{"id":469,"date":"2015-03-28T22:00:03","date_gmt":"2015-03-28T22:00:03","guid":{"rendered":"http:\/\/www.balajibandi.com\/?p=469"},"modified":"2017-08-28T19:49:29","modified_gmt":"2017-08-28T18:49:29","slug":"cisco-asa-site-to-site-vpn-between-cisco-asa-cisco-ios-router","status":"publish","type":"post","link":"https:\/\/www.balajibandi.com\/?p=469","title":{"rendered":"Cisco ASA: Site-to-site VPN between Cisco ASA & Cisco IOS Router"},"content":{"rendered":"

My way of journey learning Cisco Security : This article show you how to establish VPN between Cisco ASA and Cisco IOS router.<\/span><\/strong><\/h1>\n

Some basics about VPN \u00a0before i proceed to the config :<\/strong><\/p>\n

IKE Phase 1<\/strong><\/p>\n

In this phase, the firewalls use the parameters defined in the IKE Gateway configuration and the IKE Crypto profile to authenticate each other and set up a secure control channel. IKE Phase supports the use of preshared keys or digital certificates (which use public key infrastructure, PKI) for mutual authentication of the VPN peers. Preshared keys are a simple solution for securing smaller networks because they do not require the support of a PKI infrastructure. Digital certificates can be more convenient for larger networks or implementations that require stronger authentication security.<\/p>\n

\n
The IKE-crypto profile defines the following options that are used in the IKE SA negotiation:<\/div>\n
<\/div>\n
– Diffie-Hellman (DH) Group for generating symmetrical keys for IKE. The Diffie Hellman algorithm uses the private key of one party and the public key of the other to create a shared secret, which is an encrypted key that is shared by both VPN tunnel peers. The DH groups supported on the firewall are: Group 1\u2014768 bits; Group 2\u20141024 bits (the default); Group 5\u20141536 bits; Group 14\u20142048 bits<\/span><\/div>\n
–<\/span>Authentication options\u2014sha1; sha 256; sha 384; sha 512; md5 –<\/span><\/div>\n
– Encryption algorithms\u20143des; aes128; aes192; aes256<\/span><\/div>\n
<\/div>\n<\/div>\n
IKE Phase 2<\/strong><\/div>\n
<\/div>\n
\n
\n
After the tunnel is secured and authenticated, in phase 2 the channel is further secured for the transfer of data between the networks. IKE phase 2 uses the keys that were established in Phase 1 of the process and the IPSec Crypto profile, which defines the IPSec protocols and keys used for the SA in IKE Phase 2.<\/div>\n
– The IPSEC uses the following protocols to enable secure communication:<\/span><\/div>\n
– Encapsulating Security Payload (ESP)\u2014Allows you to encrypt the entire IP packet, and authenticate the source and verify integrity of the data. While ESP requires that you encrypt and authenticate the packet, you can choose to only encrypt or only authenticate by setting the encryption option to Null; using encryption without authentication is discouraged.<\/span><\/div>\n
– Authentication Header (AH)\u2014Authenticates the source of the packet and verifies data integrity. AH does not encrypt the data payload and is unsuited for deployments where data privacy is important. AH is commonly used when the main concern is to verify the legitimacy of the peer, and data privacy is not required.<\/span><\/div>\n<\/div>\n<\/div>\n
<\/div>\n
High Level Lab topology :<\/strong><\/div>\n
<\/div>\n
\n

\"\"<\/p>\n<\/div>\n

<\/div>\n
\u00a0For High Availability for the ASA config, you can find my other post<\/div>\n
<\/div>\n
\u00a0http:\/\/www.balajibandi.com\/2015\/01\/12\/asa-activestandby-single-mode-setup\/<\/strong><\/div>\n
<\/div>\n
L2L VPN config Steps :<\/strong><\/span><\/div>\n
\n

======================<\/p>\n

1. Configure Interfaces
\n2. Configure ISAKMP policy
\n3. Configure transform-set
\n4. Configure ACL
\n5. Configure Tunnel group
\n6. Configure crypto map and attach to interface
\n7. Enable isakmp on interface<\/p>\n

sysopt connection permit-vpn<\/strong> — Allow VPN traffic to bypass interface ACL<\/p>\n

