HOW TO: IKEv1 L2L VPN between IOS and ASA using PSK

http://netfixpro.com/ikev1-l2l-vpn-with-ios-and-asa-using-psk/

In this article, I will demonstrate how to configure and verify a policy-based site-to-site IPsec VPN between a Cisco IOS-based router and an ASA firewall. To illustrate, I am using the simple topology shown in the diagram above.

I have R3 on the right side of the diagram, acting as a host. At the end of the task we will send a ping from R3 to verify reachability over the VPN tunnel. R3 is connected to the ASA's inside interface, and the ASA is connected to R2 through its outside interface. R2 sends traffic over the internet to R1. In this lab, I will create a policy-based site-to-site IPsec VPN between R1 and the ASA. For simplicity, I am using static routes everywhere. Here are the initial configurations of all 4 devices. You can replicate this lab in GNS3. I am using 9.4.2 code on the ASA and 15.4(1)T code on all routers.

Initial configuration

ASA1

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 50.50.50.2 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.10.1 255.255.255.0
 no shutdown
!
access-list outside_in extended permit icmp any any
access-list inside_out extended permit ip any any
!
access-group inside_out in interface inside
access-group outside_in in interface outside
!
route outside 0.0.0.0 0.0.0.0 50.50.50.1

R3

ip route 0.0.0.0 0.0.0.0 172.16.10.1
!
interface Ethernet0/1
 ip address 172.16.10.2 255.255.255.0
 no shutdown

R1

ip route 0.0.0.0 0.0.0.0 51.51.51.1
!
interface Loopback0
 ip address 172.16.20.1 255.255.255.0
!
interface Ethernet0/1
 ip address 51.51.51.2 255.255.255.0
 no shutdown

R2

ip route 172.16.20.0 255.255.255.0 10.10.10.2
!
interface Ethernet0/0
 ip address 50.50.50.1 255.255.255.0
 no shutdown
!
interface Ethernet0/1
 ip address 51.51.51.1 255.255.255.0
 no shutdown

ISAKMP (Phase 1) configuration
Create ISAKMP policy

First, define the global ISAKMP (Phase 1) policy using the crypto isakmp policy <priority> command. This policy contains the authentication method, the encryption cipher that protects ISAKMP, the hash function for integrity checking, the Diffie-Hellman group and the lifetime. When matching incoming proposals from the remote peer, the ISAKMP Phase 1 policy list is scanned from the lowest priority number to the highest. If the lifetime is not configured manually, the lowest default lifetime is negotiated on both sides.

In this example, I am using AES encryption, pre-shared-key based authentication, the MD5 hash algorithm, Diffie-Hellman group 5 and a lifetime of 86400 seconds.

R1

crypto isakmp policy 10
 encryption aes
 authentication pre-share
 hash md5
 group 5
 lifetime 86400

ASA

crypto ikev1 policy 10
 encryption aes
 authentication pre-share
 hash md5
 group 5
 lifetime 86400
Create ISAKMP key

To complete the Phase 1 configuration on the router, define the ISAKMP key using the crypto isakmp key <value> address <value> command. On the ASA, create a tunnel-group (connection profile) using the command tunnel-group <IP> type ipsec-l2l and configure its parameters using the command tunnel-group <IP> ipsec-attributes. When the ASA firewall establishes an IKEv1 VPN tunnel, it searches its list of local tunnel-groups for one matching the remote endpoint's IKE ID (which by default is its IP address).

R1

crypto isakmp key N3tFixPr0 address 50.50.50.2 255.255.255.255

ASA

tunnel-group 51.51.51.2 type ipsec-l2l
tunnel-group 51.51.51.2 ipsec-attributes
 ikev1 pre-shared-key N3tFixPr0
IPSec (Phase 2) configuration
Create transform-set

For Phase 2, first define a crypto transform-set using the crypto ipsec transform-set command. The transform-set defines the security parameters for the IPsec tunnel, specifically the cipher and the hash function (and, optionally on IOS, the IPsec protection mode: tunnel or transport). Lifetime and PFS are optional in the configuration.

In this example, I am using ESP protocol, aes encryption and md5 hashing algorithm.

R1

crypto ipsec transform-set AES_MD5 esp-aes esp-md5-hmac

ASA

crypto ipsec ikev1 transform-set AES_MD5 esp-aes esp-md5-hmac
Create encryption domain

Define the subset of traffic to be protected by IPsec (often called the encryption domain or interesting traffic) using an extended access-list. The syntax is permit <local-ip> <local-mask> <remote-ip> <remote-mask>, and the entries should mirror those configured on the remote endpoint. Multiple entries can be configured in the access-list. Because the traffic has to be defined manually, this type of VPN is called a policy-based VPN.

NOTE: a standard access-list can also be used here, but it can only match on the source address and hence is not recommended.

In this example, I am securing VPN traffic between two host IPs only, but multiple segments can be secured as well.

R1

ip access-list extended VPN-ACL
 permit ip host 172.16.20.1 host 172.16.10.2

ASA

access-list VPN-ACL permit ip host 172.16.10.2 host 172.16.20.1
Create crypto-map

Create a crypto map using the command crypto map <NAME> <SEQ-NR> [set|match] that matches the access-list created above and sets the remote peer and the transform-set. This completes the IPsec Phase 2 settings. Setting the remote peer is important, because this is how the device binds the proxy IDs in the access-list to the Phase 1 parameters.

R1

crypto map VPN 10 ipsec-isakmp
 match address VPN-ACL
 set transform-set AES_MD5
 set peer 50.50.50.2

ASA

crypto map VPN 10 match address VPN-ACL
crypto map VPN 10 set peer 51.51.51.2
crypto map VPN 10 set ikev1 transform-set AES_MD5
Apply crypto-map

Apply the crypto-map to the interface where you expect the VPN tunnel to be terminated as follows.

R1

interface Ethernet0/1
 crypto map VPN

ASA

crypto ikev1 enable outside
crypto map VPN interface outside
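As an added example (not part of the original article), the following Python check applies the rules above to the two configurations before the tunnel is ever brought up: it parses the R1 and ASA Phase 1 policies, picks the policy IKEv1 would agree on (lowest priority number first, lifetime the lower of the two sides), and confirms that the crypto ACL on the ASA mirrors the one on R1. The config excerpts are constructed from the article's own lines.

```python
import re
# Constructed excerpts of this article's R1 (IOS) and ASA configurations.
R1_CFG = """\
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 hash md5
 group 5
 lifetime 86400
ip access-list extended VPN-ACL
 permit ip host 172.16.20.1 host 172.16.10.2
"""
ASA_CFG = """\
crypto ikev1 policy 10
 encryption aes
 authentication pre-share
 hash md5
 group 5
 lifetime 86400
access-list VPN-ACL permit ip host 172.16.10.2 host 172.16.20.1
"""
PARAMS = ("encryption", "authentication", "hash", "group")
ACL_RE = re.compile(r"permit ip (host \S+|\S+ \S+) (host \S+|\S+ \S+)")
def parse_phase1(cfg):
    """Map policy priority -> {parameter: value} for isakmp/ikev1 policy blocks."""
    policies, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"crypto (?:isakmp|ikev1) policy (\d+)", line)
        if m:
            cur = policies.setdefault(int(m.group(1)), {})
        elif not line.startswith(" "):
            cur = None  # any other top-level line ends the policy block
        elif cur is not None:
            cur.update([line.split(None, 1)])  # " hash md5" -> {"hash": "md5"}
    return policies
def parse_crypto_acl(cfg):
    """Set of (source, destination) proxy-ID pairs from IOS- or ASA-style permit lines."""
    return {m.groups() for m in ACL_RE.finditer(cfg)}
def negotiate_phase1(local, remote):
    """First local policy (lowest number first) the remote also offers; lifetime is the lower."""
    for _, lp in sorted(local.items()):
        for _, rp in sorted(remote.items()):
            if all(lp.get(p) == rp.get(p) for p in PARAMS):
                life = min(int(lp.get("lifetime", 86400)), int(rp.get("lifetime", 86400)))
                return dict({p: lp[p] for p in PARAMS}, lifetime=life)
    return None
def acl_mirrors(local_acl, remote_acl):
    """The remote proxy IDs must equal the local ones with source and destination swapped."""
    return {(dst, src) for src, dst in remote_acl} == local_acl
```

A None result from negotiate_phase1, or False from acl_mirrors, points at the mismatch a Phase 1 or Phase 2 failure would otherwise only reveal in the debug output.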

That's all that is needed to configure a site-to-site IPsec VPN between an IOS-based router and an ASA firewall. Let's verify whether R3 is able to reach R1's Loopback0 interface.

R3#ping 172.16.20.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.20.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms

Sure enough, the first ping packet failed because the tunnel was not up yet, but the subsequent packets worked once the tunnel came up. Let's verify that too.

Phase 1 verification

Verify on R1

R1# show crypto isakmp sa detail
Codes: C - IKE configuration mode, D - Dead Peer Detection
       K - Keepalives, N - NAT-traversal
       T - cTCP encapsulation, X - IKE Extended Authentication
       psk - Preshared key, rsig - RSA signature
       renc - RSA encryption
IPv4 Crypto ISAKMP SA

C-id  Local           Remote          I-VRF  Status Encr Hash   Auth DH Lifetime Cap.

1002  51.51.51.2      50.50.50.2             ACTIVE aes  md5    psk  5  23:59:35
       Engine-id:Conn-id =  SW:2

IPv6 Crypto ISAKMP SA

Verify on ASA

ASA# show crypto isakmp sa detail

IKEv1 SAs:

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 51.51.51.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
    Encrypt : aes             Hash    : MD5
    Auth    : preshared       Lifetime: 86400
    Lifetime Remaining: 85742

Phase 2 verification

Verify on R1

R1#sh crypto ipsec sa detail

interface: Ethernet0/1
    Crypto map tag: VPN, local addr 51.51.51.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.20.1/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (172.16.10.2/255.255.255.255/0/0)
   current_peer 50.50.50.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #pkts no sa (send) 0, #pkts invalid sa (rcv) 0
    #pkts encaps failed (send) 0, #pkts decaps failed (rcv) 0
    #pkts invalid prot (recv) 0, #pkts verify failed: 0
    #pkts invalid identity (recv) 0, #pkts invalid len (rcv) 0
    #pkts replay rollover (send): 0, #pkts replay rollover (rcv) 0
    ##pkts replay failed (rcv): 0
    #pkts tagged (send): 0, #pkts untagged (rcv): 0
    #pkts not tagged (send): 0, #pkts not untagged (rcv): 0
    #pkts internal err (send): 0, #pkts internal err (recv) 0

     local crypto endpt.: 51.51.51.2, remote crypto endpt.: 50.50.50.2
     plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/1
     current outbound spi: 0xB21B8128(2988146984)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

      spi: 0x68CAAD80(1758113152)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 3, flow_id: SW:3, sibling_flags 80000040, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4301041/2553)
        IV size: 16 bytes
        replay detection support: Y
        ecn bit support: Y status: off
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB21B8128(2988146984)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 4, flow_id: SW:4, sibling_flags 80000040, crypto map: VPN
        sa timing: remaining key lifetime (k/sec): (4301041/2553)
        IV size: 16 bytes
        replay detection support: Y
        ecn bit support: Y status: off
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

Verify on ASA

ASA# show crypto ipsec sa
interface: outside
    Crypto map tag: VPN, seq num: 10, local addr: 50.50.50.2

      access-list VPN-ACL extended permit ip host 172.16.10.2 host 172.16.20.1
      local ident (addr/mask/prot/port): (172.16.10.2/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (172.16.20.1/255.255.255.255/0/0)
      current_peer: 51.51.51.2

      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 4, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #TFC rcvd: 0, #TFC sent: 0
      #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 50.50.50.2/0, remote crypto endpt.: 51.51.51.2/0
      path mtu 1500, ipsec overhead 74(44), media mtu 1500
      PMTU time remaining (sec): 0, DF policy: copy-df
      ICMP error validation: disabled, TFC packets: disabled
      current outbound spi: 68CAAD80
      current inbound spi : B21B8128

    inbound esp sas:
      spi: 0xB21B8128 (2988146984)
         transform: esp-aes esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 8192, crypto-map: VPN
         sa timing: remaining key lifetime (kB/sec): (4373999/2873)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x0000001F

    outbound esp sas:
      spi: 0x68CAAD80 (1758113152)
         transform: esp-aes esp-md5-hmac no compression
         in use settings ={L2L, Tunnel, IKEv1, }
         slot: 0, conn_id: 8192, crypto-map: VPN
         sa timing: remaining key lifetime (kB/sec): (4373999/2873)
         IV size: 16 bytes
         replay detection support: Y
         Anti replay bitmap:
          0x00000000 0x00000001
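As an added example (not part of the original article), this Python snippet does the cross-check a practitioner performs by eye on the two outputs above: each side's outbound SPI must be the other side's inbound SPI, and what one side encapsulated the other should have decapsulated. The output excerpts are constructed from the article's own show crypto ipsec sa output.

```python
import re
# Excerpts constructed from the article's "show crypto ipsec sa" output on R1 and ASA.
R1_SA = """\
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
    #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
     current outbound spi: 0xB21B8128(2988146984)
     inbound esp sas:
      spi: 0x68CAAD80(1758113152)
     outbound esp sas:
      spi: 0xB21B8128(2988146984)
"""
ASA_SA = """\
      #pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
      #pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4
    inbound esp sas:
      spi: 0xB21B8128 (2988146984)
    outbound esp sas:
      spi: 0x68CAAD80 (1758113152)
"""

def parse_ipsec_sa(text):
    """Collect the inbound/outbound ESP SPIs and the encaps/decaps packet counters."""
    info, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("inbound esp sas"):
            section = "inbound"
        elif line.startswith("outbound esp sas"):
            section = "outbound"
        m = re.match(r"spi: 0x([0-9A-Fa-f]+)", line)  # "current ... spi" lines are skipped
        if m and section:
            info[section + "_spi"] = m.group(1).upper()
        m = re.match(r"#pkts (encaps|decaps): (\d+)", line)
        if m:
            info[m.group(1)] = int(m.group(2))
    return info

def cross_check(side_a, side_b):
    """Return the problems found; an empty list means the SA pair is consistent."""
    problems = []
    # Each side's outbound SPI must be the other side's inbound SPI.
    if (side_a["outbound_spi"] != side_b["inbound_spi"]
            or side_a["inbound_spi"] != side_b["outbound_spi"]):
        problems.append("SPI mismatch: the peers are not using the same SA pair")
    if side_a["encaps"] + side_a["decaps"] == 0:
        problems.append("no packets have used the SA: check the crypto ACL matches the traffic")
    if side_a["encaps"] != side_b["decaps"] or side_b["encaps"] != side_a["decaps"]:
        problems.append("encaps/decaps counters differ: packets dropped in transit or on receipt")
    return problems
```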

Gotchas for ASA firewall:

Make sure that the sysopt connection permit-vpn command is configured on the ASA firewall; it is enabled by default. When this option is enabled, inbound decrypted VPN traffic is not subject to the inbound access-list on the interface where the tunnel terminates (the outside interface, Gig0/0, in our case) or to the global access-list. In other words, it bypasses the access-list check applied on the VPN termination interface. If this command is disabled and the tunnel terminates on the outside interface, the inbound decrypted traffic is checked against the outside interface's inbound access-list (outside_in in our case) or the global access-list if one exists.

Also, starting with ASA software version 8.4, when IKEv1 is enabled on any interface the ASA activates a default IKEv1 ISAKMP policy with priority 65535 (the highest number, so it is evaluated last) and the following settings:

authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400


I hope you enjoyed reading this article. Please feel free to leave any comment or feedback.

Ashutosh Patel

Ashutosh Patel is the Author and editor of netfixpro.com. He currently works as a Network Security Architect. Follow him on following social media to know more about him.
