Site To Site VPN Cisco ASAv Firewall

In this lab I have configured IPSec VPN with IKEv2 according to the diagram.

Lab Diagram

[Diagram image: IPSec VPN ASA.jpg]

Steps involved in setting up an IPSec VPN:

  1. Phase 1: IKE parameters
  2. Pre-shared key configuration
  3. Phase 2: transform set
  4. Crypto ACL for interesting traffic
  5. Crypto map configuration
  6. Apply crypto map to interface

Required Configuration

Security Zone

  • INSIDE (R1-ASA-1): 192.168.1.0/24
  • INSIDE (R2-ASA-2): 192.168.2.0/24
  • OUTSIDE (ASA-1-ASA-2): 10.10.10.0/24

IPSec VPN configuration

  • ESP: AES-256
  • AH Hash Algorithm: SHA-1
  • Pre-shared key: cisco

Only the configuration relevant to this topology is shown below; it can be used as a reference for setting up an IPSec VPN on Cisco ASAv.

Cisco ASA-FW-1

interface GigabitEthernet0/0
 description to R1
 nameif INSIDE
 security-level 100
 ip address 192.168.1.254 255.255.255.0 
!
interface GigabitEthernet0/1
 description to ASA2
 nameif OUTSIDE
 security-level 0
 ip address 10.10.10.1 255.255.255.0 
!
access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list LAN1_LAN2 extended permit ip host 192.168.1.1 host 192.168.2.2 
!
mtu INSIDE 1500
mtu OUTSIDE 1500
route OUTSIDE 192.168.2.0 255.255.255.0 10.10.10.2 1
!
crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map MY_CRYPTO_MAP 1 match address LAN1_LAN2
crypto map MY_CRYPTO_MAP 1 set peer 10.10.10.2 
crypto map MY_CRYPTO_MAP 1 set ikev2 ipsec-proposal MY_PROPOSAL
crypto map MY_CRYPTO_MAP interface OUTSIDE
!
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE
!
tunnel-group 10.10.10.2 type ipsec-l2l
tunnel-group 10.10.10.2 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!

Cisco ASA-FW-2

interface GigabitEthernet0/0
 description to R2
 nameif INSIDE
 security-level 100
 ip address 192.168.2.254 255.255.255.0 
!
interface GigabitEthernet0/1
 description to ASA-1
 nameif OUTSIDE
 security-level 0
 ip address 10.10.10.2 255.255.255.0 
!
access-list LAN2_LAN1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 
access-list LAN2_LAN1 extended permit ip host 192.168.2.2 host 192.168.1.1 
!
mtu INSIDE 1500
mtu OUTSIDE 1500
route OUTSIDE 192.168.1.0 255.255.255.0 10.10.10.1 1
!
crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
 protocol esp encryption aes
 protocol esp integrity sha-1
crypto ipsec security-association pmtu-aging infinite
crypto map MY_CRYPTO_MAP 1 match address LAN2_LAN1
crypto map MY_CRYPTO_MAP 1 set peer 10.10.10.1 
crypto map MY_CRYPTO_MAP 1 set ikev2 ipsec-proposal MY_PROPOSAL
crypto map MY_CRYPTO_MAP interface OUTSIDE
!
crypto ikev2 policy 10
 encryption aes
 integrity sha
 group 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable OUTSIDE
!
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
!
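A consistency check over the two ASA configurations above, added here as example code (it is not part of the lab): it confirms that each ASA's crypto-map peer is the other ASA's OUTSIDE address, that the tunnel-group name equals the peer, and that the two crypto ACLs are mirror images, which are the mismatches that most often stop a site-to-site tunnel from forming. The config strings are constructed excerpts of the configs shown above, cut down to the lines the check reads.

```python
import re

# Constructed excerpts of the two ASA configs above, cut down to the lines this check reads.
ASA1 = """interface GigabitEthernet0/1
 nameif OUTSIDE
 ip address 10.10.10.1 255.255.255.0
access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list LAN1_LAN2 extended permit ip host 192.168.1.1 host 192.168.2.2
crypto map MY_CRYPTO_MAP 1 match address LAN1_LAN2
crypto map MY_CRYPTO_MAP 1 set peer 10.10.10.2
tunnel-group 10.10.10.2 type ipsec-l2l
"""
ASA2 = """interface GigabitEthernet0/1
 nameif OUTSIDE
 ip address 10.10.10.2 255.255.255.0
access-list LAN2_LAN1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list LAN2_LAN1 extended permit ip host 192.168.2.2 host 192.168.1.1
crypto map MY_CRYPTO_MAP 1 match address LAN2_LAN1
crypto map MY_CRYPTO_MAP 1 set peer 10.10.10.1
tunnel-group 10.10.10.1 type ipsec-l2l
"""

def parse_side(cfg):
    """Return OUTSIDE address, crypto-map peer, tunnel-group name and crypto ACL (src, dst) pairs."""
    grab = lambda pat: re.search(pat, cfg).group(1)
    outside = grab(r"nameif OUTSIDE\n ip address (\S+)")
    peer = grab(r"crypto map \S+ \d+ set peer (\S+)")
    tgroup = grab(r"tunnel-group (\S+) type ipsec-l2l")
    acl = grab(r"crypto map \S+ \d+ match address (\S+)")
    entries = set()
    for m in re.finditer(rf"access-list {acl} extended permit ip (.+)", cfg):
        t = m.group(1).split()          # 'host X' and 'net mask' are both two tokens
        entries.add(((t[0], t[1]), (t[2], t[3])))
    return {"outside": outside, "peer": peer, "tgroup": tgroup, "acl": entries}

def check_pair(local, remote, name):
    """Problems that would stop this side from building a tunnel to the other side."""
    problems = []
    if local["peer"] != remote["outside"]:
        problems.append(f"{name}: peer {local['peer']} is not the remote OUTSIDE address {remote['outside']}")
    if local["tgroup"] != local["peer"]:
        problems.append(f"{name}: tunnel-group {local['tgroup']} does not match peer {local['peer']}")
    mirrored = {(dst, src) for src, dst in remote["acl"]}   # the remote ACL with src/dst swapped
    if local["acl"] != mirrored:
        problems.append(f"{name}: crypto ACL is not the mirror image of the remote crypto ACL")
    return problems

def check_site_to_site(cfg_a, cfg_b):
    """Run the checks in both directions; an empty list means the two sides agree."""
    a, b = parse_side(cfg_a), parse_side(cfg_b)
    return check_pair(a, b, "ASA-1") + check_pair(b, a, "ASA-2")
```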

Router R1 has an interface connected to ASA-FW-1 on Ethernet0/0:

interface Ethernet0/0
 description to ASA-1
 ip address 192.168.1.1 255.255.255.0

Router R2 has an interface connected to ASA-FW-2 on Ethernet0/0:

interface Ethernet0/0
 description to ASA-2
 ip address 192.168.2.2 255.255.255.0

Once the VPN tunnel is up and you are able to see the security associations, you should be able to ping from R1 to R2 and vice versa.

R1#ping 192.168.2.2 source 192.168.1.1 repeat 10
Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.1 
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 2/2/4 ms

To check that the IPSec VPN tunnel is up, look at the IKEv2 and IPSec security associations:

ASA-1# show crypto isakmp sa detail 

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:39629, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id Local                                               Remote                                                  Status         Role
  3426173 10.10.10.1/500                                      10.10.10.2/500                                           READY    INITIATOR
      Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/431 sec
      Session-id: 39629
      Status Description: Negotiation done
      Local spi: 700DB874537383FC       Remote spi: 72900FD7800E45AB
      Local id: 10.10.10.1
      Remote id: 10.10.10.2
      Local req mess id: 38             Remote req mess id: 36
      Local next mess id: 38            Remote next mess id: 36
      Local req queued: 38              Remote req queued: 36
      Local window: 1                   Remote window: 1
      DPD configured for 10 seconds, retry 2
      NAT-T is not detected  
      IKEv2 Fragmentation Configured MTU: 576 bytes, Overhead: 28 bytes, Effective MTU: 548 bytes
Child sa: local selector  192.168.1.0/0 - 192.168.1.255/65535
          remote selector 192.168.2.0/0 - 192.168.2.255/65535
          ESP spi in/out: 0x2c1d242a/0x22ded6bd  
          AH spi in/out: 0x0/0x0  
          CPI in/out: 0x0/0x0  
          Encr: AES-CBC, keysize: 128, esp_hmac: SHA96
          ah_hmac: None, comp: IPCOMP_NONE, mode tunnel

ASA-1#  show crypto ipsec sa
interface: OUTSIDE
    Crypto map tag: MY_CRYPTO_MAP, seq num: 1, local addr: 10.10.10.1

      access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 10.10.10.2

      #pkts encaps: 109, #pkts encrypt: 109, #pkts digest: 109
      #pkts decaps: 109, #pkts decrypt: 109, #pkts verify: 109
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 109, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.10.10.1/500, remote crypto endpt.: 10.10.10.2/500
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 22DED6BD
      current inbound spi : 2C1D242A

    inbound esp sas:
      spi: 0x2C1D242A (740107306)
         SA State: active
         transform: esp-aes esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 162320384, crypto-map: MY_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (4101109/28614)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0x22DED6BD (585029309)
         SA State: active
         transform: esp-aes esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 162320384, crypto-map: MY_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (4331509/28614)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License