ASA IKEV2 Policy Based VPN

A VPN will be set up between the two Cisco ASA firewalls (ASAv-1 and ASAv-2). The two routers (R1 and R2) act as hosts in the local networks and generate the traffic that brings the VPN tunnel up on demand.

Configuration

Configure the INSIDE and OUTSIDE interfaces with security level, IP address and nameif.

interface GigabitEthernet0/0
 nameif INSIDE
 security-level 100
 ip address 192.168.250.1 255.255.255.252
!
interface GigabitEthernet0/1
 nameif OUTSIDE
 security-level 0
 ip address 1.1.1.1 255.255.255.0

Configure routing

route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.254 1
route INSIDE 10.10.0.0 255.255.0.0 192.168.250.2 1

Network Objects

object network S1_NETWORK
 subnet 10.10.0.0 255.255.254.0
object network S2_NETWORK
 subnet 10.10.0.0 255.255.254.0

Access Control List

access-list SITE2_VPN extended permit ip object S1_NETWORK object S2_NETWORK
access-list SITE2_VPN extended permit ip object S2_NETWORK object S1_NETWORK

NAT Exemption

nat (INSIDE,OUTSIDE) source static S1_NETWORK S1_NETWORK destination static S2_NETWORK S2_NETWORK no-proxy-arp route-lookup

Configure the Tunnel Group and create a PSK for the peer

tunnel-group 2.2.2.1 type ipsec-l2l
tunnel-group 2.2.2.1 ipsec-attributes
 ikev2 local-authentication pre-shared-key cisco1234
 ikev2 remote-authentication pre-shared-key cisco1234

Configure the IKEv2 Policy

crypto ikev2 policy 10
 group 14
 encryption aes-192
 integrity sha256
 prf sha256

Enable IKEv2 on External Interface

crypto ikev2 enable OUTSIDE

Configure the IPSec Transform Set

crypto ipsec ikev2 ipsec-proposal TSET
 protocol esp encryption aes-256
 protocol esp integrity sha-1

Configure the Crypto Map and enable on the OUTSIDE interface

crypto map CRYPTO-MAP 1 match address SITE2_VPN
crypto map CRYPTO-MAP 1 set pfs group2
crypto map CRYPTO-MAP 1 set peer 2.2.2.1
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal TSET
!
crypto map CRYPTO-MAP interface OUTSIDE

The configuration above should be mirrored on the peer device; make sure the crypto settings (IKEv2 policy and IPsec proposal) match between the peers, otherwise the negotiation will fail.
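As an added example that is not part of the original post, the following Python script audits the VPN-relevant lines of the configuration above for the cross-references that most often break a policy-based tunnel (crypto map ACL, proposal and peer, NAT exemption versus crypto ACL, identical local and remote subnets) and flags weak algorithm choices. The embedded configuration string is constructed from the lines above, and the "weak" thresholds are the reviewer's own, not a Cisco list.

```python
import re

# Constructed input: the VPN-relevant lines of the ASA configuration in this write-up.
ASA_CONFIG = """\
object network S1_NETWORK
 subnet 10.10.0.0 255.255.254.0
object network S2_NETWORK
 subnet 10.10.0.0 255.255.254.0
access-list SITE2_VPN extended permit ip object S1_NETWORK object S2_NETWORK
access-list SITE2_VPN extended permit ip object S2_NETWORK object S1_NETWORK
nat (INSIDE,OUTSIDE) source static S1_NETWORK S1_NETWORK destination static S2_NETWORK S2_NETWORK no-proxy-arp route-lookup
tunnel-group 2.2.2.1 type ipsec-l2l
crypto ipsec ikev2 ipsec-proposal TSET
 protocol esp encryption aes-256
 protocol esp integrity sha-1
crypto map CRYPTO-MAP 1 match address SITE2_VPN
crypto map CRYPTO-MAP 1 set pfs group2
crypto map CRYPTO-MAP 1 set peer 2.2.2.1
crypto map CRYPTO-MAP 1 set ikev2 ipsec-proposal TSET
"""

def audit_vpn_config(cfg):
    # Returns a list of finding strings; an empty list means nothing was flagged.
    f, cmap, seen = [], r"^crypto map \S+ \d+ ", {}
    defined = {
        "match address": set(re.findall(r"^access-list (\S+) ", cfg, re.M)),
        "set ikev2 ipsec-proposal": set(re.findall(r"^crypto ipsec ikev2 ipsec-proposal (\S+)", cfg, re.M)),
        "set peer": set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l", cfg, re.M)),
    }
    # Every ACL, proposal and peer the crypto map points at must exist elsewhere in the config.
    for keyword, names in defined.items():
        for ref in re.findall(cmap + keyword + r" (\S+)", cfg, re.M):
            if ref not in names:
                f.append(f"crypto map '{keyword} {ref}' has no matching definition")
    # NAT exemption must name the object pair the crypto ACL permits, or interesting traffic never matches.
    nat = re.search(r"^nat \(\S+\) source static (\S+) \S+ destination static (\S+)", cfg, re.M)
    pairs = set(re.findall(r"^access-list \S+ extended permit ip object (\S+) object (\S+)", cfg, re.M))
    if nat and nat.groups() not in pairs:
        f.append("NAT exemption objects do not match the crypto ACL")
    # Local and remote objects sharing one subnet select traffic to itself, not to the peer.
    for name, subnet in re.findall(r"^object network (\S+)\n subnet (\S+ \S+)", cfg, re.M):
        if subnet in seen:
            f.append(f"objects {seen[subnet]} and {name} both use subnet {subnet}")
        seen[subnet] = name
    # Weak algorithm choices: small MODP PFS groups and SHA-1/MD5 ESP integrity.
    for grp in re.findall(cmap + r"set pfs (group\d+)", cfg, re.M):
        if grp in ("group1", "group2", "group5"):
            f.append(f"PFS {grp} is weak; use group14 or higher to match the IKEv2 policy")
    for alg in re.findall(r"^ protocol esp integrity (\S+)", cfg, re.M):
        if alg in ("sha-1", "md5"):
            f.append(f"ESP integrity {alg} is deprecated; prefer sha-256 or stronger")
    return f
```

Run against the configuration above it reports the shared S1/S2 subnet, the group2 PFS setting and the SHA-1 ESP integrity; the same checks can be run over the peer's mirrored configuration before bringing the tunnel up.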

Testing

Once the VPN configuration has been set up on both ASA firewalls, test connectivity by sending a ping from the local loopback on one of the routers to the loopback of the router across the VPN. The local and remote loopback networks must be covered by the crypto ACL referenced in the crypto map in order to match and be routed across the tunnel.

When establishing connectivity for the first time over the tunnel, the first ping will drop whilst the tunnel is being established.

Verification

Use the command "show crypto ikev2 sa detailed" to verify the IKEv2 SA. This displays the local/remote peer IP addresses, local/remote networks and policy attributes (encryption, hashing algorithms, authentication methods, etc.).

Use the command "show crypto ipsec sa detailed" to verify the IPsec SA. This displays information such as the crypto map, the access-list and the packets encrypted/decrypted. If traffic is not being sent across the VPN tunnel, check that the ACL contains the correct local/remote networks; without a matching ACL entry the traffic will not be encrypted.

Use the command "show vpn-sessiondb detailed l2l". This provides clearer, more detailed information on the VPN tunnel.