1.Cisco ASA Site-to-Site IKEv1 IPsec VPN


Site-to-site IPsec VPNs are used to “bridge” two distant LANs together over the Internet. Normally on the LAN we use private addresses so without tunneling, the two LANs would be unable to communicate with each other.

In this lesson you will learn how to configure IKEv1 IPsec between two Cisco ASA firewalls to bridge two LANs together.

1.Configuration

We will use the following topology for this example:

ASA1 ASA2 R1 R2 IPSEC site to site VPN

ASA1 and ASA2 are connected with each other using their Ethernet 0/1 interfaces. This is the “OUTSIDE” security zone so imagine that this is their Internet connection. Each ASA has an Ethernet 0/0 interface which is connected to the “INSIDE” security zone. R1 is in network 192.168.1.0 /24 while R2 is in 192.168.2.0 /24. The goal is to ensure that R1 and R2 can communicate with each other through the IPsec tunnel.

1.1.Phase 1 Configuration

Phase 1 of IPsec is used to establish a secure channel between the two peers that will be used for further data transmission. The ASAs will exchange secret keys, they authenticate each other and will negotiate about the IKE security policies. This is what happens in phase 1:

  • Authenticate and protect the identities of the IPsec peers.
  • Negotiate a matching IKE policy between IPsec peers to protect the IKE exchange.
  • Perform an authenticated Diffie-Hellman exchange to have matching shared secret keys.
  • Setup a secure tunnel for IKE phase 2.

Here’s what the configuration looks like on ASA1:

ASA1(config)# crypto ikev1 policy 10 
ASA1(config-ikev1-policy)# authentication pre-share 
ASA1(config-ikev1-policy)# encryption aes
ASA1(config-ikev1-policy)# hash sha
ASA1(config-ikev1-policy)# group 2
ASA1(config-ikev1-policy)# lifetime 3600

Let me break down this configuration for you:

  • The IKEv1 policy starts with a priority number, I picked number 10. The lower the number, the higher the priority…you can use this if you have multiple peers.
  • We use a pre-shared key for authentication.
  • Encryption is done with AES.
  • SHA is used for hashing.
  • We use Diffie-Hellman group 2 for secret key exchange.
  • The security association is 3600 seconds, once this expires we will do a renegotiation.
If you use any ASA version before ASA 8.4 then the keyword “ikev1” has to be replaced with “isakmp”.

The IKEv1 policy is configured but we still have to enable it:

ASA1(config)# crypto ikev1 enable OUTSIDE
ASA1(config)# crypto isakmp identity address

The first command enables our IKEv1 policy on the OUTSIDE interface and the second command is used so the ASA identifies itself with its IP address, not its FQDN (Fully Qualified Domain Name).

We configured the IKEv1 policy and activated it on the interface but we still have to specify the remote peer and a pre-shared key. This is done with a tunnel-group:

ASA1(config)# tunnel-group 10.10.10.2 type ipsec-l2l

The IP address above is the IP address of the OUTSIDE interface on ASA2. The type “ipsec-l2l” means lan-to-lan. Let’s configure the pre-shared key now:

ASA1(config)# tunnel-group 10.10.10.2 ipsec-attributes 
ASA1(config-tunnel-ipsec)# ikev1 pre-shared-key MY_SHARED_KEY

The pre-shared key is configured as an attribute for the remote peer. I’ll use “MY_SHARED_KEY” as the pre-shared key between the two ASA firewalls. This takes care of the phase 1 configuration on ASA1, we’ll configure the same thing on ASA2:

ASA2(config)# crypto ikev1 policy 10
ASA2(config-ikev1-policy)# authentication pre-share 
ASA2(config-ikev1-policy)# encryption aes
ASA2(config-ikev1-policy)# hash sha
ASA2(config-ikev1-policy)# group 2
ASA2(config-ikev1-policy)# lifetime 3600
ASA2(config)# crypto ikev1 enable outside
ASA2(config)# crypto isakmp identity address 
ASA2(config)# tunnel-group 10.10.10.1 type ipsec-l2l
ASA2(config)# tunnel-group 10.10.10.1 ipsec-attributes 
ASA2(config-tunnel-ipsec)# ikev1 pre-shared-key MY_SHARED_KEY

