Libreswan as client to a Cisco (ASA or VPN3000) server

From Libreswan

Many companies have Cisco or Cisco-compatible VPN setups to allow laptops to connect to the enterprise network. These most often use XAUTH with PreSharedKeys. This requires some special handling, which libreswan activates with the remote_peer_type= option. The easiest way to configure this is with NetworkManager-libreswan (or NetworkManager-openswan on older distros), but you can do it with manual connections as well:

First, you place the Groupname and Secret in /etc/ipsec.secrets:

@Groupname : PSK "secret"

In /etc/ipsec.conf you would place the connection information, which also includes the username and groupname:

conn cisco
	# fill in your groupname and username
	leftid=@Groupname
	leftxauthusername=yourusername
	#
	# The proposals have to match exactly or the Cisco stops talking
	ike=aes128-sha1;modp1024
	esp=aes128-sha1;modp1024
	right=cisco_dns_or_ip
	initial_contact=yes
	# nat-ikev1=drafts
	# cisco_unity=yes
	aggrmode=yes
	authby=secret
	left=%defaultroute
	# this side is the XAUTH/ModeCfg client, the Cisco is the server
	leftxauthclient=yes
	leftmodecfgclient=yes
	remote_peer_type=cisco
	rightxauthserver=yes
	rightmodecfgserver=yes
	salifetime=24h
	#ikelifetime=1h
	ikelifetime=24h
	# dead peer detection: restart the tunnel when the peer stops answering
	dpdaction=restart
	dpdtimeout=60
	dpddelay=30
	# auto=add only loads the conn; it is brought up manually so the XAUTH password can be typed
	auto=add

It is possible, though less secure, to store the user password in ipsec.secrets as well, provided your setup does not require a unique (one-time) token with each password:

@username : XAUTH "password"

If the password is in ipsec.secrets, the connection can use auto=start. If not, the connection needs to be started by NetworkManager or from the command line with ipsec auto --up cisco, so that the password can be typed in.
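As an added example (not code from the Libreswan wiki or the project), here is a small Python checker that parses the two file fragments shown above and reports the consistency points this page makes: the PSK for the group in leftid= must exist, a stored XAUTH password is what makes auto=start possible but is the less secure choice, and ike=/esp= must be pinned to match the Cisco. The sample inputs are constructed; vpn.example.com and the conn-block parsing rules are assumptions.

```python
import re

# Constructed sample inputs mirroring the wiki's examples; "secret"/"password" are placeholders.
SECRETS_WITH_PASSWORD = '@Groupname : PSK "secret"\n@yourusername : XAUTH "password"\n'
SECRETS_PSK_ONLY = '@Groupname : PSK "secret"\n'
CONF = '''conn cisco
\tleftid=@Groupname
\tleftxauthusername=yourusername
\tike=aes128-sha1;modp1024
\tesp=aes128-sha1;modp1024
\tright=vpn.example.com
\tauto=start
'''

# The two ipsec.secrets line shapes used on this page: @id : PSK|XAUTH "..."
SECRET_RE = re.compile(r'^\s*@(\S+)\s*:\s*(PSK|XAUTH)\s+"([^"]*)"\s*$')

def parse_secrets(text):
    """Return {(identity, kind): secret} for every matching line."""
    found = {}
    for line in text.splitlines():
        m = SECRET_RE.match(line)
        if m:
            found[(m.group(1), m.group(2))] = m.group(3)
    return found

def parse_conn(text, name):
    """Return the key=value settings of the named conn block, comments stripped."""
    settings, inside = {}, False
    for line in text.splitlines():
        stripped = line.split('#', 1)[0].strip()
        if stripped.startswith(('conn ', 'config ')):
            inside = stripped.startswith('conn ') and stripped.split(None, 1)[1] == name
        elif inside and '=' in stripped:
            key, value = stripped.split('=', 1)
            settings[key.strip()] = value.strip()
    return settings

def audit(secrets_text, conf_text, name='cisco'):
    """Return findings as strings; an empty list means the two files agree."""
    secrets, conn = parse_secrets(secrets_text), parse_conn(conf_text, name)
    findings = []
    group = conn.get('leftid', '').lstrip('@')
    if (group, 'PSK') not in secrets:
        findings.append('no PSK for group @%s in ipsec.secrets' % group)
    user = conn.get('leftxauthusername', '')
    stored = (user, 'XAUTH') in secrets
    if stored:  # allows auto=start, but the user password now lives on disk
        findings.append('XAUTH password for %s stored on disk (less secure)' % user)
    if conn.get('auto') == 'start' and not stored:
        findings.append('auto=start but no stored XAUTH password; use auto=add and ipsec auto --up')
    for key in ('ike', 'esp'):  # page: proposals must match the Cisco exactly
        if key not in conn:
            findings.append('%s= not set; pin it to match the Cisco proposals' % key)
    return findings
```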