Thread: How to establish site to site vpn - Linux machine and cisco asa?

  1. #1

    How to establish site to site vpn - Linux machine and cisco asa?

    Hi,

    I am trying to establish a VPN between my Linux server and a Cisco ASA at the client side.

    I installed Openswan on my CentOS box.

    Linux Server

    Code:

    eth0 - 182.2.29.10 [ I have public IP]
    Gateway - 182.2.29.1 [ and gw]
    eth1 - 192.9.200.75 [ Internal Lan i/f]


    I have simple iptables rules like:
    WAN="eth0"
    LAN="eth1"
    iptables -t nat -A POSTROUTING -o $WAN -j SNAT --to 182.2.29.10
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -i $LAN -j ACCEPT
    iptables -A INPUT -i $WAN -j ACCEPT

    iptables -A FORWARD -i lo -j ACCEPT
    iptables -A FORWARD -i $LAN -j ACCEPT
    iptables -A FORWARD -i $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT

    iptables -A FORWARD -s 192.9.200.0/255.255.255.0 -j ACCEPT
    iptables -A FORWARD -d 192.9.200.0/255.255.255.0 -j ACCEPT

    iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

    -------------------------------
    Client side Cisco ASA - Device
    Provided details :

    BD gateway ip is 212.2.7.15 [ Public IP]
    Source IP :- 192.168.91.224
    ESP-3DES-SHA1
    Lifetime is 86400 seconds (Phase-1) & 3600 seconds (Phase-2)
    Authentication is pre-shared


    I need advice on configuring ipsec.conf and ipsec.secrets, and on which iptables rules I need to add or modify.

    Thanks

    Best
    Ashok

  2. #2
    Newbie | Join Date: Feb 2013 | Location: San Diego, CA | Posts: 1
    Hi,

    Since I suppose you are going to use your CentOS box as the main gateway, you might also want to specify the following settings in /etc/sysctl.conf


    # Controls IP packet forwarding
    net.ipv4.ip_forward = 1
    #Disable ICMP redirects
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.all.secure_redirects = 0
    net.ipv4.conf.all.send_redirects = 0
    net.ipv4.conf.default.accept_redirects = 0
    net.ipv4.conf.default.secure_redirects = 0
    net.ipv4.conf.default.send_redirects = 0
    net.ipv4.conf.lo.accept_redirects = 0
    net.ipv4.conf.lo.secure_redirects = 0
    net.ipv4.conf.lo.send_redirects = 0
    net.ipv4.conf.eth0.accept_redirects = 0
    net.ipv4.conf.eth0.secure_redirects = 0
    net.ipv4.conf.eth0.send_redirects = 0

    And then run: sysctl -p to apply changes.

    For OpenSwan configuration, in your scenario, we are going to assume "right side" to be the CentOS box, and "left side" to be the Cisco ASA. So your /etc/ipsec.conf should look like this:

    config setup
        dumpdir=/var/run/pluto/
        nat_traversal=no
        oe=off
        protostack=netkey
        virtual_private=%v4:<cisco private network>/24,%v4:<centos private network>/24
        plutostderrlog=/dev/null
        force_keepalive=yes
        keep_alive=30

    conn my_connection_from_linux_to_cisco_asa
        authby=secret
        left=<public ip of cisco asa>
        leftid=<public ip of cisco asa>
        leftsubnet=<cisco asa internal interface subnet example: 192.168.1.0/24>
        leftnexthop=<cisco asa internal interface IP example: 192.168.1.254>
        right=<private ip of your linux box>
        rightid=<public IP of the network where your linux box is connected>
        rightsubnet=<linux box private subnet example 172.16.1.0/16>
        rightnexthop=<private IP of your linux box if it's the default gateway>
        type=tunnel
        ike=3des-md5
        phase2=esp
        keyingtries=3
        rekey=no
        keyexchange=ike
        ikelifetime=86400s
        pfs=yes
        forceencaps=no
        auto=start

    Your /etc/ipsec.secrets should look something like this:

    <cisco asa public IP> <linux box public IP> : PSK "sgfFGGFSdsfdsfsTRTRtgdfGs"

    And your iptables, at the very minimum, should have the following rules:

    *mangle
    :PREROUTING ACCEPT [1:1]
    :INPUT ACCEPT [1:1]
    :FORWARD ACCEPT [1:1]
    :OUTPUT ACCEPT [1:1]
    :POSTROUTING ACCEPT [1:1]
    COMMIT
    *filter
    :INPUT ACCEPT [1:1]
    :FORWARD ACCEPT [1:1]
    :OUTPUT ACCEPT [1:1]
    -A INPUT -p udp -m state --state NEW -m udp --dport 500 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 4500 -j ACCEPT
    -A INPUT -p udp -m state --state NEW -m udp --dport 4500 -j ACCEPT
    -A INPUT -p esp -j ACCEPT
    -A INPUT -s <cisco asa public IP>/32 -i eth0 -j ACCEPT
    -A INPUT -s <cisco asa internal subnet>/24 -i eth0 -j ACCEPT
    -A OUTPUT -p udp -m udp --sport 500 --dport 500 -j ACCEPT
    -A OUTPUT -p esp -j ACCEPT
    COMMIT
    *nat
    :PREROUTING ACCEPT [1:1]
    :OUTPUT ACCEPT [1:1]
    :POSTROUTING ACCEPT [1:1]
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT

    Configure your Cisco ASA, and then on your CentOS box run:

    ipsec auto --add my_connection_from_linux_to_cisco_asa
    ipsec auto --up my_connection_from_linux_to_cisco_asa

    or, if you don't have any other tunnels set up, simply run: ipsec setup restart

    and it should say 1 tunnel(s) up. You should now be able to ping the private IP of the Cisco ASA from your Linux box.
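The following shell script is an added example and not code from either post. It stages the three files the reply describes (ipsec.conf, ipsec.secrets and the extra iptables rules) for the exact addresses in the question (182.2.29.10/182.2.29.1 for the CentOS box, 192.9.200.0/24 behind it, 212.2.7.15 for the ASA) and uses the policy the ASA side stated: ESP-3DES-SHA1, 86400 s Phase 1, 3600 s Phase 2, pre-shared key. The connection name, the staging directory, the PSK placeholder, and the treatment of "Source IP 192.168.91.224" as a single /32 host behind the ASA are assumptions; pfs=no is also an assumption and must be checked against the ASA crypto map. Two things the reply does not cover are included: IKE/ESP is accepted only from the ASA's public IP, and tunnelled traffic is excluded from the questioner's SNAT rule, because with the NETKEY stack NAT in POSTROUTING runs before the IPsec policy lookup and would otherwise rewrite the LAN source addresses so the packets no longer match the tunnel selectors.

```shell
#!/bin/sh
# Stage Openswan configuration for the CentOS <-> Cisco ASA tunnel.
# Writes to a staging directory (not /etc) so the files can be reviewed
# before being copied into place.
set -eu

# Addresses from the question. ASA_SUBNET is an assumption: the question
# only gives "Source IP 192.168.91.224", treated here as a single host.
LINUX_PUBLIC=182.2.29.10
LINUX_GW=182.2.29.1
LINUX_LAN=192.9.200.0/24
ASA_PUBLIC=212.2.7.15
ASA_SUBNET=192.168.91.224/32
CONN=centos-to-asa            # hypothetical connection name
OUT_DIR=${OUT_DIR:-./openswan-staging}

# Openswan needs the parameters of a section indented; the forum copy of
# the reply lost that. "left" is the ASA and "right" the CentOS box, the
# same convention as the reply. ike/phase2alg and the two lifetimes are
# the values the ASA side stated (3DES-SHA1, 86400s and 3600s).
gen_ipsec_conf() {
    cat > "$1" <<EOF
config setup
    protostack=netkey
    nat_traversal=no
    oe=off

conn $CONN
    type=tunnel
    authby=secret
    keyexchange=ike
    left=$ASA_PUBLIC
    leftid=$ASA_PUBLIC
    leftsubnet=$ASA_SUBNET
    right=$LINUX_PUBLIC
    rightid=$LINUX_PUBLIC
    rightsubnet=$LINUX_LAN
    rightnexthop=$LINUX_GW
    ike=3des-sha1
    phase2=esp
    phase2alg=3des-sha1
    ikelifetime=86400s
    salifetime=3600s
    pfs=no
    auto=start
EOF
}

# ipsec.secrets holds the whole authentication secret, so it is created
# with mode 600. The PSK defaults to an obvious placeholder.
gen_ipsec_secrets() {
    psk=${2:-REPLACE_WITH_REAL_PSK}
    ( umask 077; printf '%s %s : PSK "%s"\n' "$LINUX_PUBLIC" "$ASA_PUBLIC" "$psk" > "$1" )
    chmod 600 "$1"
}

# Rules to add to the questioner's existing iptables script. IKE, NAT-T
# and ESP are accepted from the peer only; decrypted traffic is matched
# with the policy module; and an ACCEPT in the nat table, inserted ahead
# of the SNAT rule, keeps LAN-to-ASA traffic from being source-NATed.
gen_iptables_rules() {
    cat > "$1" <<EOF
iptables -A INPUT -i eth0 -s $ASA_PUBLIC -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i eth0 -s $ASA_PUBLIC -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i eth0 -s $ASA_PUBLIC -p esp -j ACCEPT
iptables -A FORWARD -m policy --pol ipsec --dir in -s $ASA_SUBNET -d $LINUX_LAN -j ACCEPT
iptables -t nat -I POSTROUTING 1 -s $LINUX_LAN -d $ASA_SUBNET -j ACCEPT
EOF
}

mkdir -p "$OUT_DIR"
gen_ipsec_conf "$OUT_DIR/ipsec.conf"
gen_ipsec_secrets "$OUT_DIR/ipsec.secrets"
gen_iptables_rules "$OUT_DIR/iptables-vpn.sh"
echo "Staged in $OUT_DIR. Review, copy ipsec.conf and ipsec.secrets to /etc,"
echo "run the iptables script, then: ipsec auto --add $CONN && ipsec auto --up $CONN"
```

Run it once, inspect the staged files, and pass the real key as the second argument to gen_ipsec_secrets before copying anything into /etc. If the ASA administrator later changes the crypto map (for example enabling PFS or moving to AES), only the ike, phase2alg and pfs lines need to follow.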
