IKEv2 Cisco ASA and strongSwan

This topic is to discuss the following lesson:

Thanks Rene,
This is a very clear manual. Gonna use it right away…

Andre

Thanks René,

My present configuration is quite the same, but I don't have (yet) a subnet behind the strongSwan platform (this may come later).
So I would like to configure the VPN and test it (ping, scp…) directly with the strongSwan platform and not with its subnet.
What should I change in your configuration for it?
Thanks again.

Hello Luc,

In this case, you might want to try configuring strongSwan as a remote client.

First I would try to configure a Cisco router as the VPN server and use a Cisco client. Here’s an example:

Cisco Easy VPN

Once this is working, see if you can replace the client with strongSwan:

https://www.strongswan.org/testing/testresults/ikev1/xauth-psk/

Rene

Rene,

How are you using the Ubuntu server with strongSwan on it? Is it on a laptop, or do you have a server? The reason for asking is that I am wondering how you got the two ports. Maybe you could point me in the right direction on how to set my lab up. Thank you.

Hi Cristopher,

I use an HP ProLiant DL360 G7 with a quad NIC running VMware ESXi. Using virtual machines is a great way to test things like this. You can also use a single physical connection from your VMware server to your switch and then configure it as a trunk. Each virtual NIC in your virtual machine can then use a different VLAN.

Rene

Hi Rene,
Just confused, but what's the benefit of using strongSwan on a Linux server instead of a Cisco router or ASA devices?
Thanks!

Hello Nguyen

strongSwan has some EAP and mobility extensions that can be useful for enterprise networks. However, the reason why you would use strongSwan for such a connection is primarily because it is a software package that has widespread use, and you will see it frequently in corporate networks. For this reason, it is a good idea to understand how to interconnect with it, as you may be called upon to make such a connection. Because it is well documented and maintained, it is likely that you will encounter it in the marketplace.

Although much of what strongSwan does can be done with a Cisco ASA, it is always good to know how to interconnect with devices of other vendors.

I hope this has been helpful!

Laz


Thanks much, Laz!!!

Hi Rene,

The strongSwan client and Cisco router combo is exactly the setup I need right now.

I configured an ASA 5505 as a remote access VPN server, and I am able to connect to it using the Cisco VPN client. But for some reason I can't get the strongSwan settings right to connect to the ASA.

I created a test environment (see pic) and I tried creating the conf file using the following guides:

https://www.strongswan.org/testing/testresults/ikev1/xauth-psk/

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/117257-config-ios-vpn-strongswan-00.html

But without any luck.

I would really appreciate if you could help me out setting up the config for my scenario.

Regards,

Jerrel

Hello Jerrel

Can you share with us more details about the types of problems you are having? Where is your configuration failing? Can you attempt to show us some verification commands such as those found in the Verify section of the Cisco document you shared? This way we’ll be able to help you more efficiently.

Looking forward to hearing from you.

Laz

Hello Rene,
I'm trying to configure an IPsec IKEv2 VPN between a Cisco ASA (ASA 5506-X) and pfSense, but unfortunately without success. Running debug crypto ikev2 platform, I get the following messages:

IKEv2-PLAT-1: (88): IKEv2 protocol not allowed by policy set for vpn-tunnel-protocol
IKEv2-PLAT-1: (88): Connection is not authorized based on configured attributes
IKEv2-PLAT-2: (88): connection auth hdl set to -1
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable.  Local Type = 0.  Local Address = 0.0.0.0.  Remote Type = 0.  Remote Address = 0.0.0.0.  Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-2: (88): Encrypt success status returned via ipc 1
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xFB21E1F5 error FALSE

Hello Alif

The error that you are receiving seems to be related to the identification of the traffic you want to send over the tunnel. Make sure that you have correctly configured the left and right subnets in the strongSwan config, and that the same is done in the access list configuration on the ASA.

I hope this has been helpful!

Laz
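The two things a practitioner checks first when an ASA refuses an IKEv2 site-to-site tunnel from a strongSwan (or pfSense) peer are exactly the ones mentioned in this thread: the traffic selectors (strongSwan leftsubnet/rightsubnet versus the ASA crypto ACL) and, because the first debug line above names it, the group-policy attribute vpn-tunnel-protocol, which must list ikev2 for the tunnel-group's policy. The script below is an added example written for this thread, not configuration taken from the lesson, the original posters or Cisco/strongSwan documentation. It embeds a constructed ipsec.conf conn and a constructed ASA config (addresses, ACL name L2L, group-policy name L2L_GP are all made up), assumes the usual strongSwan convention that left is the strongSwan host and right is the ASA, and reports any mismatch between the two ends.

```python
"""Cross-check an IKEv2 site-to-site tunnel between strongSwan and a Cisco ASA.

Added example: all configuration text here is constructed for illustration.
"""
import ipaddress
import re

# Constructed strongSwan side: left is the strongSwan host, right is the ASA.
STRONGSWAN_CONF = """\
conn asa
    keyexchange=ikev2
    left=203.0.113.10
    leftsubnet=192.168.10.0/24
    right=203.0.113.20
    rightsubnet=192.168.20.0/24
    authby=secret
    auto=start
"""

# Constructed ASA side that mirrors the conn above (names L2L / L2L_GP are assumed).
ASA_CONF_GOOD = """\
access-list L2L extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
group-policy L2L_GP internal
group-policy L2L_GP attributes
 vpn-tunnel-protocol ikev2
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 general-attributes
 default-group-policy L2L_GP
"""

# Same ASA config with two common mistakes: the crypto ACL names the wrong
# remote subnet, and the group-policy only permits IKEv1.
ASA_CONF_BAD = (ASA_CONF_GOOD
                .replace("192.168.10.0 255.255.255.0", "192.168.30.0 255.255.255.0")
                .replace("vpn-tunnel-protocol ikev2", "vpn-tunnel-protocol ikev1"))


def parse_conn(conf, name):
    """Return the key=value settings of one ipsec.conf conn section."""
    settings, inside = {}, False
    for line in conf.splitlines():
        if re.match(r"^(conn|config|ca)\s", line):
            inside = line.split()[1] == name
            continue
        if inside and "=" in line:
            key, _, val = line.strip().partition("=")
            settings[key.strip()] = val.strip()
    return settings


def _nets(spec):
    """'a/24,b/24' (strongSwan allows a comma list) -> set of ip_network objects."""
    return {ipaddress.ip_network(s.strip()) for s in spec.split(",")}


def _asa_addr(tok, i):
    """Parse one ASA ACL address spec starting at tok[i]; return (network, next index)."""
    if tok[i] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    # ASA writes 'address dotted-netmask'; ipaddress accepts that form directly.
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2


def parse_asa_acl(conf, acl):
    """Return [(local_net, remote_net)] for the 'permit ip' lines of a crypto ACL."""
    pairs = []
    for line in conf.splitlines():
        tok = line.split()
        if tok[:5] == ["access-list", acl, "extended", "permit", "ip"]:
            local, i = _asa_addr(tok, 5)
            remote, _ = _asa_addr(tok, i)
            pairs.append((local, remote))
    return pairs


def _block(conf, header):
    """Indented lines under an ASA header such as 'group-policy X attributes'."""
    lines, inside = [], False
    for line in conf.splitlines():
        if line.strip() == header:
            inside = True
            continue
        if inside and line.startswith(" "):
            lines.append(line.strip())
        else:
            inside = False
    return lines


def check(sw_conf, conn, asa_conf, acl):
    """Return a list of mismatches between the two ends; empty means they agree."""
    sw = parse_conn(sw_conf, conn)
    findings = []
    # The ASA's crypto ACL is 'permit ip <ASA-local> <remote>', so the ASA-local
    # side is strongSwan's rightsubnet and the remote side is its leftsubnet.
    want = {(l, r) for l in _nets(sw["rightsubnet"]) for r in _nets(sw["leftsubnet"])}
    got = set(parse_asa_acl(asa_conf, acl))
    for local, remote in want - got:
        findings.append(f"ASA ACL {acl} lacks 'permit ip {local} {remote}'")
    for local, remote in got - want:
        findings.append(f"ASA ACL {acl} has extra 'permit ip {local} {remote}'")
    peer = sw["left"]
    if f"tunnel-group {peer} type ipsec-l2l" not in asa_conf.splitlines():
        findings.append(f"no 'tunnel-group {peer} type ipsec-l2l' for the strongSwan peer")
    # Without an explicit default-group-policy the ASA uses DfltGrpPolicy; if that
    # block is not in the supplied text the check flags it so you verify on the box.
    gp = "DfltGrpPolicy"
    for line in _block(asa_conf, f"tunnel-group {peer} general-attributes"):
        if line.startswith("default-group-policy "):
            gp = line.split()[1]
    protos = set()
    for line in _block(asa_conf, f"group-policy {gp} attributes"):
        if line.startswith("vpn-tunnel-protocol "):
            protos.update(line.split()[1:])
    if sw.get("keyexchange", "ike") == "ikev2" and "ikev2" not in protos:
        findings.append(f"group-policy {gp} vpn-tunnel-protocol lacks ikev2 "
                        f"(found: {sorted(protos) or 'unset'})")
    return findings


if __name__ == "__main__":
    print("good:", check(STRONGSWAN_CONF, "asa", ASA_CONF_GOOD, "L2L"))
    print("bad:", check(STRONGSWAN_CONF, "asa", ASA_CONF_BAD, "L2L"))
```

Run against the good pair the checker returns an empty list; against the deliberately broken pair it reports the missing and extra ACL entry and the group-policy that only allows ikev1. Feed it the real ipsec.conf and the relevant lines from show running-config on the ASA to repeat the check on a live setup.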