5.Cisco ASA Site-to-Site IKEv2 IPSEC VPN


IKEv2 was published as RFC 5996 in September 2010 and is fully supported on Cisco ASA firewalls. In this lesson you will learn how to configure a site-to-site IKEv2 IPsec VPN. If you haven’t seen it before, in a previous lesson I showed you how to configure an IKEv1 IPsec VPN.

We will use the following topology for this example:

[Topology diagram: ASA1, ASA2, R1, R2 IPSEC site-to-site VPN]

ASA1 and ASA2 are able to reach each other through their “OUTSIDE” Ethernet 0/1 interfaces. Their Ethernet 0/0 interfaces are the “INSIDE” where we have R1 and R2. The goal is to configure IKEv2 IPSEC site-to-site VPN between ASA1 and ASA2 so that R1 and R2 are able to reach each other.

1.Configuration

First we will configure the IKEv2 policy, which is similar to phase 1 of IKEv1.

1.1.IKEv2 Policy Configuration

Here’s what it looks like for both ASA firewalls:

ASA1 & ASA2#
(config)# crypto ikev2 policy 10
(config-ikev2-policy)# encryption aes
(config-ikev2-policy)# group 2
(config-ikev2-policy)# prf sha
(config-ikev2-policy)# lifetime seconds 86400

The configuration is similar to the IKEv1 policy; the only new command is prf sha. PRF stands for pseudo-random function, the algorithm IKEv2 uses to derive its keying material, and here it uses the same hash algorithm as the integrity check.

1.2.IKEv2 IPSEC Proposal

This section is similar to phase 2 of IKEv1, where we configure a transform set. For IKEv2 this is called the IPSEC proposal, which is configured like this:

ASA1 & ASA2#
(config)# crypto ipsec ikev2 ipsec-proposal MY_PROPOSAL
(config-ipsec-proposal)# protocol esp encryption aes
(config-ipsec-proposal)# protocol esp integrity sha-1

We will use ESP with AES as the encryption algorithm and SHA for integrity. The next step is to configure an access-list that defines which traffic will be encrypted:

ASA1(config)# access-list LAN1_LAN2 extended permit ip host 192.168.1.1 host 192.168.2.2
ASA2(config)# access-list LAN2_LAN1 extended permit ip host 192.168.2.2 host 192.168.1.1

Now we have to configure a crypto map that combines the access-list, remote peer and IKEv2 proposal together:

ASA1(config)# crypto map MY_CRYPTO_MAP 1 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 1 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP 1 set ikev2 ipsec-proposal MY_PROPOSAL
ASA1(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE
ASA2(config)# crypto map MY_CRYPTO_MAP 1 match address LAN2_LAN1
ASA2(config)# crypto map MY_CRYPTO_MAP 1 set peer 10.10.10.1
ASA2(config)# crypto map MY_CRYPTO_MAP 1 set ikev2 ipsec-proposal MY_PROPOSAL
ASA2(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE

The crypto map is called “MY_CRYPTO_MAP” and it specifies the access-list, remote peer and the IKEv2 proposal. It has been attached to the OUTSIDE interface.

The next step is to configure a tunnel group. This is where we define authentication and the pre-shared-key:

ASA1(config)# tunnel-group 10.10.10.2 type ipsec-l2l
ASA1(config)# tunnel-group 10.10.10.2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key CISCO123
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key CISCO456
ASA2(config)# tunnel-group 10.10.10.1 type ipsec-l2l
ASA2(config)# tunnel-group 10.10.10.1 ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key CISCO456
ASA2(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key CISCO123

Above we configured the remote peer and the IPSEC type (LAN-to-LAN). IKEv2 allows us to use a different authentication method for each peer; in this example I used a different pre-shared key for each direction, so the local key on one ASA must be the remote key on the other. The last step is to enable IKEv2 on the interface:

ASA1(config)# crypto ikev2 enable OUTSIDE
ASA2(config)# crypto ikev2 enable OUTSIDE

This takes care of the IKEv2 configuration. Don’t forget to configure routing so that ASA1 and ASA2 know how to reach the networks behind each other’s INSIDE interfaces:

ASA1(config)# route OUTSIDE 192.168.2.0 255.255.255.0 10.10.10.2
ASA2(config)# route OUTSIDE 192.168.1.0 255.255.255.0 10.10.10.1

This completes the configuration. Let’s see if it works…
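The two sides of a LAN-to-LAN tunnel have to mirror each other exactly: ASA1’s local pre-shared key is ASA2’s remote key and vice versa, and the crypto access-lists must be reverse images. The checker below is an added example, not part of the lesson or of Cisco’s own tooling; the helper names (parse_side, check_mirror) are my own, and the sample inputs are constructed from the relevant lines of the ASA1 and ASA2 configurations above.

```python
import re

# Constructed sample input: the lines from the lesson's ASA1 and ASA2 configs that must agree.
ASA1_CONFIG = """\
access-list LAN1_LAN2 extended permit ip host 192.168.1.1 host 192.168.2.2
crypto map MY_CRYPTO_MAP 1 match address LAN1_LAN2
crypto map MY_CRYPTO_MAP 1 set peer 10.10.10.2
 ikev2 local-authentication pre-shared-key CISCO123
 ikev2 remote-authentication pre-shared-key CISCO456
"""
ASA2_CONFIG = """\
access-list LAN2_LAN1 extended permit ip host 192.168.2.2 host 192.168.1.1
crypto map MY_CRYPTO_MAP 1 match address LAN2_LAN1
crypto map MY_CRYPTO_MAP 1 set peer 10.10.10.1
 ikev2 local-authentication pre-shared-key CISCO456
 ikev2 remote-authentication pre-shared-key CISCO123
"""

# One regex per element that has to line up with the other side.
PATTERNS = {
    "acl": r"access-list (\S+) extended permit ip host (\S+) host (\S+)",
    "acl_name": r"crypto map \S+ \d+ match address (\S+)",
    "peer": r"crypto map \S+ \d+ set peer (\S+)",
    "local_psk": r"ikev2 local-authentication pre-shared-key (\S+)",
    "remote_psk": r"ikev2 remote-authentication pre-shared-key (\S+)",
}

def parse_side(cfg):
    """Extract the peer, the crypto ACL and both PSKs from one ASA's config text."""
    side = {"acls": {}}
    for line in cfg.splitlines():
        for key, pat in PATTERNS.items():
            m = re.match(pat, line.strip())
            if m and key == "acl":
                side["acls"][m[1]] = (m[2], m[3])   # ACL name -> (src host, dst host)
            elif m:
                side[key] = m[1]
    return side

def check_mirror(cfg_a, cfg_b):
    """Return the list of mismatches; an empty list means the two sides mirror correctly."""
    a, b = parse_side(cfg_a), parse_side(cfg_b)
    problems = []
    # PSKs are asymmetric: A's local key is what B must hold as its remote key, and vice versa.
    if a.get("local_psk") != b.get("remote_psk") or b.get("local_psk") != a.get("remote_psk"):
        problems.append("pre-shared keys are not mirrored between the peers")
    # The crypto ACLs must be exact mirror images or the traffic selectors will not match.
    acl_a, acl_b = a["acls"].get(a.get("acl_name")), b["acls"].get(b.get("acl_name"))
    if acl_a is None or acl_b is None or acl_a != acl_b[::-1]:
        problems.append("crypto ACLs are not mirror images of each other")
    return problems
```

Run check_mirror against the running-config of both firewalls before bringing the tunnel up; a non-empty result points at the line to fix on one side.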

2.Verification

Generate some traffic between R1 and R2 so that the ASA firewalls have to establish the IPSEC tunnel. First we’ll check if we have an IKEv2 security association:

ASA1# show crypto isakmp sa

There are no IKEv1 SAs

IKEv2 SAs:

Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1

Tunnel-id                 Local                Remote     Status         Role
  7658533       10.10.10.1/500       10.10.10.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/22 sec
Child sa: local selector  192.168.1.1/0 - 192.168.1.1/65535
          remote selector 192.168.2.2/0 - 192.168.2.2/65535
          ESP spi in/out: 0x99589369/0xfcd7e620

This is looking good, a security association has been established between ASA1 and ASA2. Let’s check if traffic is encrypted:

ASA1# show crypto ipsec sa
interface: OUTSIDE
    Crypto map tag: MY_CRYPTO_MAP, seq num: 1, local addr: 10.10.10.1

      access-list LAN1_LAN2 extended permit ip host 192.168.1.1 host 192.168.2.2 
      local ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.2/255.255.255.255/0/0)
      current_peer: 10.10.10.2


      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.10.10.1/500, remote crypto endpt.: 10.10.10.2/500
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: FCD7E620
      current inbound spi : 99589369
              
    inbound esp sas:
      spi: 0x99589369 (2572718953)
         transform: esp-aes esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 4096, crypto-map: MY_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (4193279/28737)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x0000001F
    outbound esp sas:
      spi: 0xFCD7E620 (4242007584)
         transform: esp-aes esp-sha-hmac no compression 
         in use settings ={L2L, Tunnel, IKEv2, }
         slot: 0, conn_id: 4096, crypto-map: MY_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (3962879/28737)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap: 
          0x00000000 0x00000001
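The same checks can be scripted so that a tunnel’s health is verified the same way every time: the IKEv2 SA is UP-ACTIVE, packets are encapsulated and decapsulated in both directions, no send/receive errors are counted, and the negotiated DH group meets current guidance. This is an added example, not part of the lesson; the function names are my own, and the sample inputs are constructed, trimmed copies of the two show outputs above.

```python
import re

# Constructed sample input: trimmed copies of the lesson's show outputs.
IKE_SA_OUTPUT = """\
IKEv2 SAs:
Session-id:1, Status:UP-ACTIVE, IKE count:1, CHILD count:1
Tunnel-id                 Local                Remote     Status         Role
  7658533       10.10.10.1/500       10.10.10.2/500      READY    INITIATOR
      Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/22 sec
"""
IPSEC_SA_OUTPUT = """\
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #send errors: 0, #recv errors: 0
"""

def parse_ike_sa(text):
    """Return status, endpoints, role and negotiated algorithms of the first IKEv2 SA."""
    sa = {}
    m = re.search(r"Status:(\S+),", text)
    sa["status"] = m[1] if m else None
    m = re.search(r"^\s*\d+\s+(\S+)/\d+\s+(\S+)/\d+\s+(\S+)\s+(\S+)", text, re.M)
    if m: sa.update(local=m[1], remote=m[2], ike_state=m[3], role=m[4])
    m = re.search(r"Encr: ([\w-]+), keysize: (\d+), Hash: (\w+), DH Grp:(\d+), Auth sign: (\w+)", text)
    if m: sa.update(encr=m[1], keysize=int(m[2]), hash=m[3], dh_group=int(m[4]), auth=m[5])
    return sa

def parse_ipsec_counters(text):
    """Return the #pkts and error counters from 'show crypto ipsec sa' as a dict of ints."""
    return {k: int(v) for k, v in re.findall(r"#(pkts \w+|send errors|recv errors): (\d+)", text)}

def tunnel_health(ike_text, ipsec_text):
    """Apply the checks a practitioner makes by hand; findings is empty when all pass."""
    sa, c = parse_ike_sa(ike_text), parse_ipsec_counters(ipsec_text)
    findings = []
    if sa.get("status") != "UP-ACTIVE":
        findings.append("IKEv2 SA is not UP-ACTIVE")
    dh = sa.get("dh_group", 0)
    if dh < 14:   # 1024-bit group 2, as used in the lesson, is below current guidance
        findings.append(f"DH group {dh} is weaker than current guidance (group 14 or higher)")
    if c.get("pkts encaps", 0) == 0 or c.get("pkts decaps", 0) == 0:
        findings.append("no traffic in one direction: check crypto ACLs and routing")
    if c.get("send errors", 0) or c.get("recv errors", 0):
        findings.append("send/recv errors present on the IPSEC SA")
    return sa, c, findings
```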

Looking good: packets have been encrypted and decrypted. Hopefully this lesson was useful for learning how to configure an IKEv2 IPSEC site-to-site VPN. If you have any questions, just leave a comment.
