{"id":1240,"date":"2022-02-03T18:36:51","date_gmt":"2022-02-03T15:36:51","guid":{"rendered":"https:\/\/wiki.volu-t.ru\/?p=1240"},"modified":"2022-02-03T18:36:51","modified_gmt":"2022-02-03T15:36:51","slug":"configuring-site-to-site-ipsec-vpn-on-asa-using-ikev2","status":"publish","type":"post","link":"https:\/\/wiki.m-network.ru\/?p=1240","title":{"rendered":"Configuring site-to-site IPSEC VPN on ASA using IKEv2"},"content":{"rendered":"\n

The scenario of configuring site-to-site VPN between two Cisco Adaptive Security Appliances is often used by companies that have more than one geographical location sharing the same resources, documents, servers, etc. The Cisco ASA is often used as VPN terminator, supporting a variety of VPN types and protocols.<\/p>\n\n\n\n

In this tutorial, we are going to configure a site-to-site VPN using IKEv2. IKEv2 is the new standard for configuring IPSEC VPNs. Although the legacy IKEv1<\/a> is widely used in real world networks, it\u2019s good to know how to configure IKEv2 as well since this is usually required in high-security VPN networks (for compliance purposes).<\/p>\n\n\n\n

As described in the topology scenario below, a VPN tunnel will be created between ASA1 and ASA2, connecting the two company sites, HQ and Branch1.<\/p>\n\n\n\n

Behind each security appliance there is a private LAN network. After configuring the VPN tunnel, the private LAN networks in HQ and Branch1 (two geographically dispersed locations) will be able to communicate over the internet and share resources.<\/p>\n\n\n\n

We will refer to the diagram below for this configuration tutorial.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

We will start by configuring IP addressing. On ASA1 and ASA2, we will configure the inside interfaces as connected to LAN and the outside interfaces facing the VPN tunnel. In real world networks, the outside interfaces will be on a different subnet and use public IP addressing. Here we will use 10.10.10.0\/24 for the outside network just for making things easier.<\/p>\n\n\n\n

ASA1<\/span><\/strong><\/p>\n\n\n\n

ASA1(config)# interface GigabitEthernet0<\/strong>
ASA1(config-if)# nameif inside<\/strong>
INFO: Security level for \u201cinside\u201d set to 100 by default.<\/strong>
ASA1(config-if)# ip address 192.168.1.2 255.255.255.0<\/strong>
ASA1(config-if)# no shutdown<\/strong><\/p>\n\n\n\n

ASA1(config-if)# interface GigabitEthernet1<\/strong>
ASA1(config-if)# nameif outside<\/strong>
INFO: Security level for \u201coutside\u201d set to 0 by default.<\/strong>
ASA1(config-if)# ip address 10.10.10.1 255.255.255.0<\/strong>
ASA1(config-if)# no shutdown<\/strong><\/p>\n\n\n\n

ASA1# show interfaces ip brief<\/strong><\/p>\n\n\n\n

Interface\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IP-Address\u00a0\u00a0\u00a0\u00a0\u00a0 OK? Method Status\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Protocol<\/strong>
GigabitEthernet0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 192.168.1.2\u00a0\u00a0\u00a0\u00a0 YES manual up\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 up<\/strong>
GigabitEthernet1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 10.10.10.1\u00a0\u00a0\u00a0\u00a0\u00a0 YES manual up\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 up<\/strong><\/p>\n\n\n\n

ASA2<\/span><\/strong><\/p>\n\n\n\n

ASA2(config)# interface GigabitEthernet0<\/strong>
ASA2(config-if)# nameif inside<\/strong>
INFO: Security level for \u201cinside\u201d set to 100 by default.<\/strong>
ASA2(config-if)# ip address 192.168.2.2 255.255.255.0<\/strong>
ASA2(config-if)# no shutdown<\/strong><\/p>\n\n\n\n

ASA2(config-if)# interface GigabitEthernet1<\/strong>
ASA2(config-if)# nameif outside<\/strong>
INFO: Security level for \u201coutside\u201d set to 0 by default.<\/strong>
ASA2(config-if)# ip address 10.10.10.2 255.255.255.0<\/strong>
ASA2(config-if)# no shutdown<\/strong><\/p>\n\n\n\n

