RedHat Linux <-> Cisco ASA IPSEC VPN
Published 2009-01-26 (last modified 2010-06-20), https://www.devco.net/archives/2009/01/26/redhat_linux_cisco_asa_ipsec_vpn.php

I’ve previously mentioned the really great syscfg integrated IPSEC on RedHat Linux here, but thought I’d now show a real world example of a Cisco ASA and a RedHat machine talking, since it is not totally obvious and it is not something I have seen specifically documented anywhere using Google.

A quick recap: RedHat now lets you build IPSEC VPNs using just simple ifcfg-eth0 style config files.

I’ll quickly show both sides of the config to build a site to site VPN. Site A is a Linux machine with a real IP address, while Site B is a Cisco ASA with a private network behind it. The Linux machine has this in /etc/sysconfig/network-scripts/ifcfg-ipsec1:

    TYPE=IPSEC
    ONBOOT=yes
    IKE_METHOD=PSK
    SRCGW=1.2.3.4
    DSTGW=2.3.4.5
    SRCNET=1.2.3.4/32
    DSTNET=10.1.1.0/24
    DST=2.3.4.5
    AH_PROTO=none

The pre-shared key is in /etc/sysconfig/network-scripts/keys-ipsec1 as per the RedHat documentation.

The Cisco ASA does not support AH, so the important setting here is AH_PROTO=none, which disables AH; that turns out to be the one knob you have to tweak to make it work.

In this case the Linux server at Site A has the IP address 1.2.3.4, while the ASA is running on 2.3.4.5; the private network at Site B is 10.1.1.0/24.

On the Cisco the relevant lines of config are:

    object-group network siteb_to_sitea_local_hosts
        description Site B to Site A VPN Local hosts
        network-object 10.1.1.0 255.255.255.0
    object-group network siteb_to_sitea_remote_hosts
        description Site B to Site A VPN Remote Hosts
        network-object 1.2.3.4 255.255.255.255
    access-list siteb_to_sitea_vpn extended permit ip object-group siteb_to_sitea_local_hosts object-group siteb_to_sitea_remote_hosts

    access-list inside_nat_bypass extended permit ip object-group siteb_to_sitea_local_hosts object-group siteb_to_sitea_remote_hosts

    nat (inside) 0 access-list inside_nat_bypass

    crypto map outside_map 20 match address siteb_to_sitea_vpn
    crypto map outside_map 20 set pfs
    crypto map outside_map 20 set peer 1.2.3.4
    crypto map outside_map 20 set transform-set ESP-3DES-SHA
    crypto map outside_map 20 set security-association lifetime seconds 3600
    crypto map outside_map 20 set security-association lifetime kilobytes 4608000
    crypto map outside_map interface outside
    crypto isakmp enable outside

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

    crypto isakmp policy 20
        authentication pre-share
        encryption 3des
        hash sha
        group 2
        lifetime 28800

    tunnel-group 1.2.3.4 type ipsec-l2l
    tunnel-group 1.2.3.4 ipsec-attributes
        pre-shared-key secret

Using these specific phase 1 and phase 2 parameters – timings, pfs, crypto etc – means that they will match the default out-of-the-box parameters in /etc/racoon/racoon.conf, thereby minimizing the amount of tweaking needed on the RedHat machine.

All that is needed now is to start the VPN using /etc/sysconfig/network-scripts/ifup ifcfg-ipsec1 and you should be able to communicate between your nodes.