Security

I have been working in my lab (more like a big office) on getting a Cisco ASA5525 and an Aruba 650 point to point tunnel working using ikev2.  They seem to talk but its hard to say where the problem might lay.  I am new to Aruba and have been working with Cisco for a while.  I did some debug yesterday and was able to get them to agree on their profiles.  However unable to get the tunnel working.  Will this even work?   Pretty simple network design.  I have two Cisco ASA devices and two Aruba 650 devices to work with.  I have already configured the 650 to use ikev2 certs for client connections and wireless.  I have attached the configurations for both devices.  Security is not a concern within the configurations, just want to get it working, securing the devices is secondary for now.  Thanks.

Attachment(s)

5525.txt   6 KB 1 version

aruba.txt   17 KB 1 version

Hi,

I used to work as a embedded software developer for Shiva (IPSec VPN Gateways).

I did inter-operability testing and setup various different kind of VPN Appliances using IPSec.

The worse IPSec stack to inter-operate with is Cisco's.

I recently tried to interconnect a device that had an embedded KAME based IPSec Stack.

I lost a total of one week worth of effort trying to make it work...

If was able to get to a point where the Phase 1 was working, however the Phase 2 was never stable and routing was not consistent.

My 2 cents advice: Replace your Cisco ASA with a Linux based IPSec Gateway like: IPCop, Endian Firewall, M0n0Wall, Vyatta, ...

Thanks for your suggestion, would be nice to try one of these products, but I am limited to the Juniper, Cisco and Aruba products at hand.  I will keep working on this to see where it will take me. 

Got them working with a little help from good man at Aruba.

On the Cisco end I had to delete:

no crypto isakmp identity address

On the Aruba end I had to delete:

(Aruba650) (config-ipsec-map)#  no peer-cert-dn

(Aruba650) (config-ipsec-map)#  exit

(Aruba650) (config) #exit

I you want to duplicate, use the above configurations with these changes.  The pre-shared key is password. 

We have proved that a Cisco ASA5525 can tunnel to an Aruba 650 with ikev2 and a pre-shared key.  I will try certs next and share if anyone is interested. 

Hi,

Thanks for sharing the information!

By the way...

Endian Firewall

M0n0Wall

Vyatta

are all Open Source products available in 'community' edition (free).

It's easy to install as a Virtual Appliance in VMWare Workstation or VMWare ESX (or any hypervisor of your choice).

These are feature rich, state and free appliances that worth trying!

Best regards,

In case anyone is interested.  In the lab at work I was able to get an Aruba 650 to create a point to point dynamic tunnels with the following using ikev2, and EC Certs (generated with OpenSSL):

StrongSwan to Aruba 650

ASA5525 to Aruba 650

Juniper SRX to Aruba 650

Details would be nice :)

Sorry, burried in a project.  Basics are below.  Some erased for bevity and privacy.  Cisco seems to have better debugs for phase 1 which helps to match up policy.  Will say "expected" and "received".  Adjust as needed. 

The basics are:

Phase 1 or Policy

Aruba

crypto isakmp policy 1
  version v2
  encryption aes256
  hash sha2-384-192
  group 20
  authentication ecdsa-384
  prf prf-hmac-sha384
  lifetime 86400

Cisco

crypto ikev2 policy 1
 encryption aes-256
 integrity sha384
 group 20
 prf sha384
 lifetime seconds 86400

Certs:

Aruba

crypto-local isakmp server-certificate "aruba_ec"
crypto-local isakmp ca-certificate "cacert_ec"

crypto-local ipsec-map Site-to-Site-Hub 100
  version v2
  set ikev2-policy 1
  peer-ip 0.0.0.0
  peer-cert-dn "/C=US/ST=New Jersey/L=Oseola/O=IAS/OU=COMP/CN=asa5525.sas.ipnet.com/E=cinp@aosec.com"
  peer-fqdn any-fqdn
  vlan 54
  src-net  *(Erased for privacy)
  dst-net  *(Erased for privacy)
  set transform-set "default-gcm256" "default-1st-ikev2-transform" "default-3rd-ikev2-transform"
  set security-association lifetime seconds 86400
  set pfs group20
  pre-connect disable
  trusted enable
  force-natt disable
  set ca-certificate cacert_ec
  set server-certificate aruba_ec

