12-14-2010 01:35 AM
Hello, colleagues!
There is a VPN scheme where two sites are connected with a VPN tunnel. Both peers are based on OpenBSD. The remote site does not have a static IP address so the standard site-to-site VPN is not possible. This peer is configured as a remote VPN client. Here is its configuration in ipsec.conf file:
ike dynamic esp from 172.27.77.0/24 to { 192.168.254.0/24 192.168.200.0/24 192.168.252.0/24 } \
peer x.x.x.x \
aggressive auth hmac-sha1 enc 3des \
quick auth hmac-sha1 enc aes-128 \
srcid "username@domain" psk "<pre-shared-key>"
On the server I found the isakmpd.conf file with parameters for all VPNs terminated on the device. Specifically for this peer the following string is:
[username@domain]
Authentication= <pre-shared-key>
As we see, there are not as many parameters as we use on the Cisco VPN Client. No tunnel-group and no pre-shared key. (I think the mentioned 'pre-shared-key' is used in x-auth mode authentication).
And now I need to replace the local OpenBSD server with an ASA5540 and configure it as a Remote Access VPN server for the peer.
If anybody has dealt with this kind of communication before, please, help me configure ASA5540 for this.
Thank you.
12-20-2010 09:38 AM
Viktor,
Has anyone looked into this already?
Looks like you're doing aggressive mode and no xauth on the BSD system.
I'm not sure about openbsd but maybe:
username@domain is your ID
and psk is the pass - that's what it would look like to me.
On ASA you can disable xauth for particular tunnel group:
tunnel-group username@domain type remote-access
tunnel-group username@domain ipsec-attributes
pre-shared-key psk
isakmp ikev1-user-authentication none
I don't know how openbsd implements it and used this as reference:
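An added example, not from either post above, showing how the reply's tunnel-group idea fits into a complete ASA-side IKEv1 configuration that mirrors the OpenBSD ipsec.conf in the question. It uses pre-8.3 ASA syntax (the same generation as the "isakmp ikev1-user-authentication" command in the reply). Assumptions, all constructed here: the outside interface is named "outside", the ASA-side networks are the three /24s from the OpenBSD config, the object names (ESP-AES128-SHA, DYNMAP, OUTSIDE_MAP, NONAT) are arbitrary, DH group 2 is assumed because ipsec.conf does not show a group, and the peer's srcid "username@domain" is assumed to be matched to the tunnel-group of the same name:

```cisco
! Added example (not from the thread). Pre-8.3 ASA syntax.
! Phase 1 mirrors "aggressive auth hmac-sha1 enc 3des" on the OpenBSD side.
! DH group 2 (modp1024) is an assumption; verify against the peer's proposal.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400

! Phase 2 mirrors "quick auth hmac-sha1 enc aes-128".
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac

! The peer has no static address, so it is accepted through a dynamic crypto map.
crypto dynamic-map DYNMAP 10 set transform-set ESP-AES128-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYNMAP
crypto map OUTSIDE_MAP interface outside

! Traffic between the local /24s and the remote 172.27.77.0/24 must bypass NAT
! (ACL name NONAT and interface name "inside" are assumptions).
access-list NONAT extended permit ip 192.168.254.0 255.255.255.0 172.27.77.0 255.255.255.0
access-list NONAT extended permit ip 192.168.200.0 255.255.255.0 172.27.77.0 255.255.255.0
access-list NONAT extended permit ip 192.168.252.0 255.255.255.0 172.27.77.0 255.255.255.0
nat (inside) 0 access-list NONAT

! Tunnel group named after the peer's srcid; PSK only, XAUTH disabled as in the reply.
tunnel-group username@domain type remote-access
tunnel-group username@domain ipsec-attributes
 pre-shared-key <pre-shared-key>
 isakmp ikev1-user-authentication none
```

After the peer connects, "show crypto isakmp sa" should list the phase 1 SA for the peer's current address and "show crypto ipsec sa" the phase 2 SAs for each of the three subnet pairs; if phase 1 never completes, compare the negotiated proposal (encryption, hash, group, ID type) against the OpenBSD side first. Because aggressive mode sends the ID in the clear and lets an observer capture a PSK-derived hash, and XAUTH is disabled here, the pre-shared key is the only authentication factor: use a long, random key, and keep the phase 1 parameters to what this one peer needs rather than adding weaker alternatives.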