Sunday, 12 April 2015

Setting up an IPSec tunnel between a Cisco ASA and another security appliance

Setting up an IPSec tunnel between a Cisco ASA and another security appliance

We have three available interfaces on the ASA - they will be provisioned as follows:

Ethernet0/0 (outside - which is connected directly to the internet)
Ethernet0/1 (inside - which is an inside network where we want to terminate one side of the VPN terminal)

We will firstly configure the interfaces accordingly:

enable
configure terminal

We configure the outside interface:

int e0/0
nameif outside
security-level 0
ip address 195.22.22.22 255.255.255.240
no shutdown

We configure the inside interface:

int e0/1
nameif inside
security-level 100
ip address 192.168.220.2 255.255.255.0
no shutdown

int e0/2
nameif management
security-level 100
ip address 192.168.0.1 255.255.255.0
no shutdown

And setup routing on the outside interface:
route outside 0.0.0.0 0.0.0.0 195.22.22.25 1
(195.22.22.22 represents the next hop and the '1' indicates the cost)

ISAKMP / IKE Phase 1 - this is the process where IKE create an initial SA using Diffie-helman forming an asymmetrical encrpytion channel between the two VPN endpoints and forms the foundation for IKE Phase 2

We need to make sure that is enabled on the outside interface firstly - this is achieved by:

show run crypto

ISAKMP was not enabled on my outside interface by default - so we should enable it with:

crypto ikev1 enable outside
crypto ikev2 enable outside

We also want strong encryption as by default I was only using DH Group 2 - lets set it to 5:

isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 5
isakmp policy 1 lifetime 86400

(or you can explicity define IKE v1 and v2 policies with: crypto ikev1 policy 1 and crypto ikev2 policy 1 - with the introduction of IOS 8.4 and up on ASA.) E.g.

crypto ikev1 policy 1
  authentication pre-share
  encryption 3des
  hash sha
  group 5
  lifetime 86400
crypto ikev1 enable outside

and

crypto ikev2 policy 1
  encryption 3des
  group 5
  prf sha
  lifetime seconds 43200
crypto ikev2 enable outside

** Note: The lowest policy-priority (1 in this case) - take presidence. Policy priorities can range from 1–65535 **

** We do not use the isakmp key on an ASA (unlike Cisco IOS routers) instead we configure a tunnel group **

We will now create an IPSec transform set - which sets the authentication and encryption that the IPSec SA's (IKE Phase 2) will use.

crypto ipsec transform-set L2L esp-3des esp-sha-hmac

or

crypto ipsec ikev1 transform-set trans1 esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal secure
 protocol esp encryption 3des aes des
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal aescustom
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5


We should now create an ACL to match our "interesting traffic" (traffic that will be traversing through the VPN):

access-list Interesting_Traffic extended permit ip 192.168.0.0 255.255.255.0 192.168.110.0 255.255.255.0

The next step is too define our tunnel group - which defines properties such as the connection type used and authentication parameters (typically this is either a pre-shared key or certificate based) - for this tutorial we will stick with a pre-shared key:

tunnel-group 195.22.22.22 type ipsec-l2l
tunnel-group 195.22.22.22 ipsec-attributes
  pre-shared-key your-password
  ikev1 pre-shared-key 0 your-password
  ikev2 local-authentication pre-shared-key 0 your-password
  ikev2 remote-authentication pre-shared-key 0 your-password

The final process is to create a crypto map (called L2L) - that simply ties our IPSec transform set, access lists and tunnel group together:

crypto map L2L 1 match address Interesting_Traffic
crypto map L2L 1 set peer 195.22.22.22
crypto map L2L 1 set transform-set L2L
crypto map L2L 1 set ikev1 transform-set trans1
crypto map L2L 1 set ikev2 ipsec-proposal secure aescustom AES256 AES192 AES 3DES DES
crypto map L2L interface outside

We will finally need to make sure that the interesting traffic is not natted - if the two sites are connected over two RIPE addresses (no-nat / nat exemption) is in place.

If you are using IOS 8.3 or below:
access-list NO-NAT permit ip 192.168.0.0 255.255.255.0 192.168.110.0 255.255.255.0
nat (inside) 0 access-list NO-NAT

or if you are using 8.4 and above use:
object network obj-local
     subnet 192.168.0.0 255.255.255.0
object network obj-remote
     subnet 192.168.110.0 255.255.255.0
nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote

We will commit our changes to the startup-configuration:
write memory

We can now check the staus of ISAKMP (IKE Phase 1) with the following command:

show isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 1.2.3.4
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

show ipsec sa

You might not get any SA's output initially - although this might be because no "interesting traffic" has traversed the VPN yet - as the Phase 2 SA's are not established until interesting traffic traverses the VPN.

We can use an extended ping to generate some traffic from one network to he other as follows:

asa# ping
TCP Ping [n]:
Interface: inside
Target IP address: 192.168.110.10
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.110.10, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

or we can use the packet-tracer command to manually generate some traffic (this is also a very good command to debug packet flow):

packet-tracer input inside tcp 192.168.0.10 1250 192.168.110.1 80

Drop-reason: (acl-drop) Flow is denied by configured rule

You can also debug both phases with the following commands:

debug crypto isakmp
debug crypto ipsec

We can reset the IPSec SA or ISAKMP with:

clear crypto ipsec sa <ip-address>
or
clear crypto ikev1 sa <ip-address>
or
clear crypto ikev2 sa <ip-address>

0 comments:

Post a Comment