Setting up an IPSec tunnel between a Cisco ASA and another security appliance
We have three available interfaces on the ASA - they will be provisioned as follows:
Ethernet0/0 (outside - connected directly to the internet)
Ethernet0/1 (inside - the inside network that will sit behind our end of the VPN tunnel)
Ethernet0/2 (management)
We will first configure the interfaces accordingly:
enable
configure terminal
We configure the outside interface:
int e0/0
nameif outside
security-level 0
ip address 195.22.22.22 255.255.255.240
no shutdown
We configure the inside interface:
int e0/1
nameif inside
security-level 100
ip address 192.168.220.2 255.255.255.0
no shutdown
int e0/2
nameif management
security-level 100
ip address 192.168.0.1 255.255.255.0
no shutdown
And set up a default route via the outside interface:
route outside 0.0.0.0 0.0.0.0 195.22.22.25 1
(195.22.22.25 is the next-hop gateway and the trailing '1' is the administrative distance, i.e. the route's cost)
ISAKMP / IKE Phase 1 - this is the process where IKE creates an initial SA, using a Diffie-Hellman key exchange to establish an encrypted channel between the two VPN endpoints; this forms the foundation for IKE Phase 2.
We need to make sure that ISAKMP is enabled on the outside interface first - check the current crypto configuration with:
show run crypto
ISAKMP was not enabled on my outside interface by default, so we enable it with:
crypto ikev1 enable outside
crypto ikev2 enable outside
We also want strong encryption - by default I was only using DH Group 2, so let's set it to 5:
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash sha
isakmp policy 1 group 5
isakmp policy 1 lifetime 86400
(Alternatively, from ASA software version 8.4 and up, you can explicitly define separate IKEv1 and IKEv2 policies with crypto ikev1 policy 1 and crypto ikev2 policy 1.) E.g.
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 5
lifetime 86400
crypto ikev1 enable outside
and
crypto ikev2 policy 1
encryption 3des
group 5
prf sha
lifetime seconds 43200
crypto ikev2 enable outside
** Note: The lowest policy priority (1 in this case) takes precedence. Policy priorities can range from 1-65535 **
** We do not use the isakmp key on an ASA (unlike Cisco IOS routers); instead we configure a tunnel group **
We will now create an IPSec transform set - which sets the authentication and encryption that the IPSec SAs (IKE Phase 2) will use.
crypto ipsec transform-set L2L esp-3des esp-sha-hmac
or
crypto ipsec ikev1 transform-set trans1 esp-3des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal secure
protocol esp encryption 3des aes des
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal aescustom
protocol esp encryption aes-256
protocol esp integrity sha-1
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
We should now create an ACL to match our "interesting traffic" (traffic that will be traversing through the VPN):
access-list Interesting_Traffic extended permit ip 192.168.0.0 255.255.255.0 192.168.110.0 255.255.255.0
The next step is to define our tunnel group - which defines properties such as the connection type used and the authentication parameters (typically either a pre-shared key or certificate based). The tunnel-group name for an L2L tunnel must be the remote peer's public IP address. For this tutorial we will stick with a pre-shared key:
tunnel-group 195.22.22.22 type ipsec-l2l
tunnel-group 195.22.22.22 ipsec-attributes
pre-shared-key your-password
ikev1 pre-shared-key 0 your-password
ikev2 local-authentication pre-shared-key 0 your-password
ikev2 remote-authentication pre-shared-key 0 your-password
The final process is to create a crypto map (called L2L) - that simply ties our IPSec transform set, access lists and tunnel group together:
crypto map L2L 1 match address Interesting_Traffic
crypto map L2L 1 set peer 195.22.22.22
crypto map L2L 1 set transform-set L2L
crypto map L2L 1 set ikev1 transform-set trans1
crypto map L2L 1 set ikev2 ipsec-proposal secure aescustom AES256 AES192 AES 3DES DES
crypto map L2L interface outside
We will finally need to make sure that the interesting traffic is not NATed: since the two sites are connected over public (RIPE-assigned) addresses, a NAT exemption (no-NAT / identity NAT) must be in place for the VPN traffic.
If you are using ASA software 8.3 or below:
access-list NO-NAT permit ip 192.168.0.0 255.255.255.0 192.168.110.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
or if you are using 8.4 and above use:
object network obj-local
subnet 192.168.0.0 255.255.255.0
object network obj-remote
subnet 192.168.110.0 255.255.255.0
nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote
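The crypto map and NAT exemption sections above describe how the pieces must tie together: the crypto map's match-address ACL has to exist, its peer has to have a tunnel-group of the same name, and every interesting-traffic pair has to be exempted from NAT. The following consistency checker is an added example (not the author's or Cisco's code); it parses a constructed config in the 8.2-style nat 0 form used above, with 203.0.113.10 as an assumed remote peer.

```python
import re
# Constructed sample modelled on this post's snippets (not the author's running config); 203.0.113.10 is an assumed peer.
SAMPLE_CONFIG = """
interface Ethernet0/0
 nameif outside
 ip address 195.22.22.22 255.255.255.240
access-list Interesting_Traffic extended permit ip 192.168.0.0 255.255.255.0 192.168.110.0 255.255.255.0
access-list NO-NAT permit ip 192.168.0.0 255.255.255.0 192.168.110.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
tunnel-group 203.0.113.10 type ipsec-l2l
crypto map L2L 1 match address Interesting_Traffic
crypto map L2L 1 set peer 203.0.113.10
crypto map L2L interface outside
"""
ACL_RE = re.compile(r"^access-list (\S+) (?:extended )?permit ip (\S+ \S+) (\S+ \S+)$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
NAT0_RE = re.compile(r"^nat \(\S+\) 0 access-list (\S+)$")   # pre-8.3 NAT exemption
IP_RE = re.compile(r"^ip address (\S+) \S+$")

def check_l2l_config(config):
    # Returns a list of findings; an empty list means the L2L pieces tie together.
    acls, maps, tunnel_groups, nat0_acls, local_ips = {}, {}, set(), [], set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((m[2], m[3]))
        elif m := MAP_RE.match(line):
            maps.setdefault((m[1], m[2]), {})[m[3]] = m[4]
        elif m := TG_RE.match(line):
            tunnel_groups.add(m[1])
        elif m := NAT0_RE.match(line):
            nat0_acls.append(m[1])
        elif m := IP_RE.match(line):
            local_ips.add(m[1])
    exempt = {pair for name in nat0_acls for pair in acls.get(name, [])}
    findings = []
    for (name, seq), entry in maps.items():
        acl, peer = entry.get("match address"), entry.get("set peer")
        if acl not in acls:
            findings.append(f"{name} {seq}: match-address ACL {acl!r} is not defined")
        if peer not in tunnel_groups:
            findings.append(f"{name} {seq}: no tunnel-group named after peer {peer}")
        if peer in local_ips:
            findings.append(f"{name} {seq}: peer {peer} is one of this ASA's own addresses")
        # Phase 2 never sees traffic that is translated first, so each pair needs a nat 0 match
        for pair in acls.get(acl, []):
            if pair not in exempt:
                findings.append(f"{name} {seq}: {pair[0]} -> {pair[1]} lacks a NAT exemption")
    return findings
```

Run it against a copy of `show running-config`; every finding points at one of the three relationships the tutorial relies on.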
We will commit our changes to the startup-configuration:
write memory
We can now check the status of ISAKMP (IKE Phase 1) with the following command:
show isakmp sa
IKEv1 SAs:
Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1
1 IKE Peer: 1.2.3.4
Type : L2L Role : responder
Rekey : no State : MM_ACTIVE
show ipsec sa
You might not get any SA output initially - this may simply be because no "interesting traffic" has traversed the VPN yet, as the Phase 2 SAs are not established until interesting traffic is sent.
We can use an extended ping to generate some traffic from one network to the other as follows:
asa# ping
TCP Ping [n]:
Interface: inside
Target IP address: 192.168.110.10
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.110.10, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
or we can use the packet-tracer command to manually generate some traffic (this is also a very good command to debug packet flow):
packet-tracer input inside tcp 192.168.0.10 1250 192.168.110.1 80
Drop-reason: (acl-drop) Flow is denied by configured rule
You can also debug both phases with the following commands:
debug crypto isakmp
debug crypto ipsec
We can reset the IPSec SA or ISAKMP with:
clear crypto ipsec sa <ip-address>
or
clear crypto ikev1 sa <ip-address>
or
clear crypto ikev2 sa <ip-address>