ASA2# show interfaces ip brief<\/strong><\/p>\n\n\n\n

Interface\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IP-Address\u00a0\u00a0\u00a0\u00a0\u00a0 OK? Method Status\u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Protocol<\/strong>
GigabitEthernet0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 192.168.2.2\u00a0\u00a0\u00a0\u00a0 YES manual up\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 up<\/strong>
GigabitEthernet1\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 10.10.10.2\u00a0\u00a0\u00a0\u00a0\u00a0 YES manual up\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 up<\/strong><\/p>\n\n\n\n

Next, we will configure the ISAKMP policies with IKEv2. We will first use the crypto ikev2 policy command to enter IKEv2 policy configuration mode, where we will configure the IKEv2 parameters.<\/p>\n\n\n\n

In this scenario, we used 3DES encryption with Diffie-Hellman group 2, hash function SHA-1 and an encryption key lifetime of 43200 seconds (12 hours).<\/p>\n\n\n\n

ASA1<\/span><\/strong><\/p>\n\n\n\n

ASA1(config)# crypto ikev2 policy 1<\/strong>
ASA1(config-ikev2-policy)# group 2<\/strong>
ASA1(config-ikev2-policy)# encryption 3des<\/strong>
ASA1(config-ikev2-policy)# prf sha<\/strong>
ASA1(config-ikev2-policy)# lifetime seconds 43200<\/strong><\/p>\n\n\n\n

Finally, after the parameters have been set, we will enable IKEv2 on the outside interface<\/p>\n\n\n\n

ASA1(config-ikev2-policy)# crypto ikev2 enable outside<\/strong><\/p>\n\n\n\n

ASA2<\/span><\/strong><\/p>\n\n\n\n

ASA2(config)# crypto ikev2 policy 1<\/strong>
ASA2(config-ikev2-policy)# group 2<\/strong>
ASA2(config-ikev2-policy)# encryption 3des<\/strong>
ASA2(config-ikev2-policy)# prf sha<\/strong>
ASA2(config-ikev2-policy)# lifetime seconds 43200<\/strong>
ASA2(config-ikev2-policy)# crypto ikev2 enable outside<\/strong><\/p>\n\n\n\n

Next, we will configure IKEv2 proposal. As opposed to IKEv1, where we configured a transform set that combines the encryption and authentication method, with IKEv2 we can configure multiple encryption and authentication types, and multiple integrity algorithms for a single policy.<\/p>\n\n\n\n

For this scenario, we will first enter ipsec proposal configuration mode and there set the parameters.<\/p>\n\n\n\n

ASA1<\/span><\/strong><\/p>\n\n\n\n

ASA1(config)#crypto ipsec ikev2 ipsec-proposal P1<\/strong>
ASA1(config-ipsec-proposal)#protocol esp encryption 3des aes des<\/strong>
ASA1(config-ipsec-proposal)#protocol esp integrity sha-1<\/strong><\/p>\n\n\n\n

ASA2<\/span><\/strong><\/p>\n\n\n\n

The same configuration is applied to ASA2.<\/p>\n\n\n\n

ASA2(config)# crypto ipsec ikev2 ipsec-proposal P1<\/strong>
ASA2(config-ipsec-proposal)# protocol esp encryption 3des aes des<\/strong>
ASA2(config-ipsec-proposal)# protocol esp integrity sha-1<\/strong><\/p>\n\n\n\n

Next we need to identify the VPN interesting traffic with an access list.<\/p>\n\n\n\n

ASA1(config)# access-list ACL1 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0<\/strong><\/p>\n\n\n\n

The mirror ACL should be configured on ASA2.<\/p>\n\n\n\n

ASA2(config)# access-list ACL2 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0<\/strong><\/p>\n\n\n\n

The next step is to define a tunnel group. There are two default tunnel groups in the ASA: DefaultRAGroup is the default IPsec remote-access tunnel group and DefaultL2Lgroup is the default IPsec LAN-to-LAN tunnel group.<\/p>\n\n\n\n

