I’ve previously mentioned the really great sysconfig-integrated IPSEC on RedHat Linux here, but thought I’d now show a real-world example of a Cisco ASA and a RedHat machine talking to each other, since it is not totally obvious and not something I have seen specifically documented anywhere via Google.
A quick recap: RedHat now lets you build IPSEC VPNs using just simple ifcfg-eth0 style config files.
I’ll quickly show both sides of the config needed to build a site-to-site VPN. Site A is a Linux machine with a public IP address, while Site B is a Cisco ASA with a private network behind it. The Linux machine has this in /etc/sysconfig/network-scripts/ifcfg-ipsec1:
TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
SRCGW=1.2.3.4
DSTGW=2.3.4.5
SRCNET=1.2.3.4/32
DSTNET=10.1.1.0/24
DST=2.3.4.5
AH_PROTO=none
The pre-shared key is in /etc/sysconfig/network-scripts/keys-ipsec1 as per the RedHat documentation.
The Cisco ASA does not support AH, so the big deal here is to disable it: AH_PROTO=none turns out to be the magic knob that makes this work.
In this case the Linux server at Site A has the IP address 1.2.3.4, the ASA is running on 2.3.4.5, and the private network at Site B is 10.1.1.0/24.
On the Cisco the relevant lines of config are:
object-group network siteb_to_sitea_local_hosts
 description Site B to Site A VPN Local hosts
 network-object 10.1.1.0 255.255.255.0
object-group network siteb_to_sitea_remote_hosts
 description Site B to Site A VPN Remote Hosts
 network-object 1.2.3.4 255.255.255.255
access-list siteb_to_sitea_vpn extended permit ip object-group siteb_to_sitea_local_hosts object-group siteb_to_sitea_remote_hosts
access-list inside_nat_bypass extended permit ip object-group siteb_to_sitea_local_hosts object-group siteb_to_sitea_remote_hosts
nat (inside) 0 access-list inside_nat_bypass
crypto map outside_map 20 match address siteb_to_sitea_vpn
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 1.2.3.4
crypto map outside_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 3600
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto isakmp policy 20
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 28800
tunnel-group 1.2.3.4 type ipsec-l2l
tunnel-group 1.2.3.4 ipsec-attributes
 pre-shared-key secret
Using these specific phase 1 and phase 2 parameters (timings, PFS, crypto, etc.) means they match the default out-of-the-box parameters in /etc/racoon/racoon.conf, thereby minimising the amount of tweaking needed on the RedHat machine.
All that is needed now is to start the VPN with /etc/sysconfig/network-scripts/ifup ifcfg-ipsec1, and you should be able to communicate between your nodes.
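As an added sanity check (my own script, not part of the RedHat or Cisco tooling), here is a small Python checker that parses the ifcfg-ipsec1 file and the relevant ASA lines and confirms the two sides agree before you bring the tunnel up: AH is disabled on the Linux side, SRCGW is a crypto map peer on the ASA, and both SRCNET and DSTNET appear in the ASA object-groups. The embedded configs are constructed copies of the ones above.

```python
import re
import ipaddress
# Constructed copies of the two configs shown in this post (not read from disk).
IFCFG = """TYPE=IPSEC
ONBOOT=yes
IKE_METHOD=PSK
SRCGW=1.2.3.4
DSTGW=2.3.4.5
SRCNET=1.2.3.4/32
DSTNET=10.1.1.0/24
DST=2.3.4.5
AH_PROTO=none"""

ASA = """object-group network siteb_to_sitea_local_hosts
 network-object 10.1.1.0 255.255.255.0
object-group network siteb_to_sitea_remote_hosts
 network-object 1.2.3.4 255.255.255.255
crypto map outside_map 20 set peer 1.2.3.4
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac"""

def parse_ifcfg(text):
    # KEY=VALUE lines of an ifcfg-ipsecN file into a dict
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

def parse_asa(text):
    # Collect every object-group network and every crypto map peer address
    nets, peers = [], set()
    for line in text.splitlines():
        if m := re.match(r"\s+network-object (\S+) (\S+)", line):
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif m := re.search(r"crypto map \S+ \d+ set peer (\S+)", line):
            peers.add(m.group(1))
    return nets, peers

def check(ifcfg_text, asa_text):
    # Returns a list of mismatches between the two sides; empty means consistent
    cfg = parse_ifcfg(ifcfg_text)
    nets, peers = parse_asa(asa_text)
    problems = []
    # The ASA has no AH support, so the Linux side must not negotiate it
    if cfg.get("AH_PROTO", "").lower() != "none":
        problems.append("AH_PROTO must be none: the ASA does not support AH")
    # The Linux gateway and both protected networks must be mirrored on the ASA
    if cfg.get("SRCGW") not in peers:
        problems.append("SRCGW is not a crypto map peer on the ASA")
    for key in ("SRCNET", "DSTNET"):
        if ipaddress.ip_network(cfg[key]) not in nets:
            problems.append(f"{key} does not appear in any ASA object-group")
    return problems
```

Call check(IFCFG, ASA); an empty list means the two configs line up, otherwise each string names the mismatch to fix before debugging racoon.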