
Site 2 Site VPN


Page 1: Site 2 Site VPN

http://forum.saigonctt.com.vn/showthread.php?157-H%E1%BB%8Fi-v%E1%BB%81-VPN-tren-FTTH-d%E1%BB%B1a-tr%EAn-thi%E1%BA%BFt-b%E1%BB%8B-Cisco.

http://www.tech21century.com/cisco-router-with-cisco-asa-for-internet-access/

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b3d511.shtml

Following is a turnkey solution for a site-to-site IPsec VPN between a Cisco ASA 5505 on one end (Site A) and a Cisco 2621 router running IOS 12.3 on the other end (Site B). The ASA runs software version 7.2(4), the version reported by its running configuration reproduced below.

This scenario was tested in the Lab with a router in between the ASA and the 2621 end router in order to better simulate the Internet. This “middle” WAN router is optional but it surely adds more realism to the Lab.

The IP addresses used in this LAB are private for the two sites behind the ASA and the router and public on the WAN (Internet) sides. You can adjust the following configurations to your own IP addressing schema depending on your personal needs.

SITE A                                     Internet (simulated)                           SITE B
--------------------------------------------------------------------------------------------------------------------
Enc. domain: 192.168.9.0/24                WAN router: Cisco 2611                         Enc. domain: 192.168.50.0/24
Cisco ASA 5505, version 7.2(4)             (between the ASA and the end router)           Cisco 2621, IOS 12.3
Interface E0 (outside): 172.100.99.65/29   E0/0: 172.100.99.70/29 (ASA's gateway)         F0/1 (WAN): 172.77.200.206/28
Interface E1 (inside): 192.168.9.254/24    E0/1: 172.77.200.193/28 (router's gateway)     F0/0 (LAN): 192.168.50.1/24
Test PCs: 192.168.9.22, 192.168.9.50                                                      Test PCs: 192.168.50.23, 192.168.50.101

Network Diagram


IPSec Tunnel Parameters

Pre-shared key:  Cisco123
Encryption:      3des
Hash:            md5
DH group:        2 (1024-bit MODP)
Lifetime:        86400 seconds (IKE phase 1 SA)

These parameters only have to match on both ends for IKEv1 to succeed, and in the lab they do; they are not what should be deployed. 3DES, MD5 and Diffie-Hellman group 2 are all deprecated, and an eight-character pre-shared key derived from the vendor name is guessable. The ASA 7.2 and IOS 12.3 releases used here offer AES-256, SHA-1 and group 5 at most; on any release that supports them use AES-256, SHA-2, DH group 14 or higher and a long random key, or better, certificate authentication. Note also, before copying the configurations that follow anywhere real, that the 2621's vty lines accept "transport input all" (telnet included), the ASA permits telnet from the inside subnet, and "service password-encryption" only obscures line and username passwords with the reversible type 7 scheme; restrict management to SSH and use "secret"-style passwords.
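As an added example (not from the original write-up), here is a small Python audit that pulls the IKE policy, transform set and pre-shared key out of IOS- or ASA-style running configs and flags the weak choices listed above. The thresholds (which algorithms count as weak, a 20-character minimum for the key) are this example's own assumptions; the two lab excerpts are taken from the configs on this page, and the hardened excerpt is constructed to show a clean run on a release that supports those algorithms.

```python
"""Audit IKEv1/IPsec parameters in IOS- or ASA-style running configs.

Added example, not part of the lab page. WEAK_* sets and MIN_PSK_LEN are this
example's own policy, not anything the page or Cisco defines.
"""
import re

WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-3des", "esp-null"}
WEAK_HASH = {"md5", "esp-md5-hmac"}
WEAK_DH_GROUPS = {"1", "2", "5"}          # 768 / 1024 / 1536-bit MODP
MIN_PSK_LEN = 20                          # assumption: shorter keys are guessable

# IOS defaults that apply when an attribute is omitted from a policy block.
POLICY_DEFAULTS = {"encryption": "des", "hash": "sha", "group": "1", "lifetime": "86400"}


def parse_isakmp_policies(config):
    """Return {priority: {attribute: value}}. IOS writes 'encr', ASA 'encryption';
    both are stored under 'encryption'. An unindented line ends the block."""
    policies, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = policies.setdefault(m.group(1), dict(POLICY_DEFAULTS))
            continue
        if current is not None and raw.startswith(" ") and line:
            key, _, val = line.partition(" ")
            current["encryption" if key == "encr" else key] = val
        elif current is not None:
            current = None
    return policies


def parse_transform_sets(config):
    """Return {name: [algorithm tokens]} for every 'crypto ipsec transform-set'."""
    return {m.group(1): m.group(2).split()
            for m in re.finditer(r"crypto ipsec transform-set (\S+) (.+)", config)}


def parse_preshared_keys(config):
    """Keys from IOS 'crypto isakmp key K address ...' and ASA 'pre-shared-key K'.
    A masked key ('*') is skipped: the text says nothing about its strength."""
    keys = re.findall(r"(?:crypto isakmp key|pre-shared-key) (\S+)", config)
    return [k for k in keys if k != "*"]


def audit(config):
    """Return a list of findings; an empty list means nothing weak was found."""
    findings = []
    for prio, p in parse_isakmp_policies(config).items():
        if p["encryption"] in WEAK_ENCRYPTION:
            findings.append(f"isakmp policy {prio}: weak encryption {p['encryption']}")
        if p["hash"] in WEAK_HASH:
            findings.append(f"isakmp policy {prio}: weak hash {p['hash']}")
        if p["group"] in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {prio}: weak DH group {p['group']}")
    for name, algs in parse_transform_sets(config).items():
        for alg in algs:
            if alg in WEAK_ENCRYPTION or alg in WEAK_HASH:
                findings.append(f"transform-set {name}: weak {alg}")
    for key in parse_preshared_keys(config):
        if len(key) < MIN_PSK_LEN:
            findings.append(f"pre-shared key {key!r}: only {len(key)} characters")
    return findings


# Excerpt of the lab's 2621 config (from the page).
LAB_IOS = """\
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Cisco123 address 172.100.99.65
!
crypto ipsec transform-set labset esp-3des esp-md5-hmac
"""

# Excerpt of the lab's ASA config (from the page).
LAB_ASA = """\
crypto ipsec transform-set labset esp-3des esp-md5-hmac
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
tunnel-group 172.77.200.206 ipsec-attributes
 pre-shared-key Cisco123
"""

# Constructed hardened counterpart (not from the page); the algorithm names are
# those current IOS accepts, older releases such as 12.3 do not offer them.
HARDENED_IOS = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key Kf7#mQ2vL9xZ4pR8wT1nB6sY address 172.100.99.65
!
crypto ipsec transform-set labset esp-aes 256 esp-sha256-hmac
"""

if __name__ == "__main__":
    for label, cfg in (("2621", LAB_IOS), ("ASA", LAB_ASA), ("hardened", HARDENED_IOS)):
        print(label, audit(cfg) or "OK")
```

Run against the lab excerpts it reports six findings per device (three for the ISAKMP policy, two for the transform set, one for the key); the hardened excerpt comes back clean.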

 

Site A: Cisco ASA5505 Configuration

TechCity-ASA5505# sh run
: Saved
:
ASA Version 7.2(4)
!
hostname TechCity-ASA5505
domain-name cgngroup.com
enable password [--removed--] encrypted
passwd [--removed--] encrypted
names
!
interface Vlan1
 description Most Secure Inside LAN Connection
 nameif inside
 security-level 100
 ip address 192.168.9.254 255.255.255.0
!
interface Vlan2
 description Outside WAN Connection
 nameif outside
 security-level 0
 ip address 172.100.99.65 255.255.255.248
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup outside
dns server-group DefaultDNS
 domain-name cgngroup.com
access-list ACL_INBOUND remark --- allow return traffic back for ICMP from inside ---
access-list ACL_INBOUND extended permit icmp any any unreachable
access-list ACL_INBOUND extended permit icmp any any echo-reply
access-list ACL_INBOUND extended permit icmp any any time-exceeded
access-list ACL_INBOUND extended permit icmp any any source-quench
access-list ACL_ENCRYPTION remark --- Link to Cisco 2621 TechCity_Lab_C2621 ---
access-list ACL_ENCRYPTION extended permit ip 192.168.9.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list ACL_NONAT remark --- NO NAT ACL ---
access-list ACL_NONAT extended permit ip 192.168.9.0 255.255.255.0 192.168.50.0 255.255.255.0
pager lines 60
logging enable
logging timestamp
logging buffer-size 16384
logging asdm informational
logging device-id ipaddress outside
mtu inside 1500
mtu outside 1454
ip verify reverse-path interface inside
ip verify reverse-path interface outside
icmp unreachable rate-limit 1 burst-size 1
icmp deny any outside
asdm image disk0:/asdm-524.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 interface
nat (inside) 0 access-list ACL_NONAT
nat (inside) 1 192.168.9.0 255.255.255.0
access-group ACL_INBOUND in interface outside
route outside 0.0.0.0 0.0.0.0 172.100.99.70 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
http server enable
http 192.168.9.0 255.255.255.0 inside
crypto ipsec transform-set labset esp-3des esp-md5-hmac
crypto ipsec df-bit clear-df outside
crypto map labmap 1 match address ACL_ENCRYPTION
crypto map labmap 1 set pfs
crypto map labmap 1 set peer 172.77.200.206
crypto map labmap 1 set transform-set labset
crypto map labmap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
client-update enable
telnet 192.168.9.0 255.255.255.0 inside
telnet timeout 5
ssh 192.168.9.0 255.255.255.0 inside
ssh timeout 25
console timeout 25
management-access inside
username cris password [--removed--] encrypted privilege 15
username Admin password [--removed--] encrypted privilege 15
tunnel-group 172.77.200.206 type ipsec-l2l
tunnel-group 172.77.200.206 ipsec-attributes
 pre-shared-key Cisco123
!
prompt hostname context
Cryptochecksum:[--removed--]
: end
TechCity-ASA5505#

Site B: Cisco 2621 Router Configuration

TechCity_Lab_C2621# sh run
Building configuration...

Current configuration : 2110 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname TechCity_Lab_C2621
!
boot-start-marker
boot-end-marker
!
enable secret [--removed--]
enable password [--removed--]
!
aaa new-model
aaa authentication login default local
aaa session-id common
ip subnet-zero
ip cef
!
no ip domain lookup
ip domain name cgngroup.com
ip audit po max-events 100
!
username cris privilege 15 secret [--removed--]
username Admin privilege 15 secret [--removed--]
!
ip ssh time-out 5
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key Cisco123 address 172.100.99.65
!
crypto ipsec transform-set labset esp-3des esp-md5-hmac
!
crypto map labmap 1 ipsec-isakmp
 description --- Link to the ASA TechCity-ASA5505 ---
 set peer 172.100.99.65
 set security-association lifetime seconds 86400
 set transform-set labset
 set pfs group2
 match address 101
!
interface FastEthernet0/0
 description LAN Connection Interface to SITE B
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 description WAN Connection Interface
 ip address 172.77.200.206 255.255.255.240
 ip nat outside
 crypto map labmap
!
ip nat inside source route-map nonat interface FastEthernet0/1 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 172.77.200.193
!
access-list 100 remark --- NO NAT ACL ---
access-list 100 deny   ip 192.168.50.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 100 permit ip 192.168.50.0 0.0.0.255 any
access-list 101 remark --- Link to the Cisco 2621 TechCity-ASA5505 ---
access-list 101 permit ip 192.168.50.0 0.0.0.255 192.168.9.0 0.0.0.255
!
route-map nonat permit 10
 match ip address 100
!
line con 0
 session-timeout 3600
 exec-timeout 60 0
 password [--removed--]
line aux 0
line vty 0 4
 session-timeout 60
 exec-timeout 3600 0
 password [--removed--]
 transport input all
!
!
end

TechCity_Lab_C2621#
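Added example, not part of the original lab: before bringing a tunnel up it pays to check, off-box, that the two crypto ACLs are exact mirror images and that each end's NAT-exemption rule covers the same pair of networks, because a mismatched proxy ID is the usual reason quick mode fails or traffic flows in one direction only. The Python below does that for the ASA (netmask) and IOS (wildcard) ACL syntaxes, using the entries from the two configurations above; the "typo" variant is constructed here to show what a mismatch looks like.

```python
"""Mirror-image and NAT-exemption check for a site-to-site crypto ACL pair.

Added example, not from the lab page. The ACL excerpts are copied from the ASA
and 2621 configs; IOS_CFG_TYPO is a constructed broken variant.
"""
import ipaddress
import re


def _net(addr, mask, wildcard=False):
    """Network from a dotted address plus netmask (ASA) or wildcard mask (IOS)."""
    if wildcard:
        mask = str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(mask)) ^ 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def asa_acl(config, name):
    """[(action, src, dst)] for the 'ip' entries of a named ASA extended ACL."""
    pat = rf"^access-list {re.escape(name)} extended (permit|deny) ip (\S+) (\S+) (\S+) (\S+)$"
    return [(act, _net(s, sm), _net(d, dm))
            for act, s, sm, d, dm in re.findall(pat, config, re.M)]


def _ios_operand(tokens):
    """Consume one IOS address operand: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return _net(tokens[0], tokens[1], wildcard=True), tokens[2:]


def ios_acl(config, number):
    """[(action, src, dst)] for the 'ip' entries of a numbered IOS extended ACL."""
    entries = []
    for m in re.finditer(rf"^access-list {number} (permit|deny)\s+ip (.+)$", config, re.M):
        src, rest = _ios_operand(m.group(2).split())
        dst, _ = _ios_operand(rest)
        entries.append((m.group(1), src, dst))
    return entries


def proxy_pairs(entries):
    """The (local, remote) network pairs a crypto ACL will offer as proxy IDs."""
    return {(s, d) for act, s, d in entries if act == "permit"}


def mirror_mismatch(local, remote):
    """(pairs missing on the remote end, pairs missing on the local end).
    Two empty sets mean the crypto ACLs agree and quick mode will match."""
    a = proxy_pairs(local)
    b = {(d, s) for s, d in proxy_pairs(remote)}
    return a - b, b - a


def nat_exempt_ok(crypto_entries, nat_entries, exempt_action):
    """Every crypto pair must sit inside a NAT-ACL entry carrying the exempting
    action: 'permit' for an ASA 'nat (inside) 0 access-list', 'deny' for an IOS
    route-map ACL. Otherwise VPN traffic gets PATed and never matches the map."""
    for s, d in proxy_pairs(crypto_entries):
        if not any(act == exempt_action and s.subnet_of(ns) and d.subnet_of(nd)
                   for act, ns, nd in nat_entries):
            return False
    return True


def check(asa_cfg, ios_cfg):
    """Run all three checks for the lab's ACL names/numbers."""
    asa_crypto, asa_nonat = asa_acl(asa_cfg, "ACL_ENCRYPTION"), asa_acl(asa_cfg, "ACL_NONAT")
    ios_crypto, ios_nonat = ios_acl(ios_cfg, 101), ios_acl(ios_cfg, 100)
    return {
        "mirror_mismatch": mirror_mismatch(asa_crypto, ios_crypto),
        "asa_nat_exempt_ok": nat_exempt_ok(asa_crypto, asa_nonat, "permit"),
        "ios_nat_exempt_ok": nat_exempt_ok(ios_crypto, ios_nonat, "deny"),
    }


# From the ASA config on this page.
ASA_CFG = """\
access-list ACL_ENCRYPTION extended permit ip 192.168.9.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list ACL_NONAT extended permit ip 192.168.9.0 255.255.255.0 192.168.50.0 255.255.255.0
"""

# From the 2621 config on this page.
IOS_CFG = """\
access-list 100 deny   ip 192.168.50.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 100 permit ip 192.168.50.0 0.0.0.255 any
access-list 101 permit ip 192.168.50.0 0.0.0.255 192.168.9.0 0.0.0.255
"""

# Constructed: a typo in the router's crypto ACL (192.168.19.0 instead of 192.168.9.0).
IOS_CFG_TYPO = IOS_CFG.replace(
    "access-list 101 permit ip 192.168.50.0 0.0.0.255 192.168.9.0",
    "access-list 101 permit ip 192.168.50.0 0.0.0.255 192.168.19.0")

if __name__ == "__main__":
    print("lab  :", check(ASA_CFG, IOS_CFG))
    print("typo :", check(ASA_CFG, IOS_CFG_TYPO))
```

With the lab ACLs both checks pass; with the typo the router offers 192.168.50.0/24 to 192.168.19.0/24, which the ASA will reject as a proxy-ID mismatch, and the router's NAT exemption no longer covers the pair either.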

The “Middle” Cisco 2611 WAN Router Configuration

TechCity_Lab_C2611WAN# sh run
Building configuration...

Current configuration : 899 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname TechCity_Lab_C2611WAN
!
username cris password [--removed--]
!
ip subnet-zero
no ip finger
no ip domain-lookup
ip domain-name cgngroup.com
!
interface Ethernet0/0
 description Connected to the Cisco ASA5505 Outside Interface
 ip address 172.100.99.70 255.255.255.248
 ip accounting output-packets
!
interface Ethernet0/1
 description Connected to the Cisco 2621 F0/1 Interface
 ip address 172.77.200.193 255.255.255.240
 ip accounting output-packets
!
ip classless
no ip http server
!
line con 0
 session-timeout 60
 exec-timeout 60 0
 password [--removed--]
 login
 transport input none
line aux 0
line vty 0 4
 session-timeout 60
 exec-timeout 60 0
 password [--removed--]
 login
!
no scheduler allocate
end

TechCity_Lab_C2611WAN#

Various investigative commands related to VPN

ASA troubleshooting commands                 Router troubleshooting commands
-----------------------------------------    -----------------------------------------
sh crypto isakmp sa                          sh crypto isakmp sa
sh isakmp sa                                 sh crypto ipsec sa
sh ipsec sa peer 172.77.200.206              sh crypto engine connections active
sh crypto protocol statistics ipsec          sh access-list [acl_name]
sh access-list [acl_name]                    debug crypto isakmp
debug crypto isakmp                          debug crypto ipsec
debug crypto ipsec                           debug crypto engine

From the Site A test PC (192.168.9.22) we generate "interesting" traffic, i.e. traffic that matches ACL_ENCRYPTION and therefore makes the ASA start the IKE negotiation:

C:\>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.9.22
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.9.1

C:\>ping 192.168.50.23

Pinging 192.168.50.23 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Reply from 192.168.50.23: bytes=32 time=6ms TTL=254

Ping statistics for 192.168.50.23:
    Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
Approximate round trip times in milli-seconds:
    Minimum = 6ms, Maximum = 6ms, Average = 6ms

The first three echo requests time out, which is expected: the first packet matching the crypto ACL only triggers IKE phase 1 and phase 2 (about five seconds in the ASA debug capture further down) and is dropped rather than queued. Once the SAs exist, a second run is clean. Note also that the PC's default gateway is 192.168.9.1, not the ASA's inside address 192.168.9.254, so there is an inside hop the write-up does not show that forwards 192.168.50.0/24 toward the ASA.

C:\>ping 192.168.50.23

Pinging 192.168.50.23 with 32 bytes of data:
Reply from 192.168.50.23: bytes=32 time=5ms TTL=254
Reply from 192.168.50.23: bytes=32 time=5ms TTL=254
Reply from 192.168.50.23: bytes=32 time=5ms TTL=254
Reply from 192.168.50.23: bytes=32 time=5ms TTL=254

Ping statistics for 192.168.50.23:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 5ms, Maximum = 5ms, Average = 5ms

C:\>

On Site B we test connectivity from the Test PC behind the 2621:

C:\>ipconfig

Windows IP Configuration

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.50.23
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.50.1

C:\>ping 192.168.9.50

Pinging 192.168.9.50 with 32 bytes of data:
Reply from 192.168.9.50: bytes=32 time=6ms TTL=31
Reply from 192.168.9.50: bytes=32 time=6ms TTL=31
Reply from 192.168.9.50: bytes=32 time=6ms TTL=31
Reply from 192.168.9.50: bytes=32 time=6ms TTL=31

Ping statistics for 192.168.9.50:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 6ms, Maximum = 6ms, Average = 6ms

C:\>


Troubleshooting SITE A, Cisco ASA5505:

Capture before and immediately after issuing the ping commands:

TechCity-ASA5505# sh crypto isakmp sa

There are no isakmp sas

TechCity-ASA5505# sh crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.77.200.206
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
TechCity-ASA5505#

TechCity-ASA5505# sh crypto ipsec sa
interface: outside
    Crypto map tag: labmap, seq num: 1, local addr: 172.100.99.65

      access-list ACL_ENCRYPTION permit ip 192.168.9.0 255.255.255.0 192.168.50.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
      current_peer: 172.77.200.206

      #pkts encaps: 6, #pkts encrypt: 6, #pkts digest: 6
      #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 6, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.100.99.65, remote crypto endpt.: 172.77.200.206

      path mtu 1454, ipsec overhead 58, media mtu 1500
      current outbound spi: 2899FC7D

    inbound esp sas:
      spi: 0x972BD6B8 (2536232632)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 1, crypto-map: labmap
         sa timing: remaining key lifetime (kB/sec): (4274999/28501)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x2899FC7D (681180285)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 1, crypto-map: labmap
         sa timing: remaining key lifetime (kB/sec): (4274999/28501)
         IV size: 8 bytes
         replay detection support: Y

TechCity-ASA5505# sh crypto protocol statistics ipsec
[IPsec statistics]
   Encrypt packet requests: 6
   Encapsulate packet requests: 6
   Decrypt packet requests: 5
   Decapsulate packet requests: 5
   HMAC calculation requests: 11
   SA creation requests: 2
   SA rekey requests: 0
   SA deletion requests: 0
   Next phase key allocation requests: 0
   Random number generation requests: 0
   Failed requests: 0
TechCity-ASA5505#

TechCity-ASA5505# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list ACL_INBOUND; 4 elements
access-list ACL_INBOUND line 1 extended permit icmp any any unreachable (hitcnt=0) 0x8a00bb1d
access-list ACL_INBOUND line 2 extended permit icmp any any echo-reply (hitcnt=2) 0xbd068d3d
access-list ACL_INBOUND line 3 extended permit icmp any any time-exceeded (hitcnt=0) 0x1487340b
access-list ACL_INBOUND line 4 extended permit icmp any any source-quench (hitcnt=0) 0xe202f87b
access-list ACL_ENCRYPTION; 1 elements
access-list ACL_ENCRYPTION line 1 remark --- Link to Cisco 2621 TechCity_Lab_C2621 ---
access-list ACL_ENCRYPTION line 2 extended permit ip 192.168.9.0 255.255.255.0 192.168.50.0 255.255.255.0 (hitcnt=5) 0x0b6bc5e7
access-list ACL_NONAT; 1 elements
access-list ACL_NONAT line 1 remark --- NO NAT ACL ---
access-list ACL_NONAT line 2 extended permit ip 192.168.9.0 255.255.255.0 192.168.50.0 255.255.255.0 (hitcnt=0) 0x5c3c3d90
TechCity-ASA5505#

TechCity-ASA5505# sh ipsec sa peer 172.77.200.206
peer address: 172.77.200.206
    Crypto map tag: labmap, seq num: 1, local addr: 172.100.99.65

      access-list ACL_ENCRYPTION permit ip 192.168.9.0 255.255.255.0 192.168.50.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
      current_peer: 172.77.200.206

      #pkts encaps: 51, #pkts encrypt: 51, #pkts digest: 51
      #pkts decaps: 50, #pkts decrypt: 50, #pkts verify: 50
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 51, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 172.100.99.65, remote crypto endpt.: 172.77.200.206

      path mtu 1454, ipsec overhead 58, media mtu 1500
      current outbound spi: 2899FC7D

    inbound esp sas:
      spi: 0x972BD6B8 (2536232632)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 1, crypto-map: labmap
         sa timing: remaining key lifetime (kB/sec): (4274995/28137)
         IV size: 8 bytes
         replay detection support: Y
    outbound esp sas:
      spi: 0x2899FC7D (681180285)
         transform: esp-3des esp-md5-hmac none
         in use settings ={L2L, Tunnel, PFS Group 2, }
         slot: 0, conn_id: 1, crypto-map: labmap
         sa timing: remaining key lifetime (kB/sec): (4274995/28137)
         IV size: 8 bytes
         replay detection support: Y

TechCity-ASA5505# sh isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 172.77.200.206
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
TechCity-ASA5505#

TechCity-ASA5505# debug crypto isakmp
TechCity-ASA5505# conf t
TechCity-ASA5505(config)# logging console debug
TechCity-ASA5505(config)#
May 05 2011 13:43:36 172.100.99.65 : %ASA-5-111008: User 'enable_15' executed the 'logging console debug' command.
May 05 2011 13:43:37 172.100.99.65 : %ASA-7-710005: UDP request discarded from 192.168.9.22/59483 to inside:255.255.255.255/34447
May 05 2011 13:43:39 172.100.99.65 : %ASA-7-710005: UDP request discarded from 0.0.0.0/68 to inside:255.255.255.255/67
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-609001: Built local-host outside:192.168.50.23
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-609002: Teardown local-host outside:192.168.50.23 duration 0:00:00
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715077: Pitcher: received a key acquire message, spi 0x0
May 05 2011 13:43:40 172.100.99.65 : %ASA-5-713041: IP = 172.77.200.206, IKE Initiator: New Phase 1, Intf inside, IKE Peer 172.77.200.206  local Proxy Address 192.168.9.0, remote Proxy Address 192.168.50.0,  Crypto map (labmap)
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715046: IP = 172.77.200.206, constructing ISAKMP SA payload
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715046: IP = 172.77.200.206, constructing Fragmentation VID + extended capabilities payload
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-609001: Built local-host NP Identity Ifc:172.100.99.65
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-609001: Built local-host outside:172.77.200.206
May 05 2011 13:43:40 172.100.99.65 : %ASA-6-302015: Built outbound UDP connection 175 for outside:172.77.200.206/500 (172.77.200.206/500) to NP Identity Ifc:172.100.99.65/500 (172.100.99.65/500)
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + NONE (0) total length : 84
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715047: IP = 172.77.200.206, processing SA payload
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-713906: IP = 172.77.200.206, Oakley proposal is acceptable
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715046: IP = 172.77.200.206, constructing ke payload
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715046: IP = 172.77.200.206, constructing nonce payload
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715046: IP = 172.77.200.206, constructing Cisco Unity VID payload
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715046: IP = 172.77.200.206, constructing xauth V6 VID payload
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715048: IP = 172.77.200.206, Send IOS VID
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715038: IP = 172.77.200.206, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715046: IP = 172.77.200.206, constructing VID payload
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-715048: IP = 172.77.200.206, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
May 05 2011 13:43:40 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715047: IP = 172.77.200.206, processing ke payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715047: IP = 172.77.200.206, processing ISA_KE payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715047: IP = 172.77.200.206, processing nonce payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715047: IP = 172.77.200.206, processing VID payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715049: IP = 172.77.200.206, Received Cisco Unity client VID
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715047: IP = 172.77.200.206, processing VID payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715049: IP = 172.77.200.206, Received DPD VID
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715047: IP = 172.77.200.206, processing VID payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715038: IP = 172.77.200.206, Processing IOS/PIX Vendor ID payload (version: 1.0.0, capabilities: 0000077f)
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715047: IP = 172.77.200.206, processing VID payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715049: IP = 172.77.200.206, Received xauth V6 VID
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-713906: IP = 172.77.200.206, Connection landed on tunnel_group 172.77.200.206
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-713906: Group = 172.77.200.206, IP = 172.77.200.206, Generating keys for Initiator...
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715046: Group = 172.77.200.206, IP = 172.77.200.206, constructing ID payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715046: Group = 172.77.200.206, IP = 172.77.200.206, constructing hash payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715076: Group = 172.77.200.206, IP = 172.77.200.206, Computing hash for ISAKMP
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715034: IP = 172.77.200.206, Constructing IOS keep alive payload: proposal=32767/32767 sec.
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-715046: Group = 172.77.200.206, IP = 172.77.200.206, constructing dpd vid payload
May 05 2011 13:43:41 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + IOS KEEPALIVE (128) + VENDOR (13) + NONE (0) total length : 92
May 05 2011 13:43:42 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + ID (5) + HASH (8) + NONE (0) total length : 60
May 05 2011 13:43:42 172.100.99.65 : %ASA-7-715047: Group = 172.77.200.206, IP = 172.77.200.206, processing ID payload
May 05 2011 13:43:42 172.100.99.65 : %ASA-7-714011: Group = 172.77.200.206, IP = 172.77.200.206, ID_IPV4_ADDR ID received 172.77.200.206
May 05 2011 13:43:42 172.100.99.65 : %ASA-7-715047: Group = 172.77.200.206, IP = 172.77.200.206, processing hash payload
May 05 2011 13:43:42 172.100.99.65 : %ASA-7-715076: Group = 172.77.200.206, IP = 172.77.200.206, Computing hash for ISAKMP
May 05 2011 13:43:42 172.100.99.65 : %ASA-7-713906: IP = 172.77.200.206, Connection landed on tunnel_group 172.77.200.206
May 05 2011 13:43:43 172.100.99.65 : %ASA-4-713903: Group = 172.77.200.206, IP = 172.77.200.206, Freeing previously allocated memory for authorization-dn-attributes
May 05 2011 13:43:43 172.100.99.65 : %ASA-6-113009: AAA retrieved default group policy (DfltGrpPolicy) for user = 172.77.200.206
May 05 2011 13:43:43 172.100.99.65 : %ASA-7-713906: Group = 172.77.200.206, IP = 172.77.200.206, Oakley begin quick mode
May 05 2011 13:43:43 172.100.99.65 : %ASA-7-714002: Group = 172.77.200.206, IP = 172.77.200.206, IKE Initiator starting QM: msg id = d2a3e6cb
May 05 2011 13:43:43 172.100.99.65 : %ASA-3-713119: Group = 172.77.200.206, IP = 172.77.200.206, PHASE 1 COMPLETED
May 05 2011 13:43:43 172.100.99.65 : %ASA-7-713121: IP = 172.77.200.206, Keep-alive type for this connection: DPD
May 05 2011 13:43:43 172.100.99.65 : %ASA-7-715080: Group = 172.77.200.206, IP = 172.77.200.206, Starting P1 rekey timer: 82080 seconds.
May 05 2011 13:43:44 172.100.99.65 : %ASA-7-715006: Group = 172.77.200.206, IP = 172.77.200.206, IKE got SPI from key engine: SPI = 0x4cc39f88
May 05 2011 13:43:44 172.100.99.65 : %ASA-7-713906: Group = 172.77.200.206, IP = 172.77.200.206, oakley constucting quick mode
May 05 2011 13:43:44 172.100.99.65 : %ASA-7-715046: Group = 172.77.200.206, IP = 172.77.200.206, constructing blank hash payload
May 05 2011 13:43:44 172.100.99.65 : %ASA-7-715046: Group = 172.77.200.206, IP = 172.77.200.206, constructing IPSec SA payload
May 05 2011 13:43:44 172.100.99.65 : %ASA-7-715046: Group = 172.77.200.206, IP = 172.77.200.206, constructing IPSec nonce payload
May 05 2011 13:43:44 172.100.99.65 : %ASA-7-715046: Group = 172.77.200.206, IP = 172.77.200.206, constructing pfs ke payload
May 05 2011 13:43:44 172.100.99.65 : %ASA-7-715001: Group = 172.77.200.206, IP = 172.77.200.206, constructing proxy ID
May 05 2011 13:43:44 172.100.99.65 : %ASA-7-713906: Group = 172.77.200.206, IP = 172.77.200.206, Transmitting Proxy Id:
  Local subnet:  192.168.9.0  mask 255.255.255.0 Protocol 0  Port 0
  Remote subnet: 192.168.50.0  Mask 255.255.255.0 Protocol 0  Port 0
May 05 2011 13:43:45 172.100.99.65 : %ASA-7-714007: Group = 172.77.200.206, IP = 172.77.200.206, IKE Initiator sending Initial Contact
May 05 2011 13:43:45 172.100.99.65 : %ASA-7-715046: Group = 172.77.200.206, IP = 172.77.200.206, constructing qm hash payload
May 05 2011 13:43:45 172.100.99.65 : %ASA-7-714004: Group = 172.77.200.206, IP = 172.77.200.206, IKE Initiator sending 1st QM pkt: msg id = d2a3e6cb
May 05 2011 13:43:45 172.100.99.65 : %ASA-7-713236: IP = 172.77.200.206, IKE_DECODE SENDING Message (msgid=d2a3e6cb) with payloads : HDR + HASH (8) + SA (1) + NONCE (10) + KE (4) + ID (5) + ID (5) + NOTIFY (11) + NONE (0) total length : 328

TechCity-ASA5505(config)# no logging console debug
TechCity-ASA5505(config)# exit
TechCity-ASA5505# undebug all
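The ASA output above is the kind of thing a SIEM receives once "logging timestamp" and "logging device-id" are on, and the useful events are a handful of message IDs. As an added example (not from the original write-up), here is a Python reducer that turns that stream into a per-peer summary: who initiated, which tunnel-group the peer landed on, how long phase 1 took, the proxy IDs that were sent, and whether the peer is one we expect. The sample lines are copied from the capture above (the proxy-ID message joined onto one line as syslog would deliver it); the allow-list of expected peers and the extra line for peer 198.51.100.7 are this example's constructed inputs.

```python
"""Reduce ASA IKEv1 syslog messages to a per-peer tunnel timeline.

Added example, not part of the lab page. The syslog IDs matched (713041,
713906, 713119) are real ASA message IDs; EXPECTED_PEERS and the 198.51.100.7
line in SAMPLE_LOG are constructed for this example.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<msg>.*)$")
PEER_RE = re.compile(r"\bIP = (\d+\.\d+\.\d+\.\d+)")
TG_RE = re.compile(r"landed on tunnel_group (\S+)")
PROXY_RE = re.compile(r"Local subnet:\s+(\S+)\s+mask (\S+).*Remote subnet:\s+(\S+)\s+Mask (\S+)")


def parse_asa_syslog(lines):
    """Yield one dict per line in the 'logging timestamp' + 'logging device-id
    ipaddress' format the lab ASA uses; CLI echo and prompts are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%b %d %Y %H:%M:%S")
            ev["msgid"] = int(ev["msgid"])
            yield ev


def ike_timeline(lines, expected_peers):
    """Per-peer summary of the negotiation. A peer that is not in
    expected_peers is flagged: a tunnel to a crypto-map peer nobody knows
    about is worth an alert in its own right."""
    peers = {}
    for ev in parse_asa_syslog(lines):
        pm = PEER_RE.search(ev["msg"])
        if not pm:
            continue                      # not an IKE/IPsec message about a peer
        peer = pm.group(1)
        t = peers.setdefault(peer, {
            "first_seen": ev["ts"], "role": None, "tunnel_group": None,
            "phase1_seconds": None, "proxy_ids": None,
            "unexpected": peer not in expected_peers})
        msg, msgid = ev["msg"], ev["msgid"]
        if msgid == 713041 and "IKE Initiator" in msg:
            t["role"] = "initiator"
        elif msgid == 713906:
            g = TG_RE.search(msg)
            if g:
                t["tunnel_group"] = g.group(1)
            p = PROXY_RE.search(msg)
            if p:
                t["proxy_ids"] = (f"{p.group(1)}/{p.group(2)}", f"{p.group(3)}/{p.group(4)}")
        elif msgid == 713119:             # PHASE 1 COMPLETED
            t["phase1_seconds"] = int((ev["ts"] - t["first_seen"]).total_seconds())
    return peers


EXPECTED_PEERS = {"172.77.200.206"}       # assumption: the one configured L2L peer

SAMPLE_LOG = [
    # Lines below are from the lab capture on this page.
    "May 05 2011 13:43:37 172.100.99.65 : %ASA-7-710005: UDP request discarded from 192.168.9.22/59483 to inside:255.255.255.255/34447",
    "May 05 2011 13:43:40 172.100.99.65 : %ASA-5-713041: IP = 172.77.200.206, IKE Initiator: New Phase 1, Intf inside, IKE Peer 172.77.200.206  local Proxy Address 192.168.9.0, remote Proxy Address 192.168.50.0,  Crypto map (labmap)",
    "May 05 2011 13:43:41 172.100.99.65 : %ASA-7-713906: IP = 172.77.200.206, Connection landed on tunnel_group 172.77.200.206",
    "May 05 2011 13:43:43 172.100.99.65 : %ASA-3-713119: Group = 172.77.200.206, IP = 172.77.200.206, PHASE 1 COMPLETED",
    "May 05 2011 13:43:44 172.100.99.65 : %ASA-7-713906: Group = 172.77.200.206, IP = 172.77.200.206, Transmitting Proxy Id:  Local subnet:  192.168.9.0  mask 255.255.255.0 Protocol 0  Port 0 Remote subnet: 192.168.50.0  Mask 255.255.255.0 Protocol 0  Port 0",
    "May 05 2011 13:43:45 172.100.99.65 : %ASA-7-714007: Group = 172.77.200.206, IP = 172.77.200.206, IKE Initiator sending Initial Contact",
    # Constructed line (not from the page): a negotiation with an unlisted peer.
    "May 05 2011 13:51:02 172.100.99.65 : %ASA-5-713041: IP = 198.51.100.7, IKE Initiator: New Phase 1, Intf inside, IKE Peer 198.51.100.7  local Proxy Address 192.168.9.0, remote Proxy Address 10.9.9.0,  Crypto map (labmap)",
]

if __name__ == "__main__":
    for peer, summary in ike_timeline(SAMPLE_LOG, EXPECTED_PEERS).items():
        print(peer, summary)
```

For the lab peer this yields role "initiator", tunnel-group 172.77.200.206, a three-second phase 1 and the 192.168.9.0/24 to 192.168.50.0/24 proxy IDs; the constructed peer comes back with "unexpected" set, which is the line to alert on.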

 

Troubleshooting SITE B, Cisco 2621:

In this capture the router is the responder: the first packet arrives from 172.100.99.65 as a new SA and the router walks through main mode states IKE_R_MM1 to IKE_R_MM5 before IKE_P1_COMPLETE, then through quick mode to IKE_QM_PHASE2_COMPLETE. Two details are worth checking in the output. First, the quick-mode proposal from the ASA carries an SA lifetime of 28800 seconds: the router's crypto map asks for 86400, but IKE settles on the lower value, so the IPsec SAs on both ends live eight hours, which matches the "remaining key lifetime ... 28501" the ASA reported above. Second, the SPIs line up across the two ends: the router's inbound SA uses 0x2899FC7D, the ASA's outbound SPI, and the router's outbound SPI is printed as the signed integer -1758734664, which is 0x972BD6B8, the ASA's inbound SPI. If these did not correspond, ESP would be arriving for an SPI the receiving end does not know and the decaps counters would stay at zero.

TechCity_Lab_C2621# sh crypto isakmp sadst             src             state          conn-id slot

TechCity_Lab_C2621# debug crypto isakmpCrypto ISAKMP debugging is onTechCity_Lab_C2621#00:06:00: ISAKMP (0:0): received packet from 172.100.99.65 dport 500 sport 500 Global (N) NEW SA00:06:00: ISAKMP: Created a peer struct for 172.100.99.65, peer port 50000:06:00: ISAKMP: Locking peer struct 0x830314A4, IKE refcount 1 for Responding to new initiation00:06:00: ISAKMP: local port 500, remote port 50000:06:00: ISAKMP: insert sa successfully sa = 82FE581400:06:00: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH00:06:00: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_R_MM100:06:00: ISAKMP (0:1): processing SA payload. message ID = 000:06:00: ISAKMP (0:1): processing vendor id payload00:06:00: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch00:06:00: ISAKMP: Looking for a matching key for 172.100.99.65 in default : success00:06:00: ISAKMP (0:1): found peer pre-shared key matching 172.100.99.6500:06:00: ISAKMP (0:1) local preshared key found00:06:00: ISAKMP : Scanning profiles for xauth ...00:06:00: ISAKMP (0:1): Checking ISAKMP transform 1 against priority 10 policy00:06:00: ISAKMP:      default group 200:06:00: ISAKMP:      encryption 3DES-CBC00:06:00: ISAKMP:      hash MD500:06:00: ISAKMP:      auth pre-share00:06:00: ISAKMP:      life type in seconds00:06:00: ISAKMP:      life duration (VPI) of  0x0 0x1 0x51 0x8000:06:00: ISAKMP (0:1): atts are acceptable. Next payload is 000:06:01: ISAKMP (0:1): processing vendor id payload

Page 15: Site 2 Site VPN

00:06:01: ISAKMP (0:1): vendor ID seems Unity/DPD but major 194 mismatch00:06:01: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE00:06:01: ISAKMP (0:1): Old State = IKE_R_MM1  New State = IKE_R_MM100:06:01: ISAKMP (0:1): sending packet to 172.100.99.65 my_port 500 peer_port 500 (R) MM_SA_SETUP00:06:01: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE00:06:01: ISAKMP (0:1): Old State = IKE_R_MM1  New State = IKE_R_MM200:06:01: ISAKMP (0:1): received packet from 172.100.99.65 dport 500 sport 500 Global (R) MM_SA_SETUP00:06:01: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH00:06:01: ISAKMP (0:1): Old State = IKE_R_MM2  New State = IKE_R_MM300:06:01: ISAKMP (0:1): processing KE payload. message ID = 000:06:01: ISAKMP (0:1): processing NONCE payload. message ID = 000:06:01: ISAKMP: Looking for a matching key for 172.100.99.65 in default : success00:06:01: ISAKMP (0:1): found peer pre-shared key matching 172.100.99.6500:06:01: ISAKMP (0:1): SKEYID state generated00:06:01: ISAKMP (0:1): processing vendor id payload00:06:01: ISAKMP (0:1): vendor ID is Unity00:06:01: ISAKMP (0:1): processing vendor id payload00:06:01: ISAKMP (0:1): vendor ID seems Unity/DPD but major 211 mismatch00:06:01: ISAKMP (0:1): vendor ID is XAUTH00:06:01: ISAKMP (0:1): processing vendor id payload00:06:01: ISAKMP (0:1): speaking to another IOS box!00:06:01: ISAKMP (0:1): processing vendor id payload00:06:01: ISAKMP (0:1:): vendor ID seems Unity/DPD but hash mismatch00:06:01: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE00:06:01: ISAKMP (0:1): Old State = IKE_R_MM3  New State = IKE_R_MM300:06:01: ISAKMP (0:1): sending packet to 172.100.99.65 my_port 500 peer_port 500 (R) MM_KEY_EXCH00:06:01: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE00:06:01: ISAKMP (0:1): Old State = IKE_R_MM3  New State = IKE_R_MM400:06:01: ISAKMP (0:1): received packet from 172.100.99.65 dport 500 sport 500 Global (R) MM_KEY_EXCH00:06:01: ISAKMP (0:1): Input = 
IKE_MESG_FROM_PEER, IKE_MM_EXCH
00:06:01: ISAKMP (0:1): Old State = IKE_R_MM4  New State = IKE_R_MM5
00:06:01: ISAKMP (0:1): processing ID payload. message ID = 0
00:06:01: ISAKMP (0:1): ID payload
        next-payload : 8
        type         : 1
        address      : 172.100.99.65
        protocol     : 17
        port         : 500
        length       : 12
00:06:01: ISAKMP (0:1): peer matches *none* of the profiles
00:06:01: ISAKMP (0:1): processing HASH payload. message ID = 0
00:06:01: ISAKMP:received payload type 17
00:06:01: ISAKMP (0:1): processing vendor id payload
00:06:01: ISAKMP (0:1): vendor ID is DPD
00:06:01: ISAKMP (0:1): SA authentication status:
        authenticated
00:06:01: ISAKMP (0:1): SA has been authenticated with 172.100.99.65
00:06:01: ISAKMP (0:1): peer matches *none* of the profiles
00:06:01: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_MAIN_MODE
00:06:01: ISAKMP (0:1): Old State = IKE_R_MM5  New State = IKE_R_MM5
00:06:01: ISAKMP (0:1): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
00:06:01: ISAKMP (0:1): ID payload
        next-payload : 8
        type         : 1
        address      : 172.77.200.206
        protocol     : 17
        port         : 500
        length       : 12
00:06:01: ISAKMP (1): Total payload length: 12
00:06:01: ISAKMP (0:1): sending packet to 172.100.99.65 my_port 500 peer_port 500 (R) MM_KEY_EXCH
00:06:01: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
00:06:01: ISAKMP (0:1): Old State = IKE_R_MM5  New State = IKE_P1_COMPLETE
00:06:01: ISAKMP (0:1): Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
00:06:01: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
00:06:01: ISAKMP (0:1): received packet from 172.100.99.65 dport 500 sport 500 Global (R) QM_IDLE
00:06:01: ISAKMP: set new node -1712801892 to QM_IDLE
00:06:01: ISAKMP (0:1): processing HASH payload. message ID = -1712801892
00:06:01: ISAKMP (0:1): processing SA payload. message ID = -1712801892
00:06:01: ISAKMP (0:1): Checking IPSec proposal 1
00:06:01: ISAKMP: transform 1, ESP_3DES
00:06:01: ISAKMP:   attributes in transform:
00:06:01: ISAKMP:      SA life type in seconds
00:06:01: ISAKMP:      SA life duration (basic) of 28800
00:06:01: ISAKMP:      SA life type in kilobytes
00:06:01: ISAKMP:      SA life duration (VPI) of  0x0 0x46 0x50 0x0
00:06:01: ISAKMP:      encaps is 1 (Tunnel)
00:06:01: ISAKMP:      authenticator is HMAC-MD5
00:06:01: ISAKMP:      group is 2
00:06:01: ISAKMP (0:1): atts are acceptable.
00:06:01: ISAKMP (0:1): processing NONCE payload. message ID = -1712801892
00:06:01: ISAKMP (0:1): processing KE payload. message ID = -1712801892
00:06:01: ISAKMP (0:1): processing ID payload. message ID = -1712801892
00:06:01: ISAKMP (0:1): processing ID payload. message ID = -1712801892
00:06:01: ISAKMP (0:1): processing NOTIFY INITIAL_CONTACT protocol 1
        spi 0, message ID = -1712801892, sa = 82FE5814
00:06:01: ISAKMP (0:1): SA authentication status:
        authenticated
00:06:01: ISAKMP (0:1): Process initial contact,
bring down existing phase 1 and 2 SA's with local 172.77.200.206 remote 172.100.99.65 remote port 500
00:06:01: ISAKMP (0:1): asking for 1 spis from ipsec
00:06:01: ISAKMP (0:1): Node -1712801892, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:06:01: ISAKMP (0:1): Old State = IKE_QM_READY  New State = IKE_QM_SPI_STARVE
00:06:01: ISAKMP: received ke message (2/1)
00:06:02: ISAKMP: Locking peer struct 0x830314A4, IPSEC refcount 1 for for stuff_ke
00:06:02: ISAKMP (0:1): Creating IPSec SAs
00:06:02:         inbound SA from 172.100.99.65 to 172.77.200.206 (f/i)  0/ 0
        (proxy 192.168.9.0 to 192.168.50.0)
00:06:02:         has spi 0x2899FC7D and conn_id 2000 and flags 23
00:06:02:         lifetime of 28800 seconds
00:06:02:         lifetime of 4608000 kilobytes
00:06:02:         has client flags 0x0
00:06:02:         outbound SA from 172.77.200.206  to 172.100.99.65   (f/i)  0/ 0
        (proxy 192.168.50.0    to 192.168.9.0    )
00:06:02:         has spi -1758734664 and conn_id 2001 and flags 2B

00:06:02:         lifetime of 28800 seconds
00:06:02:         lifetime of 4608000 kilobytes
00:06:02:         has client flags 0x0
00:06:02: ISAKMP (0:1): sending packet to 172.100.99.65 my_port 500 peer_port 500 (R) QM_IDLE
00:06:02: ISAKMP (0:1): Node -1712801892, Input = IKE_MESG_FROM_IPSEC, IKE_SPI_REPLY
00:06:02: ISAKMP (0:1): Old State = IKE_QM_SPI_STARVE  New State = IKE_QM_R_QM2
00:06:02: ISAKMP (0:1): received packet from 172.100.99.65 dport 500 sport 500 Global (R) QM_IDLE
00:06:02: ISAKMP: set new node -894521910 to QM_IDLE
00:06:02: ISAKMP (0:1): processing HASH payload. message ID = -894521910
00:06:02: ISAKMP (0:1): processing NOTIFY unknown protocol 1
        spi 0, message ID = -894521910, sa = 82FE5814
00:06:02: ISAKMP (0:1): deleting node -894521910 error FALSE reason "informational (in) state 1"
00:06:02: ISAKMP (0:1): Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
00:06:02: ISAKMP (0:1): Old State = IKE_P1_COMPLETE  New State = IKE_P1_COMPLETE
00:06:02: ISAKMP (0:1): received packet from 172.100.99.65 dport 500 sport 500 Global (R) QM_IDLE
00:06:02: ISAKMP (0:1): deleting node -1712801892 error FALSE reason "quick mode done (await)"
00:06:02: ISAKMP (0:1): Node -1712801892, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
00:06:02: ISAKMP (0:1): Old State = IKE_QM_R_QM2  New State = IKE_QM_PHASE2_COMPLETE
TechCity_Lab_C2621#
TechCity_Lab_C2621# sh crypto isakmp sa
dst             src             state          conn-id slot
172.77.200.206  172.100.99.65   QM_IDLE              1    0

TechCity_Lab_C2621#
TechCity_Lab_C2621# undebug all
All possible debugging has been turned off
TechCity_Lab_C2621#
TechCity_Lab_C2621# sh crypto ipsec sa

interface: FastEthernet0/1
    Crypto map tag: labmap, local addr. 172.77.200.206

   protected vrf:
   local  ident (addr/mask/prot/port): (192.168.50.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.9.0/255.255.255.0/0/0)
   current_peer: 172.100.99.65:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest 5
    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify 6
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.77.200.206, remote crypto endpt.: 172.100.99.65
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 972BD6B8

     inbound esp sas:
      spi: 0x2899FC7D(681180285)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: labmap
        sa timing: remaining key lifetime (k/sec): (4500618/28629)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x972BD6B8(2536232632)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: labmap
        sa timing: remaining key lifetime (k/sec): (4500618/28627)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:
TechCity_Lab_C2621#
TechCity_Lab_C2621# sh crypto engine connections active

  ID Interface            IP-Address      State  Algorithm           Encrypt  Decrypt
   1 FastEthernet0/1      172.77.200.206  set    HMAC_MD5+3DES_56_C        0        0
2000 FastEthernet0/1      172.77.200.206  set    HMAC_MD5+3DES_56_C        0        6
2001 FastEthernet0/1      172.77.200.206  set    HMAC_MD5+3DES_56_C        5        0

TechCity_Lab_C2621# sh access-lists
Extended IP access list 100
    10 deny ip 192.168.50.0 0.0.0.255 192.168.9.0 0.0.0.255 (5 matches)
    20 permit ip 192.168.50.0 0.0.0.255 any
Extended IP access list 101
    10 permit ip 192.168.50.0 0.0.0.255 192.168.9.0 0.0.0.255 (11 matches)
TechCity_Lab_C2621#

 

Verify the “Middle” WAN router

Note that only packets between the public IP addresses (the VPN peers) are “seen” here; the private 192.168.9.0/24 and 192.168.50.0/24 addresses never appear on the WAN, because they travel inside the ESP tunnel:

TechCity_Lab_C2611WAN# sh ip accounting
   Source           Destination              Packets               Bytes
 172.100.99.65    172.77.200.206                 236               32788
 172.77.200.206   172.100.99.65                  227               29996

Accounting data age is 01:19

Site to Site VPN between Cisco ASA and Router
Wednesday, May 25th, 2011 at 5:33 pm

In this post we will configure a site-to-site IPsec VPN between a Cisco IOS router and an ASA firewall. The ASA configuration is not much different from Cisco IOS with regard to IPsec VPN, since the fundamental concepts are the same. Let’s start our LAB example and see how it’s done.

Consider the following diagram. The first site (Remote1) is equipped with a Cisco ASA firewall (any model) and the second site (Remote2) with a Cisco router. Remember that a Cisco ASA firewall supports IPsec VPN out of the box, but a Cisco router must run an IOS feature set that includes crypto support (such as the ADVIPSERVICESK9 image used here) in order to build encrypted VPN tunnels.

Equipment Used in this LAB:

ASA 5510 – Cisco Adaptive Security Appliance Software Version 8.0(3)

Cisco Router 2801 – C2801-ADVIPSERVICESK9-M Version 12.4(9)T4

Scenario:

The LAN of Remote1 must be connected to the LAN of Remote2 via a VPN tunnel. In the most usual scenario the WAN cloud is the Internet, so secure connectivity must be provided between the two LANs over the Internet.

First of all, make sure that the outside interfaces of the ASA and the router can reach each other over the WAN, and that nothing in the path blocks UDP/500 (ISAKMP) or ESP (IP protocol 50). Now let’s start the IPsec VPN configuration.

Cisco ASA Configuration

First I started ASA configuration.

I’ve created an access list that matches the “interesting traffic”, i.e. the traffic to be encrypted. Traffic from 192.168.3.0/24 to 192.168.4.0/24 is matched by this access list, encrypted and sent through the tunnel.

ASA(config)# access-list vpn extended permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0

! IKE PHASE #1
! Create the Phase 1 (ISAKMP) policy. This policy protects the key exchange itself.
ASA(config)# crypto isakmp policy 1

! Pre-shared key authentication, still the most common choice for site-to-site tunnels.
ASA(config-isakmp-policy)# authentication pre-share

! 3DES encryption.
ASA(config-isakmp-policy)# encryption 3des

! MD5 hashing.
ASA(config-isakmp-policy)# hash md5

! Diffie-Hellman group 2. Group 1 is the default on IOS and group 2 on the ASA; of the three common groups (1, 2, 5), group 5 is the strongest.
! Note that 3DES, MD5 and DH groups 1 and 2 are all considered weak today; on current software prefer AES, SHA-2 and group 14 or higher on both peers.
ASA(config-isakmp-policy)# group 2

! Configure the pre-shared key for the peer. The keys must match on both peers, otherwise Phase 1 will not complete.
ASA(config)# crypto isakmp key secretsharedkey address 192.168.2.2

NOTE: The ASA does not display the key in the configuration. The command above is stored as a tunnel-group for the peer, with the key masked:
tunnel-group 192.168.2.2 ipsec-attributes
 pre-shared-key *

! Enable ISAKMP on the outside interface.
ASA(config)# crypto isakmp enable outside

! IKE PHASE #2
! The IPsec SAs (the VPN tunnel proper) are negotiated in this phase, and the traffic between the peers is encrypted according to the parameters agreed here.

! Create the transform set, which defines how traffic between the peers is encrypted and authenticated.
ASA(config)# crypto ipsec transform-set ts esp-3des esp-md5-hmac

! Apply the access list created earlier to match the interesting traffic.
ASA(config)# crypto map vpn 10 match address vpn

! The peer is the public (outside) address of Remote2.
ASA(config)# crypto map vpn 10 set peer 192.168.2.2

! Apply the transform set.
ASA(config)# crypto map vpn 10 set transform-set ts

! Attach the crypto map to the outside interface.
ASA(config)# crypto map vpn interface outside

ASA configuration is completed here (regarding the VPN config of course). Now let’s start Router Configuration below.

Cisco Router Configuration

ISAKMP Phase 1

! Enter ISAKMP policy configuration mode.
Router(config)# crypto isakmp policy 10

! 3DES encryption.
Router(config-isakmp)# encr 3des

! MD5 hashing.
Router(config-isakmp)# hash md5

! Pre-shared key authentication.
Router(config-isakmp)# authentication pre-share

! Diffie-Hellman group 2 (group 1 is the IOS default).
Router(config-isakmp)# group 2

! The same pre-shared key as on the ASA, bound to the ASA’s outside address.
Router(config)# crypto isakmp key secretsharedkey address 192.168.1.2

It’s not necessary to match policy numbers. The most important is to match corresponding parameters of policy. Otherwise negotiation of Phase1 will not be successful.
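As an added example that is not part of the original post, the Python below compares the ASA policy above with the router policy the way the IKE responder does: policy numbers are ignored, encryption, hash, authentication and DH group must all match, and when lifetimes differ the shorter one is used (the behaviour Cisco documents for ISAKMP policy matching). Attributes that were never typed take the platform default, which is what makes a forgotten "authentication pre-share" on the router fail silently. The IOS defaults DES/SHA/group 1 are the ones this page states later; rsa-sig and 86400 seconds are the documented IOS defaults; the ASA defaults (3DES, SHA, pre-share, group 2, 86400) are taken from the ASA CLI reference and should be verified for your release. The sample policies are constructed from the commands in this post.

```python
"""Compare two peers' IKEv1 Phase 1 (ISAKMP) policies the way the negotiation does.

Policy numbers are irrelevant. Encryption, hash, authentication and DH group
must match exactly; if lifetimes differ, the shorter one is used. Attributes
not configured take the platform default, which 'show run' does not display.
"""
from typing import Dict, List, Optional

# Defaults applied to attributes that a policy does not set.
# IOS: DES / SHA / group 1 as stated on this page; rsa-sig and 86400 s per IOS docs.
# ASA: assumed from the ASA CLI reference; verify for your release.
DEFAULTS = {
    "ios": {"encryption": "des", "hash": "sha", "authentication": "rsa-sig",
            "group": 1, "lifetime": 86400},
    "asa": {"encryption": "3des", "hash": "sha", "authentication": "pre-share",
            "group": 2, "lifetime": 86400},
}
NEGOTIATED = ("encryption", "hash", "authentication", "group")

# Constructed samples: the ASA and router Phase 1 commands from this post.
ASA_POLICY = """
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash md5
 group 2
crypto isakmp key secretsharedkey address 192.168.2.2
"""
ROUTER_POLICY = """
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key secretsharedkey address 192.168.1.2
"""
# Same router policy with 'authentication pre-share' forgotten: the hidden
# IOS default (rsa-sig) silently breaks the match.
ROUTER_MISSING_AUTH = ROUTER_POLICY.replace(" authentication pre-share\n", "")


def parse_policies(platform: str, config: str) -> Dict[int, dict]:
    """Return {priority: attributes} for every 'crypto isakmp policy' block."""
    policies: Dict[int, dict] = {}
    current: Optional[int] = None
    for raw in config.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if tokens[:3] == ["crypto", "isakmp", "policy"]:
            current = int(tokens[3])
            policies[current] = dict(DEFAULTS[platform])
            continue
        if current is None:
            continue
        key = "encryption" if tokens[0] == "encr" else tokens[0]  # IOS abbreviates
        if key not in policies[current]:
            current = None  # any other command ends the policy block
            continue
        value = tokens[1]
        policies[current][key] = int(value) if key in ("group", "lifetime") else value
    return policies


def negotiate(initiator: Dict[int, dict], responder: Dict[int, dict]) -> Optional[dict]:
    """First matching pair, trying policies in priority order (lowest number first)."""
    for ipri in sorted(initiator):
        for rpri in sorted(responder):
            mine, theirs = initiator[ipri], responder[rpri]
            if all(mine[k] == theirs[k] for k in NEGOTIATED):
                agreed = {k: mine[k] for k in NEGOTIATED}
                agreed["lifetime"] = min(mine["lifetime"], theirs["lifetime"])
                agreed["policies"] = (ipri, rpri)
                return agreed
    return None


def weak_attributes(policy: dict) -> List[str]:
    """Attributes a current deployment should not rely on."""
    weak = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {1, 2}}
    return [k for k, bad in weak.items() if policy[k] in bad]


if __name__ == "__main__":
    asa = parse_policies("asa", ASA_POLICY)
    for name, cfg in (("router", ROUTER_POLICY), ("router without auth", ROUTER_MISSING_AUTH)):
        agreed = negotiate(asa, parse_policies("ios", cfg))
        if agreed is None:
            print(f"{name}: no matching Phase 1 policy")
        else:
            print(f"{name}: match {agreed['policies']} -> {agreed}; weak: {weak_attributes(agreed)}")
```

Run it as is and the router policy matches the ASA's policy 1 while the variant without "authentication pre-share" does not, even though "show run" on that router would look almost identical.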

! Access list for matching the interesting traffic (the mirror image of the ASA’s access list).
Router(config)# ip access-list extended vpn
Router(config-ext-nacl)# permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

IKE PHASE #2 (IPsec)

! Create the IPsec transform set, which determines how traffic in the tunnel is encrypted and hashed.
Router(config)# crypto ipsec transform-set ts esp-3des esp-md5-hmac

! Enter crypto map configuration mode.
Router(config)# crypto map vpn 10 ipsec-isakmp

! The peer’s address.
Router(config-crypto-map)# set peer 192.168.1.2

! The transform set created above.
Router(config-crypto-map)# set transform-set ts

! The access list created above.
Router(config-crypto-map)# match address vpn

! Apply the crypto map to the outside interface.
Router(config)# interface FastEthernet0/0
Router(config-if)# crypto map vpn

With this, VPN configuration is completed so let’s start verification.

! In the output below it is shown that ISAKMP PHASE1 is active, which means that negotiation of PHASE1 is completed successfully.

ASA# show crypto isakmp sa

   Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1   IKE Peer: 192.168.2.2
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE

Router# show crypto isakmp sa
dst             src             state          conn-id slot
192.168.1.2     192.168.2.2     MM_ACTIVE            1    0

! Checking Phase 2. Here we see that IPsec is working and the interesting traffic flows through the VPN tunnel.

ASA# show crypto ipsec sa
interface: outside
    Crypto map tag: vpn, seq num: 10, local addr: 192.168.1.2

      access-list vpn permit ip 192.168.3.0 255.255.255.0 192.168.4.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
      current_peer: 192.168.2.2

      #pkts encaps: 344, #pkts encrypt: 344, #pkts digest: 344
      #pkts decaps: 344, #pkts decrypt: 344, #pkts verify: 344
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 344, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

Router# show crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: vpn, local addr 192.168.2.2

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 192.168.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 344, #pkts encrypt: 344, #pkts digest: 344
    #pkts decaps: 344, #pkts decrypt: 344, #pkts verify: 344
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

The VPN tunnel is established and works. The counters confirm it: each side’s encaps count equals the other side’s decaps count and both directions carry traffic, which rules out the classic one-way symptom of a crypto ACL that is not mirrored or of traffic being NATed before encryption.
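The check just described can be automated. The following Python script is an added example, not part of the original post: it parses "show crypto ipsec sa" output in both the ASA and the IOS format into the proxy identities, the peer and the packet counters, flags the no-traffic and one-way cases on a single device, and cross-checks the two ends against each other. The two sample outputs are constructed from the listings above, trimmed to the lines the parser needs; the one-way sample is invented to show the failure case.

```python
"""Parse 'show crypto ipsec sa' (ASA and IOS formats) and sanity-check the tunnel.

A healthy SA both encrypts and decrypts. Zero in one direction usually means
the crypto ACL is not mirrored on the peer or the traffic is NATed before it
reaches the crypto map. Comparing both ends also catches loss on the path.
"""
import re
from typing import Dict, List

# Constructed samples, trimmed from the two listings above.
ASA_OUTPUT = """\
interface: outside
    Crypto map tag: vpn, seq num: 10, local addr: 192.168.1.2

      local ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
      current_peer: 192.168.2.2

      #pkts encaps: 344, #pkts encrypt: 344, #pkts digest: 344
      #pkts decaps: 344, #pkts decrypt: 344, #pkts verify: 344
      #send errors: 0, #recv errors: 0
"""
IOS_OUTPUT = """\
interface: FastEthernet0/0
    Crypto map tag: vpn, local addr 192.168.2.2

   local  ident (addr/mask/prot/port): (192.168.4.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 192.168.1.2 port 500
    #pkts encaps: 344, #pkts encrypt: 344, #pkts digest: 344
    #pkts decaps: 344, #pkts decrypt: 344, #pkts verify: 344
    #send errors 0, #recv errors 0
"""
# Invented failure case: the ASA encrypts 12 packets but nothing ever comes back.
ONE_WAY_OUTPUT = (ASA_OUTPUT
                  .replace("encaps: 344, #pkts encrypt: 344, #pkts digest: 344",
                           "encaps: 12, #pkts encrypt: 12, #pkts digest: 12")
                  .replace("decaps: 344, #pkts decrypt: 344, #pkts verify: 344",
                           "decaps: 0, #pkts decrypt: 0, #pkts verify: 0"))

# ASA writes 'current_peer:' and 'digest:', IOS 'current_peer' and 'digest'; both are accepted.
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/(\d+)/(\d+)\)")
PEER_RE = re.compile(r"current_peer:?\s*(\d+(?:\.\d+){3})")
COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|digest|decaps|decrypt|verify):?\s*(\d+)")
ERRORS_RE = re.compile(r"#send errors:?\s*(\d+),\s*#recv errors:?\s*(\d+)")


def parse_ipsec_sa(text: str) -> Dict:
    """Extract proxy identities, peer, packet counters and error counters."""
    sa: Dict = {"counters": {}, "send_errors": 0, "recv_errors": 0}
    for m in IDENT_RE.finditer(text):
        sa[m.group(1)] = f"{m.group(2)}/{m.group(3)}"
    if (m := PEER_RE.search(text)):
        sa["peer"] = m.group(1)
    for m in COUNTER_RE.finditer(text):
        sa["counters"][m.group(1)] = int(m.group(2))
    if (m := ERRORS_RE.search(text)):
        sa["send_errors"], sa["recv_errors"] = int(m.group(1)), int(m.group(2))
    return sa


def assess(sa: Dict) -> List[str]:
    """Findings for one device's view of the SA;  empty list means healthy."""
    enc, dec = sa["counters"].get("encaps", 0), sa["counters"].get("decaps", 0)
    findings = []
    if enc == 0 and dec == 0:
        findings.append("no traffic: nothing matched the crypto ACL (check routing, ACL and NAT exemption)")
    elif dec == 0:
        findings.append("one-way: we encrypt but never decrypt (peer's crypto ACL not mirrored, or peer NATs before encrypting)")
    elif enc == 0:
        findings.append("one-way: we decrypt but never encrypt (our return traffic is NATed or misses the crypto ACL)")
    if sa["send_errors"] or sa["recv_errors"]:
        findings.append(f"errors: send {sa['send_errors']}, recv {sa['recv_errors']}")
    return findings


def cross_check(a: Dict, b: Dict) -> List[str]:
    """Compare both ends: identities must mirror, and what one encrypts the other should decrypt."""
    findings = []
    if a.get("local") != b.get("remote") or a.get("remote") != b.get("local"):
        findings.append("proxy identities do not mirror each other")
    for x, y, label in ((a, b, "A->B"), (b, a, "B->A")):
        sent, got = x["counters"].get("encaps", 0), y["counters"].get("decaps", 0)
        if sent > got:
            findings.append(f"{label}: {sent} encrypted but only {got} decrypted (drops on the path?)")
    return findings


if __name__ == "__main__":
    asa, ios = parse_ipsec_sa(ASA_OUTPUT), parse_ipsec_sa(IOS_OUTPUT)
    print("ASA:", assess(asa) or "OK")
    print("Router:", assess(ios) or "OK")
    print("Cross-check:", cross_check(asa, ios) or "OK")
    print("One-way sample:", assess(parse_ipsec_sa(ONE_WAY_OUTPUT)))
```

Paste the real output of both devices into the two strings and the script reports the same conclusions a person draws from the counters, which is handy when the tunnel is one of many on a busy hub.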

ASA Site-to-Site IPsec VPN

Today I would like to write about the simplest ASA configuration for a site-to-site IPsec VPN. Below is a configuration example with a comment on each relevant command.

!--- Configure the outside interface.
!
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 172.16.1.1 255.255.255.0
!--- Configure the inside interface.
!
interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!--- Output suppressed
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
dns server-group DefaultDNS
 domain-name default.domain.invalid

access-list 100 extended permit ip any any
!--- Lab shortcut: applied inbound on the outside interface below, this
!--- permits everything from the outside into the ASA. In production permit
!--- only what is needed; the VPN does not depend on it, because decrypted
!--- tunnel traffic bypasses the interface ACL by default (sysopt connection permit-vpn).
access-list inside_nat0_outbound extended permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
!--- This access list (inside_nat0_outbound) is used
!--- with the nat zero command. This prevents traffic which
!--- matches the access list from undergoing network address translation (NAT).
!--- The traffic specified by this ACL is traffic that is to be encrypted and
!--- sent across the VPN tunnel. This ACL is intentionally
!--- the same as (outside_1_cryptomap).
!--- Two separate access lists should always be used in this configuration.
access-list outside_1_cryptomap extended permit ip 10.10.10.0 255.255.255.0 10.20.10.0 255.255.255.0
!--- This access list (outside_1_cryptomap) is used
!--- with the crypto map outside_map
!--- to determine which traffic should be encrypted and sent
!--- across the tunnel.
!--- This ACL is intentionally the same as (inside_nat0_outbound).
!--- Two separate access lists should always be used in this configuration.
pager lines 24
mtu inside 1500
mtu outside 1500
no failover
asdm image disk0:/asdm-613.bin
asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 10.10.10.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
!--- NAT 0 prevents NAT for networks specified in
!--- the ACL inside_nat0_outbound.
access-group 100 in interface outside
route outside 0.0.0.0 0.0.0.0 172.16.1.2 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 0.0.0.0 0.0.0.0 dmz
no snmp-server location
no snmp-server contact
!--- PHASE 2 CONFIGURATION ---!
!--- The encryption types for Phase 2 are defined here.
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
!--- Define which traffic should be sent to the IPsec peer.
crypto map outside_map 1 match address outside_1_cryptomap
!--- Sets the IPsec peer.
crypto map outside_map 1 set peer 172.17.1.1
!--- Sets the IPsec transform set "ESP-DES-SHA"
!--- to be used with the crypto map entry "outside_map".
crypto map outside_map 1 set transform-set ESP-DES-SHA
!--- Specifies the interface to be used with
!--- the settings defined in this configuration.
crypto map outside_map interface outside
!--- PHASE 1 CONFIGURATION ---!
!--- This configuration uses isakmp policy 10.
!--- The configuration commands here define the Phase
!--- 1 policy parameters that are used.
!--- DES, SHA-1 and DH group 1 are the weakest options the platform offers and
!--- should not be used for a new tunnel; prefer AES, SHA-2 and a larger DH
!--- group where both peers support them.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 1
 lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
tunnel-group 172.17.1.1 type ipsec-l2l
!--- In order to create and manage the database of connection-specific
!--- records for ipsec-l2l (IPsec LAN-to-LAN) tunnels, use the command
!--- tunnel-group in global configuration mode.
!--- For L2L connections the name of the tunnel group MUST be the IP
!--- address of the IPsec peer.
tunnel-group 172.17.1.1 ipsec-attributes
 pre-shared-key *
!--- Enter the pre-shared-key in order to configure the
!--- authentication method.

Site to site VPN tunnel between ASA and Router

May 2nd, 2010

Using the above network diagram, the scripts below can be applied to the two devices to build a site-to-site VPN tunnel. The firewall on the left is a Cisco ASA and the device on the right is a Cisco router. The router needs an IOS image with crypto support; you can test this by typing ‘crypto ?’ in configuration mode and checking that the commands needed to build the tunnel are available.

After applying the config below the device at 192.168.11.2 should be able to access 172.16.22.2 and vice versa.

BLUE ASA

!^^^^^^^ ISAKMP (Phase 1) ^^^^^^^!
! The policy number is arbitrary. The parameters inside the policy
! must match the other side for Phase 1 to complete.
! Policies are tried in order of priority number, lowest first.
crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

! Enable ISAKMP on the outside interface
crypto isakmp enable OUTSIDE

! Define the pre-shared key (for an L2L tunnel the tunnel-group name must be the peer's IP address)
tunnel-group 22.22.22.22 type ipsec-l2l
tunnel-group 22.22.22.22 ipsec-attributes
 pre-shared-key sekretk3y

!^^^^^^^ IPSEC (Phase 2) ^^^^^^^!
! Define the interesting traffic in the ACL
access-list ACL-RED-VPN permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0

crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac

! Create a crypto map entry that defines the tunnel
crypto map MAP-OUTSIDE 20 set peer 22.22.22.22
! The ACL must be exactly the mirror image of the other side’s ACL
crypto map MAP-OUTSIDE 20 match address ACL-RED-VPN
! The transform set must match the other side identically
crypto map MAP-OUTSIDE 20 set transform-set ESP-AES128-SHA
! Optional: rekey the IPsec SA after 10000 KB (about 10 MB). This is far below the
! 4608000 KB default and forces very frequent rekeys; the router side keeps its
! default, and a lifetime mismatch does not break the tunnel (the shorter value wins).
crypto map MAP-OUTSIDE 20 set security-association lifetime kilobytes 10000
! Apply the crypto map to an interface
crypto map MAP-OUTSIDE interface OUTSIDE

!^^^^^^^ Routes and No-NATs ^^^^^^^!
! Route the remote network out the outside interface via the default gateway
! (not needed if a default route via OUTSIDE already exists).
route OUTSIDE 172.16.22.0 255.255.255.0 11.11.11.1

! Make sure that the VPN traffic is NOT NAT’d
access-list ACL-INSIDE-NONAT extended permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0
nat (INSIDE) 0 access-list ACL-INSIDE-NONAT


RED ROUTER WITH CRYPTO SUPPORT

!^^^^^^^ ISAKMP (Phase 1) ^^^^^^^!
! Note: the default isakmp settings on a router are Encr: DES, Hash: SHA, DH: group 1.
! Attributes left at their default do not show under ‘show run’.
crypto isakmp policy 5
 encr aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key sekretk3y address 11.11.11.11

!^^^^^^^ IPSEC (Phase 2) ^^^^^^^!
! Define the interesting traffic in the ACL (mirror image of the ASA’s ACL-RED-VPN)
ip access-list extended ACL-VPN
 permit ip 172.16.22.0 0.0.0.255 192.168.11.0 0.0.0.255

crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac

crypto map VPN-TUNNEL 1 ipsec-isakmp
 set peer 11.11.11.11
 set transform-set AES-SHA
 match address ACL-VPN

interface Fa0/0
 crypto map VPN-TUNNEL
 ip nat outside

interface Vlan2
 ip nat inside

!^^^^^^^ Routes and No-NATs ^^^^^^^!
! Route the remote network out the outside interface via the default gateway
ip route 192.168.11.0 255.255.255.0 22.22.22.1

! Make sure that the VPN traffic is NOT NAT’d. The deny must come before the permit:
! the NAT ACL is evaluated top-down and the first match wins.
ip access-list extended ACL-NAT
 deny   ip 172.16.22.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip any any
ip nat inside source list ACL-NAT interface Fa0/0 overload
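The two rules the comments above stress, that the crypto ACL on each side must be the exact mirror image of the other and that the tunnelled traffic must be excluded from NAT before it reaches the crypto map, are easy to break with a typo or a misplaced line. The Python below is an added example (not part of the original post) that parses ASA access lists (subnet masks) and IOS access lists (wildcard masks) into a common form, confirms that the BLUE ASA and RED ROUTER crypto ACLs mirror each other, and checks each side's NAT exemption with first-match semantics: an ASA "nat 0" ACL must permit the flow, an IOS "ip nat inside source list" ACL must deny it (or not match it) before any permit. The BLUE_ASA and RED_ROUTER snippets are copied from the listings above; BROKEN_ROUTER is constructed to show both failures.

```python
"""Check that two IPsec peers' crypto ACLs mirror each other and that the
tunnelled traffic is exempted from NAT on both sides. ASA ACLs use subnet
masks (255.255.255.0) and IOS ACLs wildcard masks (0.0.0.255); both are
normalised to ipaddress networks so they can be compared directly."""
import ipaddress
from typing import Iterator, List, Optional, Tuple

Network = ipaddress.IPv4Network
Ace = Tuple[str, Network, Network]  # (action, source, destination)

# Copied from the BLUE ASA and RED ROUTER listings above.
BLUE_ASA = """
access-list ACL-RED-VPN permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0
access-list ACL-INSIDE-NONAT extended permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0
nat (INSIDE) 0 access-list ACL-INSIDE-NONAT
"""
RED_ROUTER = """
ip access-list extended ACL-VPN
 permit ip 172.16.22.0 0.0.0.255 192.168.11.0 0.0.0.255
ip access-list extended ACL-NAT
 deny   ip 172.16.22.0 0.0.0.255 192.168.11.0 0.0.0.255
 permit ip any any
ip nat inside source list ACL-NAT interface Fa0/0 overload
"""
# Constructed misconfiguration: a typo in the crypto ACL, and the NAT deny
# placed after 'permit ip any any' so it can never match.
BROKEN_ROUTER = """
ip access-list extended ACL-VPN
 permit ip 172.16.22.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended ACL-NAT
 permit ip any any
 deny   ip 172.16.22.0 0.0.0.255 192.168.11.0 0.0.0.255
"""

def _network(addr: str, mask: str, wildcard: bool) -> Network:
    """'addr mask' to a network; an IOS wildcard is inverted into a netmask first."""
    if wildcard:
        mask = str(ipaddress.ip_address(~int(ipaddress.ip_address(mask)) & 0xFFFFFFFF))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _endpoint(tokens: Iterator[str], wildcard: bool) -> Network:
    """Consume 'any', 'host A' or 'A MASK' from the token stream."""
    tok = next(tokens)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(f"{next(tokens)}/32")
    return _network(tok, next(tokens), wildcard)

def _ace(tokens: List[str], wildcard: bool) -> Ace:
    """tokens = [permit|deny, ip, SRC..., DST...]; only plain 'ip' ACEs are compared."""
    it = iter(tokens)
    action, proto = next(it), next(it)
    if proto != "ip":
        raise ValueError(f"unsupported protocol in ACE: {proto}")
    return action, _endpoint(it, wildcard), _endpoint(it, wildcard)

def parse_asa_acl(config: str, name: str) -> List[Ace]:
    """'access-list NAME [extended] permit|deny ip SRC MASK DST MASK' lines."""
    aces = []
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["access-list", name]:
            aces.append(_ace(t[3:] if t[2] == "extended" else t[2:], wildcard=False))
    return aces

def parse_ios_acl(config: str, name: str) -> List[Ace]:
    """ACEs under 'ip access-list extended NAME', with optional sequence numbers."""
    aces, inside = [], False
    for line in config.splitlines():
        t = line.split()
        if not t:
            continue
        if t[:3] == ["ip", "access-list", "extended"]:
            inside = t[3] == name
        elif inside and t[0].isdigit():
            aces.append(_ace(t[1:], wildcard=True))
        elif inside and t[0] in ("permit", "deny"):
            aces.append(_ace(t, wildcard=True))
        elif inside and t[0] != "remark":
            inside = False  # any other command ends the access-list block
    return aces

def _permits(aces: List[Ace]) -> set:
    return {(src, dst) for action, src, dst in aces if action == "permit"}

def mirrors(side_a: List[Ace], side_b: List[Ace]) -> bool:
    """Every permit on one side must appear reversed on the other, and nothing else."""
    return _permits(side_a) == {(dst, src) for src, dst in _permits(side_b)}

def first_match(aces: List[Ace], src: Network, dst: Network) -> Optional[Ace]:
    """ACLs are evaluated top-down; the first ACE containing the whole flow wins."""
    return next((a for a in aces if src.subnet_of(a[1]) and dst.subnet_of(a[2])), None)

def nat_exemption_gaps(crypto: List[Ace], nat_acl: List[Ace], exempt_action: str) -> List[str]:
    """Crypto flows the NAT ACL would still translate. exempt_action is 'permit'
    for an ASA 'nat 0 access-list' and 'deny' for an IOS 'ip nat inside source
    list', where no match at all also means no translation."""
    gaps = []
    for src, dst in sorted(_permits(crypto), key=str):
        hit = first_match(nat_acl, src, dst)
        effective = hit[0] if hit else "deny"
        if effective != exempt_action:
            gaps.append(f"{src} -> {dst} would be translated (NAT ACL first match: {effective})")
    return gaps

if __name__ == "__main__":
    asa_crypto = parse_asa_acl(BLUE_ASA, "ACL-RED-VPN")
    print("ASA NAT gaps:", nat_exemption_gaps(asa_crypto, parse_asa_acl(BLUE_ASA, "ACL-INSIDE-NONAT"), "permit"))
    for label, cfg in (("RED ROUTER", RED_ROUTER), ("BROKEN ROUTER", BROKEN_ROUTER)):
        router_crypto = parse_ios_acl(cfg, "ACL-VPN")
        print(label, "mirrors ASA:", mirrors(asa_crypto, router_crypto),
              "NAT gaps:", nat_exemption_gaps(router_crypto, parse_ios_acl(cfg, "ACL-NAT"), "deny"))
```

The wildcard is inverted explicitly rather than handed to ipaddress as a hostmask, because "0.0.0.0" and "255.255.255.255" are ambiguous between the two notations and would otherwise be read as a /0 and a /32 respectively. Only plain "ip" entries are compared, which is all a crypto ACL for a LAN-to-LAN tunnel should contain.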