Cisco ASA 5505 – Azure Openswan VPN

(07 Jun 2016)

In this test a VPN connection was established between a Cisco ASA 5505 appliance (on-premises site) and an Azure Virtual Network in which an Openswan VPN gateway was running on an Ubuntu Linux virtual machine. Authentication was based on certificates, issued by an OpenSSL CA running on the same Azure Ubuntu server.

The following configuration settings and VPN versions were used:

Azure

  • Virtual network: 10.4.1.0/24 (protected network)
  • Public IP yyy.yyy.yyy.yyy, internal IP 10.4.1.4
  • Ubuntu 14.04 Linux
  • Linux Openswan U2.6.38/K3.19.0-56-generic (netkey)

Cisco ASA 5505

  • Local network 192.168.1.0/24 (protected network)
  • Public IP xxx.xxx.xxx.xxx, internal IP 192.168.1.1
  • ASA version 8.2(5), ASDM 6.4(5)

[Figure: ASA-Openswan]

Setting up the Openswan VPN gateway in Azure

  1. In Azure create Virtual Network with address space 10.4.1.0/24
  2. Add Ubuntu 14.04 Virtual Machine in the Virtual Network
  3. In Azure Endpoints menu of the Ubuntu server, enable the endpoints for UDP 500 and UDP 4500 packets:
    1. UDP 500: Private port 500, Public port 500
    2. UDP 4500: Private port 4500, Public port 4500
  4. In the Dashboard check the Public Virtual IP Address assigned to the Virtual Machine (this will be used as the peer gateway address in the ASA 5505 VPN configuration).
  5. Connect to the Ubuntu server, e.g. with PuTTY from a Windows VM located in the same Virtual Network.
  6. Install the Openswan VPN gateway (if not already installed): sudo apt-get install openswan
  7. Edit IPSec and address settings in the configuration file: /etc/ipsec.conf
  8. Copy the CA certificate, Openswan VPN gateway certificate and the Private Key file to the Ubuntu server (if not already there):
    • CA certificate to /etc/ipsec.d/cacerts
    • Openswan VPN gateway certificate to /etc/ipsec.d/certs
    • Openswan Private Key file to /etc/ipsec.d/private
  9. Add a reference to the Private Key file and the optional file password in /etc/ipsec.secrets
  10. Restart the VPN service: sudo service ipsec restart

In addition to the above steps, the routing settings in Azure Virtual Network may need to be modified as discussed in the test case Routing with Ubuntu Linux VPN Gateway.

Sample IPSEC.CONF for Azure Openswan

config setup
        protostack=netkey
        virtual_private=%v4:10.4.1.0/24
        oe=off
        nat_traversal=yes

# left = this Azure Openswan gateway, right = the on-premises ASA 5505
conn asa5505cert
        authby=rsasig
        auto=start
        type=tunnel
        left=10.4.1.4
        leftsubnet=10.4.1.0/24
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        leftcert=openswanCert.pem
        leftid=%fromcert
        right=xxx.xxx.xxx.xxx
        # must match the Subject of the ASA 5505 certificate; quotes are required because of the spaces
        rightid="C=FI, ST=Some-State, O=MyOrg, OU=MyUnit, CN=asa5505d, E=asa5505d@myorg.com"
        rightsubnet=192.168.1.0/24
        ike=3des-sha1-modp1024,aes128-sha1-modp1024
        esp=3des-sha1,aes128-sha1
        pfs=no

NOTES:

  • “openswanCert.pem” is the certificate of the Azure Openswan VPN gateway
  • rightid should match with the Subject field of the ASA 5505 VPN gateway certificate
  • right = public IP address of the ASA 5505 VPN gateway

Sample IPSEC.SECRETS for Azure Openswan

: RSA OpenswanKey.pem "password"

NOTES:

  • "OpenswanKey.pem" is the private key file for the Openswan VPN gateway certificate

Setting up the ASA 5505 Site-to-Site VPN Gateway

  1. In ASDM, go to Site-to-Site > Certificate Management menu to create and import the necessary certificates:
    • In the CA certificates menu add the CA certificate (in this case the certificates are issued by the OpenSSL CA residing in the Openswan Ubuntu server from where the CA certificate can be fetched)
    • In Identity Certificates menu select Add to create a certificate request for the ASA VPN gateway
    • Export the certificate request to a file and sign it in the Ubuntu CA server
    • In Identity Certificates menu select Install to import the signed certificate back to ASA 5505
  2. In the CA certificate > Advanced menu check that the option “Accept certificates issued by this CA” is enabled
  3. Go to Site-to-Site VPN > Connection Profiles menu and add a new profile with the settings:
    • Peer IP Address = yyy.yyy.yyy.yyy
    • Local Network = 192.168.1.0/24
    • Remote Network = 10.4.1.0/24
    • Device Certificate = <select the identity certificate imported in the above steps>
  4. Go to Advanced > Crypto Maps menu and check that the peer mapping is correct. In Tunnel Policy menu check that the Device Certificate is selected

After the configuration has been applied and saved via ASDM, the following commands can be found in the ASA 5505 running configuration (certificate contents omitted):

object-group network DM_INLINE_NETWORK_2
network-object 192.168.1.0 255.255.255.0

access-list outside_cryptomap_2 extended permit ip object-group DM_INLINE_NETWORK_2 vpnubuntu4-network 255.255.255.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association lifetime kilobytes 102400000
crypto map outside_map0 3 match address outside_cryptomap_2
crypto map outside_map0 3 set peer yyy.yyy.yyy.yyy
crypto map outside_map0 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map outside_map0 3 set trustpoint ASDM_TrustPoint6
crypto map outside_map0 interface outside

crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint6
enrollment terminal
subject-name CN=asa5505d,OU=MyUnit,O=MyOrg,C=FI,St=Some-State,EA=asa5505d@myorg.com
crl configure

crypto ca certificate chain ASDM_TrustPoint2
certificate ca 0088c64c185fbbf3fc
crypto ca certificate chain ASDM_TrustPoint6
certificate 19

crypto isakmp enable outside
crypto isakmp policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto isakmp policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto isakmp policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400

tunnel-group yyy.yyy.yyy.yyy type ipsec-l2l
tunnel-group yyy.yyy.yyy.yyy general-attributes
default-group-policy GroupPolicy3
tunnel-group yyy.yyy.yyy.yyy ipsec-attributes
trust-point ASDM_TrustPoint6
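Added example, not part of the original write-up: a small Python checker that reads the ike=/esp= lines of the Openswan ipsec.conf and the transform-set and isakmp policy lines of the ASA configuration shown above, lists the proposals both peers accept, and flags the legacy algorithms (DES, 3DES, MD5, MODP-768/1024) among them. The ASA-to-Openswan algorithm name mapping and the abridged sample configs embedded below are assumptions of this example.

```python
import re
# Constructed, abridged copies of the two sample configs on this page.
OPENSWAN_CONF = """conn asa5505cert
    ike=3des-sha1-modp1024,aes128-sha1-modp1024
    esp=3des-sha1,aes128-sha1
"""
ASA_CONF = """crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto map outside_map0 3 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-3DES-SHA
crypto isakmp policy 20
encryption aes-256
hash sha
group 2
crypto isakmp policy 80
encryption aes
hash sha
group 2
"""
# ASA keywords -> Openswan algorithm names (assumed mapping; covers this page's configs).
ENC = {"des": "des", "3des": "3des", "aes": "aes128", "aes-192": "aes192", "aes-256": "aes256"}
HASH = {"sha": "sha1", "md5": "md5"}
GROUP = {"1": "modp768", "2": "modp1024", "5": "modp1536"}
LEGACY = {"des", "3des", "md5", "modp768", "modp1024"}  # algorithms worth replacing
def openswan_proposals(conf, key):
    # The comma-separated ike= or esp= list, in the order Openswan offers it.
    m = re.search(rf"^\s*{key}=(\S+)", conf, re.M)
    return m.group(1).split(",") if m else []

def asa_esp_proposals(conf):
    # Transform sets named in the crypto map, translated to Openswan's 'enc-auth' form.
    sets = {n: f"{ENC[e[4:]]}-{HASH[a[4:-5]]}" for n, e, a in
            re.findall(r"^crypto ipsec transform-set (\S+) (\S+) (\S+)", conf, re.M)}
    m = re.search(r"^crypto map \S+ \d+ set transform-set (.+)$", conf, re.M)
    return [sets[n] for n in m.group(1).split()] if m else []

def asa_ike_proposals(conf):
    # One 'enc-hash-group' string per 'crypto isakmp policy' block, in priority order.
    out = []
    for block in re.split(r"^crypto isakmp policy \d+$", conf, flags=re.M)[1:]:
        f = dict(re.findall(r"^(encryption|hash|group) (\S+)", block, re.M))
        out.append(f"{ENC[f['encryption']]}-{HASH[f['hash']]}-{GROUP[f['group']]}")
    return out

def report(openswan_conf=OPENSWAN_CONF, asa_conf=ASA_CONF):
    # Proposals both sides accept, plus any legacy algorithms among them.
    ike = [p for p in openswan_proposals(openswan_conf, "ike") if p in asa_ike_proposals(asa_conf)]
    esp = [p for p in openswan_proposals(openswan_conf, "esp") if p in asa_esp_proposals(asa_conf)]
    legacy = sorted({a for p in ike + esp for a in p.split("-") if a in LEGACY})
    return {"ike": ike, "esp": esp, "legacy": legacy}
```

With the sample configs, report() shows that only aes128-sha1-modp1024 is usable for IKE while both ESP proposals match, and that 3DES and MODP-1024 remain in use on the tunnel.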