Cisco ASA Site-to-Site IKEv1 IPsec VPN Dynamic Peers

This topic is to discuss the following lesson:

Hi Rene,

I can’t understand how ASA1 dynamically recognizes the peer IP address with the command

ASA1(config)# tunnel-group DefaultL2LGroup ipsec-attributes

and

ASA1(config)# tunnel-group ASA1_ASA2 type ipsec-l2l
ASA1(config)# tunnel-group ASA1_ASA2 ipsec-attributes

Could you please help me understand how they work?

br/
zaman


Hi Zaman,

On ASA2 you will find this line:

ASA2(config)# crypto isakmp identity key-id ASA1_ASA2

When ASA2 tries to connect to ASA1, it will use “ASA1_ASA2” to identify itself. This will help ASA1 to decide which tunnel group to pick:

ASA1(config)# tunnel-group ASA1_ASA2 type ipsec-l2l

ASA1 will accept connections from any IP address.

Rene

Hi Rene,

I have one question about site-to-site IPsec VPN. I have two ASA 5525-X firewalls running Active/Standby in production, but I have only one public IP address on the WAN interface. I want to use site-to-site IPsec VPN now. Could I use one public IP address for an Active/Standby design, and is it possible? How would failover work? With this design we can get failover when the active firewall is down. Is there any recommended reference?

Thanks

Hi Mark,

Configuring the ASAs without a standby IP on the outside interface is no problem. The standby IP is used for management and to monitor the interface (by sending hello packets). If you do specify a standby IP on the inside interfaces then you can use that to access your standby ASA. When your primary ASA fails, it will be notified through the failover link and your standby ASA will take over.

Rene

Hi Rene,

Thanks for your reply.

Thanks for all the explanations, but I have a question: should my WAN link carry a public IP address, or should I assign any?

Hi Emmanuel,

If you intend to build a VPN over the Internet then you will need public IP addresses. It depends on the ISP if you get these through DHCP or if you have to configure them statically.

Rene

Hello Rene,

Can this setup be applied to an ASA with a static IP, with IKEv1 tunnels to dynamic Cisco 871 routers?

Thanks!
Jesse

Hi Jesse,

That’s no problem at all, just keep in mind that your routers will have to initiate the connection.

Rene

Hi John,

For your access-lists, something like this should work:

ASA-1:
access-list ASA1_ASA2 extended permit ip 172.16.32.0 255.255.255.0 any

ASA-2:
access-list ASA2_ASA1 extended permit ip any 172.16.32.0 255.255.255.0

This allows all hosts in the 172.16.32.0/24 subnet to go through the VPN tunnel to any destination (including the Internet). Don’t forget to configure NAT somewhere…like those routers.

About adding that second peer, is there any overlap with your crypto map (or access-lists) that could cause this? Make sure each peer “lands” on the correct tunnel group.

Rene

Hi Rene,

ASA2(config)# crypto isakmp identity key-id ASA1_ASA2

This is a configuration line on ASA2. This “ASA1_ASA2” is only present on ASA1 but doesn’t exist on ASA2 at all. So how is this working?

Hi Praveen,

This matches with the tunnel-group on ASA1. Here is the tunnel-group of ASA1:

ASA1(config)# tunnel-group ASA1_ASA2 type ipsec-l2l
ASA1(config)# tunnel-group ASA1_ASA2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev1 pre-shared-key ASA1_ASA2_KEY

And here’s the key ID on ASA2:

ASA2(config)# crypto isakmp identity key-id ASA1_ASA2
ASA2(config)# crypto ikev1 enable OUTSIDE

When ASA2 connects, ASA1 knows to which tunnel group it belongs because of the ID.

Rene
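The tunnel-group selection that Rene explains twice above (to Zaman and to Praveen), written out as a complete hub and spoke pair. This is an added example, not configuration from the lesson or from any post in this thread; the hub's public IP 203.0.113.1, the LAN subnets, the IKEv1 policy values, the names TS, DYN and MAP, and the DefaultL2LGroup key are all assumed.

```cisco
! ---- ASA1: hub, static public IP (203.0.113.1 is an assumed value) ----
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable OUTSIDE
crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
! Interesting traffic: hub LAN 192.168.1.0/24 to ASA2 LAN 192.168.2.0/24 (assumed subnets)
access-list ASA1_ASA2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
! Dynamic crypto map: there is no "set peer", so ASA2 may arrive from any IP address
crypto dynamic-map DYN 10 match address ASA1_ASA2
crypto dynamic-map DYN 10 set ikev1 transform-set TS
crypto map MAP 65535 ipsec-isakmp dynamic DYN
crypto map MAP interface OUTSIDE
! Named tunnel group: chosen when the peer identifies itself with the key-id "ASA1_ASA2"
tunnel-group ASA1_ASA2 type ipsec-l2l
tunnel-group ASA1_ASA2 ipsec-attributes
 ikev1 pre-shared-key ASA1_ASA2_KEY
! Fallback: a dynamic peer whose ID matches no named tunnel group lands here
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev1 pre-shared-key DEFAULT_L2L_KEY

! ---- ASA2: spoke, dynamic public IP ----
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! Identify as the string "ASA1_ASA2" instead of the (changing) outside IP address
crypto isakmp identity key-id ASA1_ASA2
crypto ikev1 enable OUTSIDE
crypto ipsec ikev1 transform-set TS esp-aes-256 esp-sha-hmac
access-list ASA2_ASA1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
! Static crypto map: the spoke knows the hub's address, so it is the side that initiates
crypto map MAP 10 match address ASA2_ASA1
crypto map MAP 10 set peer 203.0.113.1
crypto map MAP 10 set ikev1 transform-set TS
! Aggressive mode carries the ID in the first message; assumed here so that ASA1 sees
! the key-id before it has to choose which pre-shared key to use
crypto map MAP 10 set phase1-mode aggressive
crypto map MAP interface OUTSIDE
! The spoke's tunnel group is named after the hub's static IP; the key must match ASA1's
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key ASA1_ASA2_KEY
```

After ASA2 connects, `show vpn-sessiondb l2l` on ASA1 shows which tunnel group the session landed on, which is the quickest way to confirm it matched ASA1_ASA2 rather than falling through to DefaultL2LGroup.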

Hi Rene,

Thanks for this explanation.
My question may not be directly related to this topic: what will need to be done if the ASA2 subnet and the ASA3 subnet need to talk to each other? What will need to be enabled on ASA1, or on ASA2 and ASA3?

Also, if for example instead of ASA2 I have a different brand of firewall, like Sophos XG, will I be able to set the key-id on the Sophos so that ASA1 can identify which map it will use for the Sophos?

Thanks in advance for your clarification.

Regards,
Zeeshan

Hello Zeeshan

We can consider this topology as a kind of hub and spoke, where ASA1 is the hub and ASAs 2 and 3 are the spokes. In order to allow ASA2 to ASA3 communication, it is necessary to do several things.

Each spoke has to send the traffic for the other spoke through the tunnel that already exists to the hub. So, both the existing access lists must be extended to include spoke to spoke traffic.

Secondly, the static routing at each spoke must include the subnets of the other spoke.

Third, the hub must be configured so that the ACL for the ASA1 to ASA2 traffic includes ASA3 to ASA2 traffic, and the ACL for the ASA1 to ASA3 traffic includes ASA2 to ASA3 traffic.

And finally, the hub must be configured to allow traffic to enter and leave on the same interface, which is not the default behaviour.

Take a look at this Cisco Community post that describes a similar configuration to that in the lesson, and adds at the end, the requirements for spoke to spoke communication.

Take a look and you should be able to conform it to the lesson.

IPsec IKEv1 is an open standard, and as long as your firewall supports this standard, the appropriate key-id can be sent so that ASA1 will identify which map to use for the Sophos.

I hope this has been helpful!

Laz
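Laz's four steps written out as ASA configuration, added here as an example that is not from the lesson or from the Community post he refers to. The subnets (hub 192.168.1.0/24, ASA2 192.168.2.0/24, ASA3 192.168.3.0/24), the ISP next hops and the ACL, map and transform-set names are assumed; NAT exemption for the new subnet pairs is also required and is not shown.

```cisco
! ---- ASA1 (hub) ----
! Step 4: spoke-to-spoke packets arrive on OUTSIDE and leave on OUTSIDE again
! (hairpin between two tunnels); the ASA drops this by default
same-security-traffic permit intra-interface
! Step 3: the ACL for the ASA2 tunnel now also selects ASA3 -> ASA2 traffic ...
access-list ASA1_ASA2 extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list ASA1_ASA2 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
! ... and the ACL for the ASA3 tunnel also selects ASA2 -> ASA3 traffic
access-list ASA1_ASA3 extended permit ip 192.168.1.0 255.255.255.0 192.168.3.0 255.255.255.0
access-list ASA1_ASA3 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
! One dynamic-map entry per spoke so each tunnel negotiates the right proxy IDs
crypto dynamic-map DYN 10 match address ASA1_ASA2
crypto dynamic-map DYN 10 set ikev1 transform-set TS
crypto dynamic-map DYN 20 match address ASA1_ASA3
crypto dynamic-map DYN 20 set ikev1 transform-set TS

! ---- ASA2 (spoke) ----
! Step 1: the crypto ACL also sends traffic for the other spoke through the existing tunnel to the hub
access-list ASA2_ASA1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ASA2_ASA1 extended permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.0
! Step 2: the other spoke's subnet must be reachable via OUTSIDE (198.51.100.1 is an assumed ISP next hop)
route OUTSIDE 192.168.3.0 255.255.255.0 198.51.100.1

! ---- ASA3 (spoke) ----
access-list ASA3_ASA1 extended permit ip 192.168.3.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list ASA3_ASA1 extended permit ip 192.168.3.0 255.255.255.0 192.168.2.0 255.255.255.0
route OUTSIDE 192.168.2.0 255.255.255.0 198.51.100.5
```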

Hi Rene,
What if you have dynamic peers on both sides? Can you apply a similar config to what you’re applying on ASA1?

thanks…

Hello Irfan

It is not possible to have both ends of a site-to-site connection be dynamic. At least one of the ends must be static, because if neither end knows the IP address of the other, no VPN tunnel can be established.

If you have dynamic IPs on both ends (as would occur if you had ADSL connections on both ends with dynamic IPs), you would have to establish a way to find the IP address of one of the ends. This could theoretically be achieved using services like DynDNS or NoIP, but the ASA does not support these. The best practice is to have at least one end with a static IP.

I hope this has been helpful! Stay safe and healthy!

Laz


Hi Laz,
That was great info.
Thanks,
Irfan

Hi Rene,

I asked something similar before, but please don’t mind if I ask my question again for this scenario. Is there any advantage or disadvantage if I use IKEv2 instead of IKEv1 in this scenario?

Thank you for your time!
B.A

Hello András

The advantages that IKEv2 provides over IKEv1 are not particular to the specific Dynamic Peers topology. The advantages are simply those provided by version 2 in any topology. Some improvements that may be beneficial in this specific topology include:

  1. the ability of IKEv2 to perform NAT traversal
  2. it requires less overhead than IKEv1, making it better if you are applying it over a low-bandwidth WAN

There are additional advantages, but these are not particular to the specific topology.

I hope this has been helpful!

Laz
