[Openswan Users] OpenSwan to Cisco ASA with Access Control Lists

James Bewley james.bewley at telemisis.com
Thu Apr 28 09:58:41 EDT 2016


I've figured this out now.

It appears that the Cisco ASA treats each access-list rule as a separate
connection, and your ipsec.conf needs to have a connection for each server,
e.g.:

config setup
        protostack=netkey
        klipsdebug="none"
        plutodebug="none"
        uniqueids=yes
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.123.0/255.255.255.0,%v4:!10.0.123.123/255.255.255.255,%v4:!10.0.123.124/255.255.255.255

conn %default
        keyingtries=0
        disablearrivalcheck=no
        leftupdown=/usr/local/bin/ipsecupdown.sh

#
# net-2-net to RED
conn Site2
        left=<public IP - site1>
        leftsubnet=192.168.123.0/255.255.255.0
        right=<public IP - site2>
        ike=aes256-sha-modp1024
        esp=aes256-sha1
        ikelifetime=8h
        keylife=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=hold
        pfs=no
        authby=secret

# Server 1
conn Site2-Server1
        also=Site2
        rightsubnet=10.0.123.123/255.255.255.255
        auto=start

# Server 2
conn Site2-Server2
        also=Site2
        rightsubnet=10.0.123.124/255.255.255.255
        auto=start

Best,
James
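As an added example (not from the thread or from the Openswan project), the script below does by hand what the config above shows: it parses a constructed Cisco ASA crypto ACL, written from the ASA's point of view, and renders one Openswan conn per ACL entry using the same `also=Site2` pattern, plus the matching `virtual_private` exclusions. The ACL lines, the access-list name `SITE1_VPN` and the conn names `Site2-EntryN` are assumptions; the proposal settings (`ike`, `esp`, lifetimes, DPD) stay in the base conn and are not generated.

```python
"""Mirror a Cisco ASA crypto ACL as one Openswan conn per entry.

Added example (not from the thread): the ASA treats each ACL line as its own
IPsec SA, so the Openswan side needs a matching conn per line. This script
parses a constructed ACL in ASA extended syntax and renders the conn stanzas
and the virtual_private exclusions in the same shape as the thread's config.
"""
import ipaddress

# Constructed sample, written from the ASA's point of view: source is the
# ASA's local host, destination is the Openswan site's LAN. Names are made up.
SAMPLE_ACL = """\
! crypto ACL on the remote ASA (constructed sample)
access-list SITE1_VPN extended permit ip host 10.0.123.123 192.168.123.0 255.255.255.0
access-list SITE1_VPN extended permit ip host 10.0.123.124 192.168.123.0 255.255.255.0
"""

# The Openswan side's own LAN, as in the thread's leftsubnet.
LOCAL_NET = ipaddress.ip_network("192.168.123.0/24")


def _take_endpoint(tokens, i):
    """Consume one address spec at tokens[i]: 'host A.B.C.D' or 'NET MASK'.
    Returns (ip_network, index of the next unconsumed token)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    # ipaddress accepts a dotted netmask after the slash; strict=True rejects
    # a network address with host bits set, which the ASA would also refuse.
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=True), i + 2


def parse_acl(text):
    """Return a list of (asa_local, asa_remote) network pairs, one per permit line."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue  # blank line or ASA comment
        # Only the plain 'access-list NAME extended permit ip SRC DST' form is handled.
        if tokens[0] != "access-list" or tokens[2:5] != ["extended", "permit", "ip"]:
            raise ValueError(f"unsupported ACL line: {line!r}")
        src, i = _take_endpoint(tokens, 5)
        dst, _ = _take_endpoint(tokens, i)
        entries.append((src, dst))
    return entries


def render_conns(entries, base_conn="Site2", local_net=LOCAL_NET):
    """Emit one conn per ACL entry using the thread's also=<base> pattern.

    The ACL is written from the ASA's side, so its destination must be our
    leftsubnet (checked here) and its source becomes our rightsubnet.
    """
    stanzas = []
    for n, (asa_local, asa_remote) in enumerate(entries, 1):
        if asa_remote != local_net:
            raise ValueError(f"ACL entry {n} targets {asa_remote}, not our {local_net}")
        stanzas.append(
            f"# ACL entry {n}\n"
            f"conn {base_conn}-Entry{n}\n"
            f"        also={base_conn}\n"
            f"        rightsubnet={asa_local.with_netmask}\n"
            f"        auto=start\n"
        )
    return "\n".join(stanzas)


def render_virtual_private(entries, local_net=LOCAL_NET):
    """Build the virtual_private value: the RFC 1918 ranges minus every subnet
    that is actually routed through the tunnel, so a NAT-T client cannot be
    handed an address that overlaps either site (as the thread's config does)."""
    excluded = [local_net] + [asa_local for asa_local, _ in entries]
    parts = ["%v4:10.0.0.0/8", "%v4:172.16.0.0/12", "%v4:192.168.0.0/16"]
    parts += [f"%v4:!{net.with_netmask}" for net in excluded]
    return "virtual_private=" + ",".join(parts)


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print(render_virtual_private(acl))
    print()
    print(render_conns(acl))
```

The check in `render_conns` is the useful part: if the ASA admin adds an ACL line whose destination is not the Openswan site's `leftsubnet`, no conn on this side can ever match it and the tunnel for that entry simply will not come up, so the script refuses it rather than emitting a stanza that Pluto would negotiate against a selector the peer does not offer.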



On 28 April 2016 at 13:54, Patrick Naubert <patrickn at xelerance.com> wrote:

> Rescued from the spam bucket.  Please remember to subscribe to the mailing
> list before posting to it.
>
> *From: *James Bewley <james.bewley at telemisis.com>
> *Subject: **OpenSwan to Cisco ASA with Access Control Lists*
> *Date: *April 28, 2016 at 5:02:49 AM EDT
> *To: *users at lists.openswan.org
>
>
> Hi,
>
> I am using IPCop which uses OpenSwan under the hood for IPSec.  I am
> trying to set up a tunnel between this router and a remote site (Cisco ASA).
>
> With a simple setup bridging both networks works and I can get traffic
> through the tunnel in both directions across the entire IP range.
>
> The remote site now wants to limit the access using an ACL and informs me
> that our end will also need to implement this ACL for the connection to be
> established.  Once they apply the ACL the IPSec tunnel goes down, so I assume
> he is right.
>
> So, how do I configure OpenSwan to match the ACL; do I need to define a
> 'subnet' for each remote IP address? Is there another way?
>
>
> Best,
> James
>
>
>
>