Cisco ASA Site-to-Site IKEv2 IPsec VPN




IPsec VPN is a security feature that provides a secure communication link (also called a VPN tunnel) between two networks located at different sites. Cisco IOS routers can be used to set up a VPN tunnel between two sites. Traffic like data, voice and video can be transmitted securely through the VPN tunnel.


Here I will configure IKEv2 IPsec between two Cisco ASA firewalls to bridge two LANs together.



Configuration


ASA1 and ASA2 are connected with each other using their Ethernet 0/1 interfaces. This is the “OUTSIDE” security zone so imagine that this is their Internet connection. Each ASA has an Ethernet 0/0 interface which is connected to the “INSIDE” security zone. R1 is in network 192.168.1.0 /24 while R2 is in 192.168.2.0 /24. The goal is to ensure that R1 and R2 can communicate with each other through the IPsec tunnel.

Phase 1 Configuration

Phase 1 of IPsec is used to establish a secure channel between the two peers that will be used for further data transmission. The ASAs exchange keys, authenticate each other and negotiate the IKE security policies. This is what happens in phase 1:

  • Authenticate and protect the identities of the IPsec peers.
  • Negotiate a matching IKE policy between IPsec peers to protect the IKE exchange.
  • Perform an authenticated Diffie-Hellman exchange to have matching shared secret keys.
  • Set up a secure tunnel for IKE phase 2.

Here’s what the configuration looks like on ASA1:

ASA1(config)# crypto ikev1 policy 10
ASA1(config-ikev1-policy)# authentication pre-share
ASA1(config-ikev1-policy)# encryption aes
ASA1(config-ikev1-policy)# hash sha
ASA1(config-ikev1-policy)# group 2
ASA1(config-ikev1-policy)# lifetime 3600
Breakdown of the configuration:
  • The IKEv1 policy starts with a priority number; I picked number 10. The lower the number, the higher the priority, which matters when you have multiple peers.
  • We use a pre-shared key for authentication.
  • Encryption is done with AES.
  • SHA is used for hashing.
  • We use Diffie-Hellman group 2 for the secret key exchange.
  • The security association lifetime is 3600 seconds; once it expires we do a renegotiation.
If you use any ASA version before ASA 8.4 then the keyword “ikev1” has to be replaced with “isakmp”.
The IKEv1 policy is configured but we still have to enable it:

ASA1(config)# crypto ikev1 enable OUTSIDE
ASA1(config)# crypto isakmp identity address

The first command enables our IKEv1 policy on the OUTSIDE interface and the second command is used so the ASA identifies itself with its IP address, not its FQDN (Fully Qualified Domain Name).
We configured the IKEv1 policy and activated it on the interface but we still have to specify the remote peer and a pre-shared key. This is done with a tunnel-group:

ASA1(config)# tunnel-group 10.10.10.2 type ipsec-l2l

The IP address above is the IP address of the OUTSIDE interface on ASA2. The type “ipsec-l2l” means lan-to-lan. Let’s configure the pre-shared key now:

ASA1(config)# tunnel-group 10.10.10.2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev1 pre-shared-key MY_SHARED_KEY

The pre-shared key is configured as an attribute for the remote peer. I’ll use “MY_SHARED_KEY” as the pre-shared key between the two ASA firewalls. This takes care of the phase 1 configuration on ASA1, we’ll configure the same thing on ASA2:

ASA2(config)# crypto ikev1 policy 10
ASA2(config-ikev1-policy)# authentication pre-share
ASA2(config-ikev1-policy)# encryption aes
ASA2(config-ikev1-policy)# hash sha
ASA2(config-ikev1-policy)# group 2
ASA2(config-ikev1-policy)# lifetime 3600
ASA2(config)# crypto ikev1 enable OUTSIDE
ASA2(config)# crypto isakmp identity address
ASA2(config)# tunnel-group 10.10.10.1 type ipsec-l2l
ASA2(config)# tunnel-group 10.10.10.1 ipsec-attributes
ASA2(config-tunnel-ipsec)# ikev1 pre-shared-key MY_SHARED_KEY

Phase 1 is now configured on both ASA firewalls. Let’s continue with phase 2…

Phase 2 configuration

Once the secure tunnel from phase 1 has been established, we will start phase 2. In this phase the two firewalls negotiate the IPsec security parameters that will be used to protect the traffic within the tunnel. In short, this is what happens in phase 2:

  • Negotiate IPsec security parameters through the secure tunnel from phase 1.
  • Establish IPsec security associations.
  • Periodically renegotiate IPsec security associations for security.

Here’s what the configuration looks like, we’ll start with ASA1:
ASA1(config)# access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

First we configure an access-list that defines what traffic we are going to encrypt. This will be the traffic between 192.168.1.0 /24 and 192.168.2.0 /24.

The IPsec peers negotiate the encryption and authentication algorithms, and this is done using a transform-set. Here’s what it looks like:
ASA1(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac

The transform set is called “MY_TRANSFORM_SET” and it specifies that we want to use ESP with 256-bit AES encryption and SHA for authentication. Once we have configured the transform set we need to configure a crypto map, which holds all the phase 2 parameters:
ASA1(config)# crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
ASA1(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE

Let me explain the configuration step by step:
  • The crypto map is called “MY_CRYPTO_MAP” and number 10 is the sequence number. The sequence number is used because you can have a single crypto map for multiple different remote peers.
  • The set peer command configures the IP address of the remote peer, ASA2 in this example.
  • The set ikev1 transform-set command is used to refer to the transform set that we configured before.
  • The set security-association command specifies when the security association will expire and when we do a renegotiation.
  • The interface command activates the crypto map on the interface.
Configuration on ASA2:
ASA2(config)# access-list LAN2_LAN1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
ASA2(config)# crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac
ASA2(config)# crypto map MY_CRYPTO_MAP 10 match address LAN2_LAN1
ASA2(config)# crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.1
ASA2(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA2(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
ASA2(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE
This takes care of phase 1 and phase 2 on both ASA firewalls. Last but not least, make sure that the firewalls know how to reach each other’s subnets. I will use a static route for this:
ASA1(config)# route OUTSIDE 192.168.2.0 255.255.255.0 10.10.10.2
ASA2(config)# route OUTSIDE 192.168.1.0 255.255.255.0 10.10.10.1
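Most site-to-site failures come from the two sides not mirroring each other. As an added example (not code from the original post), the Python below takes the ASA1 and ASA2 commands from this page, prompts stripped and cut down to the lines it reads, and reports every mismatch that would keep the tunnel from coming up. The OUTSIDE addresses 10.10.10.1 and 10.10.10.2 are passed in separately because they do not appear in the crypto configuration itself.

```python
# Constructed sample: the ASA1 and ASA2 commands from this page, prompts stripped
# and cut down to the lines the check reads.
ASA1 = """authentication pre-share
encryption aes
hash sha
group 2
ikev1 pre-shared-key MY_SHARED_KEY
access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac
crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2"""
ASA2 = """authentication pre-share
encryption aes
hash sha
group 2
ikev1 pre-shared-key MY_SHARED_KEY
access-list LAN2_LAN1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto ipsec ikev1 transform-set MY_TRANSFORM_SET esp-aes-256 esp-sha-hmac
crypto map MY_CRYPTO_MAP 10 match address LAN2_LAN1
crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.1"""

def parse(cfg):  # collect the phase 1 and phase 2 values the two peers must agree on
    p = {"policy": {}, "acl": {}}
    for w in (line.split() for line in cfg.splitlines() if line.strip()):
        if w[0] in ("authentication", "encryption", "hash", "group"):
            p["policy"][w[0]] = w[1]
        elif w[:2] == ["ikev1", "pre-shared-key"]:
            p["psk"] = w[2]
        elif w[0] == "access-list":                  # name -> (src, mask, dst, mask)
            p["acl"][w[1]] = tuple(w[5:9])
        elif w[:4] == ["crypto", "ipsec", "ikev1", "transform-set"]:
            p["ts"] = frozenset(w[5:])               # esp-* keyword order is irrelevant
        elif w[-3:-1] == ["match", "address"]:
            p["match"] = w[-1]
        elif w[-3:-1] == ["set", "peer"]:
            p["peer"] = w[-1]
    return p

def check_pair(cfg_a, a_outside, cfg_b, b_outside):  # [] means the two sides agree
    a, b = parse(cfg_a), parse(cfg_b)
    labels = {"policy": "IKEv1 policy", "psk": "pre-shared key", "ts": "transform-set"}
    problems = [labels[k] + " mismatch" for k in labels if a.get(k) != b.get(k)]
    if (a.get("peer"), b.get("peer")) != (b_outside, a_outside):
        problems.append("set peer does not point at the other side's OUTSIDE address")
    acl_a, acl_b = a["acl"].get(a.get("match")), b["acl"].get(b.get("match"))
    if not (acl_a and acl_b) or acl_a != acl_b[2:] + acl_b[:2]:
        problems.append("crypto ACLs are not mirror images")
    return problems
```

Run `check_pair(ASA1, "10.10.10.1", ASA2, "10.10.10.2")` on the configuration above and it returns an empty list; change one side's key, transform set or ACL and the corresponding mismatch is reported.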

Everything is in place so let’s verify our work…

Verification

We require some traffic between R1 and R2 to trigger the ASA firewalls to build the tunnel. I’ll send a ping from R1 to R2:

R1#ping 192.168.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
The ping works so it looks promising, we have to verify however that our traffic is encrypted:
ASA1# show crypto isakmp sa

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 10.10.10.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

There are no IKEv2 SAs
The important thing to look for is the state, which is MM_ACTIVE. This means that the IPsec tunnel has been established. Now we can check if our packets are encrypted:

ASA1# show crypto ipsec sa
interface: OUTSIDE
    Crypto map tag: MY_CRYPTO_MAP, seq num: 10, local addr: 10.10.10.1

      access-list LAN1_LAN2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 10.10.10.2


      #pkts encaps: 1697, #pkts encrypt: 1697, #pkts digest: 1697
      #pkts decaps: 1696, #pkts decrypt: 1696, #pkts verify: 1696
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1697, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 10.10.10.1/0, remote crypto endpt.: 10.10.10.2/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: EECD69E6
      current inbound spi : F74C0050
             
    inbound esp sas:
      spi: 0xF74C0050 (4148953168)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 4096, crypto-map: MY_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (3914834/3423)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0xFFFFFFFF 0xFFFFFFFF
    outbound esp sas:
      spi: 0xEECD69E6 (4006439398)
         transform: esp-aes-256 esp-sha-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 4096, crypto-map: MY_CRYPTO_MAP
         sa timing: remaining key lifetime (kB/sec): (3914834/3423)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
You can see the access-list that matches our traffic and the number of encrypted and decrypted packets. I hope this example has been useful for you, if you have any questions feel free to leave a comment!
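The encaps/decaps counters above are the quickest way to tell a working tunnel from one that is up but passing traffic in one direction only. As an added example, not output or code from the original post, the Python below parses two constructed snapshots of show crypto ipsec sa (counters modelled on the output above, the second one with more encrypted but no more decrypted packets) and classifies what the SA did between them.

```python
import re

# Constructed excerpts of two successive "show crypto ipsec sa" snapshots on ASA1,
# cut down to the lines this check reads; counters modelled on the output above.
SNAP_T0 = """\
      #pkts encaps: 1697, #pkts encrypt: 1697, #pkts digest: 1697
      #pkts decaps: 1696, #pkts decrypt: 1696, #pkts verify: 1696
      #send errors: 0, #recv errors: 0
      current outbound spi: EECD69E6
      current inbound spi : F74C0050
"""
SNAP_T1 = """\
      #pkts encaps: 1750, #pkts encrypt: 1750, #pkts digest: 1750
      #pkts decaps: 1696, #pkts decrypt: 1696, #pkts verify: 1696
      #send errors: 0, #recv errors: 0
      current outbound spi: EECD69E6
      current inbound spi : F74C0050
"""

def parse_sa(text):
    """Extract the packet counters and the current SPIs from one snapshot."""
    sa = {k: int(v) for k, v in re.findall(r"#(?:pkts )?([a-z ]+?): (\d+)", text)}
    for direction, spi in re.findall(r"current (inbound|outbound) spi\s*: ([0-9A-F]+)", text):
        sa[direction + " spi"] = spi
    return sa

def diagnose(t0, t1):
    """Compare two snapshots of the same SA and say what happened in between."""
    tx, rx = t1["encaps"] - t0["encaps"], t1["decaps"] - t0["decaps"]
    errs = t1["recv errors"] - t0["recv errors"]
    note = ""
    if (t0["inbound spi"], t0["outbound spi"]) != (t1["inbound spi"], t1["outbound spi"]):
        note = " (SPIs changed: the SA was rekeyed between snapshots)"
    if errs > 0:
        return "errors: %d inbound packets counted as recv errors" % errs + note
    if tx == 0 and rx == 0:
        return "idle: nothing matched the crypto ACL" + note
    if rx == 0:
        return "one-way: %d packets encrypted, none decrypted; the peer is not sending back" % tx + note
    return "healthy: %d encrypted, %d decrypted" % (tx, rx) + note
```

A one-way result usually means the return traffic never reaches the peer's crypto ACL (routing or a non-mirrored ACL on the far side), which is exactly what the static routes and mirrored access-lists above are there to prevent.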