Submitted by greggles on
I recently had to set up Openswan on Ubuntu as one end of a site-to-site VPN with a Cisco ASA 5520. There are a few resources I used to get there. They were hard to find, so I'm keeping track of them for myself and in the hope that they help someone else.
- This amazing page about the same thing on an EC2 VPC
- man ipsec
- Configuring an Openswan IPsec server: great advice, including some "gotchas" and troubleshooting ideas
- A Linux Journal backgrounder on IPsec and VPNs
- An Openswan installation and configuration tutorial
- A nice chart about CIDR notation in IP addresses
- A gist about setting up Openswan site-to-site on EC2
- A ServerFault article about two people doing this behind some routers
My requirements were (the addresses are placeholders):
- Local IKE peer IP address: 89.76.54.321
- Remote IKE peer IP address: 123.45.67.89
- Remote: also want all addresses in 123.45.67.0/24 to be addressable
- Authentication: pre-shared key
- Encryption scheme: IKE
- Diffie-Hellman group: Group 2
- Encryption algorithm: AES-256
- Hashing algorithm: SHA1
- IKE negotiation mode: Main mode
- Lifetime (for renegotiation): 480 minutes
- Phase 2 encapsulation: ESP
- Phase 2 encryption algorithm: AES-256
- Phase 2 hashing algorithm: SHA1
- Perfect Forward Secrecy: No PFS
- Lifetime (for renegotiation): 480m
These are the parameters the far end had to be matched on. Note that Group 2 (1024-bit MODP), SHA1 and no PFS are weak choices by today's standards; with a fixed peer you have to match its proposal, but if you control both ends prefer a larger DH group and turn PFS on.
And here is roughly what my /etc/ipsec.d/connection.conf looks like:
conn i2c
    authby=secret
    # site-to-site traffic between subnets needs tunnel mode; transport mode
    # only protects host-to-host traffic, and the ASA's L2L tunnel expects tunnel
    type=tunnel
    keyexchange=ike
    # main mode, as required
    aggrmode=no
    # phase 1: AES-256, SHA1, DH group 2; the trailing ! means offer nothing else
    ike=aes256-sha1;modp1024!
    ikelifetime=480m
    # phase 2: AES-256, SHA1; no DH group listed because pfs=no
    phase2=esp
    phase2alg=aes256-sha1
    pfs=no
    # phase 2 lifetime, matching the 480 minute requirement above
    keylife=480m
    auto=start
    # the addresses are the placeholders from the requirements; the /32 on our
    # side puts only this host in the tunnel, and rightsubnet must be the
    # network address, not the peer's host address
    left=89.76.54.321
    leftsubnet=89.76.54.321/32
    leftnexthop=%defaultroute
    right=123.45.67.89
    rightsubnet=123.45.67.0/24
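A quick way to catch the mistakes that are easy to make in a conn section like this one before you call the partner: transport mode with subnets, a subnet written with host bits set, a DH group in the phase 2 proposal while pfs=no, and proposals or lifetimes that differ from what the other side says their ASA is configured for. This is an added example, not code from the original post or from Openswan; the parser, the list of checks and the PEER_REQUIREMENTS dict are assumptions, and the sample conn block it checks is the post's config with the questionable lines left in.

```python
"""Sanity-check an Openswan conn section against what the peer says their
ASA is set to. Added example (not from the post or from Openswan); the
checks below are assumptions about which mistakes are worth catching."""
import ipaddress
import re

# Constructed input: the conn block from the post, with the questionable
# lines (type=transport, rightsubnet with host bits, keylife) left in.
SAMPLE_CONF = """\
conn i2c
    authby=secret
    type=transport
    keyexchange=ike
    ikelifetime=480m
    keylife=60m
    ike=aes256-sha1;modp1024!
    phase2=esp
    phase2alg=aes256-sha1;modp1024
    pfs=no
    auto=start
    aggrmode=no
    left=89.76.54.321
    leftsubnet=89.76.54.321/32
    leftnexthop=%defaultroute
    right=123.45.67.89
    rightsubnet=123.45.67.89/24
"""

# What the peer says their side is set to (the requirements list above).
PEER_REQUIREMENTS = {
    "ike": "aes256-sha1;modp1024",
    "phase2alg": "aes256-sha1",
    "ikelifetime": "480m",
    "keylife": "480m",
}


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in ipsec.conf text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            # Section header: 'conn NAME' starts a conn; anything else
            # (e.g. 'config setup') is a section we do not check.
            m = re.match(r"^conn\s+(\S+)$", line)
            current = conns.setdefault(m.group(1), {}) if m else None
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip()
    return conns


def to_seconds(lifetime):
    """Convert an Openswan lifetime ('480m', '8h', '28800s', '28800') to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", lifetime)
    if not m:
        raise ValueError("unparseable lifetime: %r" % lifetime)
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]


def check_conn(conn, peer):
    """Return a list of human-readable problems found in one conn section."""
    problems = []
    subnets = [k for k in ("leftsubnet", "rightsubnet") if k in conn]
    # Openswan defaults to type=tunnel; subnet-to-subnet traffic needs it.
    if conn.get("type", "tunnel") != "tunnel" and subnets:
        problems.append("type=%s but subnets are configured; site-to-site needs type=tunnel" % conn["type"])
    for key in subnets:
        try:
            ipaddress.ip_network(conn[key], strict=True)
        except ValueError:
            try:
                net = ipaddress.ip_network(conn[key], strict=False)
            except ValueError:
                problems.append("%s=%s is not a valid network" % (key, conn[key]))
            else:
                problems.append("%s=%s has host bits set; use %s" % (key, conn[key], net))
    # With pfs=no a DH group in the phase 2 proposal is at best ignored.
    if conn.get("pfs", "yes") == "no" and ";" in conn.get("phase2alg", ""):
        problems.append("pfs=no but phase2alg=%s names a DH group; drop the ';modp...' part" % conn["phase2alg"])
    for key in ("ikelifetime", "keylife"):
        if key in conn and key in peer and to_seconds(conn[key]) != to_seconds(peer[key]):
            problems.append("%s=%s does not match the peer's %s" % (key, conn[key], peer[key]))
    # '!' only marks the ike= proposal as strict; compare the proposal itself.
    if "ike" in peer and conn.get("ike", "").rstrip("!") != peer["ike"]:
        problems.append("ike=%s does not match the peer's %s" % (conn.get("ike"), peer["ike"]))
    if "phase2alg" in peer and conn.get("phase2alg", "").split(";")[0] != peer["phase2alg"]:
        problems.append("phase2alg=%s does not match the peer's %s" % (conn.get("phase2alg"), peer["phase2alg"]))
    return problems


if __name__ == "__main__":
    for name, conn in parse_conns(SAMPLE_CONF).items():
        for p in check_conn(conn, PEER_REQUIREMENTS) or ["ok"]:
            print("conn %s: %s" % (name, p))
```

Against the sample it reports five problems (transport mode, the invalid placeholder on the left, host bits on rightsubnet, the stray DH group with pfs=no, and the 60m keylife against the 480m requirement); point parse_conns at your real /etc/ipsec.d/*.conf and fill PEER_REQUIREMENTS from what the partner sends you.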
We had a few situations where the VPN connection would die: our website would make calls over it and get timeouts, and my attempts to ping or telnet across it would time out too. The first two times that happened I called our partner and asked if there was a problem, assuming their server was down. In fact their server was up, and restarting ipsec fixed the issue. I tried looking in various log files (as suggested by the jameskyle.org article) but didn't find any "smoking gun" for what caused the hiccup. So we started a Jenkins job that pings an IP on the far side of the VPN connection; if the ping fails, the Jenkins job restarts ipsec. Here's that script. Yes, it gives Jenkins sudo for restarting that service. I'm not sure of a better way to do that automatically, but would love to hear of one! Two things worth knowing if you copy this: keep the sudoers entry limited to that one command (a rule of the form "jenkins ALL=(root) NOPASSWD: /usr/sbin/service ipsec restart") rather than a blanket rule, and Openswan's dead peer detection (dpddelay, dpdtimeout and dpdaction=restart on the conn) is the built-in way to get a tunnel re-established when the far end stops answering.
#!/bin/bash
# Exit immediately on an uninitialized variable or error, and print each command.
set -uex

TARGET=123.45.67.99       # a host on the far side of the tunnel
LOG=timer_combined.txt

# One ping, giving up after 4 seconds. The "|| true" hides ping's nonzero exit
# code from set -e so we definitely get to the restart below.
OUTPUT=$(ping -w 4 -c 1 "$TARGET" 2>&1 || true)

# if ping lost any packets
if ! echo "$OUTPUT" | grep -q ", 0% packet loss,"; then
  echo "let's see the ping data"
  echo "$OUTPUT"
  # now restart ipsec
  echo "RESTARTING IPSEC"
  sudo service ipsec restart
  # a nonzero exit tells jenkins it's a fail, so jenkins mails us
  exit 1
else
  # log the reply line with a timestamp so we can look at latency later
  echo "$OUTPUT" | grep "^64 bytes from" | awk -v d="$(date)" '{print d, $0}' >> "$LOG"
fi
One thing I decided to do with this script is to log the data to a file, timer_combined.txt, so that we can someday look at whether the VPN connection ever slows down or something. I set this up 2 months ago and we still haven't looked at that data :)
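Since the log is there anyway, here is what looking at it could be, as an added example that is not part of the original post: it parses the timestamped reply lines the script appends, summarises round-trip times, flags unusually slow replies, and treats a hole in the timestamps as a failed ping (the job only logs successes, so a hole is where it restarted ipsec). The line format is what `date` followed by ping's reply line produces on Ubuntu; the one minute interval and the 200 ms "slow" threshold are assumptions, and the sample log is constructed.

```python
"""Look at the timer_combined.txt the ping job appends to: per-ping round-trip
times, replies that are unusually slow, and holes in the timestamps (the job
only logs successful pings, so a hole is where the ping failed and ipsec was
restarted). Added example, not from the original post; the line format is
what `date` followed by ping's reply line produces on Ubuntu, and the one
minute interval and 200 ms 'slow' threshold are assumptions."""
import re
from datetime import datetime

# "Tue Jan 15 10:00:01 UTC 2013 64 bytes from 123.45.67.99: icmp_seq=1 ttl=64 time=23.4 ms"
# (GNU date space-pads single-digit days, hence ' +' before the day).
LINE_RE = re.compile(
    r"^\w{3} (?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ (?P<year>\d{4}) "
    r"64 bytes from (?P<host>\S+): icmp_seq=\d+ ttl=\d+ time=(?P<rtt>[\d.]+) ms$"
)

# Constructed sample log: one ping a minute, one slow reply, a three minute
# hole where the job was restarting ipsec instead of logging, and a final
# line cut short (the job killed mid-write) that must be skipped.
SAMPLE_LOG = """\
Tue Jan 15 10:00:01 UTC 2013 64 bytes from 123.45.67.99: icmp_seq=1 ttl=64 time=23.4 ms
Tue Jan 15 10:01:01 UTC 2013 64 bytes from 123.45.67.99: icmp_seq=1 ttl=64 time=24.1 ms
Tue Jan 15 10:02:02 UTC 2013 64 bytes from 123.45.67.99: icmp_seq=1 ttl=64 time=412.0 ms
Tue Jan 15 10:03:01 UTC 2013 64 bytes from 123.45.67.99: icmp_seq=1 ttl=64 time=22.9 ms
Tue Jan 15 10:06:01 UTC 2013 64 bytes from 123.45.67.99: icmp_seq=1 ttl=64 time=25.0 ms
Tue Jan 15 10:07:01 UTC 2013 64 bytes from 123.45.67.99: icmp_seq=1 ttl=64 time=23.8 ms
Tue Jan 15 10:08:01 UTC 2013 64 bytes from 123.4
"""


def parse_log(text):
    """Return [(timestamp, rtt_ms), ...] for every well-formed line; skip the rest."""
    samples = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # partial or foreign line
        # The zone name is dropped: date and ping ran on the same box, so every
        # stamp is in one zone and only the differences between them matter.
        when = datetime.strptime(
            "%s %s %s %s" % (m.group("mon"), m.group("day"), m.group("year"), m.group("time")),
            "%b %d %Y %H:%M:%S",
        )
        samples.append((when, float(m.group("rtt"))))
    return samples


def analyse(samples, interval_s=60, slow_ms=200.0):
    """Summarise round-trip times and list gaps longer than one missed ping."""
    rtts = [rtt for _, rtt in samples]
    slow = [(t, r) for t, r in samples if r > slow_ms]
    gaps = []
    for (prev_t, _), (t, _) in zip(samples, samples[1:]):
        delta = (t - prev_t).total_seconds()
        if delta > 1.5 * interval_s:  # allow for jitter in when jenkins fires the job
            gaps.append((prev_t, t, int(delta)))
    return {
        "count": len(rtts),
        "min_ms": min(rtts) if rtts else None,
        "max_ms": max(rtts) if rtts else None,
        "mean_ms": sum(rtts) / len(rtts) if rtts else None,
        "slow": slow,
        "gaps": gaps,
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    report = analyse(parse_log(text))
    if not report["count"]:
        print("no well-formed ping lines found")
    else:
        print("%(count)d pings, rtt min/mean/max = %(min_ms)s/%(mean_ms).1f/%(max_ms)s ms" % report)
        for t, r in report["slow"]:
            print("slow: %s %.1f ms" % (t, r))
        for a, b, secs in report["gaps"]:
            print("gap: nothing logged between %s and %s (%ds)" % (a, b, secs))
```

Run it with the path to timer_combined.txt as the only argument; with no argument it analyses the constructed sample, where it finds the 412 ms reply and the 180 second hole.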
Comments
Anonymous replied on
review config
Hey Greg:
I am trying to set up a VPN tunnel between an Xroads Networks UBM20 (uses OpenSwan for IPSEC) and a Cisco ASA 5520 running 9.1(4) code. I would like to know if my config is correct from a syntax standpoint or if something else needs to be added.
On the ASA we are using PFS, D-H group2 and aes-128-sha.
I have heard that semi-colons and dashes can be an issue.
config setup
    nat_traversal=yes
    nhelpers=0
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none

conn CITNetbackup
    type=tunnel
    authby=secret
    left=64.132.140.78
    leftnexthop=%defaultroute
    leftsubnet=192.168.2.0/24
    # leftid takes an identity (an address or @name), not a prefix;
    # the posted config had 64.132.140.78/30 here
    leftid=64.132.140.78
    right=my ASA IP *** excluded for security ***
    rightsubnet= my local subnet behind the ASA *** excluded for security ***
    ike=aes128-sha1;modp1024
    phase2=esp
    phase2alg=aes128-sha1;modp1024
    keyexchange=ike
    ikelifetime=1440m
    keylife=480m
    pfs=yes
    aggrmode=no
    auto=start
Also, here is my PSK syntax:
64.132.140.78 24.199.199.26: PSK "ya6terecHeprEhuhebedrupramuc6asp"