IPsec VPN Tunnel Configuration Example Between Openswan to Cisco ASA


IPsec’s (Internet protocol security) protocol is open standards framework set of protocols that provides security for Internet Protocol. It uses cryptographic security services to provide data security and helping to create secure private communication channel between two private networks with help of security associations (SA).

IPsec site to site virtual private network (VPN) tunnel use to interconnect two different location network securely over the internet. IPsec objective is to provide security communication for IP packets such as data encrypting, authentication, protection against replay and data confidentiality.


This article will describe site to site vpn tunnel configuration between openswan (Linux box) and Cisco ASA (Ver 9.1).

This tutorial specifically designing for non-Linux tech guy who just know that Linux is a server with black screen CLI based command line OS. It has fun to work on Linux server and create IPsec site to site vpn.

Requirements -:  

Linux box to be installed with  openswan package (no worry if you don’t know the Linux. Just request to you Linux administrator and ask them to install openswan package on that box)


Steps to installing openswan packages on Linux Box.

On Red Hat based System (CentOS):

# yum install openswan

On Debian based System (Ubuntu):

# apt-get install openswan


After the installation openswan package, now Linux box is ready to work as vpn Firewall.Next step is to configure IPsec configuration on Linux box 

Open the putty software do SSL your Linux box IP
Login into the Linux box with root credential
Go to IPsec directory with the command – cd /etc/ipsec.d

[root@MY-VPN-Firewall ~]# cd /etc/ipsec.d
[root@MY-VPN-Firewall ipsec.d]#


Steps of configuration IPsec vpn tunnel on openswan-:

Config File-:

vi  VPN-to-Location-2.conf –  (Vi command use to create the file)

conn VPN-to-Location-B   << Connection name VPN-to-Location-B >>
        left=          << source server interface IP >>
        leftid=                  << SOURCE OUTSIDE IP >>
        leftsubnet=  << SOURCE LAN subnet>> 
        rightsubnet=  << Destination LAN subnet >>
        right=                           << client peer IP >>
        rightid=                       << client peer IP >>
        ike=aes-sha1;modp1024      << phase 1 porposals : modp1024 is DH :group 2 >>
        phase2alg=aes-sha1;modp1024   << phase 2 porposals : modp1024 is DH :group 2 >>


Secrets File-:

vi VPN-to-Location-B.secrets PSK “testmusa123”  << source Peer IP : Dst peer IP : pre-shared-key >>


Steps of configuration IPsec vpn tunnel on Cisco ASA (9.1)-:

crypto isakmp policy 10
authentication pre-share
encryption aes256
hash sha
group 2
lifetime 28800
object-group network Location-B-VPN

object-group network Location-A-VPN

access-list VPN-Location-B extended permit ip object-group Location-B-VPN object-group Location-A-VPN
nat (Inside,Outside) source static Location-B-VPN Location-B-VPN destination static Location-A-VPN Location-A-VPN

crypto ipsec ikev1 transform-set L2L esp-aes256 esp-sha-hmac

crypto map Outside_map 10 match address VPN-Location-B
crypto map Outside_map 10 set peer
crypto map Outside_map 10 set ikev1 transform-set L2L
crypto map Outside_map set security-association lifetime seconds 3600

tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
pre-shared-key ***************
isakmp keepalive threshold 10 retry 3



Author: Ronnie

Your Feedback is Valuable for us. Pls do comments.