ASA5540 as a remote VPN server, OpenBSD as a client

SuperVitya
Level 1

Hello, colleagues!

There is a VPN scheme where two sites are connected with a VPN tunnel. Both peers are based on OpenBSD. The remote site does not have a static IP address, so the standard site-to-site VPN is not possible. This peer is configured as a remote VPN client. Here is its configuration in the ipsec.conf file:

ike dynamic esp from 172.27.77.0/24 to { 192.168.254.0/24 192.168.200.0/24 192.168.252.0/24 } \
    peer x.x.x.x \
    aggressive auth hmac-sha1 enc 3des \
    quick auth hmac-sha1 enc aes-128 \
    srcid "username@domain" psk "<pre-shared-key>"

On the server I found the isakmpd.conf file with parameters for all VPNs terminated on the device. Specifically, for this peer the following lines are present:

[username@domain]
Authentication= <pre-shared-key>

As we see, there are not as many parameters as we use on the Cisco VPN Client. No tunnel-group and no pre-shared key. (I think the mentioned 'pre-shared-key' is used in XAuth mode authentication.)

And now I need to replace the local OpenBSD server with an ASA5540 and configure it as a Remote Access VPN server for the peer.

If anybody has dealt with this kind of communication before, please help me configure the ASA5540 for this.

Thank you.


Marcin Latosiewicz
Cisco Employee

Viktor,

Has anyone looked into this already?

Looks like you're doing aggressive mode and no XAuth on the BSD system.

I'm not sure about OpenBSD but maybe:

username@domain is your ID

and psk is the pass - that's what it would look like to me.

On ASA you can disable xauth for particular tunnel group:

tunnel-group username@domain type remote-access
tunnel-group username@domain ipsec-attributes
  pre-shared-key psk
  isakmp ikev1-user-authentication none

I don't know how OpenBSD implements it and used this as a reference:

srcid string dstid string
Define the unique ID that isakmpd(8) will use as the identity of the local (srcid) and remote (dstid) peer; if omitted, the IP address is used.


http://www.kernel-panic.it/openbsd/vpn/vpn3.html


Marcin
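As an added example (not from this thread, and not Cisco's or OpenBSD's code), here is a Python script that reads the client's ipsec.conf "ike" stanza quoted above and emits the matching ASA fragment, so the mapping Marcin describes (srcid becomes the tunnel-group name, psk its pre-shared key, XAuth turned off) and the phase 1 / phase 2 algorithm choices can be checked side by side. Assumptions: ASA 8.4-style `crypto ikev1` syntax, DH group 2 because the client stanza names no group (isakmpd's default is modp1024), and the names TS-OPENBSD, DYN-OPENBSD and OUTSIDE-MAP are placeholders.

```python
import re

# Constructed sample: the "ike" stanza from the post's OpenBSD client (ipsec.conf).
IPSEC_CONF = r'''
ike dynamic esp from 172.27.77.0/24 to { 192.168.254.0/24 192.168.200.0/24 192.168.252.0/24 } \
    peer x.x.x.x \
    aggressive auth hmac-sha1 enc 3des \
    quick auth hmac-sha1 enc aes-128 \
    srcid "username@domain" psk "<pre-shared-key>"
'''
# OpenBSD algorithm names -> ASA keywords for the IKE policy and the ESP transform set.
IKE_ENC = {"3des": "3des", "aes-128": "aes", "aes": "aes", "aes-256": "aes-256"}
IKE_HASH = {"hmac-sha1": "sha", "hmac-md5": "md5"}
ESP_ENC = {"3des": "esp-3des", "aes-128": "esp-aes", "aes": "esp-aes", "aes-256": "esp-aes-256"}
ESP_AUTH = {"hmac-sha1": "esp-sha-hmac", "hmac-md5": "esp-md5-hmac"}

def parse_ike(text):
    """Join the backslash-continued stanza and extract the fields the ASA side needs."""
    flat = " ".join(l.strip().rstrip("\\").strip() for l in text.strip().splitlines())
    grab = lambda pat: re.search(pat, flat).groups()
    mode, p1_auth, p1_enc = grab(r"\b(main|aggressive)\s+auth\s+(\S+)\s+enc\s+(\S+)")
    p2_auth, p2_enc = grab(r"\bquick\s+auth\s+(\S+)\s+enc\s+(\S+)")
    return {"local": grab(r"\bfrom\s+(\S+)")[0],
            "remote": grab(r"\bto\s+(\{[^}]*\}|\S+)")[0].strip("{} ").split(),
            "peer": grab(r"\bpeer\s+(\S+)")[0], "mode": mode,
            "p1_auth": p1_auth, "p1_enc": p1_enc, "p2_auth": p2_auth, "p2_enc": p2_enc,
            "srcid": grab(r'srcid\s+"([^"]*)"')[0], "psk": grab(r'psk\s+"([^"]*)"')[0]}

def asa_config(p, policy=10, ts="TS-OPENBSD", dyn="DYN-OPENBSD", cmap="OUTSIDE-MAP"):
    """Render the ASA fragment: IKEv1 policy, transform set, dynamic crypto map, tunnel-group."""
    if p["mode"] != "aggressive":  # the mapping below assumes the client's aggressive-mode/PSK setup
        raise ValueError("client stanza is not aggressive mode")
    return "\n".join([
        f"crypto ikev1 policy {policy}",
        " authentication pre-share",
        f" encryption {IKE_ENC[p['p1_enc']]}",
        f" hash {IKE_HASH[p['p1_auth']]}",
        " group 2",  # assumption: isakmpd's default modp1024 corresponds to DH group 2
        f"crypto ipsec ikev1 transform-set {ts} {ESP_ENC[p['p2_enc']]} {ESP_AUTH[p['p2_auth']]}",
        f"crypto dynamic-map {dyn} 10 set ikev1 transform-set {ts}",
        f"crypto map {cmap} 65535 ipsec-isakmp dynamic {dyn}",
        # srcid becomes the tunnel-group name, psk its pre-shared key, and XAuth is turned off.
        f"tunnel-group {p['srcid']} type remote-access",
        f"tunnel-group {p['srcid']} ipsec-attributes",
        f" pre-shared-key {p['psk']}",
        " isakmp ikev1-user-authentication none",
    ])
```

The fragment still has to be activated on the ASA with `crypto map OUTSIDE-MAP interface outside` and `crypto ikev1 enable outside`, and aggressive mode must not have been switched off with `crypto ikev1 am-disable`, since the client only negotiates that mode.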