To establish a LAN-to-LAN connection, two attributes must be set:<\/p>\n\n\n\n

\u2013  Connection type \u2013 IPsec LAN-to-LAN.<\/p>\n\n\n\n

\u2013  Authentication method for the IP \u2013 in this scenario we will use preshared key for IKEv2.<\/p>\n\n\n\n

The name of the tunnel is the IP address of the peer. IKEv2 preshared key is configured as 32fjsk0392fg.<\/p>\n\n\n\n

NOTE:\u00a0<\/strong>For ikev2 you can have asymmetric pre-shared keys. You can configure a different local and different remote pre-shared key. If you want to have a configuration similar with the legacy ikev1 technology, you need to have the same local and remote pre-shared keys (as we do in our example below)<\/p>\n\n\n\n

ASA1<\/span><\/strong><\/p>\n\n\n\n

ASA1(config)# tunnel-group 10.10.10.2 type ipsec-l2l<\/strong>
ASA1(config)# tunnel-group 10.10.10.2 ipsec-attributes<\/strong>
ASA1(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 32fjsk0392fg<\/strong>
ASA1(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 32fjsk0392fg<\/strong><\/p>\n\n\n\n

ASA2<\/span><\/strong><\/p>\n\n\n\n

ASA2(config)# tunnel-group 10.10.10.1 type ipsec-l2l<\/strong>
ASA2(config)# tunnel-group 10.10.10.1 ipsec-attributes<\/strong>
ASA2(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 32fjsk0392fg<\/strong>
ASA2(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 32fjsk0392fg<\/strong><\/p>\n\n\n\n

Finally, we will create a crypto map linking the access list, the peer and the IKEv2 proposal. We will apply this crypto map to the ASA outside interface.<\/p>\n\n\n\n

ASA1<\/span><\/strong><\/p>\n\n\n\n

ASA1(config)# crypto map cmap 1 match address ACL1<\/strong>
ASA1(config)# crypto map cmap 1 set peer 10.10.10.2<\/strong>
ASA1(config)# crypto map cmap 1 set ikev2 ipsec-proposal P1<\/strong>
ASA1(config)# crypto map cmap interface outside<\/strong><\/p>\n\n\n\n

ASA2<\/span><\/strong><\/p>\n\n\n\n

Similar configuration will be applied to ASA2:<\/p>\n\n\n\n

ASA2(config)# crypto map cmap 1 match address ACL2<\/strong>
ASA2(config)# crypto map cmap 1 set peer 10.10.10.1<\/strong>
ASA2(config)# crypto map cmap 1 set ikev2 ipsec-proposal P1<\/strong>
ASA2(config)# crypto map cmap interface outside<\/strong><\/p>\n\n\n\n

The above concludes the actual IPSEC lan-to-lan configuration. In real world scenarios, the two ASA devices would be connected to the Internet and access from internal users towards the Internet must be provided as well (in addition to the lan-to-lan traffic).<\/p>\n\n\n\n

This requirement (i.e internet access for users in each site) necessitates the configuration of NAT rules in order to translate the internal private IP addresses to a public IP. Let\u2019s configure this new requirement below:<\/p>\n\n\n\n

Internet Access and NAT Exclusion for VPN traffic<\/h3>\n\n\n\n

IPSEC VPN traffic does not work with NAT. You must not perform NAT on VPN packets. Therefore, in addition to configuring Internet access (with using NAT overload in our example here), we must also configure NAT exclusion for VPN traffic:<\/p>\n\n\n\n

1) Configure NAT Overload (PAT) for Internet Access<\/strong><\/p>\n\n\n\n

ASA1<\/span><\/strong><\/p>\n\n\n\n

object network HQ
subnet 192.168.1.0 255.255.255.0
nat (inside,outside) dynamic interface<\/p>\n\n\n\n

object network Branch1
subnet 192.168.2.0 255.255.255.0<\/p>\n\n\n\n

ASA2<\/span><\/strong><\/p>\n\n\n\n

object network Branch1
subnet 192.168.2.0 255.255.255.0
nat (inside,outside) dynamic interface<\/p>\n\n\n\n

object network HQ
subnet 192.168.1.0 255.255.255.0<\/p>\n\n\n\n

2) Configure NAT Exclusion for VPN Traffic<\/strong><\/p>\n\n\n\n

ASA1<\/span><\/strong><\/p>\n\n\n\n

nat (inside,outside) source static HQ HQ destination static Branch1 Branch1 no-proxy-arp route-lookup<\/p>\n\n\n\n

