Cisco ASA: Site-to-Site VPN
1. Enable ISAKMP.
Configuration > Site-to-Site VPN > Connection Profiles
(config)# crypto ikev2 enable outside
2. Create an ISAKMP (IKEv1 or IKEv2) policy - optional; the preconfigured policies can be used instead.
Configuration > Site-to-Site VPN > Advanced > IKE Policies
(config)# crypto ikev2 policy 1
(config-isakmp-policy)# encryption aes-256
(config-isakmp-policy)# integrity sha
(config-isakmp-policy)# group 5
(config-isakmp-policy)# prf sha
(config-isakmp-policy)# lifetime seconds 86400
To remove an ISAKMP policy:
clear config crypto ikev2 policy
3. Set the tunnel group. A tunnel group, also known as a connection profile, defines a site-to-site or remote-access tunnel and maps the attributes assigned to a specific IPsec peer. For a site-to-site tunnel the tunnel-group name is the IP address of the remote device.
Configuration > Site-to-Site VPN > Advanced > Tunnel Groups
(config)# tunnel-group 209.165.201.1 type ipsec-l2l
(config)# tunnel-group 209.165.201.1 ipsec-attributes
(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key *******
(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key *******
To view the pre-shared key:
# more system:running-config | inc pre-shared-key
4. Define the IPsec policy (transform set for IKEv1, IPsec proposal for IKEv2) - optional; a custom proposal can be configured, or one of the Cisco predefined ones used.
(config)# crypto ipsec ikev2 ipsec-proposal name
(config-ipsec-proposal)# protocol esp encryption aes-256
(config-ipsec-proposal)# protocol esp integrity sha-512
5. Configure crypto ACL
Configuration > Site-to-Site VPN > Advanced > Crypto Maps -> Traffic selection tab -> select “protect” for the matching traffic to be encrypted
(config)# access-list outside_crypto line 2 extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
6. Configure the crypto map - bind the IPsec policy, the VPN peer and the crypto ACL. Each crypto map entry has a sequence number, and the peer address must match the tunnel-group name from step 3.
Configuration > Site-to-Site VPN > Advanced > Crypto Maps
(config)# crypto map outside_map interface outside
(config)# crypto map outside_map 1 annotation "Describe map"
(config)# crypto map outside_map 1 match address outside_crypto
(config)# crypto map outside_map 1 set peer 209.165.201.1
/* Optional */
(config)# crypto map outside_map 1 set ikev1 phase1-mode main
(config)# crypto map outside_map 1 set ikev1 transform-set name
(config)# crypto map outside_map 1 set ikev2 ipsec-proposal name
(config)# crypto map outside_map 1 set df-bit clear-df
(config)# crypto map outside_map 1 set security-association lifetime seconds 28800
(config)# crypto map outside_map 1 set pfs
(config)# crypto map outside_map 1 reverse-route
(config)# crypto map outside_map 1 set nat-t-disable
6. Configure traffic filtering (optional).
7. Bypass NAT (optional) - required when a generic NAT rule exists that would otherwise translate the VPN traffic. The identity (twice) NAT rule below exempts traffic between the local and remote networks from translation; it is good practice to configure it even if not strictly needed. 192.168-Net and 10.1-Net are the network objects for the local and remote subnets, and each is mapped to itself.
(config)# nat (inside,outside) source static 192.168-Net 192.168-Net destination static 10.1-Net 10.1-Net
8. Enable Perfect Forward Secrecy (optional).
9. Access list to permit VPN packets from remote end
By default, interface access rules are bypassed for VPN traffic. This behaviour can be changed with "no sysopt connection permit-vpn"; the standard access rules then apply to the decrypted traffic (e.g. configure an inbound access list on the outside interface).
Alternatively, VPN traffic can be controlled with a vpn-filter or per-user-override.
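The steps above tie several objects together by name: the tunnel-group name must equal the crypto map peer, the crypto map must reference an existing crypto ACL and be applied to an interface, and the NAT exemption must map each object to itself. As an added example (not from the original post and not a Cisco tool), the Python script below reads a running-config excerpt containing exactly those commands and reports the mismatches that keep a tunnel from coming up or weaken it. The config text, object names, proposal name and addresses are constructed for the example; the sample deliberately contains a peer that does not match the tunnel-group and a NAT rule that is not an identity rule.

```python
"""Consistency audit for Cisco ASA site-to-site VPN configuration (added example)."""
import re

# MODP groups 1, 2 and 5 are 768/1024/1536-bit; group 14 (2048-bit) is the floor today.
WEAK_DH_GROUPS = {"1", "2", "5"}

# Constructed running-config excerpt with two defects: the crypto map peer does not
# match the tunnel-group name, and the NAT rule is not an identity (exemption) rule.
SAMPLE_CONFIG = """\
crypto ikev2 enable outside
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
tunnel-group 209.165.201.1 type ipsec-l2l
tunnel-group 209.165.201.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
access-list outside_crypto extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
crypto map outside_map 1 match address outside_crypto
crypto map outside_map 1 set peer 208.1.1.1
crypto map outside_map 1 set ikev2 ipsec-proposal AES256-SHA512
crypto map outside_map interface outside
nat (inside,outside) source static 192.168-Net 10.1-Net destination static 192.168-Net 10.1-Net
no sysopt connection permit-vpn
"""

# The same excerpt with both defects corrected.
CORRECTED_CONFIG = SAMPLE_CONFIG.replace(
    "set peer 208.1.1.1", "set peer 209.165.201.1").replace(
    "source static 192.168-Net 10.1-Net destination static 192.168-Net 10.1-Net",
    "source static 192.168-Net 192.168-Net destination static 10.1-Net 10.1-Net")

MAP_RE = re.compile(r"crypto map (\S+) (\d+) (match address|set peer|set ikev2 ipsec-proposal) (\S+)")
NAT_RE = re.compile(r"nat \(\S+,\S+\) source static (\S+) (\S+) destination static (\S+) (\S+)")


def parse_config(text):
    """Collect the VPN-related commands into plain dictionaries and sets."""
    cfg = {"policies": {}, "tunnel_groups": {}, "acls": set(), "maps": {},
           "map_interfaces": {}, "nat_rules": [], "sysopt_permit_vpn": True}
    block = None  # (kind, key) of the indented sub-mode currently being read
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw.startswith(" ") and block is not None:
            kind, key = block
            if kind == "policy":  # e.g. "group 5" or "lifetime seconds 86400"
                words = line.split()
                cfg["policies"][key][words[0]] = words[-1]
            elif kind == "tg" and "pre-shared-key" in line:
                cfg["tunnel_groups"][key].add(line.split()[1])  # remote-/local-authentication
            continue
        block = None
        if m := re.match(r"crypto ikev2 policy (\d+)$", line):
            block = ("policy", m.group(1))
            cfg["policies"].setdefault(m.group(1), {})
        elif m := re.match(r"tunnel-group (\S+) type ipsec-l2l$", line):
            cfg["tunnel_groups"].setdefault(m.group(1), set())
        elif m := re.match(r"tunnel-group (\S+) ipsec-attributes$", line):
            block = ("tg", m.group(1))
            cfg["tunnel_groups"].setdefault(m.group(1), set())
        elif m := re.match(r"access-list (\S+) ", line):
            cfg["acls"].add(m.group(1))
        elif m := MAP_RE.match(line):
            entry = cfg["maps"].setdefault((m.group(1), m.group(2)), {})
            entry.setdefault(m.group(3), m.group(4))  # first value wins (primary peer)
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", line):
            cfg["map_interfaces"][m.group(1)] = m.group(2)
        elif m := NAT_RE.match(line):
            cfg["nat_rules"].append(m.groups())
        elif line == "no sysopt connection permit-vpn":
            cfg["sysopt_permit_vpn"] = False
    return cfg


def audit(text):
    """Return human-readable findings; an empty list means nothing to report."""
    cfg = parse_config(text)
    findings = []
    for num, attrs in sorted(cfg["policies"].items()):
        if attrs.get("group") in WEAK_DH_GROUPS:
            findings.append(f"ikev2 policy {num}: DH group {attrs['group']} is under 2048-bit; prefer group 14 or higher")
        if attrs.get("integrity") == "sha":
            findings.append(f"ikev2 policy {num}: integrity 'sha' is SHA-1; prefer sha256 or stronger")
    for (name, seq), attrs in sorted(cfg["maps"].items()):
        label = f"crypto map {name} {seq}"
        peer = attrs.get("set peer")
        if peer is None:
            findings.append(f"{label}: no peer set")
        elif peer not in cfg["tunnel_groups"]:
            findings.append(f"{label}: peer {peer} has no matching tunnel-group; IKE authentication will fail")
        elif "remote-authentication" not in cfg["tunnel_groups"][peer]:
            findings.append(f"{label}: tunnel-group {peer} lacks ikev2 remote-authentication pre-shared-key")
        acl = attrs.get("match address")
        if acl is None:
            findings.append(f"{label}: no 'match address' crypto ACL")
        elif acl not in cfg["acls"]:
            findings.append(f"{label}: crypto ACL {acl} is not defined")
        if "set ikev2 ipsec-proposal" not in attrs:
            findings.append(f"{label}: no IKEv2 ipsec-proposal set")
        if name not in cfg["map_interfaces"]:
            findings.append(f"crypto map {name}: not applied to any interface")
    for src_real, src_mapped, dst_real, dst_mapped in cfg["nat_rules"]:
        if src_real != src_mapped or dst_real != dst_mapped:
            findings.append(f"nat {src_real}->{src_mapped} / {dst_real}->{dst_mapped}: not an identity rule, so VPN traffic would be translated")
    if not cfg["sysopt_permit_vpn"]:
        findings.append("sysopt connection permit-vpn is disabled: interface access rules apply to decrypted VPN traffic")
    return findings


if __name__ == "__main__":
    for title, cfg_text in (("as configured", SAMPLE_CONFIG), ("corrected", CORRECTED_CONFIG)):
        print(f"== {title} ==")
        for finding in audit(cfg_text) or ["no findings"]:
            print("  " + finding)
```

Run it against `show running-config` output saved to a file by passing the file's text to `audit()`. The DH group and SHA-1 findings are advisory (the policy above negotiates, but group 5 and SHA-1 sit below current guidance), while the peer and NAT findings describe a tunnel that will not pass traffic; the sysopt line is reported only so the operator remembers that interface access lists now govern the decrypted flows.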
Troubleshooting commands:
#show crypto isakmp sa | begin 1.1.1.1
#show isakmp sa | begin 1.1.1.1
#show crypto ipsec sa peer 1.1.1.1
#show ipsec sa peer 1.1.1.1 (same as above)
Nice brief summary of all tunnels:
#show vpn-sessiondb l2l
Debugging (restricted to only a particular tunnel):
(config)#logging monitor debugging
#debug crypto condition peer 1.1.1.1
#debug crypto ikev1
#debug crypto ipsec sa
#show crypto debug-condition
#undebug all
Source:
https://learningnetwork.cisco.com/docs/DOC-8696