Openswan Software As A VPN Client For Connecting To Cisco VPN Servers

I have been using the "vpnc" client for connecting to my company's VPN servers for quite some time. However, "vpnc" is very limited in features: it supports only IKEv1 (IKE version 1) aggressive mode with pre-shared key (PSK) authentication. Although "vpnc" also supports "hybrid" authentication, hybrid authentication only verifies the server's certificate; the client is not authenticated by certificate. These features are a small subset of what the IPsec and IKE protocol suites offer, which also include IKEv1 main mode (as the phase 1 exchange, followed by the phase 2 quick mode exchange), authentication with certificates and raw RSA keys, and IKEv2 (IKE version 2), among several other features. Because of this, I decided to move to another IPsec-based VPN software that implements a larger IPsec and IKE feature set.

Openswan (http://www.openswan.org/) is one such popular open source (free) software package that can be used for connecting to Cisco VPN servers. Here I explain the steps I used for connecting to my company's Cisco VPN server. I used the latest Openswan version as of this writing, 2.6.25, which can be downloaded from http://www.openswan.org/download/openswan-2.6.25.tar.gz . I have tried Openswan on the Fedora and Ubuntu Linux distributions. Fedora offers pre-compiled rpms (for example, Openswan rpms for Fedora 12 can be downloaded from http://koji.fedoraproject.org ), whereas on Ubuntu I compiled it from source. The instructions for using Openswan follow.

Installation On Fedora 12:

yum install openswan (as a root user)

or

sudo yum install openswan (as a non root user with sudo permissions)

Compilation and Installation on Ubuntu:

tar -xvzf openswan-2.6.25.tar.gz
cd openswan-2.6.25
make programs install

Editing /etc/ipsec.conf file:

Your ipsec.conf file should look like below (replace the placeholders in angle brackets with your own values):

config setup
        protostack=netkey
        nat_traversal=yes
        oe=off

conn mycompany
        authby=secret
        left=%defaultroute
        leftid=@<your company group name>
        leftxauthclient=yes
        leftmodecfgclient=yes
        leftxauthusername=<your login name in your company>
        right=<your company's gateway IP address or host name>
        remote_peer_type=cisco
        rightxauthserver=yes
        rightmodecfgserver=yes
        ike=<described in detail below>
        esp=<described in detail below>
        auto=add

The values of "ike" and "esp" are written as "encryption algorithm-hash algorithm;Diffie-Hellman group", where the encryption algorithm can be "3des" or "aes", the hash algorithm can be "md5" or "sha1", and the Diffie-Hellman group can be "modp1024" (Diffie-Hellman group 2, dh2) or "modp1536" (Diffie-Hellman group 5, dh5). Openswan implements several other encryption algorithms and Diffie-Hellman groups, but the values described here are the most frequently used. For example, "ike" can take the following values:

ike=3des-md5;modp1024
ike=aes-sha1;modp1536 or ike=aes-sha1
(by default, Openswan assumes “modp1536”, so it is not required to be written explicitly)

“esp” can also take values similar to “ike” as follows:

esp=3des-md5;modp1024
esp=aes-sha1

The value of "ike" describes the IKE phase 1 (main mode or aggressive mode) "encryption algorithm-hash algorithm;Diffie-Hellman group" combination, whereas "esp" describes the IKE phase 2 (quick mode) combination: the encryption and integrity algorithms used for the ESP traffic, and the Diffie-Hellman group used for perfect forward secrecy in quick mode. Both must match what is configured on the gateway, so ask your company's network administrator for the exact values. Where the gateway allows a choice, prefer aes and sha1 over 3des and md5, and modp1536 over modp1024.
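As an added example (not part of the original post or of Openswan itself), here is a small POSIX shell function that checks an ike= or esp= value against the format described above before you put it in ipsec.conf, and warns about the weaker choices. It accepts the algorithm names listed in this article plus modp2048, which Openswan also implements; the function name, messages and exit codes are my own convention.

```bash
#!/bin/sh
# check_proposal PROPOSAL
#   Validate an Openswan ike= or esp= value written as "enc-hash" or
#   "enc-hash;group", using the algorithm names from this article
#   (3des|aes, md5|sha1, modp1024|modp1536) plus modp2048, and flag the
#   weak choices. Exit status (my own convention):
#     0 = valid and nothing weak   1 = valid but weak   2 = malformed/unknown
check_proposal() {
    p=$1
    case $p in
        *';'*) enc_hash="${p%%;*}"; group="${p#*;}" ;;
        *)     enc_hash="$p"; group=modp1536 ;;   # Openswan's default group when none is given
    esac

    # exactly one '-' separating encryption and hash, lowercase names only
    case $enc_hash in
        *-*-*|-*|*-|*[!a-z0-9-]*) echo "$p: malformed, expected enc-hash[;group]"; return 2 ;;
        *-*) ;;
        *)   echo "$p: malformed, expected enc-hash[;group]"; return 2 ;;
    esac
    enc="${enc_hash%%-*}"
    hash="${enc_hash#*-}"

    case $enc   in 3des|aes) ;;                   *) echo "$p: unknown encryption '$enc'"; return 2 ;; esac
    case $hash  in md5|sha1) ;;                   *) echo "$p: unknown hash '$hash'";      return 2 ;; esac
    case $group in modp1024|modp1536|modp2048) ;; *) echo "$p: unknown DH group '$group'"; return 2 ;; esac

    weak=""
    [ "$enc"   = 3des ]     && weak="$weak 3des(64-bit block cipher)"
    [ "$hash"  = md5 ]      && weak="$weak md5(deprecated)"
    [ "$group" = modp1024 ] && weak="$weak modp1024(1024-bit DH)"
    if [ -n "$weak" ]; then
        echo "$p: accepted but weak:$weak; prefer aes-sha1;modp1536 or stronger if the gateway allows"
        return 1
    fi
    echo "$p: ok"
}

# usage: sh check_proposal.sh 'aes-sha1;modp1536' '3des-md5;modp1024'
if [ $# -gt 0 ]; then
    for arg in "$@"; do check_proposal "$arg"; done
fi
```

Run it on the ike= and esp= values your administrator gives you; a status of 2 means the string will not parse as described here, and a status of 1 means it will work but you should ask whether the gateway accepts a stronger combination.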

A sample /etc/ipsec.conf will look like below:

config setup
        protostack=netkey
        nat_traversal=yes
        oe=off

conn mycompany
        authby=secret
        left=%defaultroute
        leftid=@cisco-group
        leftxauthclient=yes
        leftmodecfgclient=yes
        leftxauthusername=johnmatt
        right=your.company.gateway.com
        remote_peer_type=cisco
        rightxauthserver=yes
        rightmodecfgserver=yes
        ike=aes-sha1
        esp=aes-sha1;modp1024
        auto=add

Note: every line inside a section of /etc/ipsec.conf must be indented with a space or tab; only the section headers "config setup" and "conn mycompany" start at the beginning of the line.

Editing /etc/ipsec.secrets:

<your company group name, i.e. the value of "leftid"> : PSK "<your company's group password>"
@<your login name, i.e. the value of leftxauthusername> : XAUTH "<your user password>"

Use plain ASCII double quotes around the secrets; the typographic quotes that a word processor or web page may substitute are not recognised by Openswan.


A sample /etc/ipsec.secrets will look like below:

@cisco-group : PSK "abcd1234"
@johnmatt : XAUTH "xyz12wx"

Since this file holds the group PSK and your own password, it must be owned by root and readable only by root (chmod 600 /etc/ipsec.secrets).
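The following is an added example, not from the original post or the Openswan project: a shell function that writes the two ipsec.secrets entries above from the group name, group password, login name and user password, with plain ASCII quotes and mode 0600, and a lint function you can run on an existing file to catch the two mistakes that most often break this file. The function names, the lint's regular expression and the exit codes are my own.

```bash
#!/bin/sh
# write_secrets FILE GROUP PSK USER PASSWORD
#   Write the two ipsec.secrets entries from this article (group PSK and
#   XAUTH user password) with plain ASCII double quotes and mode 0600,
#   then lint the result. Returns 0 on success, 1 on any failure.
write_secrets() {
    f=$1 group=$2 psk=$3 user=$4 pw=$5
    for s in "$psk" "$pw"; do
        case $s in
            *\"*) echo "secrets containing a double quote are not handled here" >&2; return 1 ;;
        esac
    done
    # subshell so the restrictive umask does not leak into the caller
    ( umask 077; printf '@%s : PSK "%s"\n@%s : XAUTH "%s"\n' "$group" "$psk" "$user" "$pw" > "$f" ) || return 1
    chmod 600 "$f" || return 1
    lint_secrets "$f"
}

# lint_secrets FILE
#   Every non-blank, non-comment line must look like
#       <id> : PSK|XAUTH "<secret>"
#   with ASCII quotes (curly quotes pasted from a web page are a classic
#   failure), and the file must be mode 0600 because it holds the group PSK
#   and your own password. Returns 0 if clean, 1 otherwise.
lint_secrets() {
    f=$1 rc=0
    [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
    if grep -Ev '^[[:space:]]*(#|$)' "$f" |
       grep -Evq '^@?[A-Za-z0-9._-]+[[:space:]]*:[[:space:]]*(PSK|XAUTH)[[:space:]]+"[^"]*"[[:space:]]*$'
    then
        echo "$f: malformed entry (typographic quotes, or missing ': PSK' / ': XAUTH')" >&2
        rc=1
    fi
    if [ -z "$(find "$f" -perm 600 -print)" ]; then
        echo "$f: must be mode 0600 (chmod 600 $f)" >&2
        rc=1
    fi
    return $rc
}

# usage (as root): sh write_secrets.sh /etc/ipsec.secrets cisco-group 'abcd1234' johnmatt 'xyz12wx'
if [ $# -eq 5 ]; then
    write_secrets "$@"
fi
```

Passing the passwords on the command line is fine for a one-off setup by root but leaves them in the shell history; clear it afterwards or source the values from a file that is itself mode 0600.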

Starting Openswan:

service ipsec start (must be root)

or

sudo service ipsec start (as non root user with sudo permissions)

Establishing VPN Connection:

ipsec auto --up mycompany (must be root)

or

sudo ipsec auto --up mycompany (as non root user with sudo permissions)

If one of the output lines contains "IPsec SA established", the tunnel is up. Lines mentioning only "ISAKMP SA established" mean phase 1 succeeded but phase 2 did not; if neither appears, phase 1 itself failed (wrong gateway address, blocked UDP 500/4500, wrong group PSK, or a main/aggressive mode mismatch are the usual causes).
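Added example (not code from the original post or from Openswan): a shell function that reads the output of "ipsec auto --up mycompany" saved to a file and classifies it as established, failed in phase 1, or failed in phase 2, printing the usual cause of each. The message fragments it looks for ("IPsec SA established", "ISAKMP SA established", "NO_PROPOSAL_CHOSEN", "Hash Payload does not match", "STATE_MAIN_I1: retransmission") are pluto's standard log text; the sample lines used below for testing are constructed, and the exit codes are my own convention.

```bash
#!/bin/sh
# vpn_status LOGFILE
#   Classify the replies printed by "ipsec auto --up <conn>" (pluto's
#   messages, saved to LOGFILE) so you know which phase to debug.
#   Exit status (my own convention):
#     0 = IPsec SA established            1 = stuck in phase 1 (ISAKMP)
#     2 = phase 1 ok, phase 2 failed      3 = nothing recognisable in the output
vpn_status() {
    out=$1
    if grep -q 'IPsec SA established' "$out"; then
        echo "up: IPsec SA established"
        return 0
    fi
    if grep -q 'ISAKMP SA established' "$out"; then
        # Phase 1 completed, so the group PSK, leftid and ike= were accepted;
        # what the gateway rejected is the quick mode (esp=) proposal.
        echo "phase 2 failed: compare esp= (and pfs=) with the gateway's transform set"
        grep -E 'NO_PROPOSAL_CHOSEN|INVALID_ID_INFORMATION|STATE_QUICK' "$out" | tail -n 3
        return 2
    fi
    if grep -q 'Hash Payload does not match' "$out"; then
        echo "phase 1 failed: authentication hash mismatch, usually a wrong group PSK or leftid"
    elif grep -q 'NO_PROPOSAL_CHOSEN' "$out"; then
        echo "phase 1 failed: gateway rejected the ike= proposal"
    elif grep -Eq 'STATE_(MAIN|AGGR)_I1: retransmission' "$out"; then
        echo "phase 1 failed: no answer to the first IKE message; check the gateway address, UDP 500/4500 reachability and main vs. aggressive mode (aggrmode=)"
    else
        echo "no recognisable IKE message in $out; read it in full"
        return 3
    fi
    return 1
}

# usage: ipsec auto --up mycompany 2>&1 | tee /tmp/vpn-up.log; sh vpn_status.sh /tmp/vpn-up.log
if [ $# -eq 1 ]; then
    vpn_status "$1"
fi
```

The order of the checks matters: a successful run also contains "ISAKMP SA established", so the phase 2 success string is tested first.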

Stopping Openswan:

service ipsec stop (must be root)

or

sudo service ipsec stop (as non root user with sudo permissions)

Configuring Aggressive Mode:

By default, Openswan uses IKE "main mode" for phase 1. However, your company's Cisco VPN server may be configured for "aggressive mode" instead of "main mode". To configure aggressive mode, add the following line anywhere in the "conn mycompany" section:

aggrmode=yes

Use this only if the gateway requires it. With PSK authentication, aggressive mode sends the hash derived from the pre-shared key in the clear, so anyone who can capture the exchange can run an offline dictionary attack against the group password; main mode carries that hash inside the encrypted part of the exchange.

Perfect Forward Secrecy (PFS):

By default PFS (perfect forward secrecy) is enabled in Openswan. If the gateway is configured without PFS, disable it by adding the following line anywhere in the "conn mycompany" section:

pfs=no

(pfs=yes is the default.) Without PFS, the phase 2 keys are derived from the phase 1 keying material alone, so compromise of the phase 1 secret exposes every phase 2 SA negotiated under it.

Configuring Openswan With RSA SecurID (One Time Password (OTP)):

In the instructions above I have assumed that your user password (@johnmatt : XAUTH "xyz12wx") does not change and stays the same for a long time. However, several companies issue RSA SecurID tokens, whose codes are used as one time passwords (OTP) for better security. If you have an RSA SecurID token from your company, you need to change /etc/ipsec.secrets slightly; it will then look as follows:

@cisco-group : PSK "abcd1234"

Notice that there is no XAUTH line now. When you run the "ipsec auto --up mycompany" command, it will prompt you for the user password. With RSA SecurID your password is generally "PIN + the number currently displayed on the token", where the PIN is a fixed secret string chosen by you. Your company will tell you the exact format to use.

In general, Openswan offers many more configuration options than those described here. Run "man ipsec.conf" and "man ipsec.secrets" for the details. If you need further guidance on Openswan configuration, please leave a comment.


2 Responses to Openswan Software As A VPN Client For Connecting To Cisco VPN Servers

  1. Very interesting post. Thank you for sharing.

  2. Sam Bonjeem says:

    I 100% support Openswan as a really great site to site VPN solution and have set it up to Cisco and many other devices without any problems. For newbies who find the configuration a little fiddly my tip is to use an Openswan VPN configuration generator like http://www.whyaws.com/tools/openswan_gen.htm. Great article by the way!