ASA2<\/span><\/strong><\/p>\n\n\n\n

nat (inside,outside) source static Branch1\u00a0 Branch1 destination static HQ HQ no-proxy-arp route-lookup<\/p>\n\n\n\n

\u041e\u0440\u0438\u0433\u0438\u043d\u0430 https:\/\/www.networkstraining.com\/configuring-site-to-site-ipsec-vpn-on-asa-using-ikev2\/<\/p>\n\n\n\n

<\/p>\n\n\n\n

Another example with the config<\/h2>\n\n\n\n
\"\"<\/figure>\n\n\n\n
\r\n#Setting interfaces<\/strong>\r\ninterface GigabitEthernet0\/0\r\n nameif outside\r\n security-level 0\r\n ip address 100.17.30.2 255.255.255.0\r\n\r\ninterface GigabitEthernet0\/2\r\n nameif inside\r\n security-level 100\r\n ip address 192.168.10.1 255.255.255.0\r\n\r\n#Create object-group for local_net and destination_net<\/strong>\r\nobject-group network s2s_dest\r\n network-object 192.168.20.0 255.255.255.0\r\nobject-group network LAN\r\n network-object 192.168.10.0 255.255.255.0\r\n\r\n#Create ACL <\/strong>\r\naccess-list s2s extended permit ip object-group LAN object-group s2s_dest\r\n\r\n#Create NAT<\/strong>\r\nnat (inside,outside) source static LAN LAN destination static s2s_dest s2s_dest no-proxy-arp route-lookup\r\n\r\n#Create ipsec proposal<\/strong>\r\ncrypto ipsec ikev2 ipsec-proposal s2s_1\r\n protocol esp encryption aes-256\r\n protocol esp integrity sha-256\r\n\r\n#Create crypto map<\/strong>\r\ncrypto map outside_s2s 1 match address s2s\r\ncrypto map outside_s2s 1 set pfs group14\r\ncrypto map outside_s2s 1 set peer 100.17.40.2\r\ncrypto map outside_s2s 1 set ikev2 ipsec-proposal s2s_1\r\ncrypto map outside_s2s 1 set security-association lifetime seconds 86400\r\ncrypto map outside_s2s interface outside\r\n\r\n#Create crypto policy<\/strong>\r\ncrypto ikev2 policy 1\r\n encryption aes-256\r\n integrity sha256\r\n group 14\r\n prf sha256\r\n lifetime seconds 28800\r\n\r\n#Enable IKEv2 on interface<\/strong>\r\ncrypto ikev2 enable outside\r\n\r\n#Create tunnel-group<\/strong>\r\ntunnel-group 100.17.40.2 type ipsec-l2l\r\ntunnel-group 100.17.40.2 ipsec-attributes\r\n ikev2 remote-authentication pre-shared-key *****\r\n ikev2 local-authentication pre-shared-key *****\r\n<\/code><\/pre>\n\n\n\n
Create a mirror configuration on the second ASA.<\/p>\n","protected":false},"excerpt":{"rendered":"
The scenario of configuring site-to-site VPN between two Cisco Adaptive Security Appliances is often used by companies that have more than one geographical location sharing the same resources, documents, servers, etc. The Cisco ASA is often used as VPN terminator, supporting a variety of VPN types and protocols. In this tutorial, we are going to ..<\/p>\n
<\/div>\n
Read more<\/a><\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[217,205],"tags":[],"_links":{"self":[{"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=\/wp\/v2\/posts\/1240"}],"collection":[{"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1240"}],"version-history":[{"count":1,"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=\/wp\/v2\/posts\/1240\/revisions"}],"predecessor-version":[{"id":1243,"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=\/wp\/v2\/posts\/1240\/revisions\/1243"}],"wp:attachment":[{"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1240"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1240"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wiki.m-network.ru\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1240"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}