j ACCEPT
iptables -A FORWARD -d 192.9.200.0/255.255.255.0 -j ACCEPT

iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT


-------------------------------

Client side Cisco ASA - Device
Provided details:

BD gateway ip is 212.2.7.15 [ Public IP]
Source IP :- 192.168.91.224
ESP-3DES-SHA1
Lifetime is 86400 seconds (Phase-1) & 3600 seconds (Phase-2)
Authentication is pre-shared


I need advice on configuring ipsec.conf and ipsec.secrets, and on which iptables rules I need to add or modify.


Thanks


Best

Ashok

-------------------------------

Hi,

Since I suppose you are going to use your CentOS box as the main gateway, you might also want to specify the following settings in /etc/sysctl.conf:

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Disable ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.secure_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.secure_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0

And then run `sysctl -p` to apply the changes.


For OpenSwan configuration, in your scenario, we are going to assume "right side" to be the CentOS box, and "left side" to be the Cisco ASA. So your /etc/ipsec.conf should look like this:


config setup
    dumpdir=/var/run/pluto/
    nat_traversal=no
    oe=off
    protostack=netkey
    virtual_private=%v4:/24,%v4:/24
    plutostderrlog=/dev/null
    force_keepalive=yes
    keep_alive=30

conn my_connection_from_linux_to_cisco_asa
    authby=secret
    left=
    leftid=
    leftsubnet=
    leftnexthop=
    right=
    rightid=
    rightsubnet=
    rightnexthop=
    type=tunnel
    ike=3des-md5
    phase2=esp
    keyingtries=3
    rekey=no
    keyexchange=ike
    ikelifetime=86400s
    pfs=yes
    forceencaps=no
    auto=start


Your /etc/ipsec.secrets should look something like this:


: PSK "sgfFGGFSdsfdsfsTRTRtgdfGs"


And your iptables, at the very minimum, should have the following rules:


*mangle
:PREROUTING ACCEPT [1:1]
:INPUT ACCEPT [1:1]
:FORWARD ACCEPT [1:1]
:OUTPUT ACCEPT [1:1]
:POSTROUTING ACCEPT [1:1]
COMMIT

*filter
:INPUT ACCEPT [1:1]
:FORWARD ACCEPT [1:1]
:OUTPUT ACCEPT [1:1]
-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 4500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A INPUT -s /32 -i eth0 -j ACCEPT
-A INPUT -s /24 -i eth0 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
COMMIT

*nat
:PREROUTING ACCEPT [1:1]
:OUTPUT ACCEPT [1:1]
:POSTROUTING ACCEPT [1:1]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT


Configure your Cisco ASA, and then on your CentOS box run:

ipsec auto --add my_connection_from_linux_to_cisco_asa
ipsec auto --up my_connection_from_linux_to_cisco_asa

or, if you don't have any other tunnels set up, simply run:

ipsec setup restart

and it should say "1 tunnel(s) up". You should now be able to ping the private IP of the Cisco ASA from your Linux box.
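The reply leaves the conn's addresses blank and lists the iptables rules without a way to check them. The script below is an added example, not code from either post: `render_conn` fills the reply's left/right layout with the addresses the question gives (182.2.29.10 and 192.9.200.0/24 on the Linux side, 212.2.7.15 and 192.168.91.224 on the ASA side), and `audit_ipsec_rules` scans an `iptables-save` dump for the explicit IKE (UDP 500), NAT-T (UDP 4500) and ESP rules the reply lists. Several things are assumptions rather than facts from the thread: the ASA-side host is treated as a /32; `ike=3des-sha1` stands in for the ASA's phase-1 policy, which the thread never states (the reply's `ike=3des-md5` is one guess, this is another); `phase2alg=3des-sha1` and `salifetime=3600s` are the Openswan settings that express the ESP-3DES-SHA1 proposal and the 3600 second phase-2 lifetime the client quoted; and `pfs=yes` has to match the ASA crypto map, which is not shown. The sample dumps are constructed, not captured from a host. Note also that the question's own rule `iptables -A INPUT -i $WAN -j ACCEPT` admits every packet arriving on eth0, so the explicit rules only start to matter once that blanket accept is replaced by a default-deny INPUT policy.

```shell
#!/bin/sh
# Added example, not code from the thread. Renders an Openswan conn block
# from the addressing the question gives, and audits an iptables-save dump
# for the explicit IKE/ESP rules the reply lists. Assumptions are marked.

# Values taken from the question (Linux side) and the "provided details"
# for the ASA side.
LINUX_PUBLIC="182.2.29.10"      # eth0 on the CentOS box
LINUX_GW="182.2.29.1"           # its default gateway
LINUX_LAN="192.9.200.0/24"      # LAN on eth1
ASA_PUBLIC="212.2.7.15"         # "BD gateway ip"
ASA_HOST="192.168.91.224/32"    # "Source IP"; the /32 is an assumption

# Render the conn. Sides are named as in the reply: ASA = left, CentOS =
# right. ike= is an assumption (the ASA's phase-1 policy is not stated);
# phase2alg/salifetime encode ESP-3DES-SHA1 and the 3600 s phase-2 lifetime.
# pfs must match the ASA crypto map, which the thread does not show.
render_conn() {
  cat <<EOF
conn linux_to_asa
    authby=secret
    left=$ASA_PUBLIC
    leftid=$ASA_PUBLIC
    leftsubnet=$ASA_HOST
    right=$LINUX_PUBLIC
    rightid=$LINUX_PUBLIC
    rightsubnet=$LINUX_LAN
    rightnexthop=$LINUX_GW
    type=tunnel
    keyexchange=ike
    ike=3des-sha1
    phase2=esp
    phase2alg=3des-sha1
    ikelifetime=86400s
    salifetime=3600s
    pfs=yes
    auto=start
EOF
}

# Audit an iptables-save dump read from stdin. Prints one "missing:" line
# per required rule that is absent and returns 1 if any is missing.
# UDP 500 is IKE, UDP 4500 is NAT-T, and ESP is the tunnel payload itself.
audit_ipsec_rules() {
  dump=$(cat)
  missing=0
  for want in \
    '-A INPUT .*-p udp .*--dport 500 .*-j ACCEPT' \
    '-A INPUT .*-p udp .*--dport 4500 .*-j ACCEPT' \
    '-A INPUT -p esp -j ACCEPT' \
    '-A OUTPUT -p esp -j ACCEPT'
  do
    if ! printf '%s\n' "$dump" | grep -Eq -- "$want"; then
      echo "missing: $want"
      missing=1
    fi
  done
  return $missing
}

# Constructed sample dump (not captured from any real host).
sample_complete() {
  cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
-A OUTPUT -p esp -j ACCEPT
COMMIT
EOF
}

# Same dump with the two ESP rules left out: IKE would still negotiate,
# but no tunnel traffic would pass.
sample_missing_esp() {
  sample_complete | grep -v -- '-p esp'
}

# Stand-alone usage: "render" prints the conn, "audit" checks the live
# ruleset (needs root), anything else audits the constructed samples.
case "${1:-}" in
  render) render_conn ;;
  audit)  iptables-save | audit_ipsec_rules ;;
  *)      sample_complete | audit_ipsec_rules && echo "complete sample: ok"
          sample_missing_esp | audit_ipsec_rules || echo "esp sample: rc=$?" ;;
esac
```

Run it with `render` to get a conn block you can paste under the reply's `config setup`, or with `audit` on the gateway itself to compare the live ruleset against what IKE and ESP need; the audit only looks for explicit accepts, so a chain whose default policy is ACCEPT passes traffic while still being reported as missing rules.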