ASA Config :<\/strong>
\n============<\/p>\n

1. Configure Interfaces<\/p>\n

interface GigabitEthernet0\/0
\nnameif outside
\nsecurity-level 0
\nip address 192.168.1.249 255.255.255.0
\nno shutdown
\n!
\ninterface GigabitEthernet0\/1
\nnameif inside
\nsecurity-level 100
\nip address 100.100.100.1 255.255.255.0
\nno shutdown<\/p>\n

2. Configure ISAKMP policy<\/p>\n

crypto ikev1 policy 10
\nauthentication pre-share
\nencryption aes-256
\nhash sha
\ngroup 5
\nlifetime 86400<\/p>\n

3. Configure transform-set<\/p>\n

crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
\ncrypto ipsec df-bit clear-df outside<\/p>\n

4. Configure ACL<\/p>\n

access-list VPN_SITE extended permit ip 30.30.30.0 255.255.255.0 20.20.20.0 255.255.255.0<\/p>\n

5. Configure Tunnel group<\/p>\n

tunnel-group 10.10.10.1 type ipsec-l2l
\ntunnel-group 10.10.10.1 ipsec-attributes
\nikev1 pre-shared-key cisco123<\/p>\n

6. Configure crypto map and attach to interface<\/p>\n

crypto map VPNMAP 10 match address VPN_SITE
\ncrypto map VPNMAP 10 set ikev1 transform-set ESP-AES256-SHA
\ncrypto map VPNMAP 10 set peer 10.10.10.1
\ncrypto map VPNMAP 10 set reverse-route
\ncrypto map VPNMAP 10 set lifetime seconds 28800
\ncrypto map VPNMAP 10 set pfs group5
\ncrypto map VPNMAP interface outside<\/p>\n

7. Enable isakmp on interface<\/p>\n

crypto ikev1 enable outside<\/p>\n<\/div>\n

 <\/p>\n

===============<\/p>\n

Router IOS config :<\/strong>
\n===================<\/p>\n

1. Configure Interfaces<\/p>\n

interface GigabitEthernet0\/0
\nip address 20.20.20.2 255.255.255.0
\nduplex full
\nspeed auto
\nmedia-type rj45
\nno shut
\n!
\ninterface GigabitEthernet0\/1
\nip address 20.20.30.1 255.255.255.0
\nduplex auto
\nspeed auto
\nmedia-type rj45
\nno shut<\/p>\n

2. Configure ISAKMP policy<\/p>\n

crypto isakmp policy 10
\nauthentication pre-share
\nencryption aes 256
\nhash sha
\ngroup 5
\nlifetime 86400<\/p>\n

3. Configure transform-set<\/p>\n

crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
\ncrypto ipsec df-bit clear<\/p>\n

4. Configure ACL<\/p>\n

ip access-list extended VPN_HQ
\npermit ip 20.20.20.0 0.0.0.255 30.30.30.0 0.0.0.255<\/p>\n

5. Configure Tunnel group<\/p>\n

crypto isakmp key cisco123 address 10.10.10.2 no-xauth
\ncrypto isakmp keepalive 10 3<\/p>\n

6. Configure crypto map<\/p>\n

crypto map VPNMAP 10 ipsec-isakmp
\nmatch address VPN_HQ
\nreverse-route
\nqos pre-classify
\nset peer 10.10.10.2
\nset security-association lifetime seconds 28800
\nset transform-set ESP-AES256-SHA
\nset pfs group5<\/p>\n

 <\/p>\n

7. Enable isakmp on interface<\/p>\n

interface g0\/0
\ncrypto map VPNMAP<\/p>\n

 <\/p>\n

If all Good, you see the below Verification :<\/p>\n

BRA2#show crypto isakmp sa
\nIPv4 Crypto ISAKMP SA
\ndst src state conn-id status<\/p>\n

