
Introduction

The following configuration creates a VPN tunnel between a Cisco ASA and the Linux IPsec daemon strongSwan. Route-based VPNs are a much better choice than policy-based tunnels, because we simply route the interesting traffic towards the VTI interface instead of maintaining complicated crypto maps.

Setup

  • CentOS 8 – 64-bit (CentOS Linux release 8.2.2004)
  • Cisco ASA 5525-X 9.14
  • strongSwan (Linux strongSwan U5.8.2/K4.18.0-193.19.1.el8_2.x86_64)
  • Quagga (FRRouting, version 7.0)

Step 1: IPSec tunnel

I’m using the older strongSwan configuration method, ipsec.conf. It can be migrated to the newer configuration format, swanctl.conf.

[root@centos ~]# vi /etc/strongswan/ipsec.conf

Note that the traffic selectors are set to 0.0.0.0/0 on both ends. We mark that traffic, and the mark is later used to match it to the VTI interface. Be careful: if the traffic is not marked at this point, the IPsec policy will pull all traffic into the tunnel towards the other end, which will most likely cause you to lose access to the server (the VPN policy takes precedence over the routing table!).

conn vti
    type=tunnel
    auto=start
    keyexchange=ikev2
    authby=secret
    left=51.75.162.65
    leftsubnet=0.0.0.0/0
    right=81.132.175.242
    rightsubnet=0.0.0.0/0
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    aggressive=no
    keyingtries=%forever
    ikelifetime=28800s
    lifetime=3600s
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
    mark=12

Step 2: Create VTI interface

Create the VTI interface and mark it with the same value as specified in ipsec.conf (12):

ip tunnel add vti102 local 51.75.162.65 remote 81.132.175.242 mode vti key 12
ip link set up dev vti102
ip addr add 192.168.102.2/30 remote 192.168.102.1/30 dev vti102

Step 3: Enable routing and add firewall rules

Edit /etc/sysctl.conf as follows:

net.ipv4.ip_forward = 1
net.ipv4.conf.vti102.disable_policy = 1
net.ipv4.conf.vti102.rp_filter = 0

Apply the changes:

sysctl -p /etc/sysctl.conf

Allow all outgoing and incoming connections on the VTI. Also, make sure connections are stateful:

iptables -A OUTPUT -o eth0 -j ACCEPT
iptables -A OUTPUT -o vti102 -j ACCEPT
iptables -A INPUT -i vti102 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
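The mark in ipsec.conf (Step 1), the key on the VTI interface (Step 2) and the per-interface sysctls (Step 3) all have to agree, and the lock-out described in Step 1 happens when the wildcard selectors are present but the mark is not. The following Python script is an added example (not part of the original article or of strongSwan) that parses those three inputs and reports the inconsistencies; the embedded inputs are constructed copies of the article's own configuration, and the list of "weak" algorithms it warns about is an assumption you can adjust to your own policy.

```python
import re

# Constructed inputs copied from the article: the ipsec.conf conn (Step 1),
# the `ip tunnel add` command (Step 2) and sysctl.conf (Step 3).
IPSEC_CONF = """\
conn vti
    type=tunnel
    auto=start
    keyexchange=ikev2
    authby=secret
    left=51.75.162.65
    leftsubnet=0.0.0.0/0
    right=81.132.175.242
    rightsubnet=0.0.0.0/0
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1!
    mark=12
"""
VTI_CMD = "ip tunnel add vti102 local 51.75.162.65 remote 81.132.175.242 mode vti key 12"
SYSCTL_CONF = """\
net.ipv4.ip_forward = 1
net.ipv4.conf.vti102.disable_policy = 1
net.ipv4.conf.vti102.rp_filter = 0
"""

WILDCARD = "0.0.0.0/0"
# Algorithms current guidance treats as weak (assumption: adjust to your own policy).
WEAK_ALGS = {"md5", "sha1", "3des", "modp768", "modp1024"}


def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} for every conn section, comments stripped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def parse_vti_cmd(cmd):
    """Pull name, local, remote, mode and key out of an `ip tunnel add` line."""
    toks = cmd.split()
    info = {"name": toks[toks.index("add") + 1]}
    for kw in ("local", "remote", "mode", "key"):
        if kw in toks:
            info[kw] = toks[toks.index(kw) + 1]
    return info


def parse_sysctl(text):
    """Return {key: value} from sysctl.conf style `key = value` lines."""
    out = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def check(conn, vti, sysctl):
    """Hard errors: settings that break routing or lock the administrator out."""
    problems = []
    wildcard = conn.get("leftsubnet") == WILDCARD or conn.get("rightsubnet") == WILDCARD
    if wildcard and "mark" not in conn:
        # The failure mode the article warns about: an unmarked 0.0.0.0/0 policy
        # captures every packet, including the admin's own management session.
        problems.append("wildcard traffic selectors without mark=: the IPsec policy would capture all traffic")
    if "mark" in conn:
        mark = int(conn["mark"].split("/")[0], 0)   # strongSwan accepts value or value/mask
        key = int(vti.get("key", "-1"), 0)
        if mark != key:
            problems.append(f"mark={mark} in ipsec.conf does not match VTI key {key}")
    if vti.get("mode") != "vti":
        problems.append(f"tunnel mode is {vti.get('mode')!r}, expected 'vti'")
    if conn.get("left") != vti.get("local") or conn.get("right") != vti.get("remote"):
        problems.append("VTI local/remote endpoints differ from left/right in ipsec.conf")
    name = vti["name"]
    for key, want in ((f"net.ipv4.conf.{name}.disable_policy", "1"),
                      (f"net.ipv4.conf.{name}.rp_filter", "0"),
                      ("net.ipv4.ip_forward", "1")):
        if sysctl.get(key) != want:
            problems.append(f"{key} should be {want}, found {sysctl.get(key)}")
    return problems


def lint_proposals(conn):
    """Soft warnings: IKE/ESP proposals containing an algorithm from WEAK_ALGS."""
    warnings = []
    for field in ("ike", "esp"):
        for proposal in conn.get(field, "").rstrip("!").split(","):
            weak = sorted(WEAK_ALGS.intersection(proposal.lower().split("-")))
            if weak:
                warnings.append(f"{field} proposal '{proposal}' uses weak {', '.join(weak)}")
    return warnings


if __name__ == "__main__":
    conn = parse_ipsec_conf(IPSEC_CONF)["vti"]
    errors = check(conn, parse_vti_cmd(VTI_CMD), parse_sysctl(SYSCTL_CONF))
    print("errors:", errors or "none")
    for warning in lint_proposals(conn):
        print("warning:", warning)
```

Run against the article's values the hard checks pass and only the two proposal warnings remain (SHA-1 and DH group 2 in the IKE proposal, SHA-1 in the ESP proposal). Note that the `net.ipv4.conf.vti102.*` keys only exist once the interface does, so `sysctl -p` must run after Step 2 (assumption about ordering, not something the article spells out).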

Step 4: Configure Quagga and enable BGP

In CentOS 8, Quagga has been replaced by FRR. To enable BGP, edit the /etc/frr/daemons file and change the following lines:

zebra=yes
bgpd=yes

Once the changes are saved and the frr service is started, we can log in to the zebra daemon with the ‘vtysh’ command. Once in the shell, we can configure basic BGP:

[root@centos ~]# vtysh
router bgp 65001
 neighbor 192.168.102.1 remote-as 65000
 !
 address-family ipv4 unicast
  network 0.0.0.0/0
  network 10.192.168.0/24
  redistribute static
 exit-address-family
!

That is everything on the Linux side; let’s jump to the Cisco ASA.

Step 5: Cisco ASA VTI configuration

Configure the IPsec profile that will be used for the VTI:

crypto ipsec profile Azure_ipsec_profile
 set ikev2 ipsec-proposal AES256

Configure the VTI interface with the IPsec profile:

interface Tunnel3
 nameif linux-vti
 ip address 192.168.102.1 255.255.255.252
 tunnel source interface outside
 tunnel destination 51.75.162.65
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile Azure_ipsec_profile

Configure BGP:

router bgp 65000
 bgp log-neighbor-changes
 bgp graceful-restart
 bgp router-id 169.1.1.2
 address-family ipv4 unicast
  neighbor 192.168.102.2 remote-as 65001
  neighbor 192.168.102.2 activate
  network 192.168.1.194 mask 255.255.255.255
  redistribute connected
  no auto-summary
  no synchronization
 exit-address-family

After a few minutes the tunnel interface should be up, as should the BGP neighbourship; now we’re ready to advertise our networks as needed.

Debugging:

First, let’s check whether the tunnels are coming up on both ends.

Linux side:

[root@centos ~]# strongswan status
Security Associations (1 up, 0 connecting):
         vti[66]: ESTABLISHED 22 minutes ago, 51.75.162.65[51.75.162.65]...81.132.175.242[81.132.175.242]
         vti{170}:  INSTALLED, TUNNEL, reqid 40, ESP SPIs: cf59cad4_i 2c37155a_o
         vti{170}:   0.0.0.0/0 === 0.0.0.0/0

Cisco ASA side (phase 1):

Tunnel-id   Local                 Remote              Status   Role
2223379155  81.132.175.242/500    51.75.162.65/500    READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1301 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0x2c37155a/0xcf59cad4

Cisco ASA side (phase 2):

asa-greatdenham-fw# sh crypto ipsec sa peer 51.75.162.65
peer address: 51.75.162.65
Crypto map tag: __vti-crypto-map-13-0-3, seq num: 65280, local addr: 81.132.175.242
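The two status outputs above describe the same child SA from opposite ends, so they can be checked against each other: what strongSwan lists as its inbound SPI (`_i`) must be the ASA's outbound SPI, and vice versa, and the selectors must be the 0.0.0.0/0 wildcard on both sides or the VTI will not carry all routed traffic. The script below is an added example (not from the original article, strongSwan or Cisco) that parses constructed copies of the `strongswan status` and ASA phase-1 output shown above and reports any mismatch; the function and field names are this example's own.

```python
import re

# Constructed sample: the `strongswan status` output shown in the article.
LINUX_STATUS = """\
Security Associations (1 up, 0 connecting):
         vti[66]: ESTABLISHED 22 minutes ago, 51.75.162.65[51.75.162.65]...81.132.175.242[81.132.175.242]
         vti{170}:  INSTALLED, TUNNEL, reqid 40, ESP SPIs: cf59cad4_i 2c37155a_o
         vti{170}:   0.0.0.0/0 === 0.0.0.0/0
"""

# Constructed sample: the ASA phase-1 output shown in the article.
ASA_STATUS = """\
Tunnel-id   Local                 Remote              Status   Role
2223379155  81.132.175.242/500    51.75.162.65/500    READY    INITIATOR
      Encr: AES-CBC, keysize: 256, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/1301 sec
Child sa: local selector  0.0.0.0/0 - 255.255.255.255/65535
          remote selector 0.0.0.0/0 - 255.255.255.255/65535
          ESP spi in/out: 0x2c37155a/0xcf59cad4
"""

WILDCARD = "0.0.0.0/0"


def parse_strongswan_status(text):
    """Extract IKE state, child state, SPIs and traffic selectors from `strongswan status`."""
    sa = {}
    m = re.search(r"^\s*(\S+)\[\d+\]:\s+(\w+)", text, re.M)          # e.g. vti[66]: ESTABLISHED
    if m:
        sa["conn"], sa["ike_state"] = m.group(1), m.group(2)
    m = re.search(r"\{\d+\}:\s+(\w+),.*ESP SPIs:\s+([0-9a-f]+)_i\s+([0-9a-f]+)_o", text)
    if m:
        sa["child_state"], sa["spi_in"], sa["spi_out"] = m.group(1), m.group(2), m.group(3)
    m = re.search(r"\{\d+\}:\s+(\S+)\s+===\s+(\S+)", text)            # local === remote selectors
    if m:
        sa["local_ts"], sa["remote_ts"] = m.group(1), m.group(2)
    return sa


def parse_asa_ikev2(text):
    """Extract status, selectors and ESP SPIs from the ASA's IKEv2 SA listing."""
    sa = {}
    m = re.search(r"^(\d+)\s+(\S+)/\d+\s+(\S+)/\d+\s+(\w+)\s+(\w+)", text, re.M)
    if m:
        sa.update(tunnel_id=m.group(1), local=m.group(2), remote=m.group(3),
                  status=m.group(4), role=m.group(5))
    m = re.search(r"local selector\s+(\S+)\s+-", text)
    if m:
        sa["local_ts"] = m.group(1)
    m = re.search(r"remote selector\s+(\S+)\s+-", text)
    if m:
        sa["remote_ts"] = m.group(1)
    m = re.search(r"ESP spi in/out:\s+0x([0-9a-f]+)/0x([0-9a-f]+)", text)
    if m:
        sa["spi_in"], sa["spi_out"] = m.group(1), m.group(2)
    return sa


def cross_check(linux, asa):
    """Return a list of findings; an empty list means both ends agree on one healthy SA."""
    findings = []
    if linux.get("ike_state") != "ESTABLISHED":
        findings.append(f"Linux IKE SA is {linux.get('ike_state')}, not ESTABLISHED")
    if linux.get("child_state") != "INSTALLED":
        findings.append(f"Linux child SA is {linux.get('child_state')}, not INSTALLED")
    if asa.get("status") != "READY":
        findings.append(f"ASA IKEv2 SA status is {asa.get('status')}, not READY")
    # SPIs are directional: the SPI Linux receives on is the one the ASA sends with.
    if linux.get("spi_in") != asa.get("spi_out") or linux.get("spi_out") != asa.get("spi_in"):
        findings.append("ESP SPIs do not pair up; the two ends are not describing the same child SA")
    # A route-based tunnel needs the wildcard selector on both ends, mirrored.
    if not (linux.get("local_ts") == linux.get("remote_ts") == WILDCARD
            and asa.get("local_ts") == asa.get("remote_ts") == WILDCARD):
        findings.append("traffic selectors are not 0.0.0.0/0 on both ends; check leftsubnet/rightsubnet and the ASA VTI")
    return findings


if __name__ == "__main__":
    result = cross_check(parse_strongswan_status(LINUX_STATUS), parse_asa_ikev2(ASA_STATUS))
    print("findings:", result or "none, SA matches on both ends")
```

With the article's outputs the SPIs pair up (cf59cad4 inbound on Linux is 0xcf59cad4 outbound on the ASA) and the check reports nothing; a mismatch usually means one side still holds a stale child SA after a rekey, which is the first thing to look at when the tunnel shows up but BGP over the VTI does not come up.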
