Cisco ASA Site-to-Site IKEv1 IPsec VPN Dynamic Peers

Hi Rene,

ASA2(config)# crypto isakmp identity key-id ASA1_ASA2

This is a configuration line on ASA2. This “ASA1_ASA2” is only present on ASA1 but doesn’t exist on ASA2 at all. So how are things working?

Hi Praveen,

This matches with the tunnel-group on ASA1. Here is the tunnel-group of ASA1:

ASA1(config)# tunnel-group ASA1_ASA2 type ipsec-l2l
ASA1(config)# tunnel-group ASA1_ASA2 ipsec-attributes
ASA1(config-tunnel-ipsec)# ikev1 pre-shared-key ASA1_ASA2_KEY

And here’s the key ID on ASA2:

ASA2(config)# crypto isakmp identity key-id ASA1_ASA2
ASA2(config)# crypto ikev1 enable OUTSIDE

When ASA2 connects, ASA1 knows to which tunnel group it belongs because of the ID.

Rene

Hi Rene,

Thanks for this explanation.
My question may not be directly related to this topic: what will need to be done if the ASA2 subnet and the ASA3 subnet need to talk to each other? What will need to be enabled on ASA1 or on ASA2 & 3?

Also, if for example instead of ASA2 I have a different brand of firewall like Sophos XG, will I be able to set the key-id on the Sophos so that ASA1 can identify which map to use for the Sophos?

Thanks in advance for your clarification.

Regards,
Zeeshan

Hello Zeeshan

We can consider this topology as a kind of hub and spoke, where ASA1 is the hub and ASAs 2 and 3 are the spokes. In order to allow ASA2 to ASA3 communication, it is necessary to do several things.

Each spoke has to send the traffic for the other spoke through the tunnel that already exists to the hub. So, both the existing access lists must be extended to include spoke to spoke traffic.

Secondly, the static routing at each spoke must include the subnets of the other spoke.

Third, the hub must be configured so that the ACL for the ASA1 to ASA2 traffic includes ASA3 to ASA2 traffic, and the ACL for the ASA1 to ASA3 traffic includes ASA2 to ASA3 traffic.

And finally, the hub must be configured to allow traffic to enter and leave on the same interface, which is not the default behaviour.

Take a look at this Cisco Community post that describes a similar configuration to that in the lesson, and adds at the end, the requirements for spoke to spoke communication.


Take a look and you should be able to conform it to the lesson.

IPsec IKEv1 is an open standard, and as long as your firewall supports this standard, the appropriate key-id will be able to be sent so that the ASA1 will identify which map to use for Sophos.

I hope this has been helpful!

Laz
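Added example (not from the lesson or the thread): a small Python model that checks Laz's four requirements for spoke-to-spoke traffic through the hub against a constructed hub-and-spoke topology. The 192.168.x.0/24 subnets and the per-tunnel ACL representation are assumptions, not the lesson's addressing.

```python
import ipaddress
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network

@dataclass
class Asa:
    """Minimal model of one ASA: its LAN, its crypto ACL per tunnel and its routes."""
    name: str
    lan: Net
    crypto_acls: dict = field(default_factory=dict)   # tunnel peer name -> [(src, dst), ...]
    routes_outside: list = field(default_factory=list)  # subnets routed out of OUTSIDE
    intra_interface: bool = False  # same-security-traffic permit intra-interface

def acl_matches(entries, src, dst):
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in entries)

def spoke_to_spoke_problems(hub, src_spoke, dst_spoke):
    """List what is missing for src_spoke LAN -> dst_spoke LAN traffic to traverse the hub."""
    src, dst = src_spoke.lan, dst_spoke.lan
    problems = []
    # 1. the spoke's crypto ACL toward the hub must select the spoke-to-spoke flow
    if not acl_matches(src_spoke.crypto_acls[hub.name], src, dst):
        problems.append(f"{src_spoke.name}: crypto ACL to {hub.name} lacks {src} -> {dst}")
    # 2. the spoke must route the other spoke's subnet out of the interface holding the crypto map
    if not any(dst.subnet_of(r) for r in src_spoke.routes_outside):
        problems.append(f"{src_spoke.name}: no route to {dst} via OUTSIDE")
    # 3. the hub's crypto ACL for the destination spoke must include the source spoke's LAN
    if not acl_matches(hub.crypto_acls[dst_spoke.name], src, dst):
        problems.append(f"{hub.name}: crypto ACL to {dst_spoke.name} lacks {src} -> {dst}")
    # 4. the hub must let the packet enter and leave on the same (OUTSIDE) interface
    if not hub.intra_interface:
        problems.append(f"{hub.name}: same-security-traffic permit intra-interface missing")
    return problems

# Constructed subnets (the lesson's real addressing is not reproduced here).
LAN1, LAN2, LAN3 = Net("192.168.1.0/24"), Net("192.168.2.0/24"), Net("192.168.3.0/24")

def build(spoke_to_spoke):
    """Hub-and-spoke topology as in the lesson, optionally extended with the four steps above."""
    hub = Asa("ASA1", LAN1, {"ASA2": [(LAN1, LAN2)], "ASA3": [(LAN1, LAN3)]})
    asa2 = Asa("ASA2", LAN2, {"ASA1": [(LAN2, LAN1)]}, [LAN1])
    asa3 = Asa("ASA3", LAN3, {"ASA1": [(LAN3, LAN1)]}, [LAN1])
    if spoke_to_spoke:
        hub.crypto_acls["ASA2"].append((LAN3, LAN2))
        hub.crypto_acls["ASA3"].append((LAN2, LAN3))
        hub.intra_interface = True
        asa2.crypto_acls["ASA1"].append((LAN2, LAN3)); asa2.routes_outside.append(LAN3)
        asa3.crypto_acls["ASA1"].append((LAN3, LAN2)); asa3.routes_outside.append(LAN2)
    return hub, asa2, asa3
```

With the lesson's hub-and-spoke ACLs only, `spoke_to_spoke_problems(*build(False))` reports all four missing pieces; after the extension it reports none in either direction.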

Hi Rene,
What if you have dynamic peers on both sides? Can you apply a similar config to the one you’re applying on ASA1?

thanks…

Hello Irfan

It is not possible to have both ends of a site to site connection be dynamic. At least one of the ends must be static because if both ends don’t know the IP address of the other, no VPN tunnels could be established.

If you have dynamic IPs on both ends (as would occur if you had ADSL connections on both ends with dynamic IPs), you would have to establish a way to find the IP address of one of the ends. This could theoretically be achieved using services like DynDNS or NoIP, but the ASA does not support these. The best practice is to have at least one end with a static IP.

I hope this has been helpful! Stay safe and healthy!

Laz


Hi Laz,
That was great info.
Thanks,
Irfan

Hi Rene,

I asked something similar before, but please don’t mind if I ask my question again in this scenario. So is there any advantage or disadvantage if I use IKEv2 instead of IKEv1 in this scenario?

Thank you for your time!
B.A

Hello András

The advantages that IKEv2 provides over IKEv1 are not particular to the specific Dynamic Peers topology. The advantages are simply those provided by version 2 in any topology. Some improvements that may be beneficial in this specific topology include:

  1. the ability of IKEv2 to perform NAT traversal
  2. requires less overhead than IKEv1 thus making it better if you are applying it via a low bandwidth WAN

There are additional advantages, but these are not particular to the specific topology.

I hope this has been helpful!

Laz


Thank you for your answer!


Hello Andras

It seems you responded in a private message. I will post your response and your question here so that the answer can benefit others as well.

Hello Laz!

Sorry for disturbing you again, but I have another question: when do we have to do NAT while configuring site-to-site IPsec VPNs?

I would be very grateful if you can answer this question.

Thank you very much!

NAT can be used with a site to site IPSec VPN. How it will be used and how it will be implemented depends on what you need to achieve. One such scenario is when you have overlapping internal IP address schemes. For example, you may have the 192.168.1.0/24 subnet at both the local and the remote locations. You can use NAT to translate these addresses into other subnets (192.168.2.0/24 for site 1 and 192.168.3.0/24 for the other for example) so that communication can still take place. An example of this can be found at the following Cisco documentation:


Another example is where a site to site VPN is functioning, and you use split tunneling at each site for internet traffic, for which you want to apply NAT. The following Cisco documentation describes this. Although it is an older document, the principles are still the same.

If you have a more specific question, please feel free to ask, you are not disturbing us, that’s what we’re here for, to answer your questions!

I hope this has been helpful!

Laz


Hello,

Great lessons. Thank you very much.
There’s a little typo in the topology (ASA1 INSIDE interface number).

Boris


Hello Boris

Thanks for pointing that out, I’ll let Rene know…

Laz

Hi Rene, about this kind of topology I understand that the dynamic peer has to be configured in aggressive mode:

ASA3(config)# crypto map MY_CRYPTO_MAP 10 match address LAN3_LAN1
ASA3(config)# crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.1 
ASA3(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 phase1-mode aggressive 
ASA3(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET

So I have 2 questions:

  • Would it be a security problem if it were configured in aggressive mode?
  • If my dynamic peer is a router instead of an ASA, could it be configured in aggressive mode (if needed)?

Thanks

Hello Daniel

Main mode uses a six-way handshake where parameters are exchanged in multiple exchanges with encrypted authentication information. Aggressive mode on the other hand is considered less secure because it sends the hashed preshared key to the client in a single unencrypted message, a fact that makes this option comparatively more vulnerable.

Aggressive mode is obviously faster than main mode and is required for certain cases such as described in this lesson. For this reason, it is vital that the preshared key that is used be complex enough to protect such a connection from brute force attacks.

If the preshared key is complex enough, aggressive mode provides sufficient security for most implementations. If however security is paramount in your particular application, you should ensure that the appropriate infrastructure is available to support main mode.

Yes, you can configure aggressive mode on Cisco IOS routers as well as on the ASA. Although this is an old document, you can see how this can be accomplished at the following link:

I hope this has been helpful!

Laz
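Added example (not part of the thread or of any Cisco tooling): a Python audit that scans ASA configuration lines for the `set ikev1 phase1-mode aggressive` entries Daniel quoted and estimates pre-shared key strength, so the "complex enough" requirement above becomes a checkable threshold. The 128-bit threshold, the per-character-class entropy estimate and the sample config excerpt are assumptions.

```python
import math
import re

# Constructed excerpt of ASA configuration lines (not a real device's config). On a live ASA the
# key is masked in "show running-config"; "more system:running-config" shows it in clear text.
SAMPLE_CONFIG = """\
crypto map MY_CRYPTO_MAP 10 match address LAN3_LAN1
crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.1
crypto map MY_CRYPTO_MAP 10 set ikev1 phase1-mode aggressive
crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
tunnel-group ASA1_ASA2 type ipsec-l2l
tunnel-group ASA1_ASA2 ipsec-attributes
 ikev1 pre-shared-key ASA1_ASA2_KEY
"""

def psk_entropy_bits(key):
    """Rough strength estimate: length * log2(size of the character classes actually used)."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]
    space = sum(size for pattern, size in classes if re.search(pattern, key))
    return len(key) * math.log2(space) if space else 0.0

def audit(config, min_bits=128):
    """Flag aggressive-mode crypto map entries and pre-shared keys below min_bits (assumed threshold)."""
    findings = []
    for cmap, seq in re.findall(r"^crypto map (\S+) (\d+) set ikev1 phase1-mode aggressive", config, re.M):
        findings.append(f"crypto map {cmap} {seq}: IKEv1 aggressive mode, peer ID and PSK-derived "
                        "hash are exchanged unencrypted, so the PSK must resist offline guessing")
    group = None
    for line in config.splitlines():
        m = re.match(r"tunnel-group (\S+) ipsec-attributes", line)
        if m:
            group = m.group(1)  # subsequent indented lines belong to this tunnel-group
        m = re.match(r"\s+ikev1 pre-shared-key (\S+)", line)
        if m and group:
            bits = psk_entropy_bits(m.group(1))
            if bits < min_bits:
                findings.append(f"tunnel-group {group}: PSK estimated at {bits:.0f} bits, below {min_bits}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```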

Hi Laz/Rene,

Hope you are doing well.
I have a specific requirement for hub-to-spoke VPNs involving a Cisco CSR (hub) and Juniper SRX320 (spoke).
Assuming the spokes are getting a dynamic PPPoE public IP and the hub has a static public IP, what kind of VPN setup would be most suitable, considering running a dynamic routing protocol over the VPN and being easy to scale in future from an administrative management viewpoint?

Currently I’m able to set up a hub/spoke topology using SVTI with a dynamic routing protocol. Can this be further simplified considering the spokes are dynamic peers?

Many thanks
Zeeshan

Hello Zeeshan

The best situation for what you are describing would be to use Cisco’s DMVPN feature, which automatically and dynamically adds spokes, and includes the capability of employing a routing protocol as well. However, from the little research I have done, Juniper is not compatible with Cisco in order to employ this feature.

Alternatives include the use of GETVPN, a feature that documentation of both vendors states that they support, however, until you actually try to employ interoperability between different vendors you cannot be sure. I can’t comment on the success of this beyond what documentation is available. For GETVPN implementation on Cisco devices, take a look at the following lesson:

VTI is also a very useful solution, and yes, there is a Dynamic VTI option about which you can learn more here:


But once again, interoperability between vendors can only conclusively be determined by trying it out yourself.

I hope this has been helpful!

Laz


Hi, will this setup also work if my outside interface, let’s say on site B, is getting its IP address via DHCP from a 4G router? Will I need to configure the IP address DHCP set route command?

Many Thanks

Hello Ziran

This depends upon how your setup is configured. For your site B, you are using a 4G router as the outside internet-facing interface. From my understanding, your ASA is behind the 4G router, and is getting its outside interface IP address via DHCP from the 4G router. I am assuming that the 4G router is performing NAT in order to give the ASA access to the Internet.

The IP address DHCP set route command is used in order to set the next-hop IP address for a particular interface. This will resolve the default routing capabilities and configuration of the ASA.

In the lesson, all ASAs are directly connected to the same outside network and are directly accessible. However, the configuration will work for any dynamic peer that is behind a NAT device, such as your 4G router. For the creation of a dynamic peer where the ASA is behind any device that is operating NAT, then you must enable NAT-T. This is further described in the following two documents:

I hope this has been helpful!

Laz