In this lesson we’ll take a look how to configure an IPsec IKEv2 tunnel between a Cisco ASA Firewall and a Linux strongSwan server.
strongSwan is an IPsec VPN implementation on Linux which supports IKEv1 and IKEv2 and some EAP/mobility extensions. It’s well documented, maintained and supports Linux kernels 3.x and later.
For this example I’m using a Ubuntu 14.04 LTS server. Here’s the topology:
Above we have a small network with 4 devices. On the left side we have our strongSwan server, on the other side a Cisco ASA firewall. I’m using two routers called R1 and R2 as “hosts” so we have something to test the VPN. Let’s start with the strongSwan configuration!
strongSwan is in the default Ubuntu repositories so installing it is very simple. Just use apt-get to fetch and install it:
# apt-get install strongswan
The main configuration is done in the ipsec.conf file. Open your favorite text editor and edit it:
# vim /etc/ipsec.conf
This is what the configuration should look like:
# uniqueids = no
Let’s discuss these parameters so you know what we are dealing with. The first two items (strictcrlpolicy and uniqueids) are uncommented by default and we don’t have to worry about these. The first parameters are under the %default connection which means they apply to all connections unless overruled by a specific connection profile.
- ikelifetime=1440m: This is the IKE Phase 1 (ISAKMP) lifetime. In strongSwan this is configured in minutes. The default value equals 86400 seconds (1 day). This is a common value and also the default on our Cisco ASA Firewall.
- keylife=60m: This is the IKE Phase2 (IPsec) lifetime. Default strongSwan value is 60 minutes which is the same as our Cisco ASA Firewall’s 3600 seconds (1 hour).
- rekeymargin=3m: How long before the SA expiry should strongSwan attempt to negiotate the replacements. This is used so when a SA is about to expire, there is already a new SA so that we don’t have any downtime when the current SA expires. This is a local value, it doesn’t have to match with the other side.
- keyingtries=1: How many attempts should strongSwan make to negotiate a connection (or replacement) before giving up. This is a local value, doesn’t have to match with the other side.
- keyexchange=ikev1: The default is to use IKEv1, we will overule this with another connection profile.
- authby=secret: The default authentication method is to use pre-shared keys.
Now for our site-to-site VPN with the Cisco ASA Firewall we have another connection profile called “ciscoasa” with some more specific parameters:
- left=10.10.10.1: strongSwan sees itself as “left” so this is where we configure the IP address of strongSwan that we want to use for the IPsec VPN.
- leftsubnet=192.168.1.0/24: The subnet behind strongSwan that we want to reach through the VPN.
- leftid=10.10.10.1: how strongSwan should identify itself, this can be an IP address or a FQDN. We’ll use the IP address.
- right=10.10.10.2: the IP address of the Cisco ASA Firewall.
- rightsubnet=192.168.2.0/24: The subnet behind the Cisco ASA Firewall.
- rightid=10.10.10.2: the ID of the Cisco ASA Firewall.
- auto=add: This means that this connection is loaded when the IPSEC daemon starts but the tunnel isn’t built right away. The tunnel will be built as soon as there is traffic that should go through the tunnel. if you set this value to “start” then the tunnel will be built as soon as the daemon is started.
- ike=aes128-sha1-modp1536: The security parameters for IKE Phase 1, in this example we use AES 128-bit, SHA-1 and DH Group 5.
- esp=aes128-sha1: We use ESP, AES 128-bit and SHA-1 for Phase 2.
- keyexchange=ikev2: We want to use IKEv2 for this connection profile.
This completes the connection profile but we still have to configure the pre-shared keys. This is done in the ipsec.secrets file. Open your text editor:
# vim /etc/ipsec.secrets
IKEv2 allows us to use a different pre-shared key for each peer, to keep it simple we’ll use the same key on both sides. Add this to the ipsec.secrets file:
10.10.10.1 : PSK "networklessons"
10.10.10.2 : PSK "networklessons"
This completes the IPsec configuration. There’s still one thing left to do…by default, Ubuntu (or most Linux distributions) will not act as a router…it won’t forward IP packets from one interface to another. To enable this you have to use the following command:
# sysctl -w net.ipv4.ip_forward=1
Forwarding is now activated. If you want to enable this at boot then you should add it to the sysctl.conf file. You can do it like this:
# echo "net.ipv4.ip_forward = 1" | tee -a /etc/sysctl.conf
Everything is now in place for strongSwan. Let’s start the IPsec daemon:
# ipsec start
Starting strongSwan 5.1.2 IPsec [starter]...
Now we can work on the Cisco ASA…
Cisco ASA Configuration
In a previous lesson I covered the configuration of IKEv2 IPsec VPN between two Cisco ASA firewalls so I won’t explain all commands one by one again. First we’ll configure the interfaces:
ASA1(config)# interface e0/0
ASA1(config-if)# no shutdown
ASA1(config-if)# nameif INSIDE
ASA1(config-if)# ip address 192.168.2.254 255.255.255.0
ASA1(config)# interface e0/1
ASA1(config-if)# no shutdown
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address 10.10.10.2 255.255.255.0
Now we can configure the VPN settings. Let’s start with the IKEv2 policy: