IPSEC site-to-site Openswan to Cisco ASA
- by Jim
I recieved a list of commands that were run on the right side of the VPN tunnel which is where the Cisco ASA resides. On my side, I have a linux based firewall running debian with openswan installed. I am having an issue with getting to Phase 2 of the VPN negotiation.
Here is the Cisco Information I was sent: {my_public_ip} = left side of connection
tunnel-group {my_public_ip} type ipsec-l2l
tunnel-group {my_public_ip} ipsec-attributes
pre-shared-key fakefake
crypto map vpn1 1 match add customer-ipsec
crypto map vpn1 1 set peer {my_public_ip}
crypto map vpn1 1 set transform-set aes-256-sha
crypto map vpn1 interface outside
static (outside,inside) 10.2.1.200 {my_public_ip} netmask 255.255.255.255
crypto ipsec transform-set aes-256-sha esp-aes-256 esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map vpn1 1 match address customer-ipsec
crypto map vpn1 1 set peer {my_public_ip}
crypto map vpn1 1 set transform-set aes-256-sha
crypto map vpn1 interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
Myside ipsec.conf
config setup
klipsdebug=none
plutodebug=none
protostack=netkey
#nat_traversal=yes
conn cisco #name of VPN connection
type=tunnel
authby=secret
#left side (myside)
left={myPublicIP}
leftsubnet=172.16.250.0/24 #net subnet on left sdie to assign to right side
leftnexthop=%defaultroute
#right security gateway (ASA side)
right={CiscoASA_publicIP} #cisco ASA
rightsubnet=10.2.1.0/24
rightnexthop=%defaultroute
#crypo stuff
keyexchange=ike
ikelifetime=86400s
auth=esp
pfs=no
compress=no
auto=start
ipsec.secrets file
{CiscoASA_publicIP} {myPublicIP}: PSK "fakefake"
When I start ipsec from the left side/my side I don't recieve any errors, however when I run the ipsec auto --status command:
000 "cisco": 172.16.250.0/24==={left_public_ip}<{left_public_ip}>[+S=C]---{left_public_ip_gateway}...{left_public_ip_gateway}--{right_public_ip}<{right_public_ip}>[+S=C]===10.2.1.0/24; prospective erouted; eroute owner: #0
000 "cisco": myip=unset; hisip=unset;
000 "cisco": ike_life: 86400s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "cisco": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth0;
000 "cisco": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #2: "cisco":500 STATE_MAIN_I1 (sent MI1, expecting MR1); EVENT_RETRANSMIT in 10s; nodpd; idle; import:admin initiate
000 #2: pending Phase 2 for "cisco" replacing #0
Now I'm new to setting up an site-to-site IPSEC tunnel so the status informatino I am unsure what it means. All I know is it sits at this "pending Phase 2" and I can't ping the other side,
Another question I have is, if I do a route -n, should I see anything relating to this connection?
Also, I read a few artilcle where configs contained the interface="ipsec0=eth0", is this an interface that I have to create on the linux debian firewall on my side?
Appreciate your time to look at this.
