ASA 9.6 ISAKMP/IPSEC L2L VPN Tunnel dies until right pings left. Keep-alive setting?

alsalemcorp
Level 1

Hi,

I have an IPSEC VPN tunnel between StrongSwan and Cisco ASAs. The Cisco ASA will bring up the tunnel if the network behind the ASA (192.168.2.0/24) pings the network behind the Strongswan VPN (10.0.66.0/24). I want the tunnel to remain always available. Is there a modern version of the isakmp keepalive command to keep the tunnels from going down?

I have tried using an SLA monitor and a track, but using the ASA itself to ping the remote network does not bring the tunnel up.

ASA Config (sanitized):

: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.6(1)
!
hostname XXXXX
enable password XXXXX encrypted
names

!
interface GigabitEthernet1/1
nameif outside
security-level 0
ip address 8.8.8.8 255.255.255.252
!
interface GigabitEthernet1/2
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
no ip address
!
interface Management1/1
management-only
no nameif
no security-level
no ip address
!
ftp mode passive
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network LocalLAN
subnet 192.168.2.0 255.255.255.0
object-group network MplsLANS
network-object 192.168.1.0 255.255.255.0
network-object 10.0.66.0 255.255.255.0
access-list DC extended permit ip 192.168.2.0 255.255.255.0 10.0.66.0 255.255.255.0
access-list DC extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Firewall extended permit icmp any any unreachable
access-list Firewall extended permit icmp any any time-exceeded
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,any) source static LocalLAN LocalLAN destination static MplsLANS MplsLANS no-proxy-arp route-lookup
!
object network obj_any
nat (any,outside) dynamic interface
access-group Firewall in interface outside
route outside 0.0.0.0 0.0.0.0 8.8.8.7 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal ikev2-proposal
protocol esp encryption aes
protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map ikev2-map 1 match address DC
crypto map ikev2-map 1 set peer 4.2.2.1
crypto map ikev2-map 1 set ikev2 ipsec-proposal ikev2-proposal
crypto map ikev2-map interface outside
crypto ca trustpool policy
crypto ikev2 policy 1
encryption aes
integrity sha
group 5
prf md5
lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 am-disable
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.2.0 255.255.255.0 inside
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
dhcpd address 192.168.2.5-192.168.2.254 inside
dhcpd enable inside
!
dynamic-access-policy-record DfltAccessPolicy
username psadmin password NizKMRaexA8h/wbh encrypted
tunnel-group 4.2.2.1 type ipsec-l2l
tunnel-group 4.2.2.1 ipsec-attributes
isakmp keepalive threshold 1500 retry 2
ikev2 remote-authentication pre-shared-key *****
ikev2 local-authentication pre-shared-key *****
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous

4 Replies

Philip D'Ath
VIP Alumni

In Strongswan, make sure you have something like this:

conn %default
  # Dead Peer Detection: probe the peer every 30 s and re-initiate the conn
  # when it stops answering instead of leaving it down
  dpdaction=restart
  dpddelay=30s
conn xxx
  # bring the tunnel up when StrongSwan starts, don't wait for traffic
  auto=start

I added these settings, but the connection still goes idle. Strongswan does not keep it alive at this point. Any other ideas?

With these settings, as soon as you start StrongSwan the VPN should come up.

Hi Philip,

Yes, the VPN comes up as soon as I start or restart StrongSwan. My issue is that it goes down after about an hour and stays down until a system on the other side pings me. Is there a way to have the ASA ignore the idle timeouts regardless of whether it sees interesting traffic or not?

Thanks!
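The open question in this thread is how to keep the tunnel populated without waiting for a host behind the ASA to ping first; dpdaction=restart only reacts to a DPD failure and sends IKE messages, which the ASA's crypto ACL does not treat as interesting traffic. Below is an added example (not from the thread, the ASA, or StrongSwan) of a small cron watchdog for the StrongSwan gateway that parses `ipsec status`, probes across the tunnel from inside 10.0.66.0/24, and re-initiates the conn when the CHILD_SA is missing or unresponsive. Assumed names: conn `asa-l2l`, local source address 10.0.66.1, and probe target 192.168.2.1 (the ASA inside address from the posted config).

```shell
#!/bin/sh
# Added example, not from the thread: tunnel watchdog for the StrongSwan
# ("left", 10.0.66.0/24) gateway. Assumed conn name, source and probe address.
CONN="${CONN:-asa-l2l}"
REMOTE_PROBE="${REMOTE_PROBE:-192.168.2.1}"   # ASA inside address from the post
LOCAL_SRC="${LOCAL_SRC:-10.0.66.1}"           # assumed address in the left LAN

# Succeeds when `ipsec status` text shows an INSTALLED CHILD_SA for $CONN whose
# traffic selectors cover the two LANs from the post.
sa_installed() {
    st="$1"
    printf '%s\n' "$st" | grep -q "^ *${CONN}{[0-9]*}: *INSTALLED" || return 1
    printf '%s\n' "$st" | grep -q "^ *${CONN}{[0-9]*}: *10\.0\.66\.0/24 === 192\.168\.2\.0/24"
}

# $1 = `ipsec status` text, $2 = exit code of the probe ping.
# Prints: initiate (no CHILD_SA), restart (SA present but no reply), or ok.
decide_action() {
    if ! sa_installed "$1"; then echo initiate
    elif [ "$2" -ne 0 ]; then echo restart
    else echo ok
    fi
}

keepalive_once() {
    st="$(ipsec status "$CONN" 2>/dev/null || true)"
    # Source the probe from inside 10.0.66.0/24: only packets matching the
    # 10.0.66.0/24 === 192.168.2.0/24 selector are tunnel traffic; a ping from
    # the gateway's public address would not match the policy at all.
    if ping -c 1 -W 2 -I "$LOCAL_SRC" "$REMOTE_PROBE" >/dev/null 2>&1; then rc=0; else rc=1; fi
    case "$(decide_action "$st" "$rc")" in
        initiate) ipsec up "$CONN" ;;
        restart)  ipsec down "$CONN"; ipsec up "$CONN" ;;
    esac
}

# Constructed sample output (not captured from the thread) for a self-check.
SAMPLE_UP='Security Associations (1 up, 0 connecting):
     asa-l2l[3]: ESTABLISHED 12 minutes ago, 198.51.100.20[198.51.100.20]...203.0.113.5[203.0.113.5]
     asa-l2l{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c9e1a2b3_i 4d5e6f70_o
     asa-l2l{2}:   10.0.66.0/24 === 192.168.2.0/24'
SAMPLE_DOWN='Security Associations (0 up, 0 connecting):
  none'

# Run as `sh keepalive.sh run` from cron (every few minutes); with no argument
# only the self-check on the sample text runs (prints "ok" then "initiate").
if [ "${1:-}" = run ]; then keepalive_once
else decide_action "$SAMPLE_UP" 0; decide_action "$SAMPLE_DOWN" 0; fi
```

The 1500 second DPD threshold in the posted tunnel-group is independent of this: DPD tells each side when the peer is gone, while the watchdog supplies the LAN-to-LAN packets that actually match the crypto map.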