IKEv2 Cisco ASA and strongSwan

In this lesson we’ll take a look how to configure an IPsec IKEv2 tunnel between a Cisco ASA Firewall and a Linux strongSwan server.

strongSwan is an IPsec VPN implementation on Linux which supports IKEv1 and IKEv2 and some EAP/mobility extensions. It’s well documented, maintained and supports Linux kernels 3.x and later.

For this example I’m using an Ubuntu 14.04 LTS server. Here’s the topology:

[Figure: Cisco ASA and strongSwan topology]

Above we have a small network with 4 devices. On the left side we have our strongSwan server, on the other side a Cisco ASA firewall. I’m using two routers called R1 and R2 as “hosts” so we have something to test the VPN with. Let’s start with the strongSwan configuration!

strongSwan Configuration

strongSwan is in the default Ubuntu repositories so installing it is very simple. Just use apt-get to fetch and install it:

# apt-get install strongswan

The main configuration is done in the ipsec.conf file. Open your favorite text editor and edit it:

# vim /etc/ipsec.conf

This is what the configuration should look like:

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn %default
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret

# Replace the <...> placeholders with your own addresses and subnets.
conn ciscoasa
        left=<strongSwan outside IP>
        leftsubnet=<subnet behind strongSwan>
        leftid=<strongSwan outside IP>
        right=<ASA outside IP>
        rightsubnet=<subnet behind the ASA>
        rightid=<ASA outside IP>
        auto=add
        ike=aes128-sha1-modp1536
        esp=aes128-sha1
        keyexchange=ikev2

Let’s discuss these parameters so you know what we are dealing with. The first two items (strictcrlpolicy and uniqueids) are commented out by default and we don’t have to worry about them. The parameters under the %default connection apply to all connections unless a specific connection profile overrides them.

  • ikelifetime=1440m: This is the IKE Phase 1 (IKE SA) lifetime. strongSwan accepts a unit suffix (s, m, h, d); a bare number means seconds. 1440 minutes equals 86400 seconds (1 day), which is a common value and also the default IKEv2 policy lifetime on our Cisco ASA Firewall. strongSwan’s own default is 3h, so we set it explicitly.
  • keylife=60m: This is the IKE Phase 2 (IPsec / CHILD SA) lifetime. The strongSwan default is 60 minutes, the same as our Cisco ASA Firewall’s 3600 seconds (1 hour). IKEv2 does not negotiate lifetimes, so mismatched values don’t break the tunnel; matching them just keeps rekeying predictable.
  • rekeymargin=3m: How long before an SA expires strongSwan should start negotiating its replacement. This way the new SA is already in place when the current one expires and there is no downtime. This is a local value; it doesn’t have to match the other side.
  • keyingtries=1: How many attempts strongSwan should make to negotiate a connection (or a replacement) before giving up. This is a local value too; it doesn’t have to match the other side.
  • keyexchange=ikev1: The default is to use IKEv1; we will override this in the connection profile below.
  • authby=secret: The default authentication method is pre-shared keys.

Now for our site-to-site VPN with the Cisco ASA Firewall we have another connection profile called “ciscoasa” with some more specific parameters:

    • left= strongSwan sees itself as “left” so this is where we configure the IP address of strongSwan that we want to use for the IPsec VPN.
    • leftsubnet= The subnet behind strongSwan that we want to reach through the VPN.
    • leftid= how strongSwan should identify itself, this can be an IP address or a FQDN. We’ll use the IP address.
    • right= the IP address of the Cisco ASA Firewall.
    • rightsubnet= The subnet behind the Cisco ASA Firewall.
    • rightid= the ID of the Cisco ASA Firewall.
    • auto=add: The connection is loaded when the IPsec daemon starts but the tunnel is not initiated. strongSwan will answer when the ASA initiates, or you bring it up by hand with “ipsec up ciscoasa”. With “auto=start” the tunnel is built as soon as the daemon starts; with “auto=route” strongSwan installs a trap policy and negotiates the tunnel as soon as traffic for the remote subnet shows up.
    • ike=aes128-sha1-modp1536: The security parameters for IKE Phase 1, in this example AES 128-bit, SHA-1 and DH group 5. SHA-1 and DH group 5 are legacy choices kept here because they match the ASA side; for a new deployment prefer something like aes256-sha256-modp2048 and change the ASA’s IKEv2 policy to match.
    • esp=aes128-sha1: We use ESP with AES 128-bit and HMAC-SHA-1 for Phase 2. There is no DH group in this proposal, so the CHILD SA is rekeyed without Perfect Forward Secrecy; appending a group (for example aes128-sha1-modp1536) enables PFS, and the ASA’s crypto map then needs the matching pfs group.
    • keyexchange=ikev2: We want to use IKEv2 for this connection profile.

This completes the connection profile but we still have to configure the pre-shared keys. This is done in the ipsec.secrets file. Open your text editor:

# vim /etc/ipsec.secrets

IKEv2 allows us to use a different pre-shared key for each peer; to keep it simple we’ll use the same key on both sides. Each PSK line starts with the peer ID (here the IP address) it applies to. Add this to the ipsec.secrets file, replacing the placeholders with your two peer addresses:

<strongSwan outside IP> : PSK "networklessons"
<ASA outside IP> : PSK "networklessons"

“networklessons” is only a demo value: with PSK authentication the key is all that protects the tunnel against an active attacker, so use a long random string and keep ipsec.secrets readable by root only (mode 600).
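As an added example (not code from this lesson or from the strongSwan project), the following Python script audits an ipsec.conf/ipsec.secrets pair like the one above before the tunnel is brought up. It merges conn %default into the ciscoasa profile the way strongSwan does, converts the minute-based lifetimes to seconds so they can be compared with the ASA’s 86400/3600, flags SHA-1 and DH group 5 (modp1536) as legacy, reports the missing DH group in esp= (no PFS), and checks the PSK. The two sample files are constructed from the parameters in this lesson; the 192.0.2.x peer addresses and 192.168.x.0/24 subnets are placeholders, not the lesson’s values.

```python
"""Audit a strongSwan ipsec.conf / ipsec.secrets pair for an IKEv2 tunnel to a Cisco ASA.

Added example, not part of the lesson or of strongSwan. The sample files below are
constructed from the lesson's parameters; all addresses are placeholders.
"""
import re

# Integrity/encryption/DH tokens a current deployment should no longer negotiate.
LEGACY_TOKENS = {"md5", "sha1", "des", "3des", "modp768", "modp1024", "modp1536"}
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

SAMPLE_CONF = """\
config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn %default
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret

conn ciscoasa
        left=192.0.2.1
        leftsubnet=192.168.1.0/24
        leftid=192.0.2.1
        right=192.0.2.2
        rightsubnet=192.168.2.0/24
        rightid=192.0.2.2
        auto=add
        ike=aes128-sha1-modp1536
        esp=aes128-sha1
        keyexchange=ikev2
"""

SAMPLE_SECRETS = """\
# constructed sample, same demo PSK as the lesson
192.0.2.1 : PSK "networklessons"
192.0.2.2 : PSK "networklessons"
"""


def parse_ipsec_conf(text):
    """Return {conn_name: settings} with conn %default merged underneath each conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                     # unindented = section header
            current = " ".join(line.split())
            sections[current] = {}
            continue
        key, _, value = line.strip().partition("=")
        sections[current][key.strip()] = value.strip()
    defaults = sections.get("conn %default", {})
    return {name[5:]: {**defaults, **values}
            for name, values in sections.items()
            if name.startswith("conn ") and name != "conn %default"}


def lifetime_seconds(value):
    """'1440m' -> 86400, '3h' -> 10800, bare number = seconds (strongSwan semantics)."""
    m = re.fullmatch(r"(\d+)\s*([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"not a strongSwan time value: {value!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2) or "s"]


def proposal_tokens(proposal):
    """All algorithm tokens of a proposal list such as 'aes128-sha1-modp1536,aes256gcm16-ecp256!'."""
    return [t.strip().lower() for alt in proposal.rstrip("!").split(",") for t in alt.split("-")]


def legacy_algorithms(proposal):
    return [t for t in proposal_tokens(proposal) if t in LEGACY_TOKENS]


def has_dh_group(proposal):
    """True if the esp= proposal carries a DH group, i.e. the CHILD SA rekeys with PFS."""
    return any(t.startswith(("modp", "ecp", "curve", "x448")) for t in proposal_tokens(proposal))


def audit_conn(conn, asa_ike_lifetime=86400, asa_ipsec_lifetime=3600):
    """Findings for one conn against the ASA default lifetimes quoted in the lesson."""
    findings = []
    if conn.get("keyexchange") != "ikev2":
        findings.append("keyexchange is not ikev2 (the %default ikev1 was not overridden)")
    ike_life = lifetime_seconds(conn.get("ikelifetime", "3h"))    # strongSwan defaults
    ipsec_life = lifetime_seconds(conn.get("keylife", "1h"))
    margin = lifetime_seconds(conn.get("rekeymargin", "9m"))
    # IKEv2 does not negotiate lifetimes; a mismatch is only noisy, not fatal.
    if ike_life != asa_ike_lifetime:
        findings.append(f"ikelifetime {ike_life}s differs from ASA {asa_ike_lifetime}s")
    if ipsec_life != asa_ipsec_lifetime:
        findings.append(f"keylife {ipsec_life}s differs from ASA {asa_ipsec_lifetime}s")
    if margin >= ipsec_life:
        findings.append("rekeymargin is not shorter than keylife; replacement SA can never be ready")
    for key in ("ike", "esp"):
        if weak := legacy_algorithms(conn.get(key, "")):
            findings.append(f"{key}= negotiates legacy algorithms: {', '.join(weak)}")
    if not has_dh_group(conn.get("esp", "")):
        findings.append("esp= has no DH group, so the CHILD SA is rekeyed without PFS")
    findings += [f"{k}= is missing" for k in ("left", "right", "leftsubnet", "rightsubnet") if not conn.get(k)]
    return findings


def parse_secrets(text):
    """[(selector_ids, psk)] for every PSK line of an ipsec.secrets file."""
    entries = []
    for raw in text.splitlines():
        if raw.strip().startswith("#"):
            continue
        if m := re.match(r'^(.*?)\s*:\s*PSK\s+"([^"]*)"', raw.strip()):
            entries.append((m.group(1).split(), m.group(2)))
    return entries


def weak_psk(psk, min_len=20):
    """Short or letters-only PSKs are brute-forceable offline once an exchange is captured."""
    return len(psk) < min_len or psk.isalpha()


def audit_files(conf_text, secrets_text):
    """{conn: findings} plus '_secrets': findings on the PSK lines."""
    report = {name: audit_conn(conn) for name, conn in parse_ipsec_conf(conf_text).items()}
    report["_secrets"] = [f"weak PSK for {' '.join(ids) or 'any peer'} ({len(psk)} chars)"
                          for ids, psk in parse_secrets(secrets_text) if weak_psk(psk)]
    return report


if __name__ == "__main__":
    for section, findings in audit_files(SAMPLE_CONF, SAMPLE_SECRETS).items():
        print(section)
        for f in findings or ["ok"]:
            print("  -", f)
```

Run against the lesson’s own values the script accepts the lifetimes (1440m and 60m are exactly the ASA’s 86400 s and 3600 s) but reports SHA-1 in both proposals, DH group 5 in ike=, the absence of PFS in esp=, and the demo PSK on both lines.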

This completes the IPsec configuration. There’s still one thing left to do: by default Ubuntu (like most Linux distributions) will not act as a router, so it won’t forward IP packets from one interface to another. Enable forwarding with the following command:

# sysctl -w net.ipv4.ip_forward=1

Forwarding is now activated. If you want to enable this at boot then you should add it to the sysctl.conf file. You can do it like this:

# echo "net.ipv4.ip_forward = 1" |  tee -a /etc/sysctl.conf

Everything is now in place for strongSwan. Let’s start the IPsec daemon:

# ipsec start
Starting strongSwan 5.1.2 IPsec [starter]...

Now we can work on the Cisco ASA…

Cisco ASA Configuration

In a previous lesson I covered the configuration of IKEv2 IPsec VPN between two Cisco ASA firewalls so I won’t explain all commands one by one again. First we’ll configure the interfaces:

ASA1(config)# interface e0/0
ASA1(config-if)# no shutdown
ASA1(config-if)# nameif INSIDE
ASA1(config-if)# ip address
ASA1(config)# interface e0/1
ASA1(config-if)# no shutdown
ASA1(config-if)# nameif OUTSIDE
ASA1(config-if)# ip address

Now we can configure the VPN settings. Let’s start with the IKEv2 policy:



Forum Replies

  1. Thanks rené,

    My present configuration is quite the same but I don’t have (yet) a subnet under the strongSwan platform (this may come later).
    So I would like to configure the VPN and test it (ping, scp…) directly with the strongSwan platform and not with its subnet.
    What should I change in your configuration for it?
    Thanks again.

  2. Hello Nguyen

    strongSwan has some EAP and mobility extensions that can be useful for enterprise networks. However, the reason why you would use strongSwan for such a connection is primarily because it is a software package that has widespread use, and you will see it frequently in corporate networks. For this reason, it is a good idea to understand how to interconnect with it, as you may be called upon to make such a connection. Because it is well documented and maintained, it is likely that you will encounter it in the marketplace.

    Although much of what stro


  3. Hello Rene,
    I’m trying to configure an IPsec IKEv2 VPN between a Cisco ASA (ASA5506-X) and pfSense, but unfortunately without success. Running debug crypto ikev2 platform I get the following messages:

    IKEv2-PLAT-1: (88): IKEv2 protocol not allowed by policy set for vpn-tunnel-protocol
    IKEv2-PLAT-1: (88): Connection is not authorized based on configured attributes
    IKEv2-PLAT-2: (88): connection auth hdl set to -1
    IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable.  Local Type = 0.  Local Address =  Remote Type = 0.  Remote Address = 0.0.0