IPv6 Crypto ISAKMP SA<\/p>\n

BRA2#
\nBRA2#
\nBRA2#show crypto isakmp sa
\nIPv4 Crypto ISAKMP SA
\ndst src state conn-id status<\/strong>
\n20.20.20.2 192.168.1.249 QM_IDLE 1001 ACTIVE<\/strong><\/p>\n

IPv6 Crypto ISAKMP SA<\/p>\n

BRA2#show crypto ipse
\nBRA2#show crypto ipsec sa
\nBRA2#show crypto ipsec sa<\/p>\n

interface: GigabitEthernet0\/0
\nCrypto map tag: VPNMAP, local addr 20.20.20.2<\/p>\n

protected vrf: (none)
\nlocal ident (addr\/mask\/prot\/port): (20.20.30.0\/255.255.255.0\/0\/0)
\nremote ident (addr\/mask\/prot\/port): (100.100.100.0\/255.255.255.0\/0\/0)
\ncurrent_peer 192.168.1.249 port 500
\nPERMIT, flags={origin_is_acl,}
\n#pkts encaps: 30, #pkts encrypt: 30, #pkts digest: 30<\/strong>
\n #pkts decaps: 30, #pkts decrypt: 30, #pkts verify: 30<\/strong>
\n#pkts compressed: 0, #pkts decompressed: 0
\n#pkts not compressed: 0, #pkts compr. failed: 0
\n#pkts not decompressed: 0, #pkts decompress failed: 0
\n#send errors 0, #recv errors 0<\/p>\n

local crypto endpt.: 20.20.20.2, remote crypto endpt.: 192.168.1.249
\nplaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0\/0
\ncurrent outbound spi: 0x35693C5C(896089180)
\nPFS (Y\/N): Y, DH group: group5<\/p>\n

inbound esp sas:
\nspi: 0x87CA1271(2278167153)
\ntransform: esp-256-aes esp-sha-hmac ,
\nin use settings ={Tunnel, }
\nconn id: 1, flow_id: SW:1, sibling_flags 80000040, crypto map: VPNMAP
\nsa timing: remaining key lifetime (k\/sec): (4358631\/3579)
\nIV size: 16 bytes
\nreplay detection support: Y
\nStatus: ACTIVE(ACTIVE)<\/p>\n

inbound ah sas:<\/p>\n

inbound pcp sas:<\/p>\n

outbound esp sas:
\nspi: 0x35693C5C(896089180)
\ntransform: esp-256-aes esp-sha-hmac ,
\nin use settings ={Tunnel, }
\nconn id: 2, flow_id: SW:2, sibling_flags 80000040, crypto map: VPNMAP
\nsa timing: remaining key lifetime (k\/sec): (4358631\/3579)
\nIV size: 16 bytes
\nreplay detection support: Y
\nStatus: ACTIVE(ACTIVE)<\/p>\n

outbound ah sas:<\/p>\n

outbound pcp sas:<\/p>\n

 <\/p>\n

ASA Side Verification :<\/strong><\/p>\n

ASAV1# show crypto isakmp sa<\/p>\n

IKEv1 SAs:<\/p>\n

Active SA: 1
\nRekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
\nTotal IKE SA: 1<\/p>\n

1 IKE Peer: 20.20.20.2<\/strong>
\nType : L2L Role : initiator
\nRekey : no State : MM_ACTIVE<\/p>\n

There are no IKEv2 SAs<\/p>\n

ASAV1# show crypto ipsec sa
\ninterface: outside
\nCrypto map tag: VPNMAP, seq num: 10, local addr: 192.168.1.249<\/p>\n

access-list VPN_SITE extended permit ip 100.100.100.0 255.255.255.0 20.20.30.0 255.255.255.0
\nlocal ident (addr\/mask\/prot\/port): (100.100.100.0\/255.255.255.0\/0\/0)
\nremote ident (addr\/mask\/prot\/port): (20.20.30.0\/255.255.255.0\/0\/0)
\ncurrent_peer: 20.20.20.2<\/p>\n