tunneled-node-address 0.0.0.0

Cisco

access-list outside_cryptomap_1 extended permit ip *(Erased for privacy) 255.255.255.0 *(Erased for privacy) 255.255.255.0

crypto dynamic-map ss_dynamic 2 match address outside_cryptomap_1
crypto dynamic-map ss_dynamic 2 set pfs group20
crypto dynamic-map ss_dynamic 2 set ikev2 ipsec-proposal aruba
crypto dynamic-map ss_dynamic 2 set reverse-route
crypto dynamic-map ss_dynamic 65535 set ikev2 ipsec-proposal aruba
crypto dynamic-map ss_dynamic 65535 set reverse-route
crypto map outside_map5 2 ipsec-isakmp dynamic ss_dynamic
crypto map outside_map5 interface Gray
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 fqdn asa5525.sas.ipnet.com
 subject-name CN=* (Erased for privacy)
 crl configure


crypto ca trustpoint ASDM_TrustPoint3
 enrollment terminal
 subject-name CN=*(Erased for privacy)
 keypair aruba
 crl configure
crypto ca trustpool policy

tunnel-group ss_dynamic ipsec-attributes
 peer-id-validate cert
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate ASDM_TrustPoint3

Phase 2 (ipsec)

Aruba

crypto ipsec transform-set cisco esp-aes256-gcm esp-null-hmac

Cisco

crypto ipsec ikev2 ipsec-proposal strong
 protocol esp encryption aes-gcm-256
 protocol esp integrity null

Where I am weak is moving the certs from one Aruba to another.  Cisco has the export feature for it's certs and keys.  I did perform  flashbackup and copied it from one to another and that seemed to work.  I also had issues with the CSR on one of the Aruba's.  It didn't seem to want to overwrite the old.  Is there a way to delete this information?  How would one clear this out when you wanted to remove a device from service?  Wouldn't want told certs, keys, or even a CSR left behind?

Also if you are making configuring a CA.  Make the state two letters instead of spelled out.  You will save yourself a big headache. GUI only allows two letters.  Command line lets you spell out.  Tunnels are dynamic and not static so they match subject information in the cert.  Has to be exact.  Note that the 0.0.0.0 addresses above are straight out of the configs and trunicated.  All certs generated with OpenSSL. 

Hi Guys,

I'm trying to understand why in the Aruba ipsec-map the "dst-net" has to be a single destination subnet. What if I want to be able to access any destination via the tunnel? I cannot input  "0.0.0.0 0.0.0.0" into "dst-net" on my ipsec-map.

I get the following error:

(Aruba620) (config-ipsec-map)# dst-net 0.0.0.0 0.0.0.0
Error destination network 0.0.0.0/0.0.0.0 overlaps with ipsec-map "GLOBAL-MAP"

Thanks

Chris

hey dh1633pm, this is a seriously cool post - thanks, especially like your use of certificates in preference to psk.  I am looking for precisely this kind of thing at the moment and I too am faced with interoperability issues, as I tend to favour the aruba products as they are all rounders, but I got a bunch of legacy backend stuff, that - lets just say - I do not have the authority or the energy to argue about internally.

This is heading toward this "instant office" idea/project I have been working on the side (old news to others I am sure, just me selling internally...). Thanks again.

Hi guys!

Lovely thread. I want to ask a couple of questions about choice of VPN concentrator to put in the middle for a bunch of site to site VPNs to aruba controllers.

Here's my use case:

1. I'll need VRF support to separate customers from eachother.

2. I'll need IPSEC support of course. (100Mbit encrypted throughput or so)

3. I want to be able to scale to at least 200+ tunnels.

4. I'll need to perform source-NAT and dest-NAT.

Anyone got experience of a similar setup and got any advise for me?