IKEv2 Cisco ASA and strongSwan

This topic is to discuss the following lesson:

Thanks Rene,
This is a very clear manual. Gonna use it right away…

Andre

Thanks René,

My present configuration is quite the same, but I don’t have (yet) a subnet under the strongSwan platform (this may come later).
So I would like to configure the VPN and test it (ping, scp…) directly with the strongSwan platform and not with its subnet.
What should I change in your configuration for it?
Thanks again.

Hello Luc,

In this case, you might want to try configuring strongSwan as a remote client.

First I would try to configure a Cisco router as the VPN server and use a Cisco client. Here’s an example:

Cisco Easy VPN

Once this is working, see if you can replace the client with strongSwan:

https://www.strongswan.org/testing/testresults/ikev1/xauth-psk/

Rene

Rene,

How are you using the Ubuntu server with strongSwan on it? Is it on a laptop, or do you have a server? The reason for asking is that I am wondering how you got the two ports. Maybe you could point me in the right direction on how to set my lab up. Thank you.

Hi Cristopher,

I use an HP ProLiant DL360 G7 with a quad NIC running VMware ESXi. Using virtual machines is a great way to test things like this. You can also use a single physical connection from your VMware server to your switch and then configure it as a trunk. Each virtual NIC in your virtual machine can then use a different VLAN.

Rene

Hi Rene,
Just confused, but what’s the benefit of using strongSwan with a Linux server instead of a Cisco router or ASA device?
Thanks!

Hello Nguyen

strongSwan has some EAP and mobility extensions that can be useful for enterprise networks. However, the reason why you would use strongSwan for such a connection is primarily because it is a software package that has widespread use, and you will see it frequently in corporate networks. For this reason, it is a good idea to understand how to interconnect with it, as you may be called upon to make such a connection. Because it is well documented and maintained, it is likely that you will encounter it in the marketplace.

Although much of what strongSwan does can be done with a Cisco ASA, it is always good to know how to interconnect with devices of other vendors.

I hope this has been helpful!

Laz


Thanks much, Laz!!!

Hi Rene,

The strongSwan client and Cisco router combo is exactly the setup I need right now.

I configured an ASA 5505 as a remote access VPN server, and I am able to connect to it using the Cisco VPN client. But for some reason I can’t get the strongSwan settings right to connect to the ASA.

I created a test environment (see pic) and I tried creating the conf file using the following guides:

https://www.strongswan.org/testing/testresults/ikev1/xauth-psk/

https://www.cisco.com/c/en/us/support/docs/network-management/remote-access/117257-config-ios-vpn-strongswan-00.html

But without any luck.

I would really appreciate it if you could help me out setting up the config for my scenario.

Regards,

Jerrel

Hello Jerrel

Can you share with us more details about the types of problems you are having? Where is your configuration failing? Can you attempt to show us some verification commands such as those found in the Verify section of the Cisco document you shared? This way we’ll be able to help you more efficiently.

Looking forward to hearing from you.

Laz

Hello Rene,
I’m trying to configure an IPsec IKEv2 VPN between a Cisco ASA (ASA5506-X) and pfSense, but unfortunately unsuccessfully. Doing debug crypto ikev2 platform I get the following messages:

IKEv2-PLAT-1: (88): IKEv2 protocol not allowed by policy set for vpn-tunnel-protocol
IKEv2-PLAT-1: (88): Connection is not authorized based on configured attributes
IKEv2-PLAT-2: (88): connection auth hdl set to -1
IKEv2-PLAT-1: Failed to remove peer correlation entry from cikePeerCorrTable.  Local Type = 0.  Local Address = 0.0.0.0.  Remote Type = 0.  Remote Address = 0.0.0.0.  Correlation Peer Index = 0. IPSEC Tunnel Index = 0.
IKEv2-PLAT-2: (88): Encrypt success status returned via ipc 1
IKEv2-PLAT-2: Received PFKEY delete SA for SPI 0xFB21E1F5 error FALSE

Hello Alif

The error that you are receiving seems to be related to the identification of the traffic you want to send over the tunnel. Make sure that you have correctly configured the left and right subnets in the strongSwan config, and that the same is done in the access list configuration on the ASA.

I hope this has been helpful!

Laz

Hey,
The network lesson for this was awesome, thanks. I was able to get the VPN tunnel up, but I’m hoping you might be able to point me in the right direction. I think I am missing some routing, as I cannot ping between my subnets.

Looking at this diagram, I have 154.63.212.12 connected to the ASA VPN, but if I do pings nothing comes through.

If I do show crypto isakmp sa:

IKEv2 SAs:

Session-id:10230, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                                               Remote                                                  Status         Role
 36313153 143.5.220.246/4500                                  154.63.212.12/4500                                      READY    RESPONDER
      Encr: AES-CBC, keysize: 256, Hash: SHA256, DH Grp:14, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/24 sec
Child sa: local selector  192.168.30.0/0 - 192.168.30.255/65535
          remote selector 192.168.70.102/0 - 192.168.70.102/65535
          ESP spi in/out: 0x6c8f08d0/0xc5691db9

On the server 192.168.30.161 the routes are as follows:

default via 192.168.30.200 dev prod proto dhcp src 192.168.30.161 metric 100
192.168.30.0/24 dev prod proto kernel scope link src 192.168.30.161 metric 100
192.168.30.200 dev prod proto dhcp scope link src 192.168.30.161 metric 100

On the server 192.168.70.102 the routes are in the diagram.
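As an added troubleshooting helper (not code from the lesson or from anyone in this thread): a small Python parser for the Child SA selector lines quoted above that checks whether a given source/destination pair falls inside the negotiated traffic selectors. Only flows that match both selectors are carried by the SA, and the remote selector above is a single host (192.168.70.102 to 192.168.70.102), so the helper reports other 192.168.70.0/24 hosts as unprotected. The sample SA text and host addresses are constructed from the output quoted in the post.

```python
import ipaddress
import re

# Constructed sample: the Child SA lines from the "show crypto" output quoted above.
SHOW_SA = """\
Child sa: local selector  192.168.30.0/0 - 192.168.30.255/65535
          remote selector 192.168.70.102/0 - 192.168.70.102/65535
          ESP spi in/out: 0x6c8f08d0/0xc5691db9
"""

# ASA prints selectors as "first_ip/first_port - last_ip/last_port".
SELECTOR_RE = re.compile(r"(local|remote) selector\s+([\d.]+)/(\d+) - ([\d.]+)/(\d+)")


def parse_selectors(text):
    """Return {'local': (first_ip, last_ip, first_port, last_port), 'remote': (...)}."""
    selectors = {}
    for side, lo, port_lo, hi, port_hi in SELECTOR_RE.findall(text):
        selectors[side] = (
            ipaddress.ip_address(lo),
            ipaddress.ip_address(hi),
            int(port_lo),
            int(port_hi),
        )
    return selectors


def in_selector(addr, selector):
    """True when addr lies within the selector's address range."""
    lo, hi, _, _ = selector
    return lo <= ipaddress.ip_address(addr) <= hi


def flow_is_protected(selectors, src, dst):
    """True when a src->dst flow (src behind the local side) matches the child SA."""
    return in_selector(src, selectors["local"]) and in_selector(dst, selectors["remote"])


def covered_hosts(selector):
    """Number of addresses a selector covers; 1 means a single-host selector."""
    lo, hi, _, _ = selector
    return int(hi) - int(lo) + 1


if __name__ == "__main__":
    sel = parse_selectors(SHOW_SA)
    for dst in ("192.168.70.102", "192.168.70.1"):
        print(dst, "protected" if flow_is_protected(sel, "192.168.30.161", dst) else "NOT protected")
    print("remote selector covers", covered_hosts(sel["remote"]), "host(s)")
```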