 <\/p>\n

#pkts encaps: 62, #pkts encrypt: 62, #pkts digest: 62<\/strong>
\n #pkts decaps: 62, #pkts decrypt: 62, #pkts verify: 62<\/strong>
\n#pkts compressed: 0, #pkts decompressed: 0
\n#pkts not compressed: 62, #pkts comp failed: 0, #pkts decomp failed: 0
\n#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
\n#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
\n#TFC rcvd: 0, #TFC sent: 0
\n#Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
\n#send errors: 0, #recv errors: 0<\/p>\n

local crypto endpt.: 192.168.1.249\/0, remote crypto endpt.: 20.20.20.2\/0
\npath mtu 1500, ipsec overhead 74(44), media mtu 1500
\nPMTU time remaining (sec): 0, DF policy: clear-df
\nICMP error validation: disabled, TFC packets: disabled
\ncurrent outbound spi: 87CA1271
\ncurrent inbound spi : 35693C5C<\/p>\n

inbound esp sas:
\nspi: 0x35693C5C (896089180)
\ntransform: esp-aes-256 esp-sha-hmac no compression
\nin use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
\nslot: 0, conn_id: 4096, crypto-map: VPNMAP
\nsa timing: remaining key lifetime (kB\/sec): (4373996\/3562)
\nIV size: 16 bytes
\nreplay detection support: Y
\nAnti replay bitmap:
\n0xFFFFFFFF 0xFFFFFFFF
\noutbound esp sas:
\nspi: 0x87CA1271 (2278167153)
\ntransform: esp-aes-256 esp-sha-hmac no compression
\nin use settings ={L2L, Tunnel, PFS Group 5, IKEv1, }
\nslot: 0, conn_id: 4096, crypto-map: VPNMAP
\nsa timing: remaining key lifetime (kB\/sec): (4373996\/3562)
\nIV size: 16 bytes
\nreplay detection support: Y
\nAnti replay bitmap:
\n0x00000000 0x00000001<\/p>\n

<\/div>\n
\n

\u00a0IOS router side connected Windows PC :<\/p>\n

\"\"<\/p>\n

Pinging to other side Windows box.<\/p>\n<\/div>\n

<\/div>\n
\n

\"\"<\/p>\n<\/div>\n

\u00a0ASA connected Windows Testing :<\/div>\n
<\/div>\n
\n

\"\"<\/p>\n

Pinging to other side Windows box.<\/p>\n

\"\"<\/p>\n<\/div>\n

<\/div>\n
\n

DEBUGING :<\/strong>
\n========<\/p>\n

debug crypto engine 127
\ndebug crypto isakmp 127
\ndebug crypto ipsesc 127<\/p>\n

 <\/p>\n

Phase 1 :
\nshow isa sa<\/p>\n

Phase 2:
\nshow cry ipsec sa<\/p>\n

CLEAR THE CONFIG IPSEC:<\/strong>
\n======================<\/p>\n

clear config crypto
\nclear config group-policy
\nclear config tunnel-group<\/p>\n

CLEAR THE CONFIG SSL:<\/strong>
\n======================
\nclear config webvpn
\nclear config group-policy
\nclear config tunnel-group<\/p>\n<\/div>\n

<\/div>\n
\u00a0Hope you enjoyed the article, Happy Labbing – BB<\/strong><\/div>\n
<\/div>\n","protected":false},"excerpt":{"rendered":"

My way of journey learning Cisco Security : This article show you how to establish VPN between Cisco ASA and Cisco IOS router. Some basics about VPN \u00a0before i proceed to the config : IKE Phase 1 In this phase, the firewalls use the parameters defined in the IKE Gateway configuration and the IKE Crypto […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,2,6],"tags":[],"class_list":["post-469","post","type-post","status-publish","format-standard","hentry","category-ccie-sec","category-cisco","category-security"],"_links":{"self":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/469","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=469"}],"version-history":[{"count":11,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/469\/revisions"}],"predecessor-version":[{"id":485,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=\/wp\/v2\/posts\/469\/revisions\/485"}],"wp:attachment":[{"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=469"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=469"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.balajibandi.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=469"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}