[Swan] ASA 5550 Connection Help
Paul Wouters
paul at nohats.ca
Sun Apr 29 21:30:44 UTC 2018
On Sun, 29 Apr 2018, Paul Connolly wrote:
> I have to create an IPSec tunnel from amazon to an ASA 5500. Below is the info I was provided on the ASA config:
>
> Support Key Exchanged for Subnets: ON
> IKE Encryption Method: AES256 SHA
> IKE Diffie-Hellman Groups for Phase 1: Group 2 (1024 bit)
> IKE (Phase-1) Timeout: 1440 Min
> IPSEC Encryption Method: AES256 SHA
> IPSEC (Phase-2) Timeout: 3600 Sec
> PFS (Perfect Forward Secrecy): Disabled
> Keepalive: Disabled
>
> I set up libreswan on a centos 7 ec2 instance. This is what I have for Libreswan connection config:
>
> conn ipsec
>     type=tunnel
>     authby=secret
>     remote_peer_type=cisco
Remove the remote_peer_type=cisco line, that is only needed when using
IKEv1 XAUTH as a client towards a Cisco server for Remote Access VPN.
>     initial-contact=yes
>     rekey=yes
>     pfs=no
>     ikelifetime=1440m
>     salifetime=60m
>     ike=aes256-sha1;dh2
>     phase2alg=aes256-sha1;modp1024
>     aggrmode=no
>
> I've successfully created a tunnel to another libreswan instance in a separate aws vpn and can pass traffic, but when I point to the ASA, I don't seem to be even getting
> past the IKE phase, based on this ipsec status:
> 000 #1: "ipsec":4500 STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_v1_RETRANSMIT in 12s; nodpd; idle; import:admin initiate
> 1: pending Phase 2 for "ipsec" replacing #0
>
> I know the preshared key is correct but I'm at a loss. For starters, do I at least have the correct libreswan config based on the ASA config?
The config looks fine except for you not specifying any IDs for either
end. Since you are in AWS, that means you are likely presenting your
pre-NAT IP as your ID which is most likely rejected by the Cisco.
You should ask them what ID they are using on their end and what ID
they expect you to have on your end.
Also, you should REALLY ask them to change dh2/modp1024 to at least
dh5/modp1536 because dh2/modp1024 has been declared obsolete by RFC 8247
and support will soon be removed from libreswan. This DH group is
simply too weak for today's computing powers.
Paul
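Below is the poster's conn with the three changes from the reply applied, as an added example that is not part of either message on this thread. The addresses, subnets and IDs are placeholders from the documentation ranges and must be replaced with the real values; the ASA side's ID in particular has to come from whoever runs the ASA. The symptom fits the diagnosis: in IKEv1 main mode the identities are only sent in the third exchange, so an ID the ASA will not accept shows up exactly as a retransmit stuck at STATE_MAIN_I3 with no error from the peer. ikev2=no is added explicitly here because the ASA parameters describe an IKEv1 (Phase 1 / Phase 2) policy.

```ini
# Added example, not from the original post: the poster's libreswan conn
# reworked per the reply. All addresses, subnets and IDs below are
# assumed placeholders (TEST-NET / RFC 1918 ranges), not real values.
conn asa
    type=tunnel
    authby=secret
    # The ASA policy is IKEv1 Phase 1 / Phase 2, so pin IKEv1 explicitly.
    ikev2=no
    aggrmode=no
    initial-contact=yes
    rekey=yes
    # Local (AWS) side. The EC2 instance only sees its private address,
    # so without leftid pluto would present the pre-NAT IP as its ID.
    # Send the Elastic IP instead (assumed value).
    left=%defaultroute
    leftid=203.0.113.10
    leftsubnet=10.0.0.0/16
    # Remote (ASA) side. An ASA normally identifies itself by its own
    # address; confirm with the ASA admin which ID they actually send.
    right=198.51.100.1
    rightid=198.51.100.1
    rightsubnet=192.168.0.0/24
    # Phase 1: AES-256 / SHA-1 with DH group 5 (modp1536) in place of the
    # obsolete group 2 (modp1024); group 14 (modp2048) is stronger still
    # if the ASA offers it. Lifetime 1440 min as on the ASA.
    ike=aes256-sha1;modp1536
    ikelifetime=1440m
    # Phase 2: the ASA has PFS disabled, so no DH group belongs here.
    phase2alg=aes256-sha1
    pfs=no
    salifetime=60m
    # remote_peer_type=cisco dropped: it is only for IKEv1 XAUTH clients.
    auto=start
```

Because pluto selects the preshared secret by the IDs of the two ends, the entry in ipsec.secrets has to be keyed on the same values (here `203.0.113.10 198.51.100.1 : PSK "..."`), not on the instance's private address; otherwise the key lookup fails even though the PSK itself is correct. The ASA's own Phase 1 policy must be changed to group 5 at the same time, since the two proposals have to match.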