11-01-2012 05:48 AM
I have been working in my lab (more like a big office) on getting a Cisco ASA5525 and an Aruba 650 point-to-point tunnel working using ikev2. They seem to talk, but it's hard to say where the problem might lie. I am new to Aruba and have been working with Cisco for a while. I did some debug yesterday and was able to get them to agree on their profiles. However, I was unable to get the tunnel working. Will this even work? Pretty simple network design. I have two Cisco ASA devices and two Aruba 650 devices to work with. I have already configured the 650 to use ikev2 certs for client connections and wireless. I have attached the configurations for both devices. Security is not a concern within the configurations, just want to get it working; securing the devices is secondary for now. Thanks.
11-01-2012 08:09 AM
I used to work as an embedded software developer for Shiva (IPSec VPN Gateways).
I did inter-operability testing and set up various different kinds of VPN appliances using IPSec.
The worst IPSec stack to inter-operate with is Cisco's.
I recently tried to interconnect a device that had an embedded KAME based IPSec Stack.
I lost a total of one week worth of effort trying to make it work...
I was able to get to a point where Phase 1 was working; however, Phase 2 was never stable and routing was not consistent.
My 2 cents advice: Replace your Cisco ASA with a Linux based IPSec Gateway like: IPCop, Endian Firewall, M0n0Wall, Vyatta, ...
11-01-2012 10:13 AM
Thanks for your suggestion, would be nice to try one of these products, but I am limited to the Juniper, Cisco and Aruba products at hand. I will keep working on this to see where it will take me.
11-01-2012 10:41 AM
Got them working with a little help from a good man at Aruba.
On the Cisco end I had to delete:
no crypto isakmp identity address
On the Aruba end I had to delete:
(Aruba650) (config-ipsec-map)# no peer-cert-dn
(Aruba650) (config-ipsec-map)# exit
(Aruba650) (config) #exit
If you want to duplicate this, use the above configurations with these changes. The pre-shared key is password.
We have proved that a Cisco ASA5525 can tunnel to an Aruba 650 with ikev2 and a pre-shared key. I will try certs next and share if anyone is interested.
11-01-2012 11:14 AM
Thanks for sharing the information!
By the way...
These are all Open Source products available in a 'community' edition (free).
It's easy to install them as a Virtual Appliance in VMware Workstation or VMware ESX (or any hypervisor of your choice).
These are feature-rich, stable and free appliances that are worth trying!
01-10-2013 11:31 AM
In case anyone is interested: in the lab at work I was able to get an Aruba 650 to create point-to-point dynamic tunnels with the following, using ikev2 and EC certs (generated with OpenSSL):
StrongSwan to Aruba 650
ASA5525 to Aruba 650
Juniper SRX to Aruba 650
01-10-2013 11:57 AM
Details would be nice :)
Aruba Customer Engineering
03-11-2013 10:59 AM
Sorry, buried in a project. Basics are below. Some erased for brevity and privacy. Cisco seems to have better debugs for phase 1, which helps to match up policy. It will say "expected" and "received". Adjust as needed.
The basics are:
Phase 1 or Policy
crypto isakmp policy 1
crypto ikev2 policy 1
 lifetime seconds 86400
crypto-local isakmp server-certificate "aruba_ec"
crypto-local isakmp ca-certificate "cacert_ec"
crypto-local ipsec-map Site-to-Site-Hub 100
 set ikev2-policy 1
 peer-cert-dn "/C=US/ST=New Jersey/L=Oseola/O=IAS/OU=COMP/CN=asa5525.sas.ipnet"
 src-net *(Erased for privacy)
 dst-net *(Erased for privacy)
 set transform-set "default-gcm256" "default-1st-ikev2-transform" "default-3rd-ikev2-transform"
 set security-association lifetime seconds 86400
 set pfs group20
 set ca-certificate cacert_ec
 set server-certificate aruba_ec
access-list outside_cryptomap_1 extended permit ip *(Erased for privacy) 255.255.255.0 *(Erased for privacy) 255.255.255.0
crypto dynamic-map ss_dynamic 2 match address outside_cryptomap_1
crypto dynamic-map ss_dynamic 2 set pfs group20
crypto dynamic-map ss_dynamic 2 set ikev2 ipsec-proposal aruba
crypto dynamic-map ss_dynamic 2 set reverse-route
crypto dynamic-map ss_dynamic 65535 set ikev2 ipsec-proposal aruba
crypto dynamic-map ss_dynamic 65535 set reverse-route
crypto map outside_map5 2 ipsec-isakmp dynamic ss_dynamic
crypto map outside_map5 interface Gray
crypto ca trustpoint ASDM_TrustPoint0
crypto ca trustpoint ASDM_TrustPoint1
 subject-name CN=* (Erased for privacy)
crypto ca trustpoint ASDM_TrustPoint3
 subject-name CN=*(Erased for privacy)
crypto ca trustpool policy
tunnel-group ss_dynamic ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate ASDM_TrustPoint3
Phase 2 (ipsec)
crypto ipsec transform-set cisco esp-aes256-gcm esp-null-hmac
crypto ipsec ikev2 ipsec-proposal strong
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
Where I am weak is moving the certs from one Aruba to another. Cisco has the export feature for its certs and keys. I did perform a flashbackup and copied it from one to another, and that seemed to work. I also had issues with the CSR on one of the Arubas. It didn't seem to want to overwrite the old one. Is there a way to delete this information? How would one clear this out when you wanted to remove a device from service? Wouldn't want old certs, keys, or even a CSR left behind.
Also, if you are configuring a CA, make the state two letters instead of spelled out. You will save yourself a big headache. The GUI only allows two letters; the command line lets you spell it out. Tunnels are dynamic and not static, so they match on the subject information in the cert. It has to be exact. Note that the 0.0.0.0 addresses above are straight out of the configs and truncated. All certs were generated with OpenSSL.
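The two points above that bite people most are the exact subject match on the Aruba peer-cert-dn line and the two-letter ST= value. The following is an added example, not dh1633pm's own scripts or configs: it builds a small OpenSSL EC PKI of the kind the earlier post (StrongSwan/ASA/SRX to Aruba 650 with EC certs) describes, prints the issued certificate's subject in the slash form the peer-cert-dn line takes, and checks that the peer certificate chains to the CA. All names, paths and DNs are constructed; the choice of secp384r1 is an assumption that matches the pfs group20 (ECP 384-bit) used in the configs above, not something the thread specifies for the certificate keys.

```shell
#!/bin/sh
# Added example: OpenSSL EC PKI whose subject DNs are printed in the
# slash form used by the Aruba "peer-cert-dn" line. Not from the thread.
set -eu

# All files are written to a scratch directory (constructed path).
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# make_ec_key FILE : P-384 private key (assumption: secp384r1, the curve
# behind IKE "group20").
make_ec_key() {
    openssl ecparam -name secp384r1 -genkey -noout -out "$1" 2>/dev/null
}

# make_ca NAME SUBJECT : self-signed EC CA certificate NAME.pem / NAME.key
make_ca() {
    make_ec_key "$WORKDIR/$1.key"
    openssl req -x509 -new -sha384 -days 365 -key "$WORKDIR/$1.key" \
        -subj "$2" -out "$WORKDIR/$1.pem" 2>/dev/null
}

# issue_cert NAME CA SUBJECT : CSR plus CA-signed certificate for one VPN peer
issue_cert() {
    make_ec_key "$WORKDIR/$1.key"
    openssl req -new -sha384 -key "$WORKDIR/$1.key" -subj "$3" \
        -out "$WORKDIR/$1.csr" 2>/dev/null
    openssl x509 -req -sha384 -days 365 -in "$WORKDIR/$1.csr" \
        -CA "$WORKDIR/$2.pem" -CAkey "$WORKDIR/$2.key" -CAcreateserial \
        -out "$WORKDIR/$1.pem" 2>/dev/null
}

# peer_cert_dn NAME : subject of NAME.pem in slash form, e.g.
# /C=US/ST=NJ/L=Lab/O=Example/OU=COMP/CN=asa5525.example.test
peer_cert_dn() {
    openssl x509 -noout -subject -nameopt compat -in "$WORKDIR/$1.pem" \
        | sed -e 's/^subject= *//'
}

# verify_chain NAME CA : succeed only if NAME.pem chains to CA.pem
verify_chain() {
    openssl verify -CAfile "$WORKDIR/$2.pem" "$WORKDIR/$1.pem" 2>/dev/null \
        | grep -q ': OK$'
}

# dn_matches NAME EXPECTED : exact string comparison, which is what the
# controller does when it matches a dynamic tunnel against peer-cert-dn
dn_matches() {
    [ "$(peer_cert_dn "$1")" = "$2" ]
}

# Demo run: a CA, one ASA peer cert, and the line to paste into the ipsec-map.
demo() {
    asa_dn="/C=US/ST=NJ/L=Lab/O=Example/OU=COMP/CN=asa5525.example.test"
    make_ca cacert_ec "/C=US/ST=NJ/O=Example/CN=Example Lab CA"
    issue_cert asa5525 cacert_ec "$asa_dn"
    verify_chain asa5525 cacert_ec
    dn_matches asa5525 "$asa_dn"
    echo " peer-cert-dn \"$(peer_cert_dn asa5525)\""
}

demo
```

Note that `-nameopt compat` is what produces the `/C=.../CN=...` form; the default `openssl x509 -subject` output on newer OpenSSL releases is comma-separated and will not match what the controller expects. A spelled-out `ST=New Jersey` in the certificate will fail `dn_matches` against a two-letter `ST=NJ` on the map, which is exactly the mismatch the post warns about.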
09-10-2013 06:43 PM
I'm trying to understand why in the Aruba ipsec-map the "dst-net" has to be a single destination subnet. What if I want to be able to access any destination via the tunnel? I cannot input "0.0.0.0 0.0.0.0" into "dst-net" on my ipsec-map.
I get the following error:
(Aruba620) (config-ipsec-map)# dst-net 0.0.0.0 0.0.0.0
Error destination network 0.0.0.0/0.0.0.0 overlaps with ipsec-map "GLOBAL-MAP"
12-15-2013 12:51 PM
Hey dh1633pm, this is a seriously cool post - thanks, I especially like your use of certificates in preference to PSK. I am looking for precisely this kind of thing at the moment and I too am faced with interoperability issues, as I tend to favour the Aruba products as they are all-rounders, but I've got a bunch of legacy backend stuff that - let's just say - I do not have the authority or the energy to argue about internally.
This is heading toward this "instant office" idea/project I have been working on the side (old news to others I am sure, just me selling internally...). Thanks again.