Have you ever wanted to encrypt your entire home's internet connection? Of course you have, don't lie to yourself… you've at least thought about it. Now if you're a pfSense user, you might go with purchasing service through Private Internet Access and configuring your pfSense firewall as an OpenVPN client. Yeah, you could do that. But what if you're a Cisco geek who wants to do something similar with an ASA? What if you also want to tunnel all your traffic to Canada so you have better streaming options from Netflix (Canadian Netflix is insane)? Well, you've come to the right place.
What you’ll need:
– Cisco ASA (I’ll be using a 5505)
– Some basic familiarity with Ubuntu
– ~$10 a month
– A can-do attitude that will annoy most normal people. (optional)
Prep Time: 10 Min
Config Time: 30 Min
Ready In: It’ll be done when it’s done. Stop complaining.
Network Diagram:
Ubuntu Server Configuration:
Summary of steps
1. Install Openswan
2. Enable kernel packet forwarding and disable ICMP redirects
3. Configure Openswan IPsec tunnel
4. Enable NAT/masquerading
Alright! Let's go! I decided to use DigitalOcean as my compute provider for this project. I used their $10/mo droplet, but you could probably get away with the $5/mo option just as easily. So I deployed an Ubuntu 14.04 server and selected Toronto as my regional datacenter. After it was deployed, I ssh'd into my brand new Ubuntu server. The first thing you'll need to do is install Openswan (for the L2L IPsec tunnel).
sudo apt-get install openswan
You’ll see some prompts about x.509 certificates. Just follow the prompts for creating a self-signed certificate.
Now onto the Openswan configuration. Don't stress too much if your Linux-jitsu isn't very strong; this configuration is relatively easy. For both phase 1 and phase 2 I'll be using AES-128 with SHA-1 as the hash. I created a backup of /etc/ipsec.conf and then deleted it so I could start from a clean IPsec configuration file. Here's what it looks like:
Note: Don’t get too hung up on the ‘left’ ‘right’ verbiage. I just think ‘left=local’ and ‘right=remote’.
The other component you'll need to define is your pre-shared key; this is stored in /etc/ipsec.secrets. Here's what mine looks like:
root@ubuntu-torvpn:~# cat /etc/ipsec.secrets
200.1.1.254 200.2.2.254: PSK "thisISaSecurePSK"
include /var/lib/openswan/ipsec.secrets.inc
That's it for the IPsec config on your Ubuntu server. Seriously, that's it lol. The last thing you'll want to do on here is enable masquerading. I'm going to use ufw to configure NAT, then immediately disable ufw. This works just fine because ufw still commits our masquerading rules to iptables. Reference material here.
Change default forwarding policy to accept in /etc/default/ufw
DEFAULT_FORWARD_POLICY="ACCEPT"
Uncomment this line from /etc/ufw/sysctl.conf
net.ipv4.ip_forward=1
Add the following lines to /etc/ufw/before.rules before "*filter":
# NAT table rules
*nat
:POSTROUTING ACCEPT [0:0]
# Forward traffic through eth0 - change to match your out-interface
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
# don't delete the 'COMMIT' line or these nat table rules won't
# be processed
COMMIT
Finally, I disable/enable/disable UFW so that my rules are loaded, but UFW is left off.
sudo ufw disable && sudo ufw enable && sudo ufw disable
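Since a missing COMMIT, a still-commented ip_forward line, or curly quotes pasted from a web page leave the droplet forwarding without NAT (or not forwarding at all), here is an added audit script that is not part of the original post. Each checker takes the text of one of the three files edited above and returns the problems it finds; the LAN subnet and out-interface default to the post's values, and the caller reads the files.

```python
# Added example, not from the original post: audit the three ufw edits described
# above. Each checker takes a file's text and returns the problems found, so a
# missing COMMIT, a still-commented ip_forward line, or curly quotes pasted from
# a web page are caught before the droplet forwards traffic without NAT.
import re

MASQ_RE = re.compile(r"^-A POSTROUTING -s (\S+) -o (\S+) -j MASQUERADE$")

def check_forward_policy(default_ufw_text):
    """/etc/default/ufw: DEFAULT_FORWARD_POLICY must be ACCEPT in plain ASCII quotes."""
    for line in default_ufw_text.splitlines():
        m = re.match(r"^DEFAULT_FORWARD_POLICY=(.+)$", line.strip())
        if m and not m.group(1).isascii():
            return ["DEFAULT_FORWARD_POLICY uses non-ASCII (curly) quotes"]
        if m:
            return [] if m.group(1).strip("\"'") == "ACCEPT" else ["DEFAULT_FORWARD_POLICY is not ACCEPT"]
    return ["DEFAULT_FORWARD_POLICY not set"]

def check_ip_forward(sysctl_text):
    """/etc/ufw/sysctl.conf: net.ipv4.ip_forward=1 must be present and uncommented."""
    if any(re.match(r"^\s*net[./]ipv4[./]ip_forward\s*=\s*1\s*$", l) for l in sysctl_text.splitlines()):
        return []
    return ["net.ipv4.ip_forward=1 missing or still commented out"]

def check_before_rules(rules_text, lan_subnet, out_if):
    """/etc/ufw/before.rules: a *nat table holding the MASQUERADE rule and closed by COMMIT."""
    problems, table, masq_ok = [], None, False
    for raw in rules_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                   # table header such as *nat or *filter
            if table == "nat":
                problems.append("*nat table is not closed by COMMIT")
            table = line[1:]
        elif line == "COMMIT":
            table = None
        elif table == "nat":
            m = MASQ_RE.match(line)
            masq_ok = masq_ok or (m is not None and m.groups() == (lan_subnet, out_if))
    if table == "nat":                             # file ended while still inside *nat
        problems.append("*nat table is not closed by COMMIT")
    if not masq_ok:
        problems.append(f"no POSTROUTING MASQUERADE rule for {lan_subnet} via {out_if}")
    return problems

def audit(default_ufw_text, sysctl_text, rules_text, lan_subnet="192.168.1.0/24", out_if="eth0"):
    """Run all three checks; an empty list means the NAT setup from the post is complete."""
    return (check_forward_policy(default_ufw_text) + check_ip_forward(sysctl_text)
            + check_before_rules(rules_text, lan_subnet, out_if))
```

Run it with the contents of /etc/default/ufw, /etc/ufw/sysctl.conf and /etc/ufw/before.rules before the disable/enable/disable dance; any string it returns is a setting the tunnel will silently miss.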
Cisco ASA Config
Back to familiar territory! This is a standard LAN-to-LAN VPN on an ASA, and the only "weird" part you'll see is the access list that defines the interesting traffic.
Also, that last line, "no sysopt connection permit-vpn". You're really going to want that lol. Otherwise all the internet traffic coming back over your tunnel bypasses your interface access lists and is treated as trusted. No bueno. In other posts I've talked about using vpn-filters for L2L tunnels, but that would be a nightmare with this configuration. Just disable sysopt connection permit-vpn, and all traffic coming in from the tunnel will follow your traditional ASA interface rules.
Off VPN NAT Configuration:
Damn man, you good. 🙂