Monday, November 26, 2018

Cisco ASA IPSec VPN (IKEv1 / IKEv2) with pre-shared key

Setup - we'll interconnect two branches:
  1. Peers use VLAN 56:
    1. one branch has an interface with IP address 10.10.10.1/24 (we'll call this "their-side")
    2. the other branch has an interface with IP address 10.10.10.2/24 (we'll call this "our-side")
  2. Encryption domains (the networks we want to interconnect via the VPN):
    1. their-side has LAN net 192.168.1.0/24
    2. our-side has LAN net 192.168.2.0/24
  3. IKEv1 or IKEv2 can be used
  4. Also assume that both branches use a dedicated interface for the VPN connection and that this is not the interface facing the Internet (this is done for simplicity; you can use the same setup to configure already functioning interfaces)

Aggressive or main mode


Normally main mode is used, so check that aggressive mode is disabled globally (the command should appear in the running config):
sh run | grep crypto ikev1 am-disable

Phase1


Check if the needed IKE Phase1 policy is already created (choose the IKE version you need, 1 or 2):
  1. IKEv1 Phase1 policy:
    1. sh run crypto ikev1 | grep crypto ikev1 policy|pre-share|aes-256| sha|group 5|86400
  2. IKEv2 Phase1 policy (for IKEv2 the integrity algorithm takes the place of the hash, and the prf (pseudo-random function) must equal the integrity algorithm):
    1. sh run crypto ikev2 | grep crypto ikev2 policy|aes-256| sha|group 5|sha|86400

If the needed policy is not found, create the Phase1 policy (choose the IKE version you need, 1 or 2):
  1. for IKEv1:
    1. crypto ikev1 policy 160
      1.  authentication pre-share
      2.  encryption aes-256
      3.  hash sha
      4.  group 5
      5.  lifetime 86400
  2. for IKEv2:
    1. crypto ikev2 policy 40
      1.  encryption aes-256
      2.  integrity sha
      3.  group 5 2
      4.  prf sha
      5.  lifetime seconds 86400
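The grep checks above only confirm that a policy exists; they do not tell you whether a policy someone else added earlier still uses weak settings. The following audit script is an added example, not part of the original post: it parses the `crypto ikev1/ikev2 policy` blocks from a running-config excerpt, verifies that `crypto ikev1 am-disable` is present, and flags DES/3DES, DH groups 1/2/5 and an IKEv2 prf that differs from the integrity algorithm. The excerpt is constructed in this post's syntax, with a deliberately weak `encryption des` and `group 2`, so the audit has something to report.

```python
import re

# Constructed excerpt in this post's Phase1 syntax, with deliberately weak 'des' and group 2 (not a real dump).
SAMPLE_CONFIG = """\
crypto ikev1 am-disable
crypto ikev1 policy 160
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
"""

WEAK_ENC = {"des", "3des"}
WEAK_GROUPS = {"1", "2", "5"}  # Cisco NGE guidance: avoid DH groups 1, 2 and 5

def parse_policies(config):
    """Map (ike version, policy number) -> {keyword: values} for each policy block."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto (ikev[12]) policy (\d+)\s*$", line)
        if m:
            current = (m.group(1), m.group(2))
            policies[current] = {}
        elif current and line.startswith(" "):
            kw, *vals = line.split()
            policies[current][kw] = vals
        elif line.strip():
            current = None  # any other top-level line ends the policy block
    return policies

def audit(config):
    """Return a list of findings; an empty list means nothing weak was spotted."""
    findings = []
    if not re.search(r"^crypto ikev1 am-disable\s*$", config, re.M):
        findings.append("global: IKEv1 aggressive mode is not disabled")
    for (ver, num), a in parse_policies(config).items():
        tag = f"{ver} policy {num}"
        if set(a.get("encryption", [])) & WEAK_ENC:
            findings.append(f"{tag}: weak encryption {' '.join(a['encryption'])}")
        bad = sorted(set(a.get("group", [])) & WEAK_GROUPS)
        if bad:
            findings.append(f"{tag}: weak DH group(s) {' '.join(bad)}")
        if ver == "ikev2" and a.get("prf") != a.get("integrity"):
            findings.append(f"{tag}: prf must equal integrity")
    return findings
```

Feed it the output of `sh run crypto ikev1` and `sh run crypto ikev2` concatenated; group 5 is flagged as well, so expect a finding for the policy above unless you move to group 14 or higher.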

Phase2


Check if the needed IPsec Phase2 policy is already created (choose the IKE version you need, 1 or 2):
  1. IKEv1 Phase2 policy (transform-set):
    1. sh run crypto ipsec | grep ikev1.+esp-aes-256.+sha
  2. IKEv2 Phase2 policy (ipsec-proposal):
    1. sh run crypto ipsec | grep ikev2|aes-256|sha-1
If the needed policy is not found, create the Phase2 policy (choose the IKE version you need, 1 or 2):
  1. for IKEv1:
    1. crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  2. for IKEv2:
    1. crypto ipsec ikev2 ipsec-proposal AES256-SHA1
      1.  protocol esp encryption aes-256
      2.  protocol esp integrity sha-1

Interface & route


Set up the interface that will be used for IPsec VPN initiation (this interface is one peer of the VPN tunnel, the other side's interface is the other peer); this assumes a VLAN subinterface is used:
interface GigabitEthernet1/10.56
vlan 56
nameif TEST
security-level 1
ip address 10.10.10.2 255.255.255.0
(the other peer is 10.10.10.1/24)

Enable reverse-path verification (anti-spoofing) on the interface:
ip verify reverse-path interface TEST

Limit the fragment chain length (with 1, fragmented packets are not accepted on this interface):
fragment chain 1 TEST

If you don't use proxy-ARP, disable it:
sysopt noproxyarp TEST

If you use an ASA cluster and don't want this interface link to be monitored:
no monitor-interface TEST

Create a route to the other side's encryption domain via the peer address:
route TEST 192.168.1.0 255.255.255.0 10.10.10.1 1

Group-Policy


VPN Group-Policy (the peer IP address is used in the name; pick one of the three vpn-tunnel-protocol variants):
group-policy GP_10.10.10.1 internal 
group-policy GP_10.10.10.1 attributes     
vpn-tunnel-protocol ikev1 
OR 
vpn-tunnel-protocol ikev2
OR
vpn-tunnel-protocol ikev1 ikev2

Tunnel-Group


VPN Tunnel-Group (the peer IP address is used in the name):
tunnel-group 10.10.10.1 type ipsec-l2l 
tunnel-group 10.10.10.1 general-attributes   
default-group-policy GP_10.10.10.1 
tunnel-group 10.10.10.1 ipsec-attributes

Then:
  1. for IKEv1:
    1. ikev1 pre-shared-key PSK-KEY-GOES-HERE
  2. for IKEv2:
    1. ikev2 local-authentication pre-shared-key PSK-KEY-GOES-HERE  
    2. ikev2 remote-authentication pre-shared-key PSK-KEY-GOES-HERE  
If keepalive is needed (normally this doesn't cause a problem even if the peer doesn't use this option):
isakmp keepalive threshold 10 retry 2 

Objects


Object for the local encryption domain (our LAN network, the one that will be seen from the other side of the VPN):
object network TEST_VPN_our_ED  
subnet 192.168.2.0 255.255.255.0 

Object for the remote encryption domain (their LAN network, the one that will be seen by our side):
object network TEST_VPN_their_ED  
subnet 192.168.1.0 255.255.255.0

If you have another LAN network and want it to reach the VPN too (but don't want, or are not allowed, to add this network to the VPN setup as another encryption domain), you can achieve this using NAT. For simplicity use the VLAN ID as the last octet of the NAT address (it will let you identify NAT-ted traffic more easily in log files):
object network TEST_VPN_our_NET57_NAT 
host 192.168.2.57

VPN ACL & enable protocol on an interface (note here we first write "our IP" and then "their IP")


VPN ACL:
access-list TEST-VPN line 1 extended permit ip object TEST_VPN_our_ED object TEST_VPN_their_ED 

Enable the IKE protocol on the interface (only once per interface, matching the IKE version you chose):
crypto ikev1 enable TEST
OR 
crypto ikev2 enable TEST

Crypto-Map & add map to the interface


TEST_map crypto-map creation:
crypto map TEST_map 1 match address TEST-VPN
crypto map TEST_map 1 set peer 10.10.10.1

Then:
  1. for IKEv1:
    1. crypto map TEST_map 1 set ikev1 transform-set ESP-AES-256-SHA
  2. for IKEv2:
    1. crypto map TEST_map 1 set ikev2 ipsec-proposal AES256-SHA1
crypto map TEST_map 1 set security-association lifetime seconds 28800
crypto map TEST_map 1 set security-association lifetime kilobytes unlimited

If PFS is needed:
crypto map TEST_map 1 set pfs group5

Add map to the interface (only once - when creating TEST_map):
crypto map TEST_map interface TEST
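The tunnel-group, the crypto map `set peer`, the group-policy name and the route all have to agree on the same peer address, and a single mistyped octet (such as the `10.10.10.11` tunnel-group reported in the comments on this post) silently breaks the tunnel: the peer then matches DefaultL2LGroup instead, which does not carry your pre-shared key. The following cross-check is an added example, not part of the original post; it runs over a constructed config excerpt that contains that typo.

```python
import re

# Constructed excerpt of our-side config containing the tunnel-group typo that the
# comments on this post report (not a dump from a real device).
SAMPLE_CONFIG = """\
route TEST 192.168.1.0 255.255.255.0 10.10.10.1 1
group-policy GP_10.10.10.1 internal
tunnel-group 10.10.10.11 type ipsec-l2l
tunnel-group 10.10.10.11 general-attributes
 default-group-policy GP_10.10.10.1
tunnel-group 10.10.10.11 ipsec-attributes
 ikev2 local-authentication pre-shared-key PSK-KEY-GOES-HERE
 ikev2 remote-authentication pre-shared-key PSK-KEY-GOES-HERE
crypto map TEST_map 1 match address TEST-VPN
crypto map TEST_map 1 set peer 10.10.10.1
crypto map TEST_map 1 set ikev2 ipsec-proposal AES256-SHA1
crypto map TEST_map interface TEST
"""

def cross_check(config):
    """Return findings where crypto-map peers, L2L tunnel-groups, group-policies and routes disagree."""
    peers = set(re.findall(r"^crypto map \S+ \d+ set peer (\S+)", config, re.M))
    l2l = set(re.findall(r"^tunnel-group (\S+) type ipsec-l2l", config, re.M))
    defined_gp = set(re.findall(r"^group-policy (\S+) internal", config, re.M))
    used_gp = set(re.findall(r"^\s+default-group-policy (\S+)", config, re.M))
    hops = set(re.findall(r"^route \S+ \S+ \S+ (\S+)", config, re.M))
    findings = []
    for p in sorted(peers - l2l):
        # No matching tunnel-group: the peer falls into DefaultL2LGroup and this PSK is never used.
        findings.append(f"peer {p}: no 'tunnel-group {p} type ipsec-l2l' (check for a typo)")
    for t in sorted(l2l - peers):
        findings.append(f"tunnel-group {t}: not referenced by any crypto map 'set peer'")
    for g in sorted(used_gp - defined_gp):
        findings.append(f"group-policy {g}: referenced but not defined")
    for p in sorted(peers - hops):
        findings.append(f"peer {p}: no static route uses it as next hop")
    return findings
```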

Interface ACL & access-group


Interface ACL:
access-list TEST_access_in extended permit ip object TEST_VPN_their_ED object TEST_VPN_our_ED 
access-list TEST_access_in extended permit icmp host 10.10.10.1 host 10.10.10.2
access-list TEST_access_in extended permit esp any4 interface TEST 
access-list TEST_access_in extended permit udp any4 interface TEST eq isakmp 
access-list TEST_access_in extended permit icmp any4 interface TEST 
access-list TEST_access_in extended deny ip any any 

access-group TEST_access_in in interface TEST

NAT & no-NAT (NAT exemption) examples/templates


Host 192.168.3.2 VPN-traffic NAT (twice NAT: the source is statically translated to TEST_VPN_our_NET57_NAT, the destination is kept unchanged; the object lan57.srv.3.2 and the interface nameif LAN57 are assumed to already exist):
nat (LAN57,TEST) source static lan57.srv.3.2 TEST_VPN_our_NET57_NAT destination static TEST_VPN_their_ED TEST_VPN_their_ED no-proxy-arp

Allow traffic from their encryption domain to host 192.168.3.2 on the interface ACL (insert it before the final deny):
access-list TEST_access_in extended permit ip object TEST_VPN_their_ED object lan57.srv.3.2

Group-Policy ACL (note that a vpn-filter ACL is written from the remote side's point of view: "their IP" first, then "our IP")

You can set up the VPN with simple rules like TEST-VPN above and then restrict it further by port, source IP, etc. with a vpn-filter:

Create group-policy ACL (we'll permit access from their net IP 192.168.1.10 to our net IP 192.168.2.10 port 443 and deny access for all others):
access-list TEST-VPN_GP_FILTER extended permit tcp host 192.168.1.10 host 192.168.2.10 eq 443
access-list TEST-VPN_GP_FILTER extended deny ip any any

group-policy GP_10.10.10.1 attributes
 vpn-filter value TEST-VPN_GP_FILTER

2 comments:

  1. Dear Mr. Tarasov, please please correct the error - tunnel-group 10.10.10.11 type ipsec-l2l. It should be 10.10.10.1
    Thanks for attention

    Replies
    1. Hello, thank you so much for your comment. Typo is corrected.
