Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Anyone able to get an Aruba 650 and Cisco ASA point to point tunnel working?

  • 1.  Anyone able to get an Aruba 650 and Cisco ASA point to point tunnel working?

    Posted Nov 01, 2012 08:48 AM

    I have been working in my lab (more like a big office) on getting a Cisco ASA5525 and an Aruba 650 point to point tunnel working using ikev2.  They seem to talk but its hard to say where the problem might lay.  I am new to Aruba and have been working with Cisco for a while.  I did some debug yesterday and was able to get them to agree on their profiles.  However unable to get the tunnel working.  Will this even work?   Pretty simple network design.  I have two Cisco ASA devices and two Aruba 650 devices to work with.  I have already configured the 650 to use ikev2 certs for client connections and wireless.  I have attached the configurations for both devices.  Security is not a concern within the configurations, just want to get it working, securing the devices is secondary for now.  Thanks.

    Attachments: Aruba_to_ASA_P2P.png, 5525.txt (6 K), aruba.txt (17 K)


  • 2.  RE: Anyone able to get an Aruba 650 and Cisco ASA point to point tunnel working?

    Posted Nov 01, 2012 11:09 AM

    Hi,

     

    I used to work as an embedded software developer for Shiva (IPSec VPN Gateways).

    I did inter-operability testing and set up various kinds of VPN appliances using IPSec.

     

    The worst IPSec stack to inter-operate with is Cisco's.

     

    I recently tried to interconnect a device that had an embedded KAME based IPSec Stack.

    I lost a total of one week worth of effort trying to make it work...

    I was able to get to a point where Phase 1 was working; however, Phase 2 was never stable and routing was not consistent.

     

    My 2 cents advice: Replace your Cisco ASA with a Linux based IPSec Gateway like: IPCop, Endian Firewall, M0n0Wall, Vyatta, ...

     



  • 3.  RE: Anyone able to get an Aruba 650 and Cisco ASA point to point tunnel working?

    Posted Nov 01, 2012 01:14 PM

    Thanks for your suggestion, would be nice to try one of these products, but I am limited to the Juniper, Cisco and Aruba products at hand.  I will keep working on this to see where it will take me. 



  • 4.  RE: Anyone able to get an Aruba 650 and Cisco ASA point to point tunnel working?
    Best Answer

    Posted Nov 01, 2012 01:42 PM

    Got them working with a little help from good man at Aruba.

     

    On the Cisco end I had to delete:

     

    no crypto isakmp identity address

     

    On the Aruba end I had to delete:

     

    (Aruba650) (config-ipsec-map)#  no peer-cert-dn

    (Aruba650) (config-ipsec-map)#  exit

    (Aruba650) (config) #exit

     

    If you want to duplicate this, use the above configurations with these changes.  The pre-shared key is password. 

    We have proved that a Cisco ASA5525 can tunnel to an Aruba 650 with ikev2 and a pre-shared key.  I will try certs next and share if anyone is interested. 



  • 5.  RE: Anyone able to get an Aruba 650 and Cisco ASA point to point tunnel working?

    Posted Nov 01, 2012 02:14 PM

    Hi,

     

    Thanks for sharing the information!

     

    By the way...

    Endian Firewall

    M0n0Wall

    Vyatta

     

    are all Open Source products available in 'community' edition (free).

    They are easy to install as a Virtual Appliance in VMWare Workstation or VMWare ESX (or any hypervisor of your choice).

    These are feature-rich, stable and free appliances that are worth trying!

     

    Best regards,

     



  • 6.  RE: Anyone able to get an Aruba 650 and Cisco ASA point to point tunnel working?

    Posted Jan 10, 2013 02:31 PM

    In case anyone is interested.  In the lab at work I was able to get an Aruba 650 to create point-to-point dynamic tunnels with the following, using ikev2 and EC certs (generated with OpenSSL):

     

    StrongSwan to Aruba 650

    ASA5525 to Aruba 650

    Juniper SRX to Aruba 650



  • 7.  RE: Anyone able to get an Aruba 650 and Cisco ASA point to point tunnel working?

    Posted Jan 10, 2013 02:58 PM

    Details would be nice :)

     



  • 8.  RE: Anyone able to get an Aruba 650 and Cisco ASA point to point tunnel working?

    Posted Mar 11, 2013 02:00 PM

    Sorry, buried in a project.  Basics are below.  Some erased for brevity and privacy.  Cisco seems to have better debugs for phase 1, which helps to match up policy.  It will say "expected" and "received".  Adjust as needed. 

     

    The basics are:

     

    Phase 1 or Policy

     

    Aruba

     

    crypto isakmp policy 1
      version v2
      encryption aes256
      hash sha2-384-192
      group 20
      authentication ecdsa-384
      prf prf-hmac-sha384
      lifetime 86400

     

    Cisco

     

    crypto ikev2 policy 1
     encryption aes-256
     integrity sha384
     group 20
     prf sha384
     lifetime seconds 86400

     

     

    Certs:

     

    Aruba

     

    crypto-local isakmp server-certificate "aruba_ec"
    crypto-local isakmp ca-certificate "cacert_ec"

    crypto-local ipsec-map Site-to-Site-Hub 100
      version v2
      set ikev2-policy 1
      peer-ip 0.0.0.0
      peer-cert-dn "/C=US/ST=New Jersey/L=Oseola/O=IAS/OU=COMP/CN=asa5525.sas.ipnet.com/E=cinp@aosec.com"
      peer-fqdn any-fqdn
      vlan 54
      src-net  *(Erased for privacy)
      dst-net  *(Erased for privacy)
      set transform-set "default-gcm256" "default-1st-ikev2-transform" "default-3rd-ikev2-transform"
      set security-association lifetime seconds 86400
      set pfs group20
      pre-connect disable
      trusted enable
      force-natt disable
      set ca-certificate cacert_ec
      set server-certificate aruba_ec

    tunneled-node-address 0.0.0.0

     

    Cisco

     

    access-list outside_cryptomap_1 extended permit ip *(Erased for privacy) 255.255.255.0 *(Erased for privacy) 255.255.255.0

    crypto dynamic-map ss_dynamic 2 match address outside_cryptomap_1
    crypto dynamic-map ss_dynamic 2 set pfs group20
    crypto dynamic-map ss_dynamic 2 set ikev2 ipsec-proposal aruba
    crypto dynamic-map ss_dynamic 2 set reverse-route
    crypto dynamic-map ss_dynamic 65535 set ikev2 ipsec-proposal aruba
    crypto dynamic-map ss_dynamic 65535 set reverse-route
    crypto map outside_map5 2 ipsec-isakmp dynamic ss_dynamic
    crypto map outside_map5 interface Gray
    crypto ca trustpoint ASDM_TrustPoint0
     enrollment terminal
     crl configure
    crypto ca trustpoint ASDM_TrustPoint1
     enrollment terminal
     fqdn asa5525.sas.ipnet.com
     subject-name CN=* (Erased for privacy)
     crl configure


    crypto ca trustpoint ASDM_TrustPoint3
     enrollment terminal
     subject-name CN=*(Erased for privacy)
     keypair aruba
     crl configure
    crypto ca trustpool policy

    tunnel-group ss_dynamic ipsec-attributes
     peer-id-validate cert
     ikev2 remote-authentication certificate
     ikev2 local-authentication certificate ASDM_TrustPoint3

     

    Phase 2 (ipsec)

     

    Aruba

     

    crypto ipsec transform-set cisco esp-aes256-gcm esp-null-hmac

     

    Cisco

     

    crypto ipsec ikev2 ipsec-proposal strong
     protocol esp encryption aes-gcm-256
     protocol esp integrity null

     

     

    Where I am weak is moving the certs from one Aruba to another.  Cisco has the export feature for its certs and keys.  I did perform a flashbackup and copied it from one to another, and that seemed to work.  I also had issues with the CSR on one of the Arubas.  It didn't seem to want to overwrite the old one.  Is there a way to delete this information?  How would one clear this out when you wanted to remove a device from service?  Wouldn't want old certs, keys, or even a CSR left behind.

     

    Also, if you are configuring a CA, make the state two letters instead of spelled out.  You will save yourself a big headache.  The GUI only allows two letters; the command line lets you spell it out.  Tunnels are dynamic, not static, so they match subject information in the cert.  It has to be exact.  Note that the 0.0.0.0 addresses above are straight out of the configs and truncated.  All certs generated with OpenSSL. 
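The certificate workflow post 8 describes (P-384 EC certs generated with OpenSSL for an ecdsa-384 / sha384 IKEv2 policy, a two-letter ST in the subject, and a subject that a dynamic tunnel matches exactly against peer-cert-dn), as an added example that is not part of the thread. The CA and peer subject values, the output directory and the file names below are constructed for the example; the E= attribute the post's DN carries is omitted because OpenSSL's -subj wants it spelled emailAddress=. The last function does the check the post says bites people: it chains the leaf to the CA, confirms the key is on secp384r1, and compares the subject string byte for byte with the DN you would put on the Aruba side.

```shell
#!/bin/sh
# Added example (not from the thread): build an EC P-384 CA and a peer cert with
# OpenSSL and verify the leaf's subject matches the DN an Aruba ipsec-map's
# peer-cert-dn would carry. Subject values and file names are constructed.
set -eu

# The DN the peer cert must carry. ST is two letters, as the post advises for
# the Aruba GUI. Hostname and organisation are placeholders (assumption).
PEER_DN="/C=US/ST=NJ/L=Lab/O=Example/OU=NET/CN=asa.example.net"

# make_ec_pki DIR -> writes ca.key ca.crt peer.key peer.csr peer.crt under DIR
make_ec_pki() {
    dir="$1"
    mkdir -p "$dir"
    # CA key and self-signed CA certificate on P-384 (secp384r1), sha384.
    openssl ecparam -name secp384r1 -genkey -noout -out "$dir/ca.key"
    openssl req -new -x509 -sha384 -days 3650 -key "$dir/ca.key" \
        -subj "/C=US/ST=NJ/O=Example/CN=Example EC CA" -out "$dir/ca.crt"
    # Peer (ASA-side) key, CSR with the exact DN, and a CA-signed certificate.
    openssl ecparam -name secp384r1 -genkey -noout -out "$dir/peer.key"
    openssl req -new -sha384 -key "$dir/peer.key" -subj "$PEER_DN" \
        -out "$dir/peer.csr"
    openssl x509 -req -sha384 -days 365 -in "$dir/peer.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/peer.crt"
}

# cert_subject_slash FILE -> subject in /C=.../CN=... form, "subject=" prefix
# removed, so it can be compared with a peer-cert-dn string directly.
cert_subject_slash() {
    openssl x509 -in "$1" -noout -subject -nameopt compat | sed 's/^subject= *//'
}

# cert_curve FILE -> named curve of the certificate's public key, e.g. secp384r1
cert_curve() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *ASN1 OID: //p'
}

# check_peer DIR -> 0 when peer.crt chains to ca.crt, is on P-384, and its
# subject equals PEER_DN exactly; 1 otherwise.
check_peer() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.crt" "$dir/peer.crt" >/dev/null || return 1
    [ "$(cert_curve "$dir/peer.crt")" = "secp384r1" ] || return 1
    [ "$(cert_subject_slash "$dir/peer.crt")" = "$PEER_DN" ] || return 1
}

# Stand-alone run: build the PKI in a temp dir and report the matched subject.
if command -v openssl >/dev/null 2>&1; then
    demo_dir=$(mktemp -d)
    make_ec_pki "$demo_dir"
    if check_peer "$demo_dir"; then
        echo "peer cert OK, subject: $(cert_subject_slash "$demo_dir/peer.crt")"
    else
        echo "peer cert does not match $PEER_DN" >&2
    fi
fi
```

Run it as `sh make_ec_pki.sh`; the line it prints is the string to paste into peer-cert-dn. If the print shows a spelled-out state or any other difference from what you configured, the dynamic tunnel will not select that ipsec-map, which is the failure the post warns about.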

     



  • 9.  RE: Anyone able to get an Aruba 650 and Cisco ASA point to point tunnel working?

    Posted Sep 10, 2013 09:43 PM

    Hi Guys,

     

    I'm trying to understand why in the Aruba ipsec-map the "dst-net" has to be a single destination subnet. What if I want to be able to access any destination via the tunnel? I cannot input  "0.0.0.0 0.0.0.0" into "dst-net" on my ipsec-map.

     

    I get the following error:

     

    (Aruba620) (config-ipsec-map)# dst-net 0.0.0.0 0.0.0.0
    Error destination network 0.0.0.0/0.0.0.0 overlaps with ipsec-map "GLOBAL-MAP"

     

    Thanks

     

    Chris

     



  • 10.  RE: Anyone able to get an Aruba 650 and Cisco ASA point to point tunnel working?

    Posted Dec 15, 2013 03:51 PM

    hey dh1633pm, this is a seriously cool post - thanks, especially like your use of certificates in preference to psk.  I am looking for precisely this kind of thing at the moment and I too am faced with interoperability issues, as I tend to favour the aruba products as they are all rounders, but I got a bunch of legacy backend stuff, that - lets just say - I do not have the authority or the energy to argue about internally.

     

    This is heading toward this "instant office" idea/project I have been working on the side (old news to others I am sure, just me selling internally...). Thanks again.



  • 11.  RE: Anyone able to get an Aruba 650 and Cisco ASA point to point tunnel working?

    Posted Mar 04, 2014 10:12 AM

    Hi guys!

     

    Lovely thread. I want to ask a couple of questions about choice of VPN concentrator to put in the middle for a bunch of site to site VPNs to aruba controllers.

     

    Here's my use case:

    1. I'll need VRF support to separate customers from each other.

    2. I'll need IPSEC support of course. (100Mbit encrypted throughput or so)

    3. I want to be able to scale to at least 200+ tunnels.

    4. I'll need to perform source-NAT and dest-NAT.

     

    Anyone got experience of a similar setup and got any advice for me?