Phase 1 is now configured on both ASA firewalls. Let’s continue with phase 2…

1.2.Phase 2 configuration

Once the secure tunnel from phase 1 has been established, we will start phase 2. In this phase the two firewalls will negotiate about the IPsec security parameters that will be used to protect the traffic within the tunnel. In short, this is what happens in phase 2:

  • Negotiate IPsec security parameters through the secure tunnel from phase 1.
  • Establish IPsec security associations.
  • Periodically renegotiates IPsec security associations for security.

Here’s what the configuration looks like, we’ll start with ASA1:

ASA1(config)# access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

First we configure an access-list that defines what traffic we are going to encrypt. This will be the traffic between 192.168.1.0 /24 and 192.168.2.0 /24.

The IPsec peers will negotiate about the encryption and authentication algorithms and this is done using a transform-set. Here’s what it looks like:

ASA1(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac

The transform set is called “MY_TRANSFORM_SET” and it specifies that we want to use ESP with 256-bit AES encryption and SHA for authentication. Once we configured the transform set we need to configure a crypto map which has all the phase 2 parameters:

ASA1(config)# crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
ASA1(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE

Let me explain the configuration step by step:

  • The crypto map is called “MY_CRYPTO_MAP” and number 10 is the sequence number. The sequence number is used because you can have a single crypto map for multiple different remote peers.
  • The set peer command configures the IP address of the remote peer, ASA2 in this example.
  • The set ikev1 transform-set command is used to refer to the transform set that we configured before.
  • The set security-association command specifies when the security association will expire and when we do a renegotiation.
  • The interface command activates the crypto map on the interface.

We will create a similar configuration on ASA2:

ASA2(config)# access-list LAN2_LAN1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA2(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac
ASA2(config)# crypto map MY_CRYPTO_MAP 10 match address LAN2_LAN1
ASA2(config)# crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.1   
ASA2(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA2(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600                             
ASA2(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE

This takes care of phase 1 and phase on both ASA firewalls. Last but not least, make sure that the firewalls know how to reach each others subnets, I will use a static route for this:

ASA1(config)# route OUTSIDE 192.168.2.0 255.255.255.0 10.10.10.2
ASA2(config)# route OUTSIDE 192.168.1.0 255.255.255.0 10.10.10.1

Everything is in place so let’s verify our work…

2.Verification

We require some traffic between R1 and R2 to trigger the ASA firewalls to build the tunnel. I’ll send a ping from R1 to R2:

R1#ping 192.168.2.2             
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

The ping works so it looks promising, we have to verify however that our traffic is encrypted:

ASA1# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.10.10.2
    Type    : L2L             Role    : initiator 
    Rekey   : no              State   : MM_ACTIVE 

There are no IKEv2 SAs

The important thing to look for is the state which is MM_ACTIVE. This means that the IPsec tunnel has been established. Now we can check if our packets and encrypted:

ASA1# show crypto ipsec sa
interface: OUTSIDE
    Crypto map tag: MY_CRYPTO_MAP, seq num: 10, local addr: 10.10.10.1

      access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 10.10.10.2


      #pkts encaps: 1697, #pkts encrypt: 1697, #pkts digest: 1697
      #pkts decaps: 1696, #pkts decrypt: 1696, #pkts verify: 1696
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1697, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.10.10.1/0, remote crypto endpt.: 10.10.10.2/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: EECD69E6
      current inbound spi : F74C0050
              
    inbound esp sas:
      spi: 0xF74C0050 (4148953168)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 4096, crypto-map: MY_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (3914834/3423)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xEECD69E6 (4006439398)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 4096, crypto-map: MY_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (3914834/3423)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

This is looking good, you can see the access-list that matches our traffic and the number of encrypted and decrypted packets.

