[Chugalug] Need a ASA for testing purposes


[Chugalug] Need a ASA for testing purposes

David White-2
Anyone have an old ASA (one of the smaller ones 5505) you'd be interested in selling? I might need one for testing purposes. I don't need anything for a production environment, and so probably don't need any sort of license.

Name your price. 

_______________________________________________
Chugalug mailing list
[hidden email]
http://chugalug.org/cgi-bin/mailman/listinfo/chugalug

Re: [Chugalug] Need a ASA for testing purposes

Ed King-2
> Name your price. 

the last time I did that, I got arrested



Re: [Chugalug] Need a ASA for testing purposes

Aaron welch
What kind of ASA? I have a few 55x0 ones.

-Aaron

This was sent from my iPhone, so I apologize for any brevity or spelling errors. Siri also hates the southern accent and autocorrect is on a mission to give me an aneurysm.


Re: [Chugalug] Need a ASA for testing purposes

David White-2
What's the cheapest option you've got that will allow me to run some tests with an ikev1 ipsec tunnel, and while I'm at it, refresh my Cisco kung-fu skills?

--
David White

Re: [Chugalug] Need a ASA for testing purposes

Dave Brockman
On 12/21/2018 2:27 PM, David White wrote:
> What's the cheapest option you've got that will allow me to run some
> tests with an ikev1 ipsec tunnel, and while I'm at it, refresh my Cisco
> kung-fu skills?

What do you want to test?  I can probably answer the questions that are
prodding you to conduct tests.  Also, move onto IKEv2, it's much more
secure, especially on those old platforms; IKEv1 on those old things is
totally busted.  That was before the Equation Group drop.  Now they are
Swiss cheese.

Happy Holidays!

-Dave




[Chugalug] Strongswan ipsec tunnel to Cisco ASA (Was Re: Need a ASA for testing purposes)

David White-2
I've been tasked with setting up a new tunnel between a Linux server and a Cisco ASA. I manage the server. I do not manage, nor have any visibility into, the ASA. It is located at a hospital.

We're migrating a website that is currently connected to the hospital's VPN through a pfSense firewall. The goal with the migration is to do away with pfSense entirely, and configure the VPN tunnel on the Linux server itself, using Strongswan (https://strongswan.org/projects/strongswan).

After a few weeks of comparing configs and testing, we still haven't been able to successfully establish the connection. We're able to get past Phase 1, but Phase 2 of the ipsec tunnel continues to fail.

The guys at the hospital don't really have detailed log information, nor do I. We both agree that it is some obscure config mismatch that we haven't been able to identify. No amount of reviewing the following URL has helped: https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html

So.... that's what I'm dealing with. I finally got to the point where I decided I need local Cisco hardware to test with, get things working, and then contact the hospital to let them know what changes they need to make on their end, if any.

--
David White
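The failure mode described in this message (Phase 1 up, Phase 2 refused, no useful logs on either side) almost always comes down to one of three things the ASA checks in Quick Mode: the proxy IDs (strongSwan's leftsubnet/rightsubnet) must exactly mirror the ASA's crypto ACL, the ESP proposal must match a transform set bound to the crypto map, and PFS must be on or off on both sides with the same DH group. The checker below is an added example, not code from this thread, from strongSwan or from Cisco; it compares a constructed ipsec.conf conn block against a constructed excerpt of ASA crypto-map lines (all addresses, names and settings are made up) and reports which of the three disagree. The ASA keyword tables and the "bare `set pfs` means group2" default are my reading of ASA behaviour, not something the thread states.

```python
"""
Phase 2 (Quick Mode) mismatch checker for a strongSwan IKEv1 tunnel to a
Cisco ASA.  Both inputs below are constructed samples, not the thread's
real configs.  After Phase 1 succeeds, an ASA usually rejects Quick Mode
because the proxy IDs do not mirror its crypto ACL, the ESP transform set
does not match, or PFS is requested on one side only.
"""
import ipaddress
import re

# Constructed sample: Linux side, strongSwan ipsec.conf, IKEv1 site-to-site.
STRONGSWAN_CONN = """
conn hospital-asa
    keyexchange=ikev1
    authby=secret
    left=%defaultroute
    leftid=203.0.113.10
    leftsubnet=10.10.0.0/24
    right=198.51.100.1
    rightsubnet=172.16.0.0/16
    ike=aes256-sha1-modp1536!
    esp=aes256-sha1!
    auto=start
"""

# Constructed sample: the relevant lines of the ASA's crypto config.
ASA_CONFIG = """
access-list L2L-WEB extended permit ip 172.16.0.0 255.255.0.0 10.10.0.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address L2L-WEB
crypto map outside_map 10 set peer 203.0.113.10
crypto map outside_map 10 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map 10 set pfs group5
"""

# ASA keyword -> strongSwan algorithm / DH group name (assumed mapping).
ASA_ESP_ALG = {"esp-aes": "aes128", "esp-aes-192": "aes192", "esp-aes-256": "aes256",
               "esp-3des": "3des", "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1",
               "esp-sha256-hmac": "sha256", "esp-sha384-hmac": "sha384",
               "esp-sha512-hmac": "sha512"}
ASA_DH_GROUP = {"group1": "modp768", "group2": "modp1024", "group5": "modp1536",
                "group14": "modp2048", "group19": "ecp256", "group20": "ecp384"}


def parse_conn(text):
    """key=value settings of an ipsec.conf conn block (indented lines only)."""
    return dict(re.findall(r"^[ \t]+(\w+)=(\S+)", text, re.MULTILINE))


def parse_asa(text):
    """Pull the crypto ACL, transform sets and crypto-map settings out of ASA lines."""
    asa = {"acl": {}, "tsets": {}, "map": {"tsets": [], "pfs": None, "acl": None}}
    for line in text.splitlines():
        p = line.split()
        if p[:1] == ["access-list"] and "permit" in p:
            i = p.index("permit")  # permit ip <local> <mask> <remote> <mask>
            local = ipaddress.ip_network(f"{p[i + 2]}/{p[i + 3]}")
            remote = ipaddress.ip_network(f"{p[i + 4]}/{p[i + 5]}")
            asa["acl"].setdefault(p[1], []).append((local, remote))
        elif p[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            asa["tsets"][p[4]] = {ASA_ESP_ALG.get(k, k) for k in p[5:]}
        elif p[:2] == ["crypto", "map"] and "match" in p:
            asa["map"]["acl"] = p[-1]
        elif p[:2] == ["crypto", "map"] and "transform-set" in p:
            asa["map"]["tsets"] = p[p.index("transform-set") + 1:]
        elif p[:2] == ["crypto", "map"] and "pfs" in p:
            grp = p[p.index("pfs") + 1:]  # bare 'set pfs' means group2 on the ASA
            asa["map"]["pfs"] = ASA_DH_GROUP[grp[0] if grp else "group2"]
    return asa


def split_proposal(proposal):
    """'aes256-sha1-modp1536' -> ({'aes256', 'sha1'}, 'modp1536')."""
    parts = proposal.split("-")
    group = next((x for x in parts if x.startswith(("modp", "ecp"))), None)
    return {x for x in parts if x != group}, group


def check_phase2(conn, asa):
    """Return a list of mismatch descriptions; an empty list means none found."""
    findings = []
    cmap = asa["map"]
    # 1. Proxy IDs: the ASA ACL reads (local, remote) from the ASA's side, so
    #    it must be the exact mirror of strongSwan's (rightsubnet, leftsubnet).
    want = (ipaddress.ip_network(conn["rightsubnet"]),
            ipaddress.ip_network(conn["leftsubnet"]))
    acl = asa["acl"].get(cmap["acl"], [])
    if want not in acl:
        findings.append(f"proxy IDs: strongSwan proposes {want[0]} <-> {want[1]}, "
                        f"ASA ACL {cmap['acl']} has {acl}")
    # 2./3. ESP transform and PFS: some strongSwan proposal must equal a transform
    #    set bound to the crypto map, and some proposal must carry the same DH group.
    asa_sets = [asa["tsets"][n] for n in cmap["tsets"] if n in asa["tsets"]]
    proposals = [split_proposal(x) for x in conn["esp"].rstrip("!").split(",")]
    if not any(algs in asa_sets for algs, _ in proposals):
        findings.append(f"ESP transform: strongSwan esp={conn['esp']}, ASA offers {asa_sets}")
    if not any(group == cmap["pfs"] for _, group in proposals):
        findings.append(f"PFS: strongSwan proposes {[g for _, g in proposals]}, "
                        f"ASA crypto map has pfs={cmap['pfs']}")
    return findings


if __name__ == "__main__":
    result = check_phase2(parse_conn(STRONGSWAN_CONN), parse_asa(ASA_CONFIG))
    for line in result or ["no Phase 2 mismatch found"]:
        print(line)
```

In the constructed sample the proxy IDs and the ESP algorithms line up, but the strongSwan `esp=` line carries no DH group while the crypto map has `set pfs group5`, so the only finding is the PFS one; appending `modp1536` to the esp line clears it. Note that the ACL check demands an exact mirror: a /16 on one side and a /24 on the other is enough for the ASA to answer Quick Mode with "no proposal chosen", and with several subnet pairs IKEv1 negotiates one SA per pair, so each pair needs its own ACL line.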


Re: [Chugalug] Strongswan ipsec tunnel to Cisco ASA (Was Re: Need a ASA for testing purposes)

David White-2
... and in this case, I'm not calling the shots.
The hospital has dictated all of the encryption settings and type of ipsec.

But I'm indeed surprised they are going with ikev1, especially because they shared with me that this particular connection is being built into a new VPN gateway / Cisco ASA. The website that we are migrating is currently connected (again, through pfSense) to an older Cisco ASA that they are retiring.

--
David White

Re: [Chugalug] Strongswan ipsec tunnel to Cisco ASA (Was Re: Need a ASA for testing purposes)

Stephen Kraus
Why migrate away from pfsense? It's generally more capable than the ASA and comes cheaper and easier to config.


Re: [Chugalug] Strongswan ipsec tunnel to Cisco ASA (Was Re: Need a ASA for testing purposes)

David White-2
Long story.
I don't manage the old server, nor do I have any visibility into the pfSense config.
I'm the "new web hosting vendor" for my client, which is a marketing company up in Virginia, which in turn has the hospital as their client.

I gave them the option of deploying pfSense and using hardware, but that would have been quite a bit more expensive for them than to go with StrongSwan, as it would have required I deploy my own local hardware into a datacenter here in Chattanooga -- and all of the liabilities, complexities, etc... that come with that. The VPS providers like Digital Ocean and Linode don't let you run your own custom kernels / deployments. You're only limited to what they support (CentOS, Ubuntu, etc....)

--
David White

Re: [Chugalug] Strongswan ipsec tunnel to Cisco ASA (Was Re: Need a ASA for testing purposes)

Stephen Kraus
It doesn't have to be hardware. I use pfsense as a virtual router/VPN/gateway in my sandbox at the office.


Re: [Chugalug] Strongswan ipsec tunnel to Cisco ASA (Was Re: Need a ASA for testing purposes)

David White-2
Right.
But as I said, the VPS providers like Digital Ocean and Linode don't let you run your own custom kernels / deployments. You're only limited to what they support (CentOS, Ubuntu, etc....)

So we can't actually run pfSense in the VPS provider's environment.

--
David White

Re: [Chugalug] Strongswan ipsec tunnel to Cisco ASA (Was Re: Need a ASA for testing purposes)

David White-2
... that said, after how much work I've put into this, I'm really kicking myself, because I've spent far more time building and troubleshooting this VPN connection for it to still not work.

And I'll agree 100% -- pfSense is certainly easier and more flexible to use.
Based on the research and documentation I reviewed prior to this project, though, I felt fairly confident that I could do it pretty easily with StrongSwan.

--
David White

Re: [Chugalug] Strongswan ipsec tunnel to Cisco ASA (Was Re: Need a ASA for testing purposes)

Stephen Kraus
Just because I'm bored, and didn't know if you read this through yet (I'm sure you did)

https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html

On Fri, Dec 21, 2018 at 8:52 PM David White <[hidden email]> wrote:
... that said, after how much work I've put into this, I'm really kicking myself, because I've spent far more time building and troubleshooting this VPN connection for it to still not work.

And I'll agree 100% -- pfSense is certainly easier and more flexible to use.
Based on the research and documentation I reviewed prior to this project, though, I felt fairly confident that I could do it pretty easily with StrongSwan.

On Fri, Dec 21, 2018 at 8:48 PM David White <[hidden email]> wrote:
Right.
But as I said, the VPS providers like Digital Ocean and Linode don't let you run your own custom kernels / deployments. You're limited to what they support (CentOS, Ubuntu, etc....)

So we can't actually run pfSense in the VPS provider's environment.

On Fri, Dec 21, 2018 at 8:47 PM Stephen Kraus <[hidden email]> wrote:
It doesn't have to be hardware. I use pfsense as a virtual router/VPN/gateway in my sandbox at the office.

On Fri, Dec 21, 2018 at 8:46 PM David White <[hidden email]> wrote:
Long story.
I don't manage the old server, nor do I have any visibility into the pfSense config.
I'm the "new web hosting vendor" for my client, which is a marketing company up in Virginia, which in turn has the hospital as their client.

I gave them the option of deploying pfSense and using hardware, but that would have been quite a bit more expensive for them than going with StrongSwan, as it would have required me to deploy my own local hardware into a datacenter here in Chattanooga -- and all of the liabilities, complexities, etc... that come with that. The VPS providers like Digital Ocean and Linode don't let you run your own custom kernels / deployments. You're limited to what they support (CentOS, Ubuntu, etc....)

On Fri, Dec 21, 2018 at 8:41 PM Stephen Kraus <[hidden email]> wrote:
Why migrate away from pfsense? It's generally more capable than the ASA and comes cheaper and easier to config.

On Fri, Dec 21, 2018 at 8:20 PM David White <[hidden email]> wrote:
... and in this case, I'm not calling the shots.
The hospital has dictated all of the encryption settings and type of ipsec.

But I'm indeed surprised they are going with ikev1, especially because they shared with me that this particular connection is being built into a new VPN gateway / Cisco ASA. The website that we are migrating is currently connected (again, through pfSense) to an older Cisco ASA that they are retiring.

On Fri, Dec 21, 2018 at 8:17 PM David White <[hidden email]> wrote:
I've been tasked with setting up a new tunnel between a Linux server and a Cisco ASA. I manage the server. I do not manage, nor have any visibility into, the ASA. It is located at a hospital.

We're migrating a website that is currently connected to the hospital's VPN through a pfSense firewall. The goal with the migration is to do away with pfSense entirely, and configure the VPN tunnel on the Linux server itself, using Strongswan (https://strongswan.org/projects/strongswan).

After a few weeks of comparing configs and testing, we still haven't been able to successfully establish the connection. We're able to get past Phase 1, but Phase 2 of the ipsec tunnel continues to fail.

The guys at the hospital don't really have detailed log information, nor do I. We both agree that it is some obscure config mismatch that we haven't been able to identify. No amount of reviewing the following URL has helped: https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html

So.... that's what I'm dealing with. I finally got to the point where I decided I need local Cisco hardware to test with, get things working, and then contact the hospital to let them know what changes they need to make on their end, if any.


Re: [Chugalug] Strongswan ipsec tunnel to Cisco ASA (Was Re: Need a ASA for testing purposes)

Dave Brockman
In reply to this post by David White-2
Give me:

Right side protected network, left side protected network.
Phase I encryption, Phase I HMAC, PFS Group (if any)
Phase II encryption, Phase II HMAC, PFS Group (if any)

and I'll give you the config.

> do I. We both agree that it is some obscure config mismatch that we
> haven't been able to identify. No amount of reviewing the following

This is 100% bullshit. IPSEC is a standard, and almost all vendors can
get a working IKEv1 interop configuration.  I will bet $100
there is nothing obscure about your configuration. Hopefully
AES128/SHA1-HMAC, PFS Group 5.  My guess is 3DES/MD5/no PFS, or group 2
on IPSEC only, nothing on IKE.

What you need from the remote side is this:

(ASA 8.25)
IKEv1 Policy

crypto isakmp policy XX
 authentication pre-share
 encryption XX
 hash XXX
 group X
 lifetime 86400

or
(ASA 8.3+)
crypto ikev1 policy xx
 authentication pre-share
 encryption xxx
 hash xxx
 group x
 lifetime 86400

crypto ipsec transform-set [VAR] [encryption-algo] [hmac-algo]

or

crypto ipsec ikev1 transform-set [VAR] [encryption-algo] [hmac-algo]

I need to know if you have a static or dynamic IP address on the
StrongSwan side to give you the rest of the ASA config.

My guess is that you are missing the NAT BYPASS config on the StrongSwan
side.

Cheers,

-Dave



Re: [Chugalug] Strongswan ipsec tunnel to Cisco ASA (Was Re: Need a ASA for testing purposes)

David White-2
I'll research the NAT Bypass suggestion. Thank you.
I did try the "forceencaps" option several times over the past few days (see https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection), but that didn't make a difference.

I believe that DH group 5 is used in both phase 1 and phase 2.

Here's the hospital's config (I'm going to sanitize IP addresses, although in the below config, I don't see their public IP anywhere):

!
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
!
object network host_developCENTS-server_10.255.x.x
host 10.255.0.89
description This address is used by developCENTS on their server located on their side of a site-to-site vpn tunnel.
object-group network nog_developCENTS_ext
description developCENTS manages EPIC Training website which uses LDAP for users to login
network-object object host_developCENTS-server_10.255.x.x
object-group network nog_developCENTS_int
description developCENTS manages Training website which uses LDAP for users to login
network-object object host_dc-wmc-nat_192.77.x.x
!
access-list outside_cryptomap_24 line 1 extended permit ip object-group nog_developCENTS_int object-group nog_developCENTS_ext
group-policy GroupPolicy_developCENTS internal
group-policy GroupPolicy_developCENTS attributes
  vpn-tunnel-protocol ikev1
exit
tunnel-group 138.197.x.x type ipsec-l2l
tunnel-group 138.197.x.x general-attributes
  default-group-policy GroupPolicy_developCENTS
tunnel-group 138.197.x.x ipsec-attributes
  ikev1 pre-shared-key **********
  isakmp keepalive threshold 10 retry 2
crypto map outside_map1 22 match address outside_cryptomap_24
crypto map outside_map1 22 set  peer  138.197.x.x
crypto map outside_map1 22 set  pfs group5
crypto map outside_map1 22 set  ikev1 transform-set  ESP-AES-256-SHA

And here's my config:
conn %default
        # P1 Lifetime is 86400 seconds
        ikelifetime=1440m
        # P2 Lifetime is 28800 seconds
        keylife=480m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret

conn vh
        keyexchange=ikev1
        authby=secret
        # P1 Lifetime is 86400 seconds
        ikelifetime=1440m
        # P2 Lifetime is 28800 seconds
        keylife=480m
        type=tunnel
        left=138.197.x.x
        leftsubnet=10.255.x.x/32
        leftid=138.197.x.x
        right=192.77.x.x
        rightsubnet=192.177.x.x/32
        rightid=192.77.x.x
        auto=start
        ike=aes256-sha1-modp1536
        esp=aes256-sha1
        keyexchange=ikev1
        #forceencaps=yes
        leftfirewall=yes


_______________________________________________
Chugalug mailing list
[hidden email]
http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
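The checklist in Dave Brockman's reply (Phase 1 encryption, HMAC and DH group; Phase 2 transform set and PFS group; the two protected networks) and the two configs posted above can be lined up mechanically instead of by eye. The script below is an added example, not code from the thread, from strongSwan or from Cisco: it parses ASA statements of the kinds shown (crypto ikev1 policy, transform-set, crypto map, object-group, access-list) and one ipsec.conf conn section, then reports every Phase 1, Phase 2 or traffic-selector disagreement. The sample configs are constructed with TEST-NET addresses and mirror the shape of the two posted configs; left= is taken as the strongSwan host, as in the posted conn, so the ASA's ACL source must equal rightsubnet and its ACL destination leftsubnet. The parser is deliberately limited to those statement types (object-groups with network-object host members only), and the function names are this example's own. One thing it makes visible: with strongSwan's charon daemon, IKEv1 PFS is requested by appending the DH group to the esp= proposal (the old pfs= keyword is ignored), so an esp=aes256-sha1 line is reported against a crypto map that sets pfs group5, and the sample passes once esp=aes256-sha1-modp1536 is used.

```python
"""Cross-check a Cisco ASA IKEv1 site-to-site config against a strongSwan ipsec.conf conn
and list the Phase 1 / Phase 2 parameters that disagree. Added example, not code from the
thread; the samples are constructed (TEST-NET addresses) and the parser is deliberately small."""

# ASA keyword -> strongSwan proposal token (assumption: common subset only)
ENC = {"esp-aes-256": "aes256", "esp-aes": "aes128", "aes-256": "aes256", "aes": "aes128"}
HASH = {"esp-sha-hmac": "sha1", "esp-md5-hmac": "md5", "sha": "sha1", "md5": "md5"}
DH = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}


def parse_asa(text):
    """IKEv1 policies, transform sets, the crypto-map entry, ACLs and network object-groups."""
    cfg, cur = {"phase1": [], "tsets": {}, "map": {}, "acls": {}, "groups": {}}, None
    for w in (ln.split() for ln in text.splitlines() if ln.split() and not ln.startswith("!")):
        if w[:3] in (["crypto", "ikev1", "policy"], ["crypto", "isakmp", "policy"]):
            cur = {"kind": "p1"}
            cfg["phase1"].append(cur)
        elif w[:2] == ["object-group", "network"]:
            cur = {"kind": "grp", "name": w[2]}
        elif cur and cur["kind"] == "p1" and w[0] in ("encryption", "hash", "group"):
            cur[w[0]] = w[1]
        elif cur and cur["kind"] == "grp" and w[:2] == ["network-object", "host"]:
            cfg["groups"].setdefault(cur["name"], []).append(w[2] + "/32")
        elif w[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            cfg["tsets"][w[4]] = (w[5], w[6])
        elif w[:2] == ["crypto", "map"] and w[4:5] == ["set"]:
            cfg["map"][w[6] if w[5] == "ikev1" else w[5]] = w[-1]  # pfs / peer / transform-set
        elif w[:2] == ["crypto", "map"] and w[4:6] == ["match", "address"]:
            cfg["map"]["acl"] = w[6]
        elif w[0] == "access-list" and "permit" in w:
            i = w.index("permit")  # ... permit ip object-group SRC object-group DST
            cfg["acls"][w[1]] = (w[i + 3], w[i + 5])
    return cfg


def parse_conn(text, name):
    """Settings of one ipsec.conf conn section, with conn %default merged underneath."""
    conns, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("conn "):
            cur = conns.setdefault(line.split()[1], {})
        elif cur is not None and "=" in line and not line.startswith("#"):
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return {**conns.get("%default", {}), **conns[name]}


def proposals(value):
    """'aes256-sha1-modp1536,aes128-sha1' -> [(enc, integ, dh or None), ...]"""
    return [tuple((p.split("-") + [None, None])[:3]) for p in value.split(",")]


def audit(asa_text, conn_text, conn_name="vh"):
    """Return the mismatches between the ASA side and the conn; [] means they agree."""
    asa, conn, problems = parse_asa(asa_text), parse_conn(conn_text, conn_name), []
    p1 = [(ENC.get(p.get("encryption")), HASH.get(p.get("hash")), DH.get(p.get("group")))
          for p in asa["phase1"]]
    if not any(p in proposals(conn["ike"]) for p in p1):
        problems.append(f"Phase 1: no ASA policy in {p1} matches ike={conn['ike']}")
    m = asa["map"]
    enc, integ = asa["tsets"][m["transform-set"]]
    pfs = DH.get(m["pfs"][len("group"):]) if "pfs" in m else None
    p2 = (ENC.get(enc), HASH.get(integ), pfs)
    if p2 not in proposals(conn["esp"]):  # charon takes IKEv1 PFS from the DH group in esp=
        problems.append(f"Phase 2: ASA {p2} is not in esp={conn['esp']}")
    src, dst = asa["acls"][m["acl"]]  # ACL source is the ASA's own side, i.e. strongSwan's right
    for side, grp, key in (("local", src, "rightsubnet"), ("remote", dst, "leftsubnet")):
        if sorted(asa["groups"].get(grp, [])) != sorted(conn[key].split(",")):
            problems.append(f"Selectors: ASA {side} {asa['groups'].get(grp)} != {key}={conn[key]}")
    return problems


# Constructed samples in the shape of the two configs posted above (TEST-NET addresses).
ASA_SAMPLE = """\
crypto ikev1 policy 10
 encryption aes-256
 hash sha
 group 5
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
object-group network nog_ext
 network-object host 10.255.0.89
object-group network nog_int
 network-object host 192.0.2.10
access-list outside_cryptomap_24 line 1 extended permit ip object-group nog_int object-group nog_ext
crypto map outside_map1 22 match address outside_cryptomap_24
crypto map outside_map1 22 set pfs group5
crypto map outside_map1 22 set ikev1 transform-set ESP-AES-256-SHA
"""
SWAN_SAMPLE = """\
conn vh
        leftsubnet=10.255.0.89/32
        rightsubnet=192.0.2.10/32
        ike=aes256-sha1-modp1536
        esp=aes256-sha1
"""
SWAN_FIXED = SWAN_SAMPLE.replace("esp=aes256-sha1", "esp=aes256-sha1-modp1536")

if __name__ == "__main__":
    print(audit(ASA_SAMPLE, SWAN_SAMPLE), "/", audit(ASA_SAMPLE, SWAN_FIXED))
```

Run it as-is to see the Phase 2 report for the first conn and an empty list for the second. Dave's NAT bypass point is the other check worth making on the Linux side and is outside what this script reads: if the host has a MASQUERADE or SNAT rule in the nat POSTROUTING chain, an exemption such as `iptables -t nat -I POSTROUTING 1 -s 10.255.0.89/32 -d 192.0.2.10/32 -j ACCEPT` (addresses from the constructed sample) has to sit ahead of it, otherwise the rewritten source address no longer matches the tunnel's selector and the packet leaves the box unencrypted.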

Re: [Chugalug] Strongswan ipsec tunnel to Cisco ASA (Was Re: Need a ASA for testing purposes)

David White-2
Well this is interesting:
(Not the interesting part, but an FYI for context: this webserver is running cPanel. Yuck -- the client insists they need it, though, and they're paying for it, so whatever.)

One of my troubleshooting steps I was going to do today was to build out an ipsec tunnel between this server and a 2nd StrongSwan instance on a different server somewhere. As I'm in the original StrongSwan server (again, running cpanel - Yuck), I noticed that although I had built the virtual network (in the above config, the 10.255.x.x/32 address) inside of cPanel, that IP is nowhere to be found in /etc/sysconfig/network-scripts/ifcfg-eth0.

That may be the issue. Need to research that further...


Re: [Chugalug] Strongswan ipsec tunnel to Cisco ASA (Was Re: Need a ASA for testing purposes)

David White-2
That IP address shows up when I run "ip addr", but it isn't in the /etc/sysconfig/network-scripts/ifcfg-eth0 file. Never seen that before... But the fact that the IP address exists when I run "ip addr" leads me to believe that Strongswan can in fact know about that IP address and use it.


Re: [Chugalug] Strongswan ipsec tunnel to Cisco ASA (Was Re: Need a ASA for testing purposes)

David White-2
I successfully established a VPN tunnel between two Strongswan instances, so that's encouraging, anyway -- and it rules out the possibility that I've missed something dumb in my own firewall. :)

On Sat, Dec 22, 2018 at 7:35 AM David White <[hidden email]> wrote:
That IP address shows up when I run "ip addr", but it isn't in the /etc/sysconfig/network-scripts/ifcfg-eth0 file. Never seen that before... But the fact the IP address exists when I run "ip addr" leads me to believe that Strongswan can in fact know about that IP address and use it.

On Sat, Dec 22, 2018 at 5:58 AM David White <[hidden email]> wrote:
Well this is interesting:
(Not the interesting part, but an FYI for context: This webserver is running cPanel (Yuck -- client insists they need it though, and they're paying for it, so whatever)

One of my troubleshooting steps I was going to do today was to build out an ipsec tunnel between this server and a 2nd StrongSwan instance on a different server somewhere. As I'm in the original StrongSwan server (again, running cpanel - Yuck), I noticed that although I had built the virtual network (in the above config, the 10.255.x.x/32 address) inside of cPanel, that IP is nowhere to be found in /etc/sysconfig/network-scripts/ifcfg-eth0.

That may be the issue. Need to research that further...

On Sat, Dec 22, 2018 at 5:40 AM David White <[hidden email]> wrote:
I'll research the NAT Bypass suggestion. Thank you.
I did try the "forceencaps" option several times over the past few days (see https://wiki.strongswan.org/projects/strongswan/wiki/ConnSection), but that didn't make a difference.

I believe that DH group 5 is used in both phase 1 and phase 2.

Here's the hospital's config (I'm going to sanitize IP addresses, although in the below config, I don't see their public IP anywhere):

!
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
!
object network host_developCENTS-server_10.255.x.x
host 10.255.0.89
description This address is used by developCENTS on their server located on their side of a site-to-site vpn tunnel.
object-group network nog_developCENTS_ext
description developCENTS manages EPIC Training website which uses LDAP for users to login
network-object object host_developCENTS-server_10.255.x.x
object-group network nog_developCENTS_int
description developCENTS manages Training website which uses LDAP for users to login
network-object object host_dc-wmc-nat_192.77.x.x
!
access-list outside_cryptomap_24 line 1 extended permit ip object-group nog_developCENTS_int object-group nog_developCENTS_ext
group-policy GroupPolicy_developCENTS internal
group-policy GroupPolicy_developCENTS attributes
  vpn-tunnel-protocol ikev1
exit
tunnel-group 138.197.x.x type ipsec-l2l
tunnel-group 138.197.x.x general-attributes
  default-group-policy GroupPolicy_developCENTS
tunnel-group 138.197.x.x ipsec-attributes
  ikev1 pre-shared-key **********
  isakmp keepalive threshold 10 retry 2
crypto map outside_map1 22 match address outside_cryptomap_24
crypto map outside_map1 22 set peer 138.197.x.x
crypto map outside_map1 22 set pfs group5
crypto map outside_map1 22 set ikev1 transform-set ESP-AES-256-SHA

And here's my config:
conn %default
        # P1 Lifetime is 86400 seconds
        ikelifetime=1440m
        # P2 Lifetime is 28800 seconds
        keylife=480m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1
        authby=secret

conn vh
        keyexchange=ikev1
        authby=secret
        # P1 Lifetime is 86400 seconds
        ikelifetime=1440m
        # P2 Lifetime is 28800 seconds
        keylife=480m
        type=tunnel
        left=138.197.x.x
        leftsubnet=10.255.x.x/32
        leftid=138.197.x.x
        right=192.77.x.x
        rightsubnet=192.177.x.x/32
        rightid=192.77.x.x
        auto=start
        ike=aes256-sha1-modp1536
        esp=aes256-sha1
        #forceencaps=yes
        leftfirewall=yes


On Fri, Dec 21, 2018 at 11:24 PM Dave Brockman <[hidden email]> wrote:
Give me:

Right side protected network, left side protected network.
Phase I encryption, Phase I HMAC, PFS Group (if any)
Phase II encryption, Phase II HMAC, PFS Group (if any)

and I'll give you the config.

> do I. We both agree that it is some obscure config mismatch that we
> haven't been able to identify. No amount of reviewing the following

This is 100% bullshit. IPSEC is a standard, and almost all vendors can
get an IKEv1 interop configuration working.  I will bet $100
there is nothing obscure about your configuration. Hopefully
AES128/SHA1-HMAC, PFS Group 5.  My guess is 3DES/MD5/no PFS, or group 2
on IPSEC only, nothing on IKE.

What you need from the remote side is this:

(ASA 8.2.5)
IKEv1 Policy

crypto isakmp policy XX
 authentication pre-share
 encryption XX
 hash XXX
 group X
 lifetime 86400

or
(ASA 8.3+)
crypto ikev1 policy xx
 authentication pre-share
 encryption xxx
 hash xxx
 group x
 lifetime 86400

crypto ipsec transform-set [VAR] [encryption-algo] [hmac-algo]

or

crypto ipsec ikev1 transform-set [VAR] [encryption-algo] [hmac-algo]

I need to know if you have a static or dynamic IP address on the
StrongSwan side to give you the rest of the ASA config.

My guess is that you are missing the NAT BYPASS config on the StrongSwan
side.

Cheers,

-Dave


On 12/21/2018 8:16 PM, David White wrote:
> I've been tasked with setting up a new tunnel between a Linux server and
> a Cisco ASA. I manage the server. I do _not_ manage, nor have any
> visibility, into the ASA. It is located at a hospital.
>
> We're migrating a website that is currently connected to the hospital's
> VPN through a pfSense firewall. The goal with the migration is to do
> away with pfSense entirely, and configure the VPN tunnel on the Linux
> server itself, using Strongswan
> (https://strongswan.org/projects/strongswan).
>
> After a few weeks of comparing configs and testing, we still haven't
> been able to successfully establish the connection. We're able to get
> past Phase 1, but Phase 2 of the ipsec tunnel continues to fail.
>
> The guys at the hospital don't really have detailed log information, nor
> do I. We both agree that it is some obscure config mismatch that we
> haven't been able to identify. No amount of reviewing the following URL
> has helped:
> https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html
>
> So.... that's what I'm dealing with. I finally got to the point where I
> decided I need local Cisco hardware to test with, get things working,
> and then contact the hospital to let them know what changes they need to
> make on their end, if any.
>
> On Fri, Dec 21, 2018 at 6:58 PM Dave Brockman <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>     On 12/21/2018 2:27 PM, David White wrote:
>     > What's the cheapest option you've got that will allow me to run some
>     > tests with an ikev1 ipsec tunnel, and while I'm at it, refresh my
>     Cisco
>     > kung-fu skills?
>
>     What do you want to test?  I can probably answer the questions that are
>     prodding you to conduct tests.  Also, move onto IKEv2, it's much more
>     secure, especially on those old platforms, IKEv1 on those old things is
>     totally busted.  That was before Equation Group drop.  Now they are
>     swiss cheese.
>
>     Happy Holidays!
>
>     -Dave
>
>
>
>
>
> --
> David White
>
>




--
David White

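The comparison Dave asks for (phase-1 encryption/HMAC/DH group and lifetime, phase-2 transform and PFS group) is easier to do mechanically than by eyeballing two configs. The script below is an added example written for this thread; it is not strongSwan, Cisco or anyone's posted code. It parses one strongSwan ipsec.conf conn (with conn %default folded in) and the ASA 8.3+ ikev1 policy, transform-set and crypto map lines, then lists every place the two sides would disagree in IKEv1 Main Mode or Quick Mode. The sample inputs are constructed from the two sanitized configs posted above; the hospital's "crypto ikev1 policy" block was never posted, so the one in the sample is an assumption chosen to match ike=aes256-sha1-modp1536 (consistent with Phase 1 succeeding). Run on the posted values it flags one thing: the ASA crypto map sets "pfs group5" while esp=aes256-sha1 carries no DH group. With charon (strongSwan 5.x) the IKEv1 Quick Mode PFS group is taken from the DH group in the esp= proposal and the old pfs= keyword is ignored (see the ConnSection page linked above), so the strongSwan side is offering no PFS. Traffic selectors and the NAT exemption are not checked by this script.

```python
"""Phase-1/phase-2 parameter check: strongSwan ipsec.conf vs Cisco ASA (IKEv1).
Added example for this thread, not strongSwan, Cisco or anyone's posted code."""
import re

# strongSwan keyword -> ASA keyword, limited to what IKEv1 on an ASA accepts.
ENC = {"aes": "aes", "aes128": "aes", "aes192": "aes-192", "aes256": "aes-256", "3des": "3des"}
INTEG = {"md5": "md5", "sha1": "sha"}
DH = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14}
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

def to_seconds(value):
    """ipsec.conf lifetime: bare number = seconds, or an s/m/h/d suffix."""
    num, unit = re.fullmatch(r"(\d+)([smhd]?)", value.strip()).groups()
    return int(num) * UNITS[unit]

def parse_ipsec_conf(text):
    """Return {conn_name: {key: value}} with 'conn %default' merged into each conn."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and indentation
        if line.startswith("conn "):
            cur = line.split(None, 1)[1]
            conns[cur] = {}
        elif cur is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            conns[cur][key] = val
    default = conns.pop("%default", {})
    return {name: {**default, **body} for name, body in conns.items()}

def swan_proposals(spec):
    """'aes256-sha1-modp1536,aes128-sha1' -> [(asa_enc, asa_integ, dh_group or None)]."""
    out = []
    for parts in (p.split("-") for p in spec.rstrip("!").split(",")):
        out.append((ENC[parts[0]], INTEG[parts[1]], DH[parts[2]] if len(parts) > 2 else None))
    return out

def parse_asa(text):
    """IKEv1 values from an ASA 8.3+ fragment; anything unset falls back to the
    ASA defaults (86400 s IKE lifetime, 28800 s IPsec lifetime, no PFS)."""
    asa = {"ike": {}, "ts": {}, "pfs": None, "map_ts": None, "ipsec_lifetime": 28800}
    in_policy = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_policy and raw.startswith(" "):          # indented 'crypto ikev1 policy' sub-command
            if m := re.fullmatch(r"(encryption|hash|group|lifetime) (\S+)", line):
                asa["ike"][m.group(1)] = m.group(2)
            continue
        in_policy = bool(re.match(r"crypto (ikev1|isakmp) policy \d+", line))
        if m := re.fullmatch(r"crypto ipsec (?:ikev1 )?transform-set (\S+) esp-(\S+) esp-(\S+)-hmac", line):
            asa["ts"][m.group(1)] = (m.group(2), m.group(3))
        elif m := re.search(r"crypto map \S+ \d+ set\s+pfs\s+group(\d+)", line):
            asa["pfs"] = int(m.group(1))
        elif m := re.search(r"crypto map \S+ \d+ set\s+(?:ikev1\s+)?transform-set\s+(\S+)", line):
            asa["map_ts"] = m.group(1)
        elif m := re.fullmatch(r"crypto ipsec security-association lifetime seconds (\d+)", line):
            asa["ipsec_lifetime"] = int(m.group(1))
    return asa

def compare(conn, asa):
    """'mismatch:' findings break the negotiation; 'note:' ones are usually tolerated."""
    findings, ike = [], asa["ike"]
    asa_p1 = (ike.get("encryption"), ike.get("hash"), int(ike["group"]) if "group" in ike else None)
    if asa_p1 not in swan_proposals(conn["ike"]):
        findings.append(f"mismatch: phase 1 ASA {asa_p1} not in ike={conn['ike']}")
    if int(ike.get("lifetime", 86400)) != to_seconds(conn.get("ikelifetime", "3h")):
        findings.append("note: phase 1 lifetimes differ")
    p2 = swan_proposals(conn["esp"])
    enc, integ = asa["ts"][asa["map_ts"]]
    if not any(e == enc and i == integ for e, i, _ in p2):
        findings.append(f"mismatch: phase 2 ASA {enc}/{integ} not in esp={conn['esp']}")
    # charon (strongSwan 5.x) takes the IKEv1 Quick Mode PFS group from the DH group
    # in esp=; the old pfs= keyword is ignored, so no group there means no PFS.
    if asa["pfs"] not in {d for _, _, d in p2}:
        findings.append(f"mismatch: ASA pfs group {asa['pfs']} vs esp= DH groups {[d for _, _, d in p2]}")
    if asa["ipsec_lifetime"] != to_seconds(conn.get("keylife", conn.get("lifetime", "1h"))):
        findings.append("note: phase 2 lifetimes differ")
    return findings

def check(swan_text, asa_text, conn="vh"):
    return compare(parse_ipsec_conf(swan_text)[conn], parse_asa(asa_text))

# Constructed from the two sanitized configs posted in the thread. The hospital's
# 'crypto ikev1 policy' block was never posted; the one below is an assumption
# chosen to match ike= (the thread reports that Phase 1 succeeds).
SWAN_CONF = """\
conn %default
    ikelifetime=1440m
    keylife=480m
    keyexchange=ikev1
conn vh
    ike=aes256-sha1-modp1536
    esp=aes256-sha1
"""
ASA_CONF = """\
crypto ikev1 policy 10
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map1 22 set  pfs group5
crypto map outside_map1 22 set  ikev1 transform-set  ESP-AES-256-SHA
"""

if __name__ == "__main__":
    for finding in check(SWAN_CONF, ASA_CONF) or ["no mismatch found"]:
        print(finding)
```

Feed it the real ipsec.conf and whatever "show running-config crypto" the remote side will share; an empty result means the proposals line up and the remaining suspects are the traffic selectors, the NAT exemption, and the pre-shared key.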