2.Cisco ASA Site-to-Site IKEv1 IPsec VPN Dynamic Peer



In a previous lesson, I explained how to configure a site-to-site IPsec IKEv1 VPN between two Cisco ASA firewalls. What if one of the ASA firewalls has a dynamic IP address?

You could take a gamble and configure the IP address manually but as soon as your ISP gives you another IP address, your VPN will collapse.

In this lesson, I’ll show you how to configure a site-to-site IPsec VPN but we’ll use a dynamic IP address on one of the ASAs. Here’s the topology we will use:

[Topology diagram: ASA1, ASA2, R1 and R2, IPsec site-to-site VPN]

ASA1 will use a static IP, ASA2 will use a dynamic IP address.

1.Configuration


We’ll have to configure phase 1 and 2. I’ll show you the similarities and differences between the two ASA firewalls.

1.1.Phase 1 Configuration

We will start with the IKEv1 policy. This will be the same on both ASAs so let’s create a policy:

ASA1 & ASA2
(config)# crypto ikev1 policy 10
(config-ikev1-policy)# authentication pre-share
(config-ikev1-policy)# encryption aes
(config-ikev1-policy)# hash sha
(config-ikev1-policy)# group 2
(config-ikev1-policy)# lifetime 3600

And we will enable it on both firewalls:

ASA1 & ASA2
(config)# crypto isakmp identity address 
(config)# crypto ikev1 enable OUTSIDE

Now we have to configure a tunnel-group. This will be different…

1.1.1.Tunnel-Group Static Peer ASA1

Normally we configure the IP address of the remote peer in our tunnel-group. Since the remote peer is using a dynamic IP address, this is not an option. One option is to use the “DefaultL2LGroup” tunnel-group for this. This is a built-in tunnel-group and all connections that don’t match another tunnel-group will belong to this group:

ASA1(config)# tunnel-group DefaultL2LGroup ipsec-attributes 
ASA1(config-tunnel-ipsec)# ikev1 pre-shared-key MY_SHARED_KEY

The advantage of using the DefaultL2LGroup is that it’s simple to configure. We add a pre-shared key and that’s it. The downside is that you can only configure a single pre-shared key for all dynamic peers. If you have more than one dynamic peer then it’s probably a better idea to create multiple tunnel-groups. This is something I will explain in another lesson.

1.1.2.Tunnel-Group ASA2 Dynamic Peer

On ASA2 we can use a “normal” tunnel-group where we specify the IP address of the remote peer (ASA1):

ASA2(config)# tunnel-group 10.10.10.1 type ipsec-l2l
ASA2(config)# tunnel-group 10.10.10.1 ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev1 pre-shared-key MY_SHARED_KEY

This completes the phase 1 configuration. Let’s work on phase 2…

1.2.Phase 2 Configuration

We will start with the transform-set. We can use the same on both ASAs:

ASA1 & ASA2
(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac

Our next step is to create some access-lists that define what traffic should be encrypted:

ASA1(config)# access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ASA2(config)# access-list LAN2_LAN1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

Now we should configure the crypto map. This part will be different.

1.2.1.Crypto Map Static Peer ASA1

Normally we have to specify the remote peer IP address in the crypto map but that’s something we can’t do on ASA1. We have to use a dynamic map:

ASA1(config)# crypto dynamic-map MY_DYNA_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto dynamic-map MY_DYNA_MAP 10 match address LAN1_LAN2
ASA1(config)# crypto dynamic-map MY_DYNA_MAP 10 set reverse-route

In the dynamic map we refer to the transform set and the access-list that we just created. We also add the reverse-route parameter. This allows the ASA to automatically insert a static route in the routing table for networks behind the remote peer. The next hop will be the IP address of the remote peer.

Now we can create a crypto map where we refer to the dynamic map we just created:

ASA1(config)# crypto map MY_CRYPTO_MAP 10 ipsec-isakmp dynamic MY_DYNA_MAP
ASA1(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE

ASA1 is now ready to accept VPN connections from any IP address. Let’s continue with ASA2.
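As an added check (not part of the original lesson), here is a small Python audit that reads the crypto-relevant lines of ASA1's configuration and reports anything the dynamic-peer setup is missing: the crypto map bound to an interface where IKEv1 is enabled, a complete dynamic map (transform set, crypto ACL, reverse-route), and the catch-all DefaultL2LGroup with its single pre-shared key. The sample text is constructed from the ASA1 commands above; against a real device you would feed it the output of show running-config.

```python
import re

# Constructed sample: the crypto-relevant lines of ASA1's final configuration
# from the lesson (the static-peer side that must accept the dynamic peer).
ASA1_CONFIG = """crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac
crypto dynamic-map MY_DYNA_MAP 10 match address LAN1_LAN2
crypto dynamic-map MY_DYNA_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
crypto dynamic-map MY_DYNA_MAP 10 set reverse-route
crypto map MY_CRYPTO_MAP 10 ipsec-isakmp dynamic MY_DYNA_MAP
crypto map MY_CRYPTO_MAP interface OUTSIDE
crypto isakmp identity address
crypto ikev1 enable OUTSIDE
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key MY_SHARED_KEY
"""

def audit_dynamic_peer(config):
    """Check that the static-peer ASA has every piece needed to accept a dynamic
    L2L peer. Returns a list of findings (errors and notes); [] means nothing found."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # The crypto map must be bound to an interface on which IKEv1 is enabled.
    bound = dict(re.findall(r"^crypto map (\S+) interface (\S+)$", config, re.M))
    ikev1_ifs = set(re.findall(r"^crypto ikev1 enable (\S+)$", config, re.M))
    for cmap, ifname in bound.items():
        if ifname not in ikev1_ifs:
            findings.append(f"{cmap} is bound to {ifname} but IKEv1 is not enabled there")
    # Every dynamic map referenced by a crypto map must carry the three settings.
    for cmap, _seq, dmap in re.findall(r"^crypto map (\S+) (\d+) ipsec-isakmp dynamic (\S+)$", config, re.M):
        if cmap not in bound:
            findings.append(f"{cmap} references {dmap} but is not bound to an interface")
        entries = [l for l in lines if l.startswith(f"crypto dynamic-map {dmap} ")]
        for needed, why in (("set ikev1 transform-set", "no phase 2 proposal"),
                            ("match address", "no crypto ACL selects the traffic"),
                            ("set reverse-route", "no route to the remote LAN is installed")):
            if not any(needed in e for e in entries):
                findings.append(f"{dmap}: missing '{needed}' ({why})")
    # The catch-all group: one PSK that every unmatched peer address may use.
    if re.search(r"^tunnel-group DefaultL2LGroup ipsec-attributes\n(?: .*\n)*? ikev1 pre-shared-key", config, re.M):
        findings.append("note: DefaultL2LGroup has a PSK, so any peer address may attempt IKEv1 with that single key")
    return findings
```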

1.2.2.Crypto Map ASA2 Dynamic Peer

ASA2 can connect to the IP address of ASA1 so we can use a regular crypto map here:

ASA2(config)# crypto map MY_CRYPTO_MAP 10 match address LAN2_LAN1
ASA2(config)# crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.1 
ASA2(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA2(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE

Don’t forget to add a static route:

ASA2(config)# route OUTSIDE 192.168.1.0 255.255.255.0 10.10.10.1

That’s all we need. Time to verify our work.

2.Verification

Since ASA1 doesn’t know the IP address of ASA2, we’ll have to initiate the connection from ASA2. Let’s try a quick ping from R2:

R2#ping 192.168.1.1 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/11/13 ms

Great, our ping is successful! Let’s take a closer look at the VPN:

ASA1# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.10.10.2
    Type    : L2L             Role    : responder 
    Rekey   : no              State   : MM_ACTIVE


ASA2# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.10.10.1
    Type    : L2L             Role    : initiator 
    Rekey   : no              State   : MM_ACTIVE

You can see we have a security association. Here’s the static route that ASA1 inserted automatically:

ASA1# show route static 

S     192.168.2.0 255.255.255.0 [1/0] via 10.10.10.2, OUTSIDE

We can also verify that packets have been encrypted/decrypted:

ASA1# show crypto ipsec sa
interface: OUTSIDE
    Crypto map tag: MY_DYNA_MAP, seq num: 10, local addr: 10.10.10.1

      access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 10.10.10.2


      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.10.10.1/0, remote crypto endpt.: 10.10.10.2/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: B7504034
      current inbound spi : 44DDF28D

    inbound esp sas:
      spi: 0x44DDF28D (1155396237)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 36864, crypto-map: MY_DYNA_MAP
         sa timing: remaining key lifetime (kB/sec): (3914999/3459)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x000003FF
    outbound esp sas:
      spi: 0xB7504034 (3075489844)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 36864, crypto-map: MY_DYNA_MAP
         sa timing: remaining key lifetime (kB/sec): (3914999/3459)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

And here is ASA2:

ASA2# show crypto ipsec sa
interface: OUTSIDE
    Crypto map tag: MY_CRYPTO_MAP, seq num: 10, local addr: 10.10.10.2

      access-list LAN2_LAN1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 
      local ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 10.10.10.1


      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 9, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.10.10.2/0, remote crypto endpt.: 10.10.10.1/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 44DDF28D
      current inbound spi : B7504034

    inbound esp sas:
      spi: 0xB7504034 (3075489844)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 36864, crypto-map: MY_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (4373999/3381)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x000003FF
    outbound esp sas:
      spi: 0x44DDF28D (1155396237)
         transform: esp-aes-256 esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 36864, crypto-map: MY_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (4373999/3380)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001

Everything is looking good, our VPN is up and running. Is it truly dynamic? Let’s change the outside IP address on ASA2 to find out:

ASA2(config)# interface GigabitEthernet0/1
ASA2(config-if)# ip address 10.10.10.200 255.255.255.0

Let’s send another ping:

R2#ping 192.168.1.1 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/11/15 ms

Our ping is successful and when you take a look at ASA1, you can see the remote peer address has changed:

ASA1# show crypto isakmp sa | include Peer
1   IKE Peer: 10.10.10.200
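To keep an eye on a dynamic peer from the responder side, here is an added Python example (not from the original lesson) that parses the show crypto isakmp sa and show crypto ipsec sa output shown above. It flags an IKE SA that is not MM_ACTIVE, an IPsec SA that only carries traffic one way, and a change of the peer address like the one just seen; the sample text is constructed from ASA1's output, and spis_match takes the parsed output of both ASAs to confirm the SPIs cross.

```python
import re
# Constructed sample input: ASA1's "show crypto isakmp sa" / "show crypto ipsec sa" lines from the lesson.
ASA1_ISAKMP = """1   IKE Peer: 10.10.10.2
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE
"""
ASA1_IPSEC = """    Crypto map tag: MY_DYNA_MAP, seq num: 10, local addr: 10.10.10.1
      current_peer: 10.10.10.2
      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
      current outbound spi: B7504034
      current inbound spi : 44DDF28D
"""
SA_RE = re.compile(r"IKE Peer: (\S+)\s+Type\s*:\s*(\S+)\s+Role\s*:\s*(\S+)"
                   r"\s+Rekey\s*:\s*\S+\s+State\s*:\s*(\S+)")

def parse_isakmp(text):
    """One dict per IKEv1 SA: peer address, type (L2L/RA), role and state."""
    return [dict(zip(("peer", "type", "role", "state"), m)) for m in SA_RE.findall(text)]

def parse_ipsec(text):
    """Crypto map, peer, packet counters and current SPIs of an IPsec SA."""
    grab = lambda pat: re.search(pat, text).group(1)
    return {"map": grab(r"Crypto map tag: (\S+),"), "peer": grab(r"current_peer: (\S+)"),
            "encaps": int(grab(r"#pkts encaps: (\d+)")), "decaps": int(grab(r"#pkts decaps: (\d+)")),
            "out_spi": grab(r"current outbound spi: (\w+)"),
            "in_spi": grab(r"current inbound spi\s*: (\w+)")}

def check_tunnel(isakmp_text, ipsec_text, last_peer=None):
    """Return a list of findings; an empty list means the tunnel looks healthy."""
    findings = []
    sas = [s for s in parse_isakmp(isakmp_text) if s["type"] == "L2L"]
    if not sas:
        return ["no L2L IKEv1 SA present"]
    for sa in sas:
        if sa["state"] != "MM_ACTIVE":
            findings.append(f"IKE SA with {sa['peer']} is {sa['state']}, not MM_ACTIVE")
        # A dynamic peer legitimately changes address, but record it: with a single
        # shared DefaultL2LGroup key, the address is all that tells dynamic peers apart.
        if last_peer and sa["peer"] != last_peer:
            findings.append(f"peer address changed: {last_peer} -> {sa['peer']}")
    ipsec = parse_ipsec(ipsec_text)
    if ipsec["encaps"] == 0 or ipsec["decaps"] == 0:
        findings.append("IPsec SA carries traffic in one direction only")
    return findings

def spis_match(local, remote):
    """Our outbound SPI must be the peer's inbound SPI and vice versa."""
    return local["out_spi"] == remote["in_spi"] and local["in_spi"] == remote["out_spi"]
```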

That’s all there is to it. Here are the final configurations of each device:

hostname ASA1
!
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.1.254 255.255.255.0 
!             
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 10.10.10.1 255.255.255.0 
!
access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
!
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac 
!
crypto dynamic-map MY_DYNA_MAP 10 match address LAN1_LAN2
crypto dynamic-map MY_DYNA_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
crypto dynamic-map MY_DYNA_MAP 10 set reverse-route
crypto map MY_CRYPTO_MAP 10 ipsec-isakmp dynamic MY_DYNA_MAP
crypto map MY_CRYPTO_MAP interface OUTSIDE
!
crypto isakmp identity address 
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 3600
!
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key MY_SHARED_KEY
!
: end

hostname ASA2
!
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.2.254 255.255.255.0 
!             
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 10.10.10.2 255.255.255.0 
!
access-list LAN2_LAN1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0 
!
route OUTSIDE 192.168.1.0 255.255.255.0 10.10.10.1 1
!
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac 
crypto map MY_CRYPTO_MAP 10 match address LAN2_LAN1
crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.1 
crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
crypto map MY_CRYPTO_MAP interface OUTSIDE
!
crypto isakmp identity address 
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 3600
!
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
 ikev1 pre-shared-key MY_SHARED_KEY
!
: end

hostname R1
!
no ip routing
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
!
ip default-gateway 192.168.1.254
!
end

hostname R2
!
no ip routing
!
interface GigabitEthernet0/1
 ip address 192.168.2.2 255.255.255.0
!
ip default-gateway 192.168.2.254
!
end

3.Conclusion

With some changes to the tunnel-group and by using a dynamic map, we are able to configure the ASA to accept VPN connections from any dynamic IP. This example can be used when you only have one remote ASA with a dynamic IP address. When you have multiple dynamic peers then it’s best to use a different configuration. We’ll look at this in the next lesson.