hostname ASA1
!
interface FastEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.1.254 255.255.255.0 
!             
interface FastEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 10.10.10.1 255.255.255.0 
!
access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
!
route OUTSIDE 192.168.2.0 255.255.255.0 10.10.10.2 1
!
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac 
!
crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2 
crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
crypto map MY_CRYPTO_MAP interface OUTSIDE
!
crypto isakmp identity address 
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 3600
!
tunnel-group 10.10.10.2 type ipsec-l2l
tunnel-group 10.10.10.2 ipsec-attributes
 ikev1 pre-shared-key *****
!
end
hostname ASA2
!
interface FastEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.2.254 255.255.255.0 
!             
interface FastEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 10.10.10.2 255.255.255.0 
!
access-list LAN2_LAN1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 
!
route OUTSIDE 192.168.1.0 255.255.255.0 10.10.10.1 1
!
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac 
!
crypto map MY_CRYPTO_MAP 10 match address LAN2_LAN1
crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.1 
crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
crypto map MY_CRYPTO_MAP interface OUTSIDE
!
crypto isakmp identity address 
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 3600
!
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
 ikev1 pre-shared-key *****
!
end 
hostname R1
!
no ip routing
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
ip default-gateway 192.168.1.254
!
end
hostname R2
!
no ip routing
!
interface FastEthernet0/0
 ip address 192.168.2.2 255.255.255.0
 duplex auto
 speed auto
!
ip default-gateway 192.168.2.254
!
end

I hope this example has been useful for you, if you have any questions feel free to leave a comment!

Comments

Post a Comment

Popular posts from this blog

Cisco ASA Packet Drop Troubleshooting

Image
As a firewall, the Cisco ASA drops packets. That’s great until it drops packets that you want to permit, and you have no idea what is going on. Fortunately, the ASA supports different tools to show you why and what packets it drops. In this lesson, we’ll cover the following tools: Connection State Interface Drops Syslog ASP Drops Packet Capture Packet Tracer Service Policy Conclusion Here is the topology I use: We use a simple topology: Two “host” devices: These are routers with ip routing disabled, and they use ASA1 as their default gateway. An HTTP server is enabled on both devices. ASA1 runs ASAv Version 9.9(2) and has two interfaces: INSIDE: security level 100 OUTSIDE: security level 0 In this topology, H1 will be able to initiate a connection to H2. H2 won’t be able to initiate a connection to H1 because we go from a  low-security level (0) to a high-security level (100) . Configurations ASA1 H1 H2 hostname ASA1 ! interface GigabitEthernet0/0 nameif INSIDE security-level 100...
Read more

show asp drop Command Usage

The  show asp drop  command shows the packets or connections dropped by the accelerated security path, which might help you troubleshoot a problem. See the general operations configuration guide for more information about the accelerated security path. This information is used for debugging purposes only, and the information output is subject to change. Consult Cisco TAC to help you debug your system with this command. The following sections include each drop reason name and description, including recommendations: rame Drop Reasons   ---------------------------------------------------------------- Name: natt-keepalive NAT-T keepalive message: This counter will increment when the appliance receives an IPSec NAT-T keepalive message. NAT-T keepalive messages are sent from the IPSec peer to the appliance to keep NAT/PAT flow information current in network devices between the NAT-T IPSec peer and the appliance.   Recommendation: If you have configured IPSec NAT-T on your ...
Read more

1.Cisco ASA Clock Configuration

The Cisco ASA firewall has a battery on the motherboard that saves the clock settings. Even when it’s is powered off, the clock will be stored. There are two important reasons why you want to make sure that your ASA has the correct date/time: In case of a security breach you want to track log files for events. With an incorrect timestamp, your log files are useless. PKI (Public Key Infrastructure) that we use for digital certificates to authenticate remote users (IPSEC or SSL VPN) requires the correct date/time. The most simple method is to configure the date/time manually, you can do it like this: ASA1(config)# clock set 13:15:00 Dec 19 2014 Just use the  clock set  command and enter the correct time/date. You can verify it like this: ASA1# show clock 13:15:15.709 UTC Fri Dec 19 2014 As you can see, the default timezone is UTC. If you are in another timezone like me then you have to change this: ASA1(config)# clock timezone CET +1 Use the  clock timezone  command t...
Read more