OpenSwan Error – One Way Traffic with Cisco ASA

Openswan 2.6.37

Symptom: OpenSwan to Cisco ASA Site to Site Tunnel has one way traffic.
Description: The Ipsec Tunnel builds, both the openswan host and the ASA show the tunnel up but traffic only flows from the ASA into Openswan, traffic does not flow back from openswan. No errors were shown in the auth.log.

Solution: It turns out that the issue was related to the openswan ipsec conf file for this connection. The Leftid and rightid were setup as shown here in the problematic conf file:

conn tunnel-to-HQ
  left=10.1.0.50
  leftid=@openswan
  leftsubnet=10.1.0.0/24
  right=PUBLIC.IP.OF.ASA
  rightid=@asa
  rightsubnet=10.2.0.0/24
  .
  .

  auto=add

This conf file would would just fin for an Openswan to Openswan IPSEC tunnel. But for an ASA to Openswan tunnel, it failed to pass two way traffic.

The simple fix was to replace the leftid and rightid with the IP addresses of the 2 peers as shown below:

conn tunnel-to-HQ
  left=10.1.0.50
  leftid=10.1.0.50
  leftsubnet=10.1.0.0/24
  right=PUBLIC.IP.OF.ASA
  rightid=PUBLIC.IP.OF.ASA
  rightsubnet=10.2.0.0/24
  .
  .
  auto=add

The secrets file should reflect the IP addresses in the conf for this PSK setup:

10.1.0.50 PUBLIC.IP.OF.ASA: PSK "123456789"

Restart the tunnel and traffic flowed normally.

Tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Solve : *
29 − 7 =