One Bad Pixel
One bad pixel can't be wrong!

IPSec Tunnel from ASA55xx to VyOS (or Vyatta)

I was recently asked whether it is possible to interconnect an ASA5505 and a VyOS router with an IPsec VPN. The answer is absolutely yes. I have set up dozens of IPsec VPNs between these devices and they work very well together. This configuration should *mostly* apply to interconnecting an ASA and a Ubiquiti EdgeMax as well; the EdgeMax differences are noted inline. Without wasting any more time, here is the basic config for how to accomplish this.
For these examples I will assume the LAN on the ASA5505 side is 192.168.1.0/24 and the LAN on the VyOS side is 172.16.1.0/24. The WAN of the ASA5505 is x.x.x.x, and the WAN (eth0) of the VyOS is y.y.y.y. This is a policy-based tunnel, so the two sides have to agree exactly: the ASA crypto ACL and the VyOS local/remote prefixes must be mirror images of each other, and the Phase 1 (IKE) proposal, the Phase 2 (ESP) proposal, the PFS group and the pre-shared key must be identical on both ends. Almost every "the tunnel won't come up" report comes down to one of those not matching. The 3DES, SHA-1 and DH group 2/5 settings below are what this tunnel was built with and both platforms still accept them, but they are legacy choices: for a new tunnel use AES-256 instead of 3DES on both sides and the largest DH group both ends support. Note that IKEv1 on the ASA only offers SHA-1 (or MD5) for integrity, so SHA-2 means moving to IKEv2.
First, we need to configure the ASA side (x.x.x.x). The commands below use the pre-8.3 NAT syntax (the inside_nat0_outbound style); on ASA 8.3 and later the NAT exemption is written as a twice-NAT rule instead, and from 8.4 the isakmp keywords become ikev1 (crypto ikev1 policy, crypto ikev1 enable outside, set ikev1 transform-set, ikev1 pre-shared-key)…

###setup ASA to connect to VyOS
! Select interesting traffic to be encrypted (the mirror image of the VyOS local/remote prefixes)
access-list vpn1_interesting_traffic extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
! Select which traffic must be excluded from NAT, and apply the exemption (pre-8.3 NAT syntax)
access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
! Enable Phase 1 (ISAKMP) on the outside interface
crypto isakmp enable outside
! Create a Phase 2 transform set for the encryption and authentication protocols (must match the VyOS esp-group)
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! Create the crypto map entry for the IPsec VPN to the VyOS peer
crypto map outside_map 1 match address vpn1_interesting_traffic
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer y.y.y.y
crypto map outside_map 1 set transform-set ESP-3DES-SHA
! Attach the crypto map to the outside interface
crypto map outside_map interface outside
! Create the Phase 1 isakmp policy (must match the VyOS ike-group)
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
! Create a tunnel group for the IPsec VPN to define the PSK (must be identical to the VyOS pre-shared-secret)
tunnel-group y.y.y.y type ipsec-l2l
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key !SuperSecretPSK!



Next, we need to configure the VyOS side (y.y.y.y). The esp-group lifetime of 28800 seconds matches the ASA's default IPsec SA lifetime and the ike-group lifetime matches the 86400 seconds in the isakmp policy above; the proposals, PFS group and pre-shared secret must match the ASA exactly…

###setup ipsec site-to-site
#Phase 2 (ESP) group: must match the ASA transform set and PFS group
set vpn ipsec esp-group ESP-1W lifetime 28800
set vpn ipsec esp-group ESP-1W mode tunnel
set vpn ipsec esp-group ESP-1W pfs dh-group5
set vpn ipsec esp-group ESP-1W proposal 1 encryption 3des
set vpn ipsec esp-group ESP-1W proposal 1 hash sha1
#Phase 1 (IKE) group: must match the ASA isakmp policy
set vpn ipsec ike-group IKE-1W lifetime 86400
set vpn ipsec ike-group IKE-1W proposal 1 dh-group 2
set vpn ipsec ike-group IKE-1W proposal 1 encryption 3des
set vpn ipsec ike-group IKE-1W proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
#Peer definition: the pre-shared secret must be identical to the ASA tunnel-group PSK
set vpn ipsec site-to-site peer x.x.x.x authentication mode pre-shared-secret
set vpn ipsec site-to-site peer x.x.x.x authentication pre-shared-secret !SuperSecretPSK!
set vpn ipsec site-to-site peer x.x.x.x default-esp-group ESP-1W
set vpn ipsec site-to-site peer x.x.x.x ike-group IKE-1W
set vpn ipsec site-to-site peer x.x.x.x local-address y.y.y.y
#On EdgeMax, the command for the local address is
#set vpn ipsec site-to-site peer x.x.x.x local-ip y.y.y.y
#Tunnel selectors: local/remote here are the mirror image of the ASA crypto ACL
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 esp-group ESP-1W
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 local prefix 172.16.1.0/24
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 remote prefix 192.168.1.0/24
#On EdgeMax, the commands for the tunnel are
#set vpn ipsec site-to-site peer x.x.x.x tunnel 1 local subnet 172.16.1.0/24
#set vpn ipsec site-to-site peer x.x.x.x tunnel 1 remote subnet 192.168.1.0/24
#exclude site-to-site traffic from NAT; source NAT rules are evaluated in number order,
#so this rule must have a lower number than the masquerade rule for the LAN
set nat source rule 10 description "NAT Exclude traffic over site-to-site VPN"
set nat source rule 10 destination address 192.168.1.0/24
set nat source rule 10 exclude
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 172.16.1.0/24
#site-to-site allow any: decrypted traffic from the tunnel re-enters the WAN "in" policy on its way to the LAN
set firewall name TO-LAN-IPV4 rule 50 description "Allow traffic from site-to-site VPN"
set firewall name TO-LAN-IPV4 rule 50 action accept
set firewall name TO-LAN-IPV4 rule 50 destination address 172.16.1.0/24
set firewall name TO-LAN-IPV4 rule 50 source address 192.168.1.0/24
#ike from anywhere (add "source address x.x.x.x" to rules 50-52 if the peer address is static)
set firewall name TO-ROUTER-IPV4 rule 50 description "Allow ISAKMP"
set firewall name TO-ROUTER-IPV4 rule 50 action accept
set firewall name TO-ROUTER-IPV4 rule 50 protocol udp
set firewall name TO-ROUTER-IPV4 rule 50 destination port 500
#esp from anywhere
set firewall name TO-ROUTER-IPV4 rule 51 description "Allow ESP"
set firewall name TO-ROUTER-IPV4 rule 51 action accept
set firewall name TO-ROUTER-IPV4 rule 51 protocol esp
#nat-t from anywhere: with nat-traversal enabled above, ESP is carried in UDP 4500 whenever a NAT sits between the peers
set firewall name TO-ROUTER-IPV4 rule 52 description "Allow IPsec NAT-T"
set firewall name TO-ROUTER-IPV4 rule 52 action accept
set firewall name TO-ROUTER-IPV4 rule 52 protocol udp
set firewall name TO-ROUTER-IPV4 rule 52 destination port 4500
#commit
commit



If you are setting up an EdgeMax instead of VyOS, everything should be the same except for the NAT rule, which lives under "service nat" and should look something like this (the NAT syntax on EdgeMax is a little different; as on VyOS, the exclude rule needs a lower number than the masquerade rule for the LAN):

set service nat rule 5000 description 'NAT EXCLUDE to VPN'
set service nat rule 5000 destination address 192.168.1.0/24
set service nat rule 5000 exclude
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface eth0
set service nat rule 5000 protocol all
set service nat rule 5000 source address 172.16.1.0/24
set service nat rule 5000 type masquerade
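Because every parameter that has to agree between the two boxes is visible in the config, the "must match" rules above can be checked before you ever bring the tunnel up. The script below is an added example and is my own code, not part of the original post: it parses the ASA and VyOS snippets from this post (embedded as strings and trimmed to the lines it reads), reports every IKE/ESP parameter, PFS group, pre-shared key or traffic selector that differs, and lists the legacy algorithms still in use. It understands the EdgeMax "subnet" spelling as well as the VyOS "prefix" one. Nothing here talks to a device, and the legacy-algorithm list is my own judgement, not something either vendor enforces.

```python
"""Cross-check the ASA and VyOS halves of a policy-based IPsec tunnel (the two configs above, trimmed)."""
import ipaddress
import re

ASA_CONFIG = """\
access-list vpn1_interesting_traffic extended permit ip 192.168.1.0 255.255.255.0 172.16.1.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map outside_map 1 match address vpn1_interesting_traffic
crypto map outside_map 1 set pfs group5
crypto isakmp policy 10
 encryption 3des
 hash sha
 group 2
tunnel-group y.y.y.y ipsec-attributes
 pre-shared-key !SuperSecretPSK!
"""
VYOS_CONFIG = """\
set vpn ipsec esp-group ESP-1W pfs dh-group5
set vpn ipsec esp-group ESP-1W proposal 1 encryption 3des
set vpn ipsec esp-group ESP-1W proposal 1 hash sha1
set vpn ipsec ike-group IKE-1W proposal 1 dh-group 2
set vpn ipsec ike-group IKE-1W proposal 1 encryption 3des
set vpn ipsec ike-group IKE-1W proposal 1 hash sha1
set vpn ipsec site-to-site peer x.x.x.x authentication pre-shared-secret !SuperSecretPSK!
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 local prefix 172.16.1.0/24
set vpn ipsec site-to-site peer x.x.x.x tunnel 1 remote prefix 192.168.1.0/24
"""
LEGACY_ALGS = {"des", "3des", "md5"}  # 64-bit block ciphers and MD5 (SHA-1 HMAC is all IKEv1 on the ASA offers)
LEGACY_GROUPS = {"1", "2", "5"}       # MODP groups below 2048 bits


def norm_alg(name):  # ASA 'sha' is VyOS 'sha1'; 'aes-256' and 'aes256' are the same thing
    name = name.lower().replace("-", "")
    return "sha1" if name == "sha" else name


def norm_group(name):  # 'group5', 'dh-group5' and '5' all denote DH group 5
    return re.sub(r"\D", "", name)


def parse_asa(text):
    """IKE policy, ESP transform set, PFS group, crypto ACLs and PSK from ASA CLI lines."""
    cfg = {"ike": {}, "esp": {}, "acl": {}}
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"): continue
        if tok[0] == "access-list" and "permit" in tok:
            i = tok.index("permit")  # ... permit ip SRC SMASK DST DMASK
            cfg["acl"][tok[1]] = (ipaddress.ip_network(f"{tok[i+2]}/{tok[i+3]}"), ipaddress.ip_network(f"{tok[i+4]}/{tok[i+5]}"))
        elif tok[:3] == ["crypto", "ipsec", "transform-set"]:  # NAME esp-<enc> esp-<hash>-hmac
            cfg["esp"]["encryption"] = norm_alg(tok[4].replace("esp-", ""))
            cfg["esp"]["hash"] = norm_alg(tok[5].replace("esp-", "").replace("-hmac", ""))
        elif "set pfs" in line:
            cfg["esp"]["pfs"] = norm_group(tok[-1])
        elif "match address" in line:
            cfg["esp"]["acl"] = tok[-1]
        elif tok[0] in ("encryption", "hash", "group"):  # isakmp policy sub-commands
            cfg["ike"][tok[0]] = norm_group(tok[1]) if tok[0] == "group" else norm_alg(tok[1])
        elif tok[0] == "pre-shared-key":
            cfg["psk"] = tok[1]
    return cfg


def parse_vyos(text):
    """The same parameters from VyOS/EdgeMax 'set vpn ipsec ...' lines."""
    cfg = {"ike": {}, "esp": {}, "tunnel": {}}
    for line in text.splitlines():
        tok = line.split()
        if tok[:3] != ["set", "vpn", "ipsec"] or len(tok) < 6: continue
        kind, rest = tok[3], tok[4:]
        if kind in ("ike-group", "esp-group"):
            section, key, val = kind[:3], rest[-2], rest[-1]  # NAME [proposal N] key value
            if key in ("dh-group", "pfs"):  # keyed by the ASA's name for the same parameter
                cfg[section]["group" if key == "dh-group" else "pfs"] = norm_group(val)
            else:
                cfg[section][key] = norm_alg(val)
        elif kind == "site-to-site":
            if rest[-2] == "pre-shared-secret":
                cfg["psk"] = rest[-1]
            elif rest[-2] in ("prefix", "subnet"):  # 'prefix' on VyOS, 'subnet' on EdgeMax
                cfg["tunnel"][rest[-3]] = ipaddress.ip_network(rest[-1])
    return cfg


def compare(asa, vyos):
    """Human-readable mismatches; [] means both sides agree. Lifetimes are skipped: IKEv1 negotiates them down."""
    problems = []
    for section, keys in (("ike", ("encryption", "hash", "group")), ("esp", ("encryption", "hash", "pfs"))):
        for key in keys:
            a, v = asa[section].get(key), vyos[section].get(key)
            if a != v:
                problems.append(f"{section.upper()} {key}: ASA={a} VyOS={v}")
    if asa.get("psk") != vyos.get("psk"):
        problems.append("pre-shared key differs")
    src, dst = asa["acl"].get(asa["esp"].get("acl"), (None, None))  # crypto ACL src/dst ...
    local, remote = vyos["tunnel"].get("local"), vyos["tunnel"].get("remote")  # ... must be remote/local here
    if (src, dst) != (remote, local):
        problems.append(f"selectors: ASA {src} -> {dst} vs VyOS local={local} remote={remote}")
    return problems


def legacy_settings(cfg):  # accepted by both platforms, but not what you would choose today
    algs = {cfg[s].get(k) for s in ("ike", "esp") for k in ("encryption", "hash")} & LEGACY_ALGS
    return algs | {"dh-group" + g for g in (cfg["ike"].get("group"), cfg["esp"].get("pfs")) if g in LEGACY_GROUPS}


if __name__ == "__main__":
    asa, vyos = parse_asa(ASA_CONFIG), parse_vyos(VYOS_CONFIG)
    print("mismatches:", compare(asa, vyos) or "none", "| legacy:", sorted(legacy_settings(asa)))
    print("after a one-line drift:", compare(asa, parse_vyos(VYOS_CONFIG.replace("proposal 1 hash sha1\nset vpn ipsec ike", "proposal 1 hash sha256\nset vpn ipsec ike"))))
```

Run it as-is and the first line reports no mismatches and the legacy set {3des, dh-group2, dh-group5}; the second line shows what a single drifted ESP hash looks like, which is exactly the kind of change that leaves Phase 1 up while Phase 2 never completes. Paste your own running configs into the two strings to check a real pair.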



I hope this article really helps someone. If you get stuck, make sure to leave a comment asking questions and I will see what I can do to help you out.

 

27 Responses for “IPSec Tunnel from ASA55xx to VyOS (or Vyatta)”

  1. IPSec tunnel from Cisco PIX 6.5 to VyOS (or Vyatta, or EdgeMax) | One Bad Pixel Says:

    […] IPSec Tunnel from ASA55xx to VyOS (or Vyatta) […]

  2. JP Says:

    Great tutorial. Thank you for posting. I need to setup a tunnel between an ASA and a VyOS, but I need to NAT the traffic on the VyOS side before going through the tunnel. So say for example the LAN (inside) subnet of the VyOS is 192.168.1.0/24, and so that subnet needs to be NATed to 10.0.0.0/24 before reaching ASA side. I tried looking over the VyOS documentation, but don’t see it. Any ideas? Thanks in advance.

  3. Jim Says:

    JP – Sure, this is pretty easy. I do this myself when I have a VPN to an external entity with conflicting address space.

    Basically, you need to make a source NAT rule to translate 192.168.1.0/24 to 10.0.0.0/24, and a DNAT rule to translate back from 10.0.0.0/24 to 192.168.1.0/24. You also need to update your VPN tunnel to have a tunnel defined for 10.0.0.0/24 to the remote subnet.

    For the sake of example, lets say the remote subnet is 172.16.1.0/24 and we are using the config in this post.

    ##translate 192.168.1.0 to 10.0.0.0 on the way out to the vpn
    set nat source rule 5 description "NAT 1:1 for traffic to VPN"
    set nat source rule 5 destination address 172.16.1.0/24
    set nat source rule 5 outbound-interface eth0
    set nat source rule 5 source address 192.168.1.0/24
    set nat source rule 5 translation address 10.0.0.0/24
    
    ##translate the 10.0.0.0 back to 192.168.1.0 on the way in from the vpn
    set nat destination rule 5 description "NAT 1:1 for traffic from VPN"
    set nat destination rule 5 destination address 10.0.0.0/24
    set nat destination rule 5 inbound-interface eth0
    set nat destination rule 5 source address 172.16.1.0/24
    set nat destination rule 5 translation address 192.168.1.0/24
    
    ##make sure the local prefix on the tunnel is the translated addresses
    set vpn ipsec site-to-site peer x.x.x.x tunnel 1 esp-group ESP-1W
    set vpn ipsec site-to-site peer x.x.x.x tunnel 1 local prefix 10.0.0.0/24
    set vpn ipsec site-to-site peer x.x.x.x tunnel 1 remote prefix 172.16.1.0/24
    
  4. JP Says:

    Thanks Jim. I think I got it, but it seems now I'm having trouble with the tunnel. Any chance I can send you my config and you can help me review it? This site-to-site is between an ASA and a VyOS. The tunnel shows MM_ACTIVE on the ASA side, and then shows a status of MM_ACTIVE_REKEY and MM_REKEY_DONE_H2 after a few minutes. On the VyOS side when I issue a "show vpn ipsec sa" the status shows DOWN, and a "show vpn ipsec status" shows 0 Active IPsec Tunnels. And a "show vpn debug" outputs quite a bit, of which STATE_MAIN_I3 is displayed. Much appreciated.

  5. Jim Says:

    JP,
    Sure thing. Send your config and the output from “show vpn debug” to jim@onebadpixel.com and I will take a look. Usually, just seeing the debug output is enough for me to find the problem.

  6. Brian Says:

    Jim,

    I have a VyOS router on which I have a number of site-to-site VPNs already established. In those I have a VPN with the remote network of 192.168.1.0/24.

    I now have another VPN that needs to be created, but that customer's network is also 192.168.1.0/24. Typically I would deal with translating the addresses on the customer side, but they don't have a router that will do NAT on the VPN tunnel.

    My local side is 10.84.0.0/16. Is there a way that I can leave the existing VPN for 192.168.1.0/24 alone and make the new one translate to, say, 192.168.101.0/24?

    Thanks!

  7. Jim Says:

    Brian,
    I see the dilemma here. It's not really possible to differentiate between the traffic since it all appears to come from 192.168.1.0/24. My suggestion here, if it is not possible to renumber either of the networks or do NAT on the remote side, is to set up a second VyOS router to terminate the conflicting new customer on. I know this isn't ideal for management, but it's the only solution I can think of to solve this issue. If either of the clients is able to use VTI, you could solve the problem, however, as your NAT rules would apply to traffic coming across the VTI rather than on the WAN interface.

  8. Brian Says:

    Jim,

    Thanks for the response. I was coming up with the same thing, just wanted to see if you had any other thoughts that I wasn't thinking of.

  10. aldus Says:

    We have a similar setup from an EdgeRouter to a Cisco, but we need to do a "translated local network" of all outgoing traffic.

    IKE is up but IPsec is not.

    000 %myid = ‘%any’
    000 loaded plugins: test-vectors curl ldap aes des sha1 sha2 md5 random x509 pkcs1 pgp dnskey pem openssl gmp hmac xauth attr kernel-netlink resolve
    000 debug options: none
    000
    000 “peer-REMOTEPUBLICIP-tunnel-1”: 192.168.1.0/24===LOCALPUBLICIP[LOCALPUBLICIP]—WANOUTIP…REMOTEPUBLICIP[REMOTEPUBLICIP]===10.113.10.0/24; erouted HOLD; eroute owner: #0
    000 “peer-REMOTEPUBLICIP-tunnel-1”: ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
    000 “peer-REMOTEPUBLICIP-tunnel-1”: policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: pppoe0;
    000 “peer-REMOTEPUBLICIP-tunnel-1”: newest ISAKMP SA: #1; newest IPsec SA: #0;
    000 “peer-REMOTEPUBLICIP-tunnel-1”: IKE proposal: 3DES_CBC/HMAC_SHA1/MODP_1024
    000
    000 #33: “peer-REMOTEPUBLICIP-tunnel-1” STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 7s
    000 #32: “peer-REMOTEPUBLICIP-tunnel-1” STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 7s
    000 #1: “peer-REMOTEPUBLICIP-tunnel-1” STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 26753s; newest ISAKMP
    000

    show vpn ike sa
    Peer ID / IP Local ID / IP
    ———— ————-
    REMOTEPUBLICIP LOCALPUBLICIP

    State Encrypt Hash D-H Grp NAT-T A-Time L-Time
    —– ——- —- ——- —– —— ——
    up 3des sha1 2 no 2234 28800

    show vpn ipsec sa
    Peer ID / IP Local ID / IP
    ———— ————-
    REMOTEPUBLICIP LOCALPUBLICIP

    Tunnel State Bytes Out/In Encrypt Hash NAT-T A-Time L-Time Proto
    —— —– ————- ——- —- —– —— —— —–
    1 down n/a n/a n/a no 0 3600 all

    I tried with a NAT exclude.

    rule type intf translation
    —- —- —- ———–
    X5000 SRC pppoe0 saddr 192.168.1.0/24 to 10.XXX.XXX.XXX
    proto-all sport ANY
    when daddr 10.113.10.0/24, dport ANY

    But I see no packet count, nor the IPsec VPN coming up.

    Any suggestion?

  11. Nwenne Says:

    Hi JIm,

    Thanks for the post, but I am having issues connecting to an ASA which is behind a NAT IP address.
    I have replaced the public NATed IP with XXXX and the private IP with YYYY. Is there anywhere we can define the local real IP and the NATed IP as in Openswan?

    Please see the logs generated from the Vyatta when we try to connect:

    Mar 6 05:39:52 vyatta-64bit pluto[2123]: “peer-XXXX-tunnel-1” #174483: Peer ID is ID_IPV4_ADDR: ‘YYYY’
    Mar 6 05:39:52 vyatta-64bit pluto[2123]: “peer-XXXX-tunnel-1” #174483: we require peer to have ID ‘XXXX’, but peer declares ‘YYYY’
    Mar 6 05:39:52 vyatta-64bit pluto[2123]: “peer-XXXX-tunnel-1” #174483: sending encrypted notification INVALID_ID_INFORMATION to XXXX:500
    Mar 6 05:39:52 vyatta-64bit pluto[2123]: “peer-XXXX-tunnel-1” #174483: ignoring Delete SA payload: ISAKMP SA not established
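The three symptoms reported in comments 4, 10 and 11 (Phase 1 stuck at MAIN_I3, Phase 1 up but no IPsec SA ever installed, and a peer whose IKE identity does not match the address we dialed) are each readable straight out of pluto's state names. As an added example, and not code from the post or from any commenter, here is a small Python triage function that classifies a block of VyOS/Vyatta "show vpn debug" or syslog output into Phase 1 state, Phase 2 state and the most likely cause. The sample inputs are the lines quoted in comments 10 and 11 above (the posters' own address masking is kept; WordPress smart quotes are turned back into the plain quotes pluto actually emits), plus one constructed line in the same pluto format for the MAIN_I3 case from comment 4. The remediation hints in the diagnosis strings are my suggestions.

```python
"""Triage pluto (IKEv1) state from VyOS/Vyatta 'show vpn debug' or syslog output."""
import re

# Status lines quoted in comment 10 (addresses masked by the poster).
COMMENT10_STATUS = """\
000 "peer-REMOTEPUBLICIP-tunnel-1": newest ISAKMP SA: #1; newest IPsec SA: #0;
000 #33: "peer-REMOTEPUBLICIP-tunnel-1" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 7s
000 #32: "peer-REMOTEPUBLICIP-tunnel-1" STATE_QUICK_I1 (sent QI1, expecting QR1); EVENT_RETRANSMIT in 7s
000 #1: "peer-REMOTEPUBLICIP-tunnel-1" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 26753s; newest ISAKMP
"""

# Syslog lines quoted in comment 11 (addresses masked by the poster, plain quotes restored).
COMMENT11_SYSLOG = """\
Mar 6 05:39:52 vyatta-64bit pluto[2123]: "peer-XXXX-tunnel-1" #174483: Peer ID is ID_IPV4_ADDR: 'YYYY'
Mar 6 05:39:52 vyatta-64bit pluto[2123]: "peer-XXXX-tunnel-1" #174483: we require peer to have ID 'XXXX', but peer declares 'YYYY'
Mar 6 05:39:52 vyatta-64bit pluto[2123]: "peer-XXXX-tunnel-1" #174483: sending encrypted notification INVALID_ID_INFORMATION to XXXX:500
"""

# Constructed, not from the page: the same status format when Phase 1 never gets
# past MAIN_I3, which is the symptom described in comment 4.
STUCK_MAIN_I3 = """\
000 #2: "peer-x.x.x.x-tunnel-1" STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 10s
"""

ID_MISMATCH = re.compile(r"we require peer to have ID ['\u2018]([^'\u2019]+)['\u2019], but peer declares ['\u2018]([^'\u2019]+)['\u2019]")
STATE = re.compile(r'#(\d+): "([^"]+)" STATE_(MAIN|QUICK)_([IR]\d)[^;]*;\s*(EVENT_\w+)')


def triage(text):
    """Classify pluto output into Phase 1 / Phase 2 state plus the most likely cause."""
    m = ID_MISMATCH.search(text)
    if m:
        expected, declared = m.groups()
        return {"phase1": "rejected", "phase2": "none", "diagnosis": (
            f"peer ID mismatch: we expect the peer to identify as {expected} but it declares {declared}, "
            "so Main Mode is torn down with INVALID_ID_INFORMATION (typical for a peer behind NAT); "
            "pin the identity with 'crypto isakmp identity' on the ASA or 'authentication remote-id' on VyOS")}
    phase1, phase2 = "unknown", "none"
    for st in STATE.finditer(text):
        mode, step, event = st.group(3), st.group(4), st.group(5)
        if mode == "MAIN":
            if step in ("I4", "R3"):  # Main Mode complete on this side
                phase1 = "established"
            elif event == "EVENT_RETRANSMIT" and phase1 != "established":
                phase1 = f"stuck at MAIN_{step} (retransmitting)"
        elif step in ("I2", "R2"):  # Quick Mode complete: an IPsec SA is installed
            phase2 = "established"
        elif event == "EVENT_RETRANSMIT" and phase2 != "established":
            phase2 = f"no reply at QUICK_{step} (retransmitting)"
    if phase2 == "none" and "newest IPsec SA: #0" in text:
        phase2 = "none (no IPsec SA has ever been installed)"
    if phase1 == "established" and phase2 == "established":
        diagnosis = "tunnel up"
    elif phase1 == "established":
        diagnosis = ("Phase 1 is up but the peer is not completing Phase 2: check that the ESP proposal, PFS "
                     "group and traffic selectors mirror the peer exactly (a source NAT applied before the "
                     "tunnel changes the selector this side proposes)")
    elif phase1.startswith("stuck at MAIN_I3"):
        diagnosis = ("Phase 1 stalls after our first encrypted message, so the peer cannot authenticate us: "
                     "check the pre-shared key on both sides and the IKE identities")
    else:
        diagnosis = "not enough state in this output to say"
    return {"phase1": phase1, "phase2": phase2, "diagnosis": diagnosis}


if __name__ == "__main__":
    for label, sample in (("comment 10", COMMENT10_STATUS), ("comment 11", COMMENT11_SYSLOG), ("constructed", STUCK_MAIN_I3)):
        print(label, triage(sample))
```

Feed it the raw output of "show vpn debug" (or the pluto lines from /var/log/messages) and read the diagnosis before touching the config: a QUICK_I1 retransmit loop with Phase 1 established is a Phase 2 mismatch on the other box, a MAIN_I3 loop is almost always the PSK, and the "we require peer to have ID" message is the peer's identity, not its proposals.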

  12. Jim Says:

    Nwenne, Do you have a router in front of the ASA doing the NAT, or is it on the ASA itself? This article discusses your scenario: https://supportforums.cisco.com/discussion/11016106/how-can-i-configure-local-id-asa

  13. wayne Says:

    New to VPN setup.

    is it possible to use VTI interface on Vyatta going to l2l tunnel on ASA?

  14. Jim Says:

    Wayne, It is unlikely that this is possible, because the VTI is an IPIP tunnel which works differently than the way the L2L tunnel on an ASA works. I have not actually tried it myself.

  15. Farhad Says:

    I have a VyOS firewall behind the bastion in AWS. Can you please guide me on how it is possible to connect it with my Cisco ASA 5505 using IPsec?

    Thanks in advance

  18. Nwenne Says:

    Hello Jim,

    The ASA is behind a Cyberoam device and is NATed on the Cyberoam. Phase 1 seems to form, then suddenly is torn down by the Vyatta box. Is there any configuration on the Vyatta that can help it identify that it should ignore the private ID?

  19. JP Says:

    Do you have an example of a VPN config for a Static-to-Dynamic setup? Where the ASA is the static IP peer and the VyOS dynamic. I have site-to-site tunnels to the ASA already (using static IPs at each end), so I can configure that portion. My challenge is configuring a VyOS behind a “home” dynamic connection.

  20. Jim Says:

    The only real difference on the ASA is that you don't know the remote peer address. On the ASA, omit the

    crypto map outside_map 1 set peer y.y.y.y
    

    and add a default L2L pre-shared key to use for the remote host.

    tunnel-group DefaultL2LGroup type ipsec-l2l
    tunnel-group DefaultL2LGroup ipsec-attributes
    pre-shared-key !SuperSecretPSK!
    

    It is worth noting that ONLY the remote would be able to start the connection.

  21. Ler Says:

    Hello,
    I am trying to get this setup. I am not clear on how you apply your firewall rules. I can define them but what interfaces and scope do they belong to? Thank you for writing this up. Hard to find this info.
    Ler

  22. Jim Says:

    Hey Ler,
    Once you create a policy (I like to name mine stuff so I remember what they are, like TO-LAN-IPV4) you apply them to an interface like:


    set interfaces ethernet eth0 firewall in name TO-LAN-IPV4

    The “in” indicates the direction, and would be either “in” for stuff coming in the interface (and passing through), “local” for stuff coming in the interface (but destined to the router), or “out” for stuff leaving the interface.

  23. Ler Says:

    OK so does the TO-LAN-IPV4 policy belong on eth0 in and TO-ROUTER-IPV4 belong on eth0 out ?

  24. Jim Says:

    TO-LAN-IPV4 belongs on the WAN port (eth0?) as “in” and TO-ROUTER-IPV4 belongs on the WAN port (eth0?) as “local”.

    TO-LAN-IPV4 controls traffic passing *THROUGH* the router to the LAN
    TO-ROUTER-IPV4 controls traffic *TO* the router

  25. Ler Says:

    Sorry for the multiple messages, but I guess what I am confused on is whether this is a partial firewall rule to be added to existing ones? We do not currently use the firewall functionality of our VyOS (probably should).

  26. Jim Says:

    Oh, I see. Yes, the rule I described in this article was a partial, to add to the existing policies that I described in previous articles. If you are not using firewall policies, then you don't need to do anything there, but I highly recommend you add a policy; otherwise hackers are going to be hammering on your router constantly (and probably already are).

  27. Ler Says:

    Jim,
    Thanks a million for your help. I went back to your previous tutorials and restructured my config file to better reflect some of the standards you laid out. I’ve been running Vyatta/VyOS for many years but never with a proper firewall in place. I now have my firewall in place and have also established a dedicated tunnel with an ASA55. Thanks!
    Larry
