On Sun, 29 Apr 2018, Paul Connolly wrote:
> I have to create an IPSec tunnel from amazon to an ASA 5500. Below is the info
> I was provided on the ASA config:
>
> Support Key Exchanged for Subnets: ON
> IKE Encryption Method: AES256 SHA
> IKE Diffie-Hellman Groups for Phase 1: Group 2 (1024 bit)
> IKE (Phase-1) Timeout: 1440 Min
> IPSEC Encryption Method: AES256 SHA
> IPSEC (Phase-2) Timeout: 3600 Sec
> PFS (Perfect Forward Secrecy): Disabled
> Keepalive: Disabled
>
> I set up libreswan on a centos 7 ec2 instance. This is what I have for Libreswan
> connection config:
>
> conn ipsec
>     type=tunnel
>     authby=secret
>     remote_peer_type=cisco
Remove the remote_peer_type=cisco line, that is only needed when using
IKEv1 XAUTH as a client towards a Cisco server for Remote Access VPN.
>     initial-contact=yes
>     rekey=yes
>     pfs=no
>     ikelifetime=1440m
>     salifetime=60m
>     ike=aes256-sha1;dh2
>     phase2alg=aes256-sha1;modp1024
>     aggrmode=no
>
> I've successfully created a tunnel to another libreswan instance in a separate
> aws vpn and can pass traffic, but when I point to the ASA, I don't seem to be
> even getting past the IKE phase, based on this ipsec status:
>
> 000 #1: "ipsec":4500 STATE_MAIN_I3 (sent MI3, expecting MR3);
> EVENT_v1_RETRANSMIT in 12s; nodpd; idle; import:admin initiate
> 1: pending Phase 2 for "ipsec" replacing #0
>
> I know the preshared key is correct but I'm at a loss. For starters, do I at
> least have the correct libreswan config based on the ASA config?
The config looks fine except for you not specifying any IDs for either
end. Since you are in AWS, that means you are likely presenting your
pre-NAT IP as your ID which is most likely rejected by the Cisco.
You should ask them what ID they are using on their end and what ID
they expect you to have on your end.
Also, you should REALLY ask them to change dh2/modp1024 to at least
dh5/modp1536 because dh2/modp1024 has been declared obsolete by RFC-8247
and support will soon be removed from libreswan. This DH group is
simply too weak for today's computing powers.
Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
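An added illustrative ipsec.conf, not posted in this thread, that applies the two points from the reply above to the original conn: explicit IDs on both ends (the EC2 side presenting its post-NAT public address rather than its private pre-NAT one) and a DH group stronger than modp1024. The IP addresses and subnets are placeholders from documentation ranges, and pinning IKEv1 with ikev2=no is an assumption based on the STATE_MAIN_I3 (IKEv1 main mode) status shown.

```ini
# Illustrative libreswan connection for an EC2 instance behind 1:1 NAT
# talking to a Cisco ASA. Addresses below are placeholders.
conn asa-site
    type=tunnel
    authby=secret
    ikev2=no                       # assumption: ASA side is IKEv1 main mode
    aggrmode=no
    initial-contact=yes
    rekey=yes
    pfs=no                         # matches "PFS: Disabled" on the ASA
    ikelifetime=1440m              # IKE (Phase-1) Timeout: 1440 Min
    salifetime=60m                 # IPSEC (Phase-2) Timeout: 3600 Sec

    # Local (EC2) side. The instance only sees its private address, so
    # left= is the default route interface, but the ID sent to the ASA is
    # the Elastic IP the ASA actually sees after NAT.
    left=%defaultroute
    leftid=203.0.113.10            # placeholder: the instance's public EIP
    leftsubnet=10.0.0.0/16         # placeholder: the VPC CIDR

    # Remote (ASA) side. rightid must match whatever ID the ASA presents;
    # ask the ASA administrator, since it is not always the peer address.
    right=198.51.100.1             # placeholder: ASA outside address
    rightid=198.51.100.1           # placeholder: ID the ASA sends
    rightsubnet=192.168.50.0/24    # placeholder: network behind the ASA

    # Weak setting from the original post (modp1024 / DH group 2), kept
    # here commented out only for comparison:
    #ike=aes256-sha1;modp1024
    #phase2alg=aes256-sha1;modp1024

    # Corrected: at least modp1536 (DH group 5) as the reply recommends;
    # both ends must be changed together or Phase 1 will not complete.
    ike=aes256-sha1;modp1536
    phase2alg=aes256-sha1;modp1536
```

After loading the connection, `ipsec status` reporting STATE_MAIN_I4 or STATE_QUICK_I2 instead of a retransmitting STATE_MAIN_I3 shows that the peer accepted the proposal and identity.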