I have been working in my lab (more like a big office) on getting a Cisco ASA5525 and an Aruba 650 point to point tunnel working using ikev2. They seem to talk but its hard to say where the problem might lay. I am new to Aruba and have been working with Cisco for a while. I did some debug yesterday and was able to get them to agree on their profiles. However unable to get the tunnel working. Will this even work? Pretty simple network design. I have two Cisco ASA devices and two Aruba 650 devices to work with. I have already configured the 650 to use ikev2 certs for client connections and wireless. I have attached the configurations for both devices. Security is not a concern within the configurations, just want to get it working, securing the devices is secondary for now. Thanks.
I used to work as a embedded software developer for Shiva (IPSec VPN Gateways).
I did inter-operability testing and setup various different kind of VPN Appliances using IPSec.
The worse IPSec stack to inter-operate with is Cisco's.
I recently tried to interconnect a device that had an embedded KAME based IPSec Stack.
I lost a total of one week worth of effort trying to make it work...
I was able to get to a point where the Phase 1 was working, however the Phase 2 was never stable and routing was not consistent.
My 2 cents advice: Replace your Cisco ASA with a Linux based IPSec Gateway like: IPCop, Endian Firewall, M0n0Wall, Vyatta, ...
Thanks for your suggestion, would be nice to try one of these products, but I am limited to the Juniper, Cisco and Aruba products at hand. I will keep working on this to see where it will take me.
Got them working with a little help from good man at Aruba.
On the Cisco end I had to delete:
no crypto isakmp identity address
On the Aruba end I had to delete:
(Aruba650) (config-ipsec-map)# no peer-cert-dn
(Aruba650) (config-ipsec-map)# exit
(Aruba650) (config) #exit
If you want to duplicate, use the above configurations with these changes. The pre-shared key is password.
We have proved that a Cisco ASA5525 can tunnel to an Aruba 650 with ikev2 and a pre-shared key. I will try certs next and share if anyone is interested.
Thanks for sharing the information!
By the way...
are all Open Source products available in 'community' edition (free).
It's easy to install as a Virtual Appliance in VMWare Workstation or VMWare ESX (or any hypervisor of your choice).
These are feature-rich, stable and free appliances that are worth trying!
In case anyone is interested. In the lab at work I was able to get an Aruba 650 to create point to point dynamic tunnels with the following using ikev2 and EC certs (generated with OpenSSL):
StrongSwan to Aruba 650
ASA5525 to Aruba 650
Juniper SRX to Aruba 650
Details would be nice :)
Sorry, buried in a project. Basics are below. Some erased for brevity and privacy. Cisco seems to have better debugs for phase 1 which helps to match up policy. Will say "expected" and "received". Adjust as needed.
The basics are:
Phase 1 or Policy
crypto isakmp policy 1 version v2 encryption aes256 hash sha2-384-192 group 20 authentication ecdsa-384 prf prf-hmac-sha384 lifetime 86400
crypto ikev2 policy 1 encryption aes-256 integrity sha384 group 20 prf sha384 lifetime seconds 86400
crypto-local isakmp server-certificate "aruba_ec"
crypto-local isakmp ca-certificate "cacert_ec"
crypto-local ipsec-map Site-to-Site-Hub 100
  version v2
  set ikev2-policy 1
  peer-ip 0.0.0.0
  peer-cert-dn "/C=US/ST=New Jersey/L=Oseola/O=IAS/OU=COMP/CN=asa5525.sas.ipnet.com/Efirstname.lastname@example.org"
  peer-fqdn any-fqdn
  vlan 54
  src-net *(Erased for privacy)
  dst-net *(Erased for privacy)
  set transform-set "default-gcm256" "default-1st-ikev2-transform" "default-3rd-ikev2-transform"
  set security-association lifetime seconds 86400
  set pfs group20
  pre-connect disable
  trusted enable
  force-natt disable
  set ca-certificate cacert_ec
  set server-certificate aruba_ec
access-list outside_cryptomap_1 extended permit ip *(Erased for privacy) 255.255.255.0 *(Erased for privacy) 255.255.255.0
crypto dynamic-map ss_dynamic 2 match address outside_cryptomap_1
crypto dynamic-map ss_dynamic 2 set pfs group20
crypto dynamic-map ss_dynamic 2 set ikev2 ipsec-proposal aruba
crypto dynamic-map ss_dynamic 2 set reverse-route
crypto dynamic-map ss_dynamic 65535 set ikev2 ipsec-proposal aruba
crypto dynamic-map ss_dynamic 65535 set reverse-route
crypto map outside_map5 2 ipsec-isakmp dynamic ss_dynamic
crypto map outside_map5 interface Gray
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 fqdn asa5525.sas.ipnet.com
 subject-name CN=*(Erased for privacy)
 crl configure
crypto ca trustpoint ASDM_TrustPoint3
 enrollment terminal
 subject-name CN=*(Erased for privacy)
 keypair aruba
 crl configure
crypto ca trustpool policy
tunnel-group ss_dynamic ipsec-attributes
 peer-id-validate cert
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate ASDM_TrustPoint3
Phase 2 (ipsec)
crypto ipsec transform-set cisco esp-aes256-gcm esp-null-hmac
crypto ipsec ikev2 ipsec-proposal strong protocol esp encryption aes-gcm-256 protocol esp integrity null
Where I am weak is moving the certs from one Aruba to another. Cisco has the export feature for its certs and keys. I did perform flashbackup and copied it from one to another and that seemed to work. I also had issues with the CSR on one of the Arubas. It didn't seem to want to overwrite the old. Is there a way to delete this information? How would one clear this out when you wanted to remove a device from service? Wouldn't want old certs, keys, or even a CSR left behind.
Also if you are configuring a CA, make the state two letters instead of spelled out. You will save yourself a big headache. GUI only allows two letters. Command line lets you spell out. Tunnels are dynamic and not static so they match subject information in the cert. Has to be exact. Note that the 0.0.0.0 addresses above are straight out of the configs and truncated. All certs generated with OpenSSL.
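Two things in the post above are where the "expected"/"received" debug output and the dynamic-map matching bite people: the phase 1 parameters have to agree even though the two vendors spell them differently, and the subject DN the ASA presents has to match the controller's peer-cert-dn exactly (the "New Jersey" versus "NJ" headache). The script below is an added example, not code from this thread or from Cisco or Aruba. It parses the two policy lines posted above, normalises the keyword spellings with a mapping that is an assumption about how the vendor names correspond, and reports any parameter that differs; it also compares two OpenSSL-style DNs attribute by attribute. The ASA line with sha256 and the NJ subject are constructed to show a mismatch.

```python
"""Pre-check IKEv2 phase 1 parameters and certificate subject DNs
before reading vendor debug output.

Added example for this thread; not Cisco or Aruba code.  The keyword
mapping in CANON is an assumption about how the two vendors name the
same algorithm, based on the policy lines posted in the thread.
"""

# The two policy lines as posted (Aruba first, ASA second).
ARUBA_POLICY = ("crypto isakmp policy 1 version v2 encryption aes256 "
                "hash sha2-384-192 group 20 authentication ecdsa-384 "
                "prf prf-hmac-sha384 lifetime 86400")
ASA_POLICY = ("crypto ikev2 policy 1 encryption aes-256 integrity sha384 "
              "group 20 prf sha384 lifetime seconds 86400")

# Assumed mapping of vendor keyword spellings to one canonical name.
CANON = {
    "aes256": "aes-256", "aes-256": "aes-256",
    "aes128": "aes-128", "aes-128": "aes-128",
    "sha2-384-192": "sha384", "sha384": "sha384",
    "sha2-256-128": "sha256", "sha256": "sha256",
    "prf-hmac-sha384": "sha384", "prf-hmac-sha256": "sha256",
}

COMPARED = ("encryption", "integrity", "group", "prf", "lifetime")


def parse_policy(line):
    """Return a dict of canonical phase 1 parameters from one policy line.

    Aruba writes 'hash X', the ASA writes 'integrity X'; the ASA writes
    'lifetime seconds N', Aruba writes 'lifetime N'.  Both are folded.
    """
    tokens = line.split()
    params = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "encryption":
            params["encryption"] = CANON.get(tokens[i + 1], tokens[i + 1])
            i += 2
        elif tok in ("hash", "integrity"):
            params["integrity"] = CANON.get(tokens[i + 1], tokens[i + 1])
            i += 2
        elif tok == "group":
            params["group"] = tokens[i + 1]
            i += 2
        elif tok == "prf":
            params["prf"] = CANON.get(tokens[i + 1], tokens[i + 1])
            i += 2
        elif tok == "authentication":
            # Aruba carries this in the policy; the ASA puts it in the
            # tunnel-group, so it is recorded but not compared.
            params["authentication"] = tokens[i + 1]
            i += 2
        elif tok == "lifetime":
            value = tokens[i + 1]
            if value == "seconds":
                value = tokens[i + 2]
                i += 1
            params["lifetime"] = int(value)
            i += 2
        else:
            i += 1
    return params


def compare_policies(aruba_line, asa_line):
    """Return {parameter: (aruba_value, asa_value)} for every mismatch."""
    a, c = parse_policy(aruba_line), parse_policy(asa_line)
    return {k: (a.get(k), c.get(k)) for k in COMPARED if a.get(k) != c.get(k)}


def parse_dn(dn):
    """Split an OpenSSL-style '/C=US/ST=NJ/...' DN into (attr, value) pairs."""
    pairs = []
    for part in dn.split("/"):
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed DN component: %r" % part)
        attr, value = part.split("=", 1)
        pairs.append((attr, value))
    return pairs


def dn_mismatches(cert_subject, peer_cert_dn):
    """Return attributes whose values differ; the map needs an exact match."""
    cert, want = dict(parse_dn(cert_subject)), dict(parse_dn(peer_cert_dn))
    return {k: (cert.get(k), want.get(k))
            for k in sorted(set(cert) | set(want)) if cert.get(k) != want.get(k)}


# Constructed subject DNs: the spelled-out state from the thread versus
# the two-letter form the GUI accepts.
CERT_SUBJECT = "/C=US/ST=New Jersey/L=Oseola/O=IAS/OU=COMP/CN=asa5525.sas.ipnet.com"
PEER_CERT_DN = "/C=US/ST=NJ/L=Oseola/O=IAS/OU=COMP/CN=asa5525.sas.ipnet.com"

if __name__ == "__main__":
    print("policy mismatches:", compare_policies(ARUBA_POLICY, ASA_POLICY))
    print("DN mismatches:", dn_mismatches(CERT_SUBJECT, PEER_CERT_DN))
```

Feed the script your own two policy lines and the subject as `openssl x509 -noout -subject` prints it; an empty dict for both means the "expected"/"received" lines in the ASA debug should line up and the dynamic map will match the peer certificate.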
I'm trying to understand why in the Aruba ipsec-map the "dst-net" has to be a single destination subnet. What if I want to be able to access any destination via the tunnel? I cannot input "0.0.0.0 0.0.0.0" into "dst-net" on my ipsec-map.
I get the following error:
(Aruba620) (config-ipsec-map)# dst-net 0.0.0.0 0.0.0.0
Error destination network 0.0.0.0/0.0.0.0 overlaps with ipsec-map "GLOBAL-MAP"
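The error message says what the controller is objecting to: 0.0.0.0/0.0.0.0 covers every address, so it overlaps the dst-net of every other ipsec-map, including the GLOBAL-MAP. The snippet below is an added example, not controller code, that reproduces that overlap check over a constructed table of maps (the map names other than GLOBAL-MAP and all the subnets are made up), converting the "address mask" form typed at the CLI into a prefix with the standard library's ipaddress module. Whether the controller compares only dst-nets is an assumption taken from the wording of the error.

```python
"""Reproduce the dst-net overlap check behind the controller error
'destination network X overlaps with ipsec-map "GLOBAL-MAP"'.

Added example for this thread; not Aruba code.  The map table is
constructed and the rule (a new dst-net may not overlap any existing
map's dst-net) is assumed from the error text.
"""
import ipaddress

# Constructed ipsec-maps: name -> (src-net, dst-net), written the way the
# CLI takes them, as "address mask".
EXISTING_MAPS = {
    "GLOBAL-MAP": ("10.54.0.0 255.255.0.0", "192.0.2.0 255.255.255.0"),
    "Site-to-Site-Hub": ("10.54.0.0 255.255.255.0", "203.0.113.0 255.255.255.0"),
}


def to_network(addr_mask):
    """Turn 'address mask' into an ip_network; '0.0.0.0 0.0.0.0' is 0.0.0.0/0."""
    addr, mask = addr_mask.split()
    return ipaddress.ip_network("%s/%s" % (addr, mask), strict=False)


def overlapping_maps(dst_net, existing=EXISTING_MAPS):
    """Return the names of maps whose dst-net overlaps the candidate dst-net."""
    candidate = to_network(dst_net)
    return [name for name, (_, dst) in existing.items()
            if candidate.overlaps(to_network(dst))]


def dst_net_error(dst_net, existing=EXISTING_MAPS):
    """Mimic the CLI: an error string naming the first clashing map, else None."""
    clashes = overlapping_maps(dst_net, existing)
    if not clashes:
        return None
    addr, mask = dst_net.split()
    return 'Error destination network %s/%s overlaps with ipsec-map "%s"' % (
        addr, mask, clashes[0])


if __name__ == "__main__":
    print(dst_net_error("0.0.0.0 0.0.0.0"))
    print(dst_net_error("198.51.100.0 255.255.255.0"))
```

Running it shows the default route clashing with GLOBAL-MAP exactly as in the post, while a destination that is disjoint from every configured dst-net passes, which is why a single specific subnet is accepted and "everything" is not.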
hey dh1633pm, this is a seriously cool post - thanks, especially like your use of certificates in preference to psk. I am looking for precisely this kind of thing at the moment and I too am faced with interoperability issues, as I tend to favour the aruba products as they are all rounders, but I got a bunch of legacy backend stuff, that - lets just say - I do not have the authority or the energy to argue about internally.
This is heading toward this "instant office" idea/project I have been working on the side (old news to others I am sure, just me selling internally...). Thanks again.
Lovely thread. I want to ask a couple of questions about choice of VPN concentrator to put in the middle for a bunch of site to site VPNs to aruba controllers.
Here's my use case:
1. I'll need VRF support to separate customers from each other.
2. I'll need IPSEC support of course. (100Mbit encrypted throughput or so)
3. I want to be able to scale to at least 200+ tunnels.
4. I'll need to perform source-NAT and dest-NAT.
Anyone got experience of a similar setup and got any advice for me?