3.Cisco ASA Site-to-Site IKEv1 IPsec VPN Dynamic Peers



In a previous lesson, I explained how to configure a site-to-site IPsec VPN between an ASA with a static IP and one with a dynamic IP address. What if you have multiple peers with dynamic IP addresses?

If you want, you can land all these VPN connections on a single tunnel-group, but it might be a better idea to use different tunnel-groups. This allows you to use different pre-shared keys and policies.

In this lesson, you will learn how to configure site-to-site IPsec VPNs with multiple dynamic peers. Here’s the topology we will use:

[Figure: ASA1, ASA2 and ASA3 dynamic peer topology]

We will configure two VPN tunnels:

  • Between ASA1 and ASA2.
  • Between ASA1 and ASA3.

ASA1 will use a static IP address, and ASA2/ASA3 have dynamic IP addresses. Let’s look at the configuration…

1.Configuration


Most of our work will be on ASA1. Let’s start there.

1.1.ASA1 – Static IP

First, we have to configure the IKEv1 policy:

ASA1(config)# crypto ikev1 policy 10
ASA1(config-ikev1-policy)# authentication pre-share 
ASA1(config-ikev1-policy)# encryption aes-256
ASA1(config-ikev1-policy)# hash sha
ASA1(config-ikev1-policy)# group 2

It doesn’t matter what we use here; just make sure it’s the same on all ASAs. Since ASA1 is using a static IP address, we can use its address as the identity:

ASA1(config)# crypto isakmp identity address 
ASA1(config)# crypto ikev1 enable OUTSIDE

Make sure you enable IKEv1 on the outside interface. Now we can configure the tunnel-groups, one for each ASA:

ASA1(config)# tunnel-group ASA1_ASA2 type ipsec-l2l
ASA1(config)# tunnel-group ASA1_ASA2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev1 pre-shared-key ASA1_ASA2_KEY
ASA1(config)# tunnel-group ASA1_ASA3 type ipsec-l2l
ASA1(config)# tunnel-group ASA1_ASA3 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev1 pre-shared-key ASA1_ASA3_KEY

We will use a different pre-shared key for each ASA. When you configure the tunnel-groups, you’ll get a warning like this:

WARNING: For IKEv1, L2L tunnel-groups that have names which are not an IP
address may only be used if the tunnel authentication
method is Digital Certificates and/or The peer is 
configured to use Aggressive Mode

This is something you need to keep in mind. Since we are using dynamic IP addresses and pre-shared keys on ASA2 and ASA3, we’ll have to use aggressive mode.

Let’s continue; we’ll have to create a transform-set. It doesn’t matter what security parameters we pick as long as it matches with ASA2 and ASA3:

ASA1(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac

Let’s add two access-lists that define the traffic that we want to encrypt:

ASA1(config)# access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
ASA1(config)# access-list LAN1_LAN3 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0

We can only attach a single crypto map to the outside interface, so when we have multiple dynamic peers, we’ll have to use multiple dynamic maps. Let’s create two, one for each ASA:

ASA1(config)# crypto dynamic-map ASA1_ASA2 10 match address LAN1_LAN2
ASA1(config)# crypto dynamic-map ASA1_ASA2 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto dynamic-map ASA1_ASA2 10 set reverse-route
ASA1(config)# crypto dynamic-map ASA1_ASA3 10 match address LAN1_LAN3
ASA1(config)# crypto dynamic-map ASA1_ASA3 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto dynamic-map ASA1_ASA3 10 set reverse-route

Now we will attach both dynamic maps to a single crypto map:

ASA1(config)# crypto map MY_CRYPTO_MAP 10 ipsec-isakmp dynamic ASA1_ASA2
ASA1(config)# crypto map MY_CRYPTO_MAP 20 ipsec-isakmp dynamic ASA1_ASA3

Don’t forget to activate the crypto map on the outside interface:

ASA1(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE

This completes the configuration of ASA1. Let’s take a look at ASA2…

1.2.ASA2 – Dynamic IP

The configuration for ASA2 is much simpler since we will connect to ASA1’s static IP address. Let’s start with the IKEv1 policy:

ASA2(config)# crypto ikev1 policy 10
ASA2(config-ikev1-policy)# authentication pre-share
ASA2(config-ikev1-policy)# encryption aes-256
ASA2(config-ikev1-policy)# hash sha
ASA2(config-ikev1-policy)# group 2

Make sure the policy above matches with ASA1. The next step is an important one:

ASA2(config)# crypto isakmp identity key-id ASA1_ASA2
ASA2(config)# crypto ikev1 enable OUTSIDE

ASA1 has to figure out which tunnel-group to use when ASA2 initiates a VPN connection. This is done with the key-id above. This name has to match with the tunnel-group that we configured on ASA1.

Let’s configure the tunnel-group:

ASA2(config)# tunnel-group 10.10.10.1 type ipsec-l2l
ASA2(config)# tunnel-group 10.10.10.1 ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev1 pre-shared-key ASA1_ASA2_KEY

The tunnel-group configuration is pretty straightforward. We define the IP address of ASA1 and the correct pre-shared key.

Let’s configure a transform-set:

ASA2(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac

And an access-list:

ASA2(config)# access-list LAN2_LAN1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

On ASA2 we can use a single crypto map where we configure the IP address of ASA1 as the peer:

ASA2(config)# crypto map MY_CRYPTO_MAP 10 match address LAN2_LAN1
ASA2(config)# crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.1 
ASA2(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 phase1-mode aggressive 
ASA2(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA2(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE

Last but not least, don’t forget to add a static route for the 192.168.1.0/24 subnet behind ASA1:

ASA2(config)# route OUTSIDE 192.168.1.0 255.255.255.0 10.10.10.1

That’s all we have to configure on ASA2.

1.3.ASA3 – Dynamic IP

The configuration of ASA3 is the same as ASA2; the only exception is the pre-shared key and access-list. Here’s the configuration:

ASA3(config)# crypto ikev1 policy 10
ASA3(config-ikev1-policy)# authentication pre-share 
ASA3(config-ikev1-policy)# encryption aes-256
ASA3(config-ikev1-policy)# hash sha
ASA3(config-ikev1-policy)# group 2

ASA3(config)# crypto isakmp identity key-id ASA1_ASA3
ASA3(config)# crypto ikev1 enable OUTSIDE

ASA3(config)# tunnel-group 10.10.10.1 type ipsec-l2l
ASA3(config)# tunnel-group 10.10.10.1 ipsec-attributes 
ASA3(config-tunnel-ipsec)# ikev1 pre-shared-key ASA1_ASA3_KEY

ASA3(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac

ASA3(config)# access-list LAN3_LAN1 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0

ASA3(config)# crypto map MY_CRYPTO_MAP 10 match address LAN3_LAN1
ASA3(config)# crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.1 
ASA3(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 phase1-mode aggressive 
ASA3(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA3(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE

ASA3(config)# route OUTSIDE 192.168.1.0 255.255.255.0 10.10.10.1
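
As an added sanity check that is not part of the lesson (my own Python, not Cisco's or the author's): a small linter that takes the hub and spoke configurations as text and verifies the three things this setup depends on: the spoke's key-id names an existing tunnel-group on ASA1, the pre-shared keys on both ends agree, and the spoke uses aggressive mode with an IKEv1 policy that matches the hub. The config fragments are constructed from the lesson's configurations; `spoke()`, `lint_spoke()` and the hub IP parameter are my assumptions.

```python
import re

# Constructed config fragments in the shape of the lesson's final configurations (not the page's own files).
POLICY = "crypto ikev1 policy 10\n authentication pre-share\n encryption aes-256\n hash sha\n group 2"
HUB = "\n".join(["crypto isakmp identity address", POLICY,
                 "tunnel-group ASA1_ASA2 type ipsec-l2l", "tunnel-group ASA1_ASA2 ipsec-attributes",
                 " ikev1 pre-shared-key ASA1_ASA2_KEY",
                 "tunnel-group ASA1_ASA3 type ipsec-l2l", "tunnel-group ASA1_ASA3 ipsec-attributes",
                 " ikev1 pre-shared-key ASA1_ASA3_KEY"])

def spoke(key_id, psk, aggressive=True, hub_ip="10.10.10.1"):
    """Constructed dynamic-IP spoke config (ASA2/ASA3 shape); aggressive=False models a forgotten phase1-mode."""
    lines = [f"crypto isakmp identity key-id {key_id}", POLICY, f"tunnel-group {hub_ip} type ipsec-l2l",
             f"tunnel-group {hub_ip} ipsec-attributes", f" ikev1 pre-shared-key {psk}"]
    if aggressive:
        lines.append("crypto map MY_CRYPTO_MAP 10 set ikev1 phase1-mode aggressive")
    return "\n".join(lines)

def tunnel_group_keys(cfg):
    """Map tunnel-group name -> ikev1 pre-shared-key, tracking which ipsec-attributes block we are in."""
    keys, current = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"tunnel-group (\S+) ipsec-attributes", line):
            current = m.group(1)
        elif (m := re.match(r"\s+ikev1 pre-shared-key (\S+)", line)) and current:
            keys[current] = m.group(1)
    return keys

def ikev1_policy(cfg):
    """(authentication, encryption, hash, group) of the IKEv1 policy; all four must match on both ends."""
    return tuple(re.search(rf"^\s+{k} (\S+)", cfg, re.M).group(1) for k in ("authentication", "encryption", "hash", "group"))

def lint_spoke(hub_cfg, spoke_cfg, hub_ip="10.10.10.1"):
    """Return the problems that would stop this spoke from landing on its own tunnel-group on the hub."""
    problems, hub_groups = [], tunnel_group_keys(hub_cfg)
    m = re.search(r"^crypto isakmp identity key-id (\S+)", spoke_cfg, re.M)
    if not m:
        problems.append("no key-id identity: hub cannot select a named tunnel-group")
    elif m.group(1) not in hub_groups:
        problems.append(f"hub has no tunnel-group named {m.group(1)}")
    elif tunnel_group_keys(spoke_cfg).get(hub_ip) != hub_groups[m.group(1)]:
        problems.append(f"pre-shared key for {m.group(1)} differs between hub and spoke")
    if "phase1-mode aggressive" not in spoke_cfg:
        problems.append("spoke is not using aggressive mode (required for key-id with pre-shared keys)")
    if ikev1_policy(hub_cfg) != ikev1_policy(spoke_cfg):
        problems.append("IKEv1 policy does not match the hub")
    return problems
```

Running `lint_spoke(HUB, spoke("ASA1_ASA3", "WRONG_KEY", aggressive=False))` reports both the key mismatch and the missing aggressive mode, which are exactly the two conditions the warning on ASA1 is about.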

All ASA firewalls are now configured. Let’s verify our work!

2.Verification

I’ll send a couple of pings from R2 and R3 to R1. This will trigger the ASA firewalls to initiate a VPN connection:

R2#ping 192.168.1.1 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 9/9/11 ms
R3#ping 192.168.1.1 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 7/10/13 ms

Great, our pings are working. Let’s take a closer look at the VPN connections:

ASA1# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 2
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2

1   IKE Peer: 10.10.10.2
    Type    : L2L             Role    : responder 
    Rekey   : no              State   : AM_ACTIVE 
2   IKE Peer: 10.10.10.3
    Type    : L2L             Role    : responder 
    Rekey   : no              State   : AM_ACTIVE 

We see two peers and the state is active. Let’s make sure our traffic is encrypted:

ASA1# show crypto ipsec sa peer 10.10.10.2
peer address: 10.10.10.2
    Crypto map tag: ASA1_ASA2, seq num: 10, local addr: 10.10.10.1

      access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 10.10.10.2


      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
ASA1# show crypto ipsec sa peer 10.10.10.3
peer address: 10.10.10.3
    Crypto map tag: ASA1_ASA3, seq num: 10, local addr: 10.10.10.1

      access-list LAN1_LAN3 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      current_peer: 10.10.10.3


      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9

Above we see the peer IP addresses and the crypto map tags. Traffic has been encrypted and decrypted so everything is looking good.
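
As an added monitoring check (my own Python, not part of the lesson or Cisco's tooling): because the spoke addresses are not stable, this parses `show crypto ipsec sa` output keyed on the crypto map tag rather than the peer IP, and reports a dynamic map that has no SA or only passes traffic one way. The sample output is constructed in the lesson's format, with the second peer deliberately showing decaps of zero; `parse_ipsec_sa()` and `check_tunnels()` are my own names.

```python
import re

# Constructed sample in the format of ASA1's "show crypto ipsec sa" (second peer deliberately has decaps=0).
IPSEC_SA = """peer address: 10.10.10.20
    Crypto map tag: ASA1_ASA2, seq num: 10, local addr: 10.10.10.1

      access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 10.10.10.20

      #pkts encaps: 9, #pkts encrypt: 9, #pkts digest: 9
      #pkts decaps: 9, #pkts decrypt: 9, #pkts verify: 9
peer address: 10.10.10.30
    Crypto map tag: ASA1_ASA3, seq num: 10, local addr: 10.10.10.1

      #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

def parse_ipsec_sa(text):
    """Map crypto map tag -> {peer, encaps, decaps}; the tag identifies the spoke even when its IP changes."""
    sas, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"peer address: (\S+)", line):
            cur = {"peer": m.group(1)}                       # a new SA block starts here
        elif m := re.search(r"Crypto map tag: (\S+), seq num", line):
            sas[m.group(1)] = cur                            # key the block by its dynamic-map name
        elif m := re.search(r"#pkts (encaps|decaps): (\d+)", line):
            cur[m.group(1)] = int(m.group(2))
    return sas

def check_tunnels(sas, expected_tags):
    """Return findings for expected dynamic maps that have no SA or only carry traffic one way."""
    findings = []
    for tag in expected_tags:
        sa = sas.get(tag)
        if sa is None:
            findings.append(f"{tag}: no IPsec SA (spoke never negotiated or was torn down)")
        elif not sa.get("encaps") or not sa.get("decaps"):
            findings.append(f"{tag}: one-way traffic with {sa['peer']} "
                            f"(encaps={sa.get('encaps', 0)}, decaps={sa.get('decaps', 0)})")
    return findings
```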

To prove that ASA1 will accept VPN connections from any IP address we can try to change the IP addresses on ASA2 and ASA3:

ASA2(config)# interface GigabitEthernet 0/1
ASA2(config-if)# ip address 10.10.10.20 255.255.255.0
ASA3(config)# interface GigabitEthernet 0/1
ASA3(config-if)# ip address 10.10.10.30 255.255.255.0

Let’s do another ping:

R2#ping 192.168.1.1 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/10/12 ms
R3#ping 192.168.1.1 
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/12/17 ms

Our pings are successful, and the peer IP addresses have changed:

ASA1# show crypto isakmp sa | include Peer
1   IKE Peer: 10.10.10.20
2   IKE Peer: 10.10.10.30

That’s all there is to it! For reference, here are the complete configurations of each device:

hostname ASA1
!
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.1.254 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 10.10.10.1 255.255.255.0 
!
access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0 
access-list LAN1_LAN3 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0 
!
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac 
crypto dynamic-map ASA1_ASA2 10 match address LAN1_LAN2
crypto dynamic-map ASA1_ASA2 10 set ikev1 transform-set MY_TRANSFORM_SET
crypto dynamic-map ASA1_ASA2 10 set reverse-route
crypto dynamic-map ASA1_ASA3 10 match address LAN1_LAN3
crypto dynamic-map ASA1_ASA3 10 set ikev1 transform-set MY_TRANSFORM_SET
crypto dynamic-map ASA1_ASA3 10 set reverse-route
crypto map MY_CRYPTO_MAP 10 ipsec-isakmp dynamic ASA1_ASA2
crypto map MY_CRYPTO_MAP 20 ipsec-isakmp dynamic ASA1_ASA3
crypto map MY_CRYPTO_MAP interface OUTSIDE
!
crypto isakmp identity address 
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
tunnel-group ASA1_ASA2 type ipsec-l2l
tunnel-group ASA1_ASA2 ipsec-attributes
 ikev1 pre-shared-key ASA1_ASA2_KEY
tunnel-group ASA1_ASA3 type ipsec-l2l
tunnel-group ASA1_ASA3 ipsec-attributes
 ikev1 pre-shared-key ASA1_ASA3_KEY
!
: end
hostname ASA2
!
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.2.254 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 10.10.10.2 255.255.255.0
!
access-list LAN2_LAN1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
!
route OUTSIDE 192.168.1.0 255.255.255.0 10.10.10.1 1
!
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map MY_CRYPTO_MAP 10 match address LAN2_LAN1
crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.1 
crypto map MY_CRYPTO_MAP 10 set ikev1 phase1-mode aggressive 
crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
crypto map MY_CRYPTO_MAP interface OUTSIDE
!
crypto isakmp identity key-id ASA1_ASA2
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
 ikev1 pre-shared-key ASA1_ASA2_KEY
!
: end
hostname ASA3
!
interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.3.254 255.255.255.0 
!
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 10.10.10.3 255.255.255.0
!
access-list LAN3_LAN1 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
!
route OUTSIDE 192.168.1.0 255.255.255.0 10.10.10.1 1
!
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac
crypto ipsec security-association pmtu-aging infinite
crypto map MY_CRYPTO_MAP 10 match address LAN3_LAN1
crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.1 
crypto map MY_CRYPTO_MAP 10 set ikev1 phase1-mode aggressive 
crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
crypto map MY_CRYPTO_MAP interface OUTSIDE
!
crypto isakmp identity key-id ASA1_ASA3
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 10.10.10.1 type ipsec-l2l
tunnel-group 10.10.10.1 ipsec-attributes
 ikev1 pre-shared-key ASA1_ASA3_KEY
!
: end
hostname R1
!
no ip routing
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
!
ip default-gateway 192.168.1.254
!
end
hostname R2
!
no ip routing
!
interface GigabitEthernet0/1
 ip address 192.168.2.2 255.255.255.0
!
ip default-gateway 192.168.2.254
!
end
hostname R3
!
no ip routing
!
interface GigabitEthernet0/1
 ip address 192.168.3.3 255.255.255.0
!
ip default-gateway 192.168.3.254
!
end

3.Conclusion

By using multiple tunnel-groups and dynamic maps we can accept VPN connections from different dynamic peers and we can use different parameters (like the pre-shared key) for each peer.
