Cisco ASA Site-to-Site IKEv1 IPsec VPN

Hi Rene,

What if we don't use the command "ASA1(config)# crypto isakmp identity address"?

br//
zaman

Hi Zaman,

Somehow, your ASAs have to be able to identify each other so that you use the correct tunnel-group. This command makes sure that the IP address is used for identification.

Rene

Hi,

ASA1(config)# crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
ASA1(config)# crypto map MY_CRYPTO_MAP interface OUTSIDE

Let's say there is already a crypto map called MY_CRYPTO_MAP and we want to create a site-to-site VPN to another site.
Is it OK if I create MY_CRYPTO_MAP_2 the same as MY_CRYPTO_MAP?

ASA1(config)# crypto map MY_CRYPTO_MAP_2 10 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP_2 10 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP_2 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto map MY_CRYPTO_MAP_2 10 set security-association lifetime seconds 3600
ASA1(config)# crypto map MY_CRYPTO_MAP_2 interface OUTSIDE

Thanks

In the examples, shouldn’t there be a no-nat?

Typically, there should be no NAT performed on the VPN traffic. In order to exempt that traffic, you must create an identity NAT rule. The identity NAT rule simply translates an address to the same address.

nat (inside,outside) source static local-network local-network destination static remote-network remote-network no-proxy-arp route-lookup

@Sims You can only apply one crypto-map to your interface. You should create one crypto-map with different statement numbers for each peer. Something like this:

ASA1(config)# crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto map MY_CRYPTO_MAP 10 set security-association lifetime seconds 3600
ASA1(config)# crypto map MY_CRYPTO_MAP 20 match address LAN1_LAN2
ASA1(config)# crypto map MY_CRYPTO_MAP 20 set peer 10.10.10.3
ASA1(config)# crypto map MY_CRYPTO_MAP 20 set ikev1 transform-set MY_TRANSFORM_SET
ASA1(config)# crypto map MY_CRYPTO_MAP 20 set security-association lifetime seconds 3600

@Ryan if you use NAT then yes, you will need to exempt your site-to-site or remote VPN traffic or it will be translated. Here’s an example:

nat (INSIDE,OUTSIDE) source static INSIDE INSIDE destination static VPN_POOL VPN_POOL

Basically it means that whenever traffic from the INSIDE destined to VPN_POOL goes from INSIDE > OUTSIDE, it will be translated to its own address. In other words, no NAT.

Rene
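The three points made in the replies above (one crypto map per interface, one entry per peer within that map, and an identity NAT rule for the encryption domain) can be checked mechanically. The following is an added example, not code from the forum or from Cisco: it parses a constructed ASA configuration fragment with simple regular expressions and flags each of those mistakes. It only understands object-based ACL lines and twice-NAT `source static ... destination static ...` rules; the object, ACL and peer names in the sample (LAN3, 10.10.10.4, MY_CRYPTO_MAP_2) are illustrative.

```python
"""Static checks over an ASA site-to-site VPN config (added example)."""
import re
from collections import defaultdict

CM_ENTRY = re.compile(r"^crypto map (\S+) (\d+) (match address|set peer) (\S+)$")
CM_BIND = re.compile(r"^crypto map (\S+) interface (\S+)$")
ACL_OBJ = re.compile(r"^access-list (\S+) extended permit ip object (\S+) object (\S+)$")
TWICE_NAT = re.compile(
    r"^nat \(([^,]+),([^)]+)\) source static (\S+) (\S+) destination static (\S+) (\S+)")


def parse(config):
    entries = defaultdict(dict)   # (map name, seq) -> {"acl": ..., "peer": ...}
    bindings = defaultdict(list)  # interface -> [map names applied to it]
    acls = {}                     # ACL name -> (src object, dst object)
    identity = set()              # (src, dst) object pairs exempt from NAT
    for raw in config.splitlines():
        line = raw.strip()
        if m := CM_ENTRY.match(line):
            name, seq, kind, value = m.groups()
            entries[(name, int(seq))]["acl" if kind == "match address" else "peer"] = value
        elif m := CM_BIND.match(line):
            bindings[m.group(2)].append(m.group(1))
        elif m := ACL_OBJ.match(line):
            acls[m.group(1)] = (m.group(2), m.group(3))
        elif m := TWICE_NAT.match(line):
            _, _, real_src, mapped_src, real_dst, mapped_dst = m.groups()
            # Identity NAT: real and mapped objects are the same on both sides.
            if real_src == mapped_src and real_dst == mapped_dst:
                identity.add((real_src, real_dst))
    return entries, bindings, acls, identity


def check(config):
    """Return a list of human-readable findings for the config text."""
    entries, bindings, acls, identity = parse(config)
    findings = []
    # 1. Only one crypto map can be active on an interface.
    for iface, names in bindings.items():
        if len(names) > 1:
            findings.append(f"{iface}: {len(names)} crypto maps applied ({', '.join(names)}); "
                            "only one crypto map can be active per interface")
    # 2. Entries are evaluated by sequence number; the same ACL in two entries
    #    with different peers means the higher sequence never matches outbound.
    peers_by_acl = defaultdict(set)
    for entry in entries.values():
        if "acl" in entry:
            peers_by_acl[entry["acl"]].add(entry.get("peer", "?"))
    for acl, peers in peers_by_acl.items():
        if len(peers) > 1:
            findings.append(f"ACL {acl} is matched by entries with different peers "
                            f"({', '.join(sorted(peers))}); the lowest sequence number wins "
                            "for outbound traffic")
    # 3. Every crypto ACL needs an identity NAT rule for its src/dst objects.
    for (name, seq), entry in sorted(entries.items()):
        acl = entry.get("acl")
        if acl in acls and acls[acl] not in identity:
            src, dst = acls[acl]
            findings.append(f"{name} {seq}: no identity NAT for {src} -> {dst}; "
                            "traffic for this tunnel would be translated before encryption")
    return findings


# Constructed sample: one correct tunnel (MY_CRYPTO_MAP 10) plus the two mistakes
# discussed in the thread (duplicate ACL for a second peer, second map on OUTSIDE).
SAMPLE_CONFIG = """
access-list LAN1_LAN2 extended permit ip object LAN1 object LAN2
access-list LAN1_LAN3 extended permit ip object LAN1 object LAN3
nat (INSIDE,OUTSIDE) source static LAN1 LAN1 destination static LAN2 LAN2 no-proxy-arp route-lookup
crypto map MY_CRYPTO_MAP 10 match address LAN1_LAN2
crypto map MY_CRYPTO_MAP 10 set peer 10.10.10.2
crypto map MY_CRYPTO_MAP 20 match address LAN1_LAN2
crypto map MY_CRYPTO_MAP 20 set peer 10.10.10.3
crypto map MY_CRYPTO_MAP interface OUTSIDE
crypto map MY_CRYPTO_MAP_2 10 match address LAN1_LAN3
crypto map MY_CRYPTO_MAP_2 10 set peer 10.10.10.4
crypto map MY_CRYPTO_MAP_2 interface OUTSIDE
"""

if __name__ == "__main__":
    for finding in check(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports three findings: two maps on OUTSIDE, LAN1_LAN2 shared by entries 10 and 20 with different peers, and no identity NAT for the LAN1 to LAN3 domain. Feed it a `show running-config` export to check a real box; non-object ACL lines are simply ignored.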

We have an ASA 5505 firewall where I have created a site-to-site VPN. The first time I created the crypto policy with group 2 and then changed it to the below.

Phase 1 failure: Mismatched attribute types for class Group Description: Rcv'd: Group 5 Cfg'd: Group 2
Group = 192.168.1.1, IP = 192.168.1.1, Received non-routine Notify message: No proposal chosen (14)

Phase 1 (Main mode)
Lifetime: 86400s (1 day)
Encryption: AES256
Hash: SHA1
Key-Ex: Group5
Phase 2
Lifetime: 3600s (1 hour)
Encryption: AES256
Hash: SHA1
PFS: Group5

Below is my firewall config.

crypto ikev1 policy 170
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400

I can ping the remote end peer from the firewall and from a host. It seems like crypto first checks for group 2 and then goes to group 5. I can ping 192.168.1.1 successfully from the firewall and server. What is this error message and how can I get rid of it?

Thank you Shraddha

Hi Shraddha,

The device on the other end starts the proposal with group 5 while on your end, it's configured for group 2. The simplest solution is probably to change your local policy: change it to group 5 and get rid of group 2.

DH group 2 is also a bit on the weak side.

Rene

Hi Rene,

Good explanation. I was wondering what the configuration of the crypto maps would be if you were using dynamic crypto maps instead of static. I imagine the ACL would not be needed. Do you have a code snippet for this example of what the dynamic crypto map configuration would look like?

Thanks
S

Hi Shawn,

In the next lessons you have an explanation of:
Cisco ASA Site-to-Site IKEv1 IPsec VPN Dynamic Peer
Cisco ASA Site-to-Site IKEv1 IPsec VPN Dynamic Peers

As you will see, in both cases you need to configure an access-list on each of the two ASAs to define which traffic will be encrypted.

Regards,

Hi Rene,

I tried to set up a similar tunnel config in my VIRL lab. However, I couldn't bring my tunnel up. I am attaching my VIRL lab. I would appreciate it if you could check what I am missing in my setup.

Regards,
Iqbal

Here is the attached VIRL.

Topology

19 posts were merged into an existing topic: Cisco ASA Site-to-Site IKEv1 IPsec VPN

Strange, my attachment was not uploaded.

Hi Rene,

I modified the network in your example with a few more nodes on each site. The network diagram is attached.

The IPSec tunnel is up. Ping from end node 1 to end node 2 is working.
Ping and wget from End Node 1 to Web Server 1 is working and from End Node 2 to Web Server 2 is also working.

However, the ping/wget from End node in one site to the web server on the other site is not working in either direction. When checked with ASA logs, the tunnel is set up and the ping is getting delivered to the web server, but the web server is not responding to the ping request.

Can you please help me find out the issue?

Hmm, if you can ping from end node 1 to end node 2 then your IPsec tunnel is up and running. If you are able to ping within the local subnet then at least you know your IP addresses are configured correctly. A couple of things to check/try here:

  1. Do your webservers have a correct default gateway? Maybe they don’t know how to get outside of their own subnet.

  2. The ACL that you use for your IPsec tunnel. Does it permit all traffic between 192.168.1.0/24 and 192.168.2.0/24? Make sure it matches the traffic that you want to get through the tunnel.

Rene


Hi Rene,

I have a question regarding IPSEC VPN.
If there are many crypto isakmp policy configured on the ASA, how do you know which crypto isakmp policy is being used by the IPSEC VPN tunnel?

Kartika

Hello Kartika

The command show crypto isa sa detail will show you the values for the encryption, hash and so on; however, it does not give you the number of the policy in use. Looking at the hash you can then determine the policy. A more elegant way would be to initiate a debug crypto isakmp, bring the tunnel down and back up again, and follow the phase one negotiation messages. The debug messages will show the router going through each individual policy until it finds a match, and you can determine which policy was matched.

I hope this has been helpful!

Laz
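The "Rcv'd: Group 5 Cfg'd: Group 2" message earlier in the thread and the question of which policy a tunnel ends up using both come down to the same responder logic: the ASA walks its ikev1 policies by priority number, lowest first, and takes the first one whose authentication, encryption, hash and DH group all equal the peer's proposal; lifetime is not a match criterion, the shorter of the two lifetimes is used. The model below is an added example, not code from the forum or from Cisco. The policy numbers reproduce the poster's policy 170 (group 2) next to an assumed policy 180 with group 5; the peer proposal and its 28800s lifetime are constructed.

```python
"""IKEv1 phase 1 policy selection as an ASA responder performs it (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ikev1Policy:
    priority: int          # 'crypto ikev1 policy <priority>', lower is tried first
    authentication: str
    encryption: str
    hash: str
    group: int             # Diffie-Hellman group
    lifetime: int          # seconds


# Attributes that must be identical for a policy to match a proposal.
MATCHED_ATTRS = ("authentication", "encryption", "hash", "group")


def negotiate(local_policies, proposal):
    """Return (chosen policy or None, negotiation log, negotiated lifetime or None).

    The log mirrors what 'debug crypto isakmp' shows: one line per policy tried,
    naming the first attribute that differed, then either a match or the
    'No proposal chosen' notify sent back to the initiator.
    """
    log = []
    for policy in sorted(local_policies, key=lambda p: p.priority):
        diffs = [a for a in MATCHED_ATTRS if getattr(policy, a) != proposal[a]]
        if not diffs:
            # Lifetime is negotiated downwards rather than required to be equal.
            lifetime = min(policy.lifetime, proposal["lifetime"])
            log.append(f"policy {policy.priority}: match, lifetime {lifetime}s")
            return policy, log, lifetime
        attr = diffs[0]
        log.append(f"policy {policy.priority}: mismatched {attr}: "
                   f"Rcv'd {proposal[attr]} Cfg'd {getattr(policy, attr)}")
    log.append("No proposal chosen (14)")
    return None, log, None


# Constructed: the poster's policy 170 (group 2) plus an assumed policy 180 (group 5).
SITE_POLICIES = [
    Ikev1Policy(170, "pre-share", "aes-256", "sha", 2, 86400),
    Ikev1Policy(180, "pre-share", "aes-256", "sha", 5, 86400),
]
# Constructed: what the remote peer offers in its first main-mode message.
PEER_PROPOSAL = {"authentication": "pre-share", "encryption": "aes-256",
                 "hash": "sha", "group": 5, "lifetime": 28800}

if __name__ == "__main__":
    print("both policies present:")
    for line in negotiate(SITE_POLICIES, PEER_PROPOSAL)[1]:
        print("  " + line)
    print("only policy 170 present:")
    for line in negotiate(SITE_POLICIES[:1], PEER_PROPOSAL)[1]:
        print("  " + line)
```

With both policies present the group mismatch on policy 170 is still logged before policy 180 is selected, which is exactly why the mismatch message appears on a box whose tunnel nevertheless comes up; with only policy 170 the walk ends in the "No proposal chosen" notify. The first case also illustrates Laz's point that the matched policy number is visible in the negotiation trace but not in the SA detail output.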

Hello Rene,

If you configure an ACL on the inside interface (IN) to allow access from inside to outside, do we need to create an ACL on the inside interface for each new tunnel to allow the traffic between the encryption domains?